FreeBSD Security Advisory FreeBSD-SA-23:17.pf

From: FreeBSD Security Advisories <security-advisories_at_freebsd.org>
Date: Tue, 05 Dec 2023 22:15:27 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:17.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          TCP spoofing vulnerability in pf(4)

Category:       core
Module:         pf
Announced:      2023-12-05
Credits:        Yuxiang Yang, Ao Wang, Xuewei Feng, Qi Li and Ke Xu from
                Tsinghua University
Affects:        All supported versions of FreeBSD.
Corrected:      2023-12-05 18:24:35 UTC (stable/14, 14.0-STABLE)
                2023-12-05 18:26:28 UTC (releng/14.0, 14.0-RELEASE-p2)
                2023-12-05 18:25:22 UTC (stable/13, 13.2-STABLE)
                2023-12-05 18:28:12 UTC (releng/13.2, 13.2-RELEASE-p7)
                2023-12-05 18:31:13 UTC (stable/12, 12.4-STABLE)
                2023-12-05 18:38:14 UTC (releng/12.4, 12.4-RELEASE-p9)
CVE Name:       CVE-2023-6534

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for
OpenBSD.  pf implements TCP state tracking, wherein it maintains
metadata for each TCP connection tracked by the firewall and uses this
metadata to decide whether to accept or reject packets matching the
connection identifiers.

II.  Problem Description

As part of its stateful TCP connection tracking implementation, pf
performs sequence number validation on inbound packets.  This makes it
difficult for a would-be attacker to spoof the sender and inject packets
into a TCP stream, since crafted packets must contain sequence numbers
which match the current connection state to avoid being rejected by the
firewall.

A bug in the implementation of sequence number validation means that the
sequence number is not in fact validated, allowing an attacker who is
able to impersonate the remote host and guess the connection's port
numbers to inject packets into the TCP stream.

III. Impact

An attacker can, with relatively little effort, inject packets into a
TCP stream destined to a host behind a pf firewall.  This could be used
to implement a denial-of-service attack for hosts behind the firewall,
for example by sending TCP RST packets to the host.

IV.  Workaround

No workaround is available.

Systems which do not use pf(4) are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platfrom on FreeBSD 13 and earlier, can be updated via
the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:17/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-23:17/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              a47a44c0d69c    stable/14-n265915
releng/14.0/                            0019b7058a7a  releng/14.0-n265395
stable/13/                              ee1d1e38fae6    stable/13-n256844
releng/13.2/                            45e256e24c97  releng/13.2-n254647
stable/12/                                                        r373284
releng/12.4/                                                      r373287
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6534>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:17.pf.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVvmWsACgkQbljekB8A
Gu8kgxAA0SNvDNzfrivMBDrp3s4q86rLLsDSe3DN4kc+Rtid4R2tf/AzjSO7BVcg
O3jvzXtx5RdX+udEbwK26ej+B2N2JCR4L5UC2N0ECo5ECdVd7jCZ5yty9CRawAeE
cZZoT028eWeDCMrMI35iO4HTZeT0zF0lER1gTlogQbTzCu4uODSjPvOat/bilmh/
VaXI2ofiVrOpwjhq4t7ksTUK6O0g7LogDF/CEhj1ohEULtHCIDomm+9JuN86CFxJ
T0Zd5nePCGMhQBewXir25XFKTFOOAOVGRy79Otx5+gPEg9SucWlwBxMwmhASAHPO
60SCWUt95q/5C2OCyWoFhi6H7303YvinFKO/3FCx9/iTxAh/O86y1d2CU8PRStzk
0kPOoN9fnXP2P27+o0q0Uqn9AiViRWMHC99nM1w6Kxz7wTSvs0dMGrLRQENRs7YF
+9Zte+1yqsi/gcWsDkoTJstCJ8E2hjn/h12/LSZyLY3D3qNSdczFWauhIOQFTloj
8MHmzLGUBvWpQNWair4+mb5TpXVuJfFW3XBcQ2XGkUnT0Ws8hU0W/Lxef+wrNHFh
aPvT5rF683RH7qX8cnJGkMgPPI4/CTS+U+WePlAITumND8gf/jHaa3qourqLkmSM
XV8+9LIVfPimjFDmqpbyi6QxdWo834KP83c8TmzLDNUgEXe9L/k=
=s8QG
-----END PGP SIGNATURE-----