ASA-2019-00116 – OpenBSD: IPv6 fragmentation vulnerability in OpenBSD Packet Filter
Allele Security Alert

ASA-2019-00116

Identifier(s)

ASA-2019-00116, CVE-2019-5597

Title

IPv6 fragmentation vulnerability in OpenBSD Packet Filter

Vendor(s)

The OpenBSD Project

Product(s)

OpenBSD

Affected version(s)

OpenBSD 6.4 before errata 014
OpenBSD 6.3 before errata 030

Fixed version(s)

OpenBSD 6.4 errata 014
OpenBSD 6.3 errata 030

Proof of concept

Yes

Description

Unless IPv6 reassembly is explicitly disabled, Packet Filter reassembles IPv6 fragments so that filtering can be applied according to its configuration. The packets are then re-fragmented to comply with the end-to-end nature of IPv6 fragmentation. When handling malicious fragmented IPv6 packets, the functions pf_reassemble6() and pf_refragment6() may use an improper offset when applying a transformation to the packets. This behavior can have the following impacts:

  1. A kernel panic can happen, effectively stopping the system;
  2. An unexpected modification of the packets before and after the application of the filtering rules can occur. This may be leveraged to bypass the rules under some circumstances.

Note that with a GENERIC kernel, the panic drops to the debugger and the system does not reboot without manual intervention.
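The description above gives a defender three facts to act on: the fix ships as a named erratum per release, the vulnerable path is only reached when PF reassembles IPv6 fragments, and reassembly is controlled by the `set reassemble` option in pf.conf(5) (default `yes`). The following POSIX shell script, an added example that is not part of this alert or of OpenBSD, combines those facts into a single exposure check. It takes the release string (as printed by `uname -r`), the installed errata list (as printed by `syspatch -l`) and the pf.conf text as arguments, so it runs offline on data collected from a host; the sample inputs at the bottom are constructed, and the script assumes PF is enabled and that `syspatch -l` prints one patch name per line.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify a host's exposure to
# CVE-2019-5597 from collected data. Assumes PF is enabled on the host.

# Name of the erratum that fixes pf6frag for a given release; empty if the
# release is not one of the two listed in the advisory.
pf6frag_errata() {
    case "$1" in
        6.4) echo 014_pf6frag ;;
        6.3) echo 030_pf6frag ;;
        *)   echo "" ;;
    esac
}

# Returns 0 when the pf.conf text explicitly disables reassembly.
# pf.conf(5) syntax is "set reassemble yes|no [no-df]"; the default is yes,
# so only an explicit "no" removes the vulnerable code path.
pf_reassemble_disabled() {
    printf '%s\n' "$1" \
      | grep -Eq '^[[:space:]]*set[[:space:]]+reassemble[[:space:]]+no([[:space:]]|$)'
}

# Prints one of: patched, mitigated, exposed, unknown-release
#   $1 = release string, $2 = syspatch -l output, $3 = pf.conf contents
pf6frag_status() {
    release="$1"; patches="$2"; pfconf="$3"
    errata=$(pf6frag_errata "$release")
    if [ -z "$errata" ]; then
        # 6.5 and later carry the fix in base; older releases are unsupported.
        echo unknown-release; return 0
    fi
    # syspatch -l prints installed patch names, one per line.
    if printf '%s\n' "$patches" | grep -qx "$errata"; then
        echo patched; return 0
    fi
    if pf_reassemble_disabled "$pfconf"; then
        echo mitigated; return 0
    fi
    echo exposed
}

# Constructed sample inputs (not data from a real host):
SAMPLE_PATCHES_64='001_xserver
013_unbound
014_pf6frag'
SAMPLE_PFCONF_DEFAULT='set skip on lo
pass'
SAMPLE_PFCONF_NOREASM='set reassemble no
pass'

# On a live OpenBSD host the call would be:
#   pf6frag_status "$(uname -r)" "$(syspatch -l)" "$(cat /etc/pf.conf)"
```

The three-way result is deliberate: "mitigated" means the vulnerable functions are not reached under the current configuration, but disabling reassembly also disables the fragment-aware filtering PF normally provides, so applying the erratum remains the proper fix.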

Technical details

Unknown

Credits

Corentin Bayet, Nicolas Collignon and Luca Moro

Reference(s)

OpenBSD 6.4 Errata
https://www.openbsd.org/errata64.html

014_pf6frag.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/014_pf6frag.patch.sig

OpenBSD 6.3 Errata
https://www.openbsd.org/errata63.html

030_pf6frag.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/030_pf6frag.patch.sig

CVE-2019-5597 IPv6 fragmentation vulnerability in OpenBSD Packet Filter
https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf

OpenBSD Errata: March 1st, 2019 (pf6frag)
https://marc.info/?l=openbsd-announce&m=155138220226298&w=2

CVE-2019-5597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597

CVE-2019-5597
https://nvd.nist.gov/vuln/detail/CVE-2019-5597

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.