Allele Security Alert
ASA-2019-00116
Identifier(s)
ASA-2019-00116, CVE-2019-5597
Title
IPv6 fragmentation vulnerability in OpenBSD Packet Filter
Vendor(s)
The OpenBSD Project
Product(s)
OpenBSD
Affected version(s)
OpenBSD 6.4 before errata 014
OpenBSD 6.3 before errata 030
Fixed version(s)
OpenBSD 6.4 errata 014
OpenBSD 6.3 errata 030
Proof of concept
Yes
Description
Unless IPv6 reassembly is explicitly disabled, Packet Filter reassembles IPv6 fragments so that it can filter them according to its configuration. The packets are then re-fragmented to comply with the end-to-end nature of IPv6 fragmentation. When handling malicious fragmented IPv6 packets, the functions pf_reassemble6() and pf_refragment6() may use an improper offset when applying a transformation to the packets. This behavior can have the following impacts:
- A kernel panic can happen, effectively stopping the system;
- An unexpected modification of the packets before and after the application of the filtering rules can occur. This may be leveraged to bypass the rules under some circumstances.
Note that with a GENERIC kernel, the panic drops to the debugger and the system does not reboot without manual intervention.
Technical details
Unknown
Credits
Corentin Bayet, Nicolas Collignon and Luca Moro
Reference(s)
OpenBSD 6.4 Errata
https://www.openbsd.org/errata64.html
014_pf6frag.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/014_pf6frag.patch.sig
OpenBSD 6.3 Errata
https://www.openbsd.org/errata63.html
030_pf6frag.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/030_pf6frag.patch.sig
CVE-2019-5597 IPv6 fragmentation vulnerability in OpenBSD Packet Filter
https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf
OpenBSD Errata: March 1st, 2019 (pf6frag)
https://marc.info/?l=openbsd-announce&m=155138220226298&w=2
CVE-2019-5597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597
CVE-2019-5597
https://nvd.nist.gov/vuln/detail/CVE-2019-5597
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: March 1, 2019