ASA-2019-00159 – OpenBSD: States in pf (packet filter) let ICMP and ICMP6 packets pass

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00159

Identifier(s)

ASA-2019-00159

Title

States in pf (packet filter) let ICMP and ICMP6 packets pass

Vendor(s)

The OpenBSD Project

Product(s)

OpenBSD

Affected version(s)

OpenBSD 6.4 before errata 015
OpenBSD 6.3 before errata 031

Fixed version(s)

OpenBSD 6.4 errata 015
OpenBSD 6.3 errata 031

Proof of concept

Unknown

Description

States in pf (packet filter) let ICMP and ICMP6 packets pass if they have a packet in their payload that matches an exiting connection. It was not checked whether the outer ICMP packet has the same destination IP as the source IP of the inner protocol packet.

Technical details

Unknown

Credits

Nicolas Collignon (Synacktiv.com), Corentin Bayet (Synacktiv.com), Eloi Vanderbeken (Synacktiv.com) and Luca Moro (Synacktiv.com)

Reference(s)

OpenBSD 6.4 Errata
https://www.openbsd.org/errata64.html

OpenBSD 6.3 Errata
https://www.openbsd.org/errata63.html

015_pficmp.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/015_pficmp.patch.sig

031_pficmp.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/031_pficmp.patch.sig

States in pf(4) let ICMP and ICMP6 packets pass
https://github.com/openbsd/src/commit/0db42a1fafb49002468d07e09f9adeadc062a255#diff-9517dfce4e8db974781a4536fd38cfc1

ICMP-REACHABLE
https://www.synacktiv.com/posts/systems/icmp-reachable.html

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 28, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.