Allele Security Alert
ASA-2019-00159
Identifier(s)
ASA-2019-00159
Title
States in pf (packet filter) let ICMP and ICMP6 packets pass
Vendor(s)
The OpenBSD Project
Product(s)
OpenBSD
Affected version(s)
OpenBSD 6.4 before errata 015
OpenBSD 6.3 before errata 031
Fixed version(s)
OpenBSD 6.4 errata 015
OpenBSD 6.3 errata 031
Proof of concept
Unknown
Description
States in pf (packet filter) let ICMP and ICMP6 packets pass if they have a packet in their payload that matches an exiting connection. It was not checked whether the outer ICMP packet has the same destination IP as the source IP of the inner protocol packet.
Technical details
Unknown
Credits
Nicolas Collignon (Synacktiv.com), Corentin Bayet (Synacktiv.com), Eloi Vanderbeken (Synacktiv.com) and Luca Moro (Synacktiv.com)
Reference(s)
OpenBSD 6.4 Errata
https://www.openbsd.org/errata64.html
OpenBSD 6.3 Errata
https://www.openbsd.org/errata63.html
015_pficmp.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/015_pficmp.patch.sig
031_pficmp.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/031_pficmp.patch.sig
States in pf(4) let ICMP and ICMP6 packets pass
https://github.com/openbsd/src/commit/0db42a1fafb49002468d07e09f9adeadc062a255#diff-9517dfce4e8db974781a4536fd38cfc1
ICMP-REACHABLE
https://www.synacktiv.com/posts/systems/icmp-reachable.html
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 28, 2019