FreeBSD-SA-23:06.ipv6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:06.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote denial of service in IPv6 fragment reassembly

Category:       core
Module:         ipv6
Announced:      2023-08-01
Credits:        Zweig of Kunlun Lab
Affects:        All supported versions of FreeBSD
Corrected:      2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
                2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-3107

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 packets may be fragmented in order to accommodate the maximum
transmission unit (MTU) of the network path between the source and
destination hosts.  The FreeBSD kernel keeps track of received packet
fragments and will reassemble the original packet once all fragments have
been received, at which point the packet is processed normally.

II.  Problem Description

Each fragment of an IPv6 packet contains a fragment header which specifies
the offset of the fragment relative to the original packet, and each
fragment specifies its length in the IPv6 header.  When reassembling the
packet, the kernel calculates the complete IPv6 payload length.  The payload
length must fit into a 16-bit field in the IPv6 header.

Due to a bug in the kernel, a set of carefully crafted packets can trigger
an integer overflow in the calculation of the reassembled packet's payload
length field.

III. Impact

Once an IPv6 packet has been reassembled, the kernel continues processing
its contents.  It does so assuming that the fragmentation layer has
validated all fields of the constructed IPv6 header.  This bug violates such
assumptions and can be exploited to trigger a remote kernel panic, resulting
in a denial of service.

IV.  Workaround

Users with IPv6 disabled on untrusted network interfaces are not ..
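
The overflow described in the Problem Description, as an added example (a simplified model written for this page, not FreeBSD kernel code or the project's patch): a payload length kept in 16 bits wraps around, while the checked version widens the arithmetic and drops the packet. The names struct frag, plen_unchecked and plen_checked and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_MAXPACKET 65535u /* largest value the 16-bit payload length can hold */

/* Constructed model of a queued fragment: byte offset and data length. */
struct frag {
    uint32_t off;
    uint32_t len;
};

/* Flawed model: the end of the data is kept in 16 bits and silently wraps. */
static uint16_t plen_unchecked(uint16_t unfrag_len, const struct frag *f, size_t n)
{
    uint16_t end = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t e = (uint16_t)(f[i].off + f[i].len); /* truncation happens here */
        if (e > end)
            end = e;
    }
    return (uint16_t)(unfrag_len + end);
}

/* Checked model: widen first, drop anything that cannot fit; 0 = ok, -1 = drop. */
static int plen_checked(uint32_t unfrag_len, const struct frag *f, size_t n, uint16_t *out)
{
    uint32_t end = 0;
    if (unfrag_len > IPV6_MAXPACKET)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (f[i].off > IPV6_MAXPACKET || f[i].len > IPV6_MAXPACKET)
            return -1;
        uint32_t e = f[i].off + f[i].len; /* at most 131070, no wrap in 32 bits */
        if (e > end)
            end = e;
    }
    if (unfrag_len + end > IPV6_MAXPACKET)
        return -1;
    *out = (uint16_t)(unfrag_len + end);
    return 0;
}

int main(void)
{
    const struct frag set[] = { { 0, 64 }, { 65528, 1000 } }; /* constructed values */
    uint16_t plen = 0;
    printf("unchecked=%u checked=%d\n", (unsigned)plen_unchecked(0, set, 2),
           plen_checked(0, set, 2, &plen));
    return 0;
}
```

The unchecked result is a small, plausible-looking length that no longer matches the data actually queued, which is the kind of broken header invariant the Impact section refers to.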
