===================================================================== CERT-Renater Note d'Information No. 2006/VULN036 _____________________________________________________________________ DATE : 26/01/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : FreeBSD 5.3, FreeBSD 5.4, and FreeBSD 6.0 running pf. ====================================================================== ============================================================================= FreeBSD-SA-06:07.pf Security Advisory The FreeBSD Project Topic: IP fragment handling panic in pf(4) Category: contrib Module: sys_contrib Announced: 2006-01-25 Credits: Jakob Schlyter, Daniel Hartmeier Affects: FreeBSD 5.3, FreeBSD 5.4, and FreeBSD 6.0 Corrected: 2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE) 2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4) 2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE) 2006-01-25 10:02:07 UTC (RELENG_5_4, 5.4-RELEASE-p10) 2006-01-25 10:02:27 UTC (RELENG_5_3, 5.3-RELEASE-p25) CVE Name: CVE-2006-0381 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. II. Problem Description A logic bug in pf's IP fragment cache may result in a packet fragment being inserted twice, violating a kernel invariant. III. Impact By sending carefully crafted sequence of IP packet fragments, a remote attacker can cause a system running pf with a ruleset containing a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash. IV. Workaround Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules on systems running pf. In most cases, such rules can be replaced by 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for more details. Systems which do not use pf, or use pf but do not use the aforementioned rules, are not affected by this issue. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, or RELENG_5_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.3, 5.4, and 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:07/pf.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:07/pf.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/sys/contrib/pf/net/pf_norm.c 1.10.2.2 RELENG_5_4 src/UPDATING 1.342.2.24.2.19 src/sys/conf/newvers.sh 1.62.2.18.2.15 src/sys/contrib/pf/net/pf_norm.c 1.10.6.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.28 src/sys/conf/newvers.sh 1.62.2.15.2.30 src/sys/contrib/pf/net/pf_norm.c 1.10.4.1 RELENG_6 src/sys/contrib/pf/net/pf_norm.c 1.11.2.3 RELENG_6_0 src/UPDATING 1.416.2.3.2.9 src/sys/conf/newvers.sh 1.69.2.8.2.5 src/sys/contrib/pf/net/pf_norm.c 1.11.2.1.2.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0381 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:07.pf.asc ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================