FreeBSD pf IP fragment handling denial of service
bsd-pf-fragment-dos (24337)
Description:
FreeBSD is vulnerable to a denial of service attack caused by improper handling of IP fragments by pf, an IP packet filter. Under certain circumstances, a logic error in the IP fragment cache allows a packet fragment to be entered twice. A remote attacker could exploit this vulnerability using specially crafted IP packets to cause the system to crash.
Note: This vulnerability is exploitable on systems that are using a 'scrub fragment crop' or 'scrub fragment drop-ovl' pf rule.
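To check whether a ruleset meets the condition in the note above, the following added example (not part of the advisory) lists scrub rules that use 'fragment crop' or 'fragment drop-ovl'. The function names and the sample ruleset are constructed for illustration; the check reads rule text only and does not expand macros or follow includes.

```sh
#!/bin/sh
# Added example: flag pf.conf scrub rules that use the fragment-cache modes
# named in the advisory note ('fragment crop' and 'fragment drop-ovl').

# Reads pf.conf text on stdin and prints "<line>: <rule>" for each match.
# Exit status: 0 if at least one such rule was found, 1 if none.
find_exposed_scrub_rules() {
    awk '
    {
        sub(/[ \t]*#.*$/, "")                  # strip comments (quoted "#" not handled)
        if (buf == "") start = NR              # remember where a rule begins
        if (sub(/\\[ \t]*$/, "")) {            # backslash continuation: keep collecting
            buf = buf $0 " "
            next
        }
        rule = buf $0
        buf = ""
        gsub(/[ \t]+/, " ", rule)              # normalise whitespace
        sub(/^ /, "", rule)
        sub(/ $/, "", rule)
        if (rule ~ /^scrub / && rule ~ / fragment (crop|drop-ovl)( |$)/) {
            print start ": " rule
            found = 1
        }
    }
    END { exit(found ? 0 : 1) }
    '
}

# Constructed sample ruleset (not taken from any real system).
sample_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
# scrub in all fragment crop   (commented out, must not match)
scrub in on $ext_if all fragment reassemble
scrub in on $ext_if proto udp all \
      fragment drop-ovl
scrub out all fragment crop   # trailing comment
pass in all
EOF
}

# Demo run on the sample; on a real host: find_exposed_scrub_rules < /etc/pf.conf
sample_pf_conf | find_exposed_scrub_rules || echo "no fragment crop/drop-ovl scrub rules"
```

A match means the ruleset uses one of the two scrub modes named in the note; whether the host is actually affected also depends on running one of the listed FreeBSD versions without the fix from FreeBSD-SA-06:07.pf.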
Platforms Affected:
- FreeBSD, FreeBSD 5.3
- FreeBSD, FreeBSD 5.4
- FreeBSD, FreeBSD 6.0
Remedy:
Refer to FreeBSD Security Advisory FreeBSD-SA-06:07.pf for patch or upgrade information. See References.
Consequences:
Denial of Service
References:
- FreeBSD Security Advisory FreeBSD-SA-06:07.pf, IP fragment handling panic in pf(4) at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:07.pf.asc.
- BID-16375: OpenBSD PF IP Fragment Remote Denial Of Service Vulnerability
- CVE-2006-0381: A logic error in the IP fragment cache functionality in pf in FreeBSD 5.3, 5.4, and 6.0, and OpenBSD, when a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule is being used, allows remote attackers to cause a denial of service (crash) via crafted packets that cause a packet fragment to be inserted twice.
- OSVDB ID: 22732: Multiple BSD pf Crafted IP Fragment Ruleset DoS
- SA18609: FreeBSD "pf" IP Fragment Denial of Service Vulnerability
- SECTRACK ID: 1015542: FreeBSD pf(4) Scrub Rule Error Lets Remote Users Deny Service
Reported:
Jan 25, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
