FreeBSD Vulnerabilities: PF Bypass and Wi-Fi Issue
A vulnerability (CVE-2023-4809) has been identified in FreeBSD's PF packet filter that allows rules blocking IPv6 traffic to be bypassed by manipulating fragmented IPv6 packets. The issue arises when PF filters IPv6 traffic with the "scrub fragment reassemble" option enabled. By sending specially crafted, malformed IPv6 packets that carry several extension headers with fragmentation data, contrary to the specification, an attacker can bypass PF rules.
The vulnerability is caused by an error in the handling of atomic fragments. In the atomic case, where a fragmented transmission consists of a single fragment, IPv6 packets with multiple Fragment extension headers were not discarded as malformed. Instead, they were processed as separate fragments, so the rules intended to apply to the reassembled packet were never applied.
The vulnerability has been fixed in the FreeBSD 13.2-RELEASE-p3 and 12.4-RELEASE-p5 updates. The original PF implementation in OpenBSD is not affected, because the check rejecting IPv6 packets with more than one fragmentation-specific header was added to the PF code in 2013. Unfortunately, the pf_walk_header6 function containing this check was never ported to FreeBSD.
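The check described above, as an added illustration rather than FreeBSD's or OpenBSD's own PF code: a walk over the IPv6 extension header chain that counts Fragment headers, so a reassembling filter can drop any packet carrying more than one. The header numbers are the standard IANA values; the packet-building helper and its sample packets are constructed for the example.

```c
/* Walk the IPv6 extension header chain and count Fragment headers (example code). */
#include <stddef.h>
#include <stdint.h>
enum { IPV6_HDRLEN = 40, NH_HOPOPTS = 0, NH_ROUTING = 43,
       NH_FRAGMENT = 44, NH_DSTOPTS = 60, NH_ICMPV6 = 58 };
/* Returns the number of Fragment headers in the chain, or -1 if the packet is
 * truncated or not IPv6. Values above 1 violate RFC 8200 and must be dropped. */
int ipv6_count_fragment_headers(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];                 /* Next Header of the fixed header */
    size_t off = IPV6_HDRLEN; int frags = 0;
    for (;;) {
        size_t hlen;
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* Hdr Ext Len, 8-octet units */
            break;
        case NH_FRAGMENT:
            hlen = 8;                                /* fixed-size header */
            frags++;
            break;
        default:
            return frags;                            /* upper-layer header reached */
        }
        if (off + hlen > len) return -1;
        nh = pkt[off];                               /* first octet is Next Header */
        off += hlen;
    }
}
/* Constructed test packet: IPv6 header, nfrag atomic Fragment headers (offset 0,
 * M=0), then an ICMPv6 stub. Returns the check result for that packet. */
int check_constructed_packet(int nfrag)
{
    uint8_t pkt[128] = {0};
    size_t off = IPV6_HDRLEN;
    pkt[0] = 0x60;                              /* version 6 */
    pkt[6] = nfrag ? NH_FRAGMENT : NH_ICMPV6;
    for (int i = 0; i < nfrag; i++, off += 8)
        pkt[off] = (i + 1 < nfrag) ? NH_FRAGMENT : NH_ICMPV6;  /* chain headers */
    pkt[off] = 128;                             /* ICMPv6 Echo Request type */
    off += 8;
    pkt[4] = (uint8_t)((off - IPV6_HDRLEN) >> 8);   /* Payload Length */
    pkt[5] = (uint8_t)(off - IPV6_HDRLEN);
    return ipv6_count_fragment_headers(pkt, off);
}
```

A packet with a single atomic Fragment header returns 1 and may be reassembled normally; the two-header case the article describes returns 2 and should be discarded instead of being treated as separate fragments.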
Another fix has been made in FreeBSD's wireless stack for the vulnerability known as "MacStealer" (CVE-2022-47522). It affects the mechanism that queues frames for buffering before they are delivered to recipients, together with shortcomings in handling the security context of the queued frames. It allows an attacker to intercept other users' traffic by bypassing client isolation at the MAC level, even when clients are prohibited from communicating with each other.