FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- ICMP/ICMP6 packet filter bypass in pf

Affected packages
12.0 <= FreeBSD-kernel < 12.0_4
11.2 <= FreeBSD-kernel < 11.2_10

Details

VuXML ID 59c5f255-b309-11e9-a87f-a4badb2f4699
Discovery 2019-05-14
Entry 2019-07-30

Problem Description:

States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload matching an existing condition. pf(4) does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet.

Impact:

A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules and be passed to a host that would otherwise be unavailable.

References

CVE Name CVE-2019-5598
FreeBSD Advisory SA-19:06.pf