CVE-2023-3107
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| FreeBSD | FreeBSD | 13.2-RELEASE < 13.2-RELEASE-p2 | affected |
| FreeBSD | FreeBSD | 13.1-RELEASE < 13.1-RELEASE-p9 | affected |
| FreeBSD | FreeBSD | 12.4-RELEASE < 12.4-RELEASE-p4 | affected |
Weaknesses
- CWE-190: CWE-190 Integer Overflow or Wraparound
Workarounds
Users with IPv6 disabled on untrusted network interfaces are not affected. Such interfaces will have the IFDISABLED nd6 flag set in ifconfig(8).
The kernel may be configured to drop all IPv6 fragments by setting the net.inet6.ip6.maxfrags sysctl to 0. Doing so will prevent the bug from being triggered, with the caveat that legitimate IPv6 fragments will be dropped.
If the pf(4) firewall is enabled, and scrubbing and fragment reassembly is enabled on untrusted interfaces, the bug cannot be triggered. This is the default if pf(4) is enabled.
ADP Enrichment
CVE Program Container
Additional References
- https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc
- https://security.netapp.com/advisory/ntap-20230804-0001/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc
- https://security.netapp.com/advisory/ntap-20230804-0001/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.