CVE-2004-1799
Description
OpenBSD PF's default floating state behavior allows packets matching an existing state to bypass interface-specific rules, enabling remote attackers to spoof packets through unintended interfaces.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In OpenBSD's Packet Filter (PF) with stateful filtering enabled, states are by default "floating," meaning they are not bound to the interface on which they were created [1]. This allows packets that match an existing state to be accepted on any interface, regardless of the PF rules on that interface. Affected versions include OpenBSD 3.3 and earlier, as discussed in the reference [1]. The issue was known and addressed by introducing if-bound, group-bound, and floating state options, but floating remained the default.
Exploitation
An attacker with network access can observe a legitimate state created on one interface (e.g., for IKE traffic) and then send spoofed packets with the same source/destination IPs and ports from a different interface. The firewall will match the existing state and allow the packet through, bypassing any rules on that second interface. No authentication or user interaction is required [1].
Impact
Successful exploitation allows an attacker to bypass packet filter rules on other interfaces, potentially gaining unauthorized network access, disclosing information, or launching further attacks. The attacker can circumvent firewall policies that rely on interface-specific filtering [1].
Mitigation
To mitigate, administrators should configure PF rules with keep state (if-bound) or keep state (group-bound) to bind states to specific interfaces [1]. This ensures that states are tied to the interface where the connection originated. Upgrading to a version where the default behavior is changed (if available) or applying patches is recommended. The reference indicates that the floating default was a design choice, but the vulnerability was known; later OpenBSD versions likely addressed this by making if-bound the default or providing clear guidance. Workaround: explicitly set state binding in PF rules.
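The binding described above, as an added pf.conf fragment that is not taken from the CVE record or its references: it shows the floating form of an IKE rule (commented out) beside the if-bound form. The interface names, the macros and the UDP port 500 rule are assumptions for illustration, and the `set state-policy` line applies only where the installed pf.conf(5) documents that option.

```conf
# Constructed example; adapt interface names and rules to the real ruleset.
ext_if = "fxp0"   # assumed external interface
int_if = "fxp1"   # assumed internal interface

# Ruleset-wide default: bind every new state to the interface that created it,
# so a rule that omits the per-rule option no longer creates a floating state.
set state-policy if-bound

# Default deny, logged, so packets that no longer match a state are visible.
block in log all

# Weak form: under the floating default, the state created here is matched
# on any interface, including $int_if.
# pass in on $ext_if inet proto udp from any to ($ext_if) port 500 keep state

# Corrected form: the state is valid only on $ext_if.
pass in  on $ext_if inet proto udp from any to ($ext_if) port 500 keep state (if-bound)
pass out on $ext_if inet proto udp from ($ext_if) to any port 500 keep state (if-bound)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it. After loading, `pfctl -ss` prints each state with the interface it is bound to, while floating states are listed under `all`.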
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 6
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.