pf incorrectly handles multiple IPv6 fragment headers

Vulnerability

In FreeBSD's pf packet filter, when a 'scrub fragment reassemble' rule is configured, a packet containing multiple IPv6 fragment headers would be reassembled and then immediately processed incorrectly. The pf code fails to recognize the packet's true payload, treating it as a fragmented packet instead of its actual content. This affects all supported versions of FreeBSD [1]. The bug has been present since 2013 when support for atomic fragments was added [2].

Exploitation

An attacker needs network access to send crafted IPv6 packets to a FreeBSD host or through a FreeBSD router running pf with 'scrub fragment reassemble' enabled. The attacker crafts a packet that appears as an IPv6 atomic fragment (with multiple fragment extension headers) [3]. After the packet is reassembled, it is processed against some firewall rules but then "corrected" and forwarded if no explicit deny rule is triggered [4]. No authentication or user interaction is required.

Impact

Successful exploitation allows IPv6 fragments to bypass firewall rules written on the assumption all fragments have been reassembled. The attacker's packet may be forwarded or processed by the host, potentially reaching internal network segments or services that should be protected [1]. This can lead to unauthorized information disclosure, bypass of access controls, or further network compromise.

Mitigation

FreeBSD has released patches for stable/13 (13.2-STABLE) and stable/12 (12.4-STABLE) on 2023-08-04, and for RELENG/13.2 (13.2-RELEASE-p3) and RELENG/12.4 (12.4-RELEASE-p5) on 2023-09-06 [1]. Users should update to the fixed versions immediately. OpenBSD pf is not affected by this bug [2]. There are no known workarounds; the only mitigation is applying the security update.