=============================================================================
pfSense-SA-14_05.tcp                                        Security Advisory
                                                                      pfSense

Topic:          TCP reassembly vulnerability

Category:       pfSense Base System
Module:         tcp
Announced:      2014-04-30
Credits:        FreeBSD, Jonathan Looney
Affects:        pfSense <= 2.1.2
Corrected:      2014-04-30 19:30:00 UTC (Base system)
CVE Name:       CVE-2014-3000
FreeBSD SA:     FreeBSD-SA-14:08.tcp

0.   Revision History

v1.0  2014-04-30  Initial release.
v1.1  2014-05-02  Added more information to Impact and Workaround sections

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls will quickly understand the web interface. Users unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

From the FreeBSD SA:

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service. When network packets making up a TCP stream (``TCP segments'') are
received out-of-sequence, they are maintained in a reassembly queue by the
destination system until they can be re-ordered and re-assembled.

II.  Problem Description

From the FreeBSD SA:

FreeBSD may add a reassemble queue entry on the stack into the segment list
when the reassembly queue reaches its limit. The memory from the stack is
undefined after the function returns. Subsequent iterations of the
reassembly function will attempt to access this entry.

III. Impact

From the FreeBSD SA:

An attacker who can send a series of specifically crafted packets with a
connection could cause a denial of service situation by causing the kernel
to crash.

Additionally, because the undefined on-stack memory may be overwritten by
other kernel threads, while extremely difficult, it may be possible for an
attacker to construct a carefully crafted attack to obtain a portion of
kernel memory via a connected socket. This may result in the disclosure of
sensitive information such as login credentials, etc. before or even
without crashing the system.

For this vulnerability to be exploited, an established TCP session to the
firewall host must exist. Only connections to a host are vulnerable;
Firewalls/Routers are not affected when only forwarding traffic. [1]

IV.  Workaround

It is possible to defend against these attacks by doing traffic
normalization. pfSense utilizes the scrub function in pf to perform such
normalization. This option is enabled by default but may be disabled by the
user.

If scrub has been disabled, it can be re-enabled in the web interface under
System > Advanced on the Firewall/NAT tab by removing the checkmark from the
"Disable Firewall Scrub" option and then pressing Save.

Scrub is occasionally disabled in situations where it causes problems with
certain types of VPN or VoIP traffic, so enabling scrub may have a negative
impact on traffic if it was previously disabled. If this situation applies,
perform a firmware upgrade instead so that scrub may be disabled safely.

Scrub aids in protecting the firewall itself and connections passed through
the firewall.

If scrub is disabled, exposure may still be limited by controlling access to
the firewall's TCP-based daemons such as the GUI, SSH, and add-on packages.
By default, such connections are not allowed from the WAN. If a potential
attacker cannot establish a TCP session to a listening service on the
firewall, the vulnerability cannot be exploited.

To summarize: A firewall is only vulnerable to this issue if the following
non-default conditions exist:

* The firewall has the scrub option disabled
* The firewall has TCP services exposed to an untrusted network

V.   Solution

Perform the following:

Upgrade to pfSense 2.1.3 upon its release. This can be performed in the web
interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The base OS was updated to FreeBSD 8.3-RELEASE-p16

VII. References

1: The latest revision of this advisory is available at
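The bounded reassembly queue described in sections I and II, as an added illustration that is not pfSense or FreeBSD code: a simplified model in which out-of-sequence segments are held until the gap before them is filled, and a segment that arrives while the queue is already at its limit is dropped for the peer to retransmit, rather than being tracked by storage that does not outlive the call. Segment sizes and the queue limit are constructed values; the model also handles overlapping and stale duplicate segments, which the advisory text does not walk through.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # sequence number of the segment's first byte
    data: bytes


@dataclass
class Reassembler:
    """Bounded TCP reassembly queue (simplified model, not FreeBSD's tcp_reass)."""
    rcv_nxt: int                    # next in-order sequence number expected
    max_queued: int = 4             # queue limit; constructed value for the demo
    queue: dict = field(default_factory=dict)   # start seq -> payload held out of order
    dropped: int = 0                # out-of-order segments refused at the limit

    def receive(self, seg: Segment) -> bytes:
        """Accept one segment and return the bytes now deliverable in order."""
        end = seg.seq + len(seg.data)
        if end <= self.rcv_nxt:
            return b""              # stale duplicate: nothing new
        if seg.seq > self.rcv_nxt:
            # A gap precedes this segment, so it must wait. At the limit the safe
            # choice is to drop it (the peer retransmits) instead of tracking it.
            if seg.seq not in self.queue and len(self.queue) >= self.max_queued:
                self.dropped += 1
            else:
                self.queue[seg.seq] = seg.data
            return b""
        # In sequence (possibly overlapping delivered bytes): trim and deliver.
        delivered = seg.data[self.rcv_nxt - seg.seq:]
        self.rcv_nxt = end
        # Drain queued segments that have become contiguous with rcv_nxt.
        while self.queue:
            seq = min(self.queue)
            if seq > self.rcv_nxt:
                break               # still a gap; remaining entries keep waiting
            data = self.queue.pop(seq)
            qend = seq + len(data)
            if qend > self.rcv_nxt:
                delivered += data[self.rcv_nxt - seq:]
                self.rcv_nxt = qend
        return delivered


if __name__ == "__main__":
    r = Reassembler(rcv_nxt=100, max_queued=2)
    for s in (Segment(110, b"abcde"), Segment(115, b"fghij"), Segment(120, b"klmno")):
        r.receive(s)                # third segment is dropped: queue is full
    print(r.receive(Segment(100, b"0123456789")), r.dropped)  # b'0123456789abcdefghij' 1
```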