=============================================================================
pfSense-SA-16_04.filterlog                                  Security Advisory
                                                                      pfSense

Topic:          Denial of Service in filterlog due to malformed SCPS options
                in a packet.

Category:       pfSense Base System
Module:         filterlog
Announced:      2016-05-16
Credits:        Patrik Lundquist
Affects:        pfSense >= 2.2 and < 2.3.1
Corrected:      2016-05-05 20:24:45 UTC (Base system)

0.   Revision History

v1.0  2016-05-16  Initial release.

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

A deliberately malformed TCP SYN packet with option 20 (0x14) can cause the
filterlog daemon to crash with a segmentation fault, which causes all
logging of packets from firewall rules to cease.

Option 20 is SCPS-TP, a space communications version of TCP, and is not an
option typically found on the Internet in general. The SCPS Capabilities
Option should be sent in a TCP SYN packet, contain four fields of one byte
each, and begin with 0x14 0x04 (Kind=20, Length=4).

A malformed packet that causes a segmentation fault in filterlog omits the
two mandatory fields "Capabilities Option Bit-Vector" and "Connection ID"
and changes the option length to 0x02, which breaks the SCPS-TP standard but
follows the TCP Options standard in general. The packet passes TCP option
parsers that don't specifically care about SCPS-TP.

The packet processing code in filterlog, which comes directly from tcpdump,
incorrectly defines TCPOPT_AUTH as the wrong option number. The switch case
for TCPOPT_AUTH in filterlog incorrectly subtracts from the option length,
resulting in a segmentation fault when the next option is read.

A packet with an SCPS Capabilities option adhering to the standard will be 4
bytes long and will not trigger this bug. A shortened SCPS option must be
crafted deliberately.

III. Impact

An affected version of filterlog which receives this malformed packet will
crash, which stops further logging, potentially denying access to
information about a later attack.

IV.  Workaround

Upgrade to pfSense 2.3.1 or later, which includes a fix for this issue.

V.   Solution

Upgrade to pfSense 2.3.1. This may be performed in the web interface or from
the console. See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
freebsd-ports/master                 cc00fec1986ba90e541097ff4bc1589bb211d093
freebsd-ports/RELENG_2_3             47440396e4a056808fe1f3a0b714a14a41866d48
- -------------------------------------------------------------------------

The related issue in tcpdump code was also reported to the tcpdump group.

VII. References

The latest revision of this advisory is available at
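Added example, not code from the advisory, filterlog or tcpdump: a bounds-checked TCP option walker in C showing the handling that avoids the failure mode described in section II. It advances the cursor only by each option's declared length after checking that length against the remaining buffer, so a 2-byte SCPS option (Kind=20, Length=2) is skipped like any unknown option rather than moving the next read out of bounds. The option byte sequences are constructed for this example, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>

#define TCPOPT_EOL   0
#define TCPOPT_NOP   1
#define TCPOPT_SCPS  20   /* SCPS Capabilities option, Kind=20 (0x14) */
#define SCPS_CAP_LEN 4    /* Kind, Length, Capabilities Bit-Vector, Connection ID */

struct scps_caps {
    int     present;  /* 1 if a well-formed SCPS Capabilities option was seen */
    uint8_t bitvec;   /* Capabilities Option Bit-Vector */
    uint8_t connid;   /* Connection ID */
};

/* Walk the TCP option area of a segment. Returns the number of options
 * consumed, or -1 if an option is truncated or declares a length that
 * would run past the buffer. The cursor only ever moves forward by the
 * option's own validated length (>= 2), never by a hard-coded or
 * adjusted size, so a shortened option cannot push the next read
 * outside the buffer. */
int parse_tcp_options(const uint8_t *opts, size_t len, struct scps_caps *out)
{
    size_t i = 0;
    int count = 0;
    out->present = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) { i++; count++; continue; }
        if (i + 1 >= len)
            return -1;                     /* no room for the length byte */
        uint8_t optlen = opts[i + 1];
        if (optlen < 2 || i + optlen > len)
            return -1;                     /* length cannot be trusted */
        if (kind == TCPOPT_SCPS && optlen == SCPS_CAP_LEN) {
            out->present = 1;
            out->bitvec = opts[i + 2];
            out->connid = opts[i + 3];
        }
        /* Anything else, including a 2-byte SCPS option that omits its
         * mandatory fields, is skipped by its declared length. */
        i += optlen;
        count++;
    }
    return count;
}

/* Constructed sample option areas (not real captures): MSS then a
 * well-formed SCPS option; a shortened SCPS option then MSS; an option
 * whose declared length overruns the buffer. */
const uint8_t good_opts[]    = { 0x02,0x04,0x05,0xb4, 0x14,0x04,0x00,0x01, 0x00 };
const uint8_t short_opts[]   = { 0x14,0x02, 0x02,0x04,0x05,0xb4, 0x00 };
const uint8_t overrun_opts[] = { 0x02,0x08,0x05 };
```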