-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23_07.kernel Security Advisory pfSense Topic: Denial of Service due to Kernel Panic from Oversize IPv6 Packets Category: pfSense Base System Module: kernel Announced: 2023-05-11 Affects: pfSense Plus software version 23.01 Corrected: 2023-03-17 15:58:51 UTC (pfSense Plus master, 23.05) 2023-03-17 15:49:02 UTC (pfSense CE master, 2.7.0) 0. Revision History v1.0 2023-05-11 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description An IPv6 packet larger than the MTU on an interface can lead to a kernel panic in pf. For example, by generating a large ICMP packet with "ping6 -s 65500 " sent from another host to device running pfSense software. This problem is present in pfSense Plus version 23.01. It does not affect any release of pfSense CE, only development snapshots. While this issue was due to an upstream problem in the FreeBSD 14.x kernel, which is still under development, it was not present in any released version of FreeBSD. Thus, this DoS will not have a FreeBSD security advisory. III. Impact A kernel panic causes a sudden reboot of the host, rendering it unavailable until it completes the reboot process, thus causing a denial of service for the interim period. On systems using UFS, it is also possible that a kernel panic may require manual intervention to repair the filesystem after a sudden reboot. IV. Workaround There is no viable workaround without blocking all IPv6 traffic. V. Solution Users can upgrade to pfSense Plus software version 23.05 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 21c5a17399f388f95d67147f6aeeef3c69df964d pfSense/master 6e85e771fb7bfd2241712c1acf2a2048b2a14614 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmRT150ACgkQE7mH/ZIU +NonJRAA3mYu05HdjlnKkJwAMIu1qRatGRAkdNdZH900cy5waSKyRfhkVRtAppWh Tts8XE3P3PMp9GPYr9+Um22AxfC3dosYDEuGuyavJz2ujUdIp4ORTp93NUsPbmvX gXMt1D6RTI90AR/IHnQ1jWeb0ZAVQHA8c3h9szaMmbBbyk5eJm82JDwmDjeKb9wN JyI86qu4BDkBFTHCSDkiGrijIvGAipLSdLew9YMHIuGzzPaF6inO68PDCXpDxZQz vmhcNNhA95K4wRHzNE+GOL46rCFArOoR6VyEl2zNVb5ZGVHW/CpoY6/wOqLEhEq6 FvgcIiDECIysOwY4YezGdf6pAQkLfERHtRplf8ExZoJsw6LYsZNShwmVub/s7HNB WfAcrvJPBqExskDGIrFgdB1UURQbBy9HSoL1xtJA/1oUsrUYPOGgY8YpyVabevsW 7pOnh/LQ54L6edpyC4jRSioj1KnHeJSthZrWxG6lCqJa2jlPEvKdf3J9XA9UQ5H5 0SVupm/ARzPw7yEHwedj94vY9iNAIpwKcYQyJzTkw24DC4bHVFtWdUJxQIzHw8Zw fxksg9+2vhfoUKNYCFg4egVEgmlWvu1NHvU7m9SVc/O9gL7PR7N2LvzoE1yqGUQv qk2tdVciVtjUGmpPlnzsMazjnYhDfJANOPlSMx38KGL6PSJ6gUc= =wHyx -----END PGP SIGNATURE-----