Bug #13918: ICMP timestamp requests are passed by states created from ICMP echo requests if they use the same ID - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #13918

open

ICMP timestamp requests are passed by states created from ICMP echo requests if they use the same ID

Added by Marcos M about 1 year ago. Updated about 1 year ago.

Status:

New

Priority:

Low

Assignee:

Reid Linnemann

Category:

Operating System

Target version:

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Default

Affected Version:

Affected Architecture:

Description

ICMP timestamp requests with the same identifier of a previously allowed ICMP echo request are also allowed. This is due to the ICMP timestamp request matching the ICMP echo request state that exists.

This issue seems to have existed for some time:
https://marc.info/?l=openbsd-tech&m=117487638116535
https://nvd.nist.gov/vuln/detail/CVE-1999-0524

Test:

Create a rule on the firewall allowing ICMP echo requests, then another blocking all ICMP:
pass in quick on $ADMIN inet proto icmp from any to any icmp-type echoreq ridentifier 1675111483 keep state label "USER_RULE" label "id:1675111483" block in quick on $ADMIN inet proto icmp from any to any ridentifier 1675111494 label "USER_RULE" label "id:1675111494"
Using nping, send an echo request with a specified ID, then send the timestamp request:
nping --icmp --icmp-id 19397 10.0.5.1
nping --icmp --icmp-type 13 --icmp-id 19397 10.0.5.1

Related issues

Related to Bug #13652: Inconsistent behavior filtering ICMP traffic

Closed

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Marcos M about 1 year ago

Related to Bug #13652: Inconsistent behavior filtering ICMP traffic added

Actions

Copy link

Updated by Jim Pingle about 1 year ago

Subject changed from ICMP timestamp requests are not dropped to ICMP timestamp requests are passed by states created from ICMP echo requests if they use the same ID
Priority changed from Normal to Low

This just seems to be part of how pf tracks state for ICMP currently. Given that ICMP is a "stateless" protocol it has no choice but to play a bit loose with what is or isn't a related packet.

Actions

Copy link

Updated by Reid Linnemann about 1 year ago

Assignee set to Reid Linnemann

pf's state table is keyed by a structure that is defined with TCP/UDP in mind and includes a source and destination port. At this time, the ports are overloaded to identify the icmpid, and the icmp type is not used in the key at all. I think the proper solution to this is to change the structure definition so that it has the common destination addresses, address family, and protocol as members and replace the tcp/udp ports with a union that has a specific meaning per protocol, and put both the icmpid and icmp_type into that union for icmp proto keys. There would be no binary incompatible change, but some attention may need to be made to pfctl's state listing.

Actions

Copy link

Updated by Serge Caron about 1 year ago

First, thanks to Marcos for providing a simple test.

I have the following FLOATING rules repeated for every interface on the firewall to handle the TimeStamp/Address Mask/Information requests/replies and allow other ICMP traffic:

pass quick on em1.66 inet proto icmp from <ISPRouterIPAdresses> to any icmp-type unreach keep state label "USER_RULE: Allow ICMP reports from router (Don't know which ..." ridentifier 1668177720
block drop quick on em1.66 inet from <UnsolicitedISPTrafic> to any label "USER_RULE: Discard unsollicited trafic from ISP router" ridentifier 1668177846
pass quick on em1.66 inet proto icmp all icmp-type echoreq keep state label "USER_RULE: Allow basic diagnostics" ridentifier 1668015336
pass log on em1.66 inet proto icmp all icmp-type echorep keep state label "USER_RULE: Allow basic diagnostics (deferred)" ridentifier 1668015427
match log on em1.66 inet proto icmp all icmp-type inforep label "USER_RULE: Log bad ICMP (trafic match only)" ridentifier 1669644959
match log on em1.66 inet proto icmp all icmp-type inforeq label "USER_RULE: Log bad ICMP (trafic match only)" ridentifier 1669644959
match log on em1.66 inet proto icmp all icmp-type maskrep label "USER_RULE: Log bad ICMP (trafic match only)" ridentifier 1669644959
match log on em1.66 inet proto icmp all icmp-type maskreq label "USER_RULE: Log bad ICMP (trafic match only)" ridentifier 1669644959
match log on em1.66 inet proto icmp all icmp-type timerep label "USER_RULE: Log bad ICMP (trafic match only)" ridentifier 1669644959
match log on em1.66 inet proto icmp all icmp-type timereq label "USER_RULE: Log bad ICMP (trafic match only)" ridentifier 1669644959
block drop log quick on em1.66 inet proto icmp all icmp-type inforeq label "USER_RULE: Discard any and all ICMP Timestamp, Address Mask..." ridentifier 1667827889
block drop log quick on em1.66 inet proto icmp all icmp-type maskreq label "USER_RULE: Discard any and all ICMP Timestamp, Address Mask..." ridentifier 1667827889
block drop log quick on em1.66 inet proto icmp all icmp-type timereq label "USER_RULE: Discard any and all ICMP Timestamp, Address Mask..." ridentifier 1667827889
block drop out log on em1.66 inet proto icmp all icmp-type inforep label "USER_RULE: Discard any and all ICMP Outgoing Timestamp, Addr..." ridentifier 1667764490
block drop out log on em1.66 inet proto icmp all icmp-type maskrep label "USER_RULE: Discard any and all ICMP Outgoing Timestamp, Addr..." ridentifier 1667764490
block drop out log on em1.66 inet proto icmp all icmp-type timerep label "USER_RULE: Discard any and all ICMP Outgoing Timestamp, Addr..." ridentifier 1667764490
pass log quick on em1.66 inet proto icmp all keep state label "USER_RULE: Accept any other ICMP trafic" ridentifier 1675147686

When TimeStamp requests are allowed regardless of the blocking rule, neither the match or the block rules are ever triggered for the TimeStamp reply.

It is as if the reply is not handled by pf, regardless of the interface used.

This may or may not be the same behavior. The above rules are created to avoid these request/replies crossing ANY subnet within the firewall: they obviously fail ;-)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #13918

ICMP timestamp requests are passed by states created from ICMP echo requests if they use the same ID

Updated by Marcos M about 1 year ago

Updated by Jim Pingle about 1 year ago

Updated by Reid Linnemann about 1 year ago

Updated by Serge Caron about 1 year ago