pfSense

(Copy of what I just sent to secteam@FreeBSD.org)

Netgate received a report that there’s an issue with pf’s sequence number validation, specifically for forged RST packets. That results in fairy easy denial of service attacks (given that the attacker only has to work out the IP addresses and ports involved, not the sequence number).

My initial tests seem to confirm that this is indeed the case.

The attached pdf describes a scenario with NAT, but the issue manifests without NAT as well (see attached test case).

My current understanding is that it may be in part due to this: https://cgit.freebsd.org/src/tree/sys/netpfil/pf/pf.c#n5335
It’s not quite clear to me what that if block tries to accomplish.

Another factor is the incorrect check in https://cgit.freebsd.org/src/tree/sys/netpfil/pf/pf.c#n5371

Specifically, (pd->flags & PFDESC_IP_REAS) == 0) is currently always true (at least on IPv4), and is not a relevant check. It appears to cause the preceding checks to incorrectly pass, leading to an incorrect acceptance of the packet, and thus the DoS.

That’s also one distinction between us and OpenBSD’s version of this code. That is likely the reason I couldn’t reproduce this on OpenBSD.

The attached patch should be the fix we need.

Updating subject. This is not specific to NAT.

Kristof pushed a fix for this to the Plus 23.09.1 and CE 2.7.2 branches.

The behavior seems to be correct on current snapshots. On snapshots before the fix it would fall into time_wait every time I ran the attack script against the connection. On snapshots after the fix it appears to properly ignore the spoofed packets.

This has been announced by FreeBSD as FreeBSD-SA-23:17.pf so the details are no longer private.