Netgate Discussion Forum

    CVE-2023-4809 in 2.7.0-RELEASE i.e FreeBSD 14.0 ?

    General pfSense Questions
    6 Posts 4 Posters 806 Views
    rainbowHash

      Hello pfSense team,

      I would like to ask a simple question: does anyone know if the current release, 2.7.0-RELEASE (FreeBSD 14.0), is affected by the vulnerability CVE-2023-4809? And if so, will disabling the IPv6 stack help or not? If it is affected, is there any workaround?

      i.e. here it only mentions 13.2-STABLE, 13.2-RELEASE-p3, 12.4-STABLE, and 12.4-RELEASE-p5, but I cannot find any information about 14.0?

      NollipfSense @rainbowHash

        @rainbowHash It seems that you should have posted in the General section...

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        rainbowHash

          OK, let me post the same question in the General section.

          rcoleman-netgate (Netgate) @rainbowHash

            @rainbowHash said in CVE-2023-4809 in 2.7.0-RELEASE i.e FreeBSD 14.0 ?:

            CVE-2023-4809

            Per: https://www.reddit.com/r/PFSENSE/comments/16dm4bn/cve20234809_freebsd_pf_bypass_when_using_ipv6/

            _arthur_ (kp@FreeBSD.org):
            Note that this bypass requires rules which allow IPv6 fragments through, which is not the default in pfSense.
            The vulnerability is essentially that any traffic can pretend to be IPv6 fragments.

            Ryan
            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
            Requesting firmware for your Netgate device? https://go.netgate.com
            Switching: Mikrotik, Netgear, Extreme
            Wireless: Aruba, Ubiquiti

            rainbowHash @rcoleman-netgate

              @rcoleman-netgate said in CVE-2023-4809 in 2.7.0-RELEASE i.e FreeBSD 14.0 ?:

              fragments

              Thank you @NollipfSense. Basically, from your response I would say 14.0 is affected, but not with the default configuration. Can you please mention where we can specifically deny IP fragments with IPv6, i.e.
              under
              System > Advanced, Firewall & NAT

              IP Do-Not-Fragment compatibility
              Firewall Maximum Fragment Entries
              IP Fragment Reassemble

              or maybe something under System > Tunables

              Under Firewall > Rules > Advanced Options I see

              Allow IP options

              Which one is related to the default configuration, and what should its value be, i.e. checked or unchecked?

              stephenw10 (Netgate Administrator)

                There is no specific rule to block it. All unsolicited traffic is blocked inbound by default.

                Traffic is scrubbed by default, which prevents fragments passing, but even if you disabled that, most rules would not pass fragmented traffic because they cannot match without the header info.
                See: https://man.freebsd.org/cgi/man.cgi?query=pf.conf#FRAGMENT_HANDLING

                There's no way to actively pass fragments from the GUI; there is no fragment option on user rules.

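The two conditions raised in this thread (kp's note that the bypass needs rules that let IPv6 fragments through, and stephenw10's point that the default scrub reassembles fragments and that user rules never carry a fragment option) can be checked from the shell. The script below is an added example, not code from the thread, from pfSense or from Netgate. It audits a ruleset dump for a `scrub ... fragment reassemble` line and for any `pass` rule that explicitly matches the pf `fragment` keyword. It assumes the text shape of `pfctl -sr` on pfSense (scrub lines listed together with the filter rules); the two sample rulesets are constructed for the demo, not captured from a real box, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or Netgate): audit a pf
# ruleset dump for (a) a scrub rule that reassembles fragments and
# (b) any pass rule that explicitly matches the "fragment" keyword.
# On a real pfSense box (assumption: scrub lines appear in `pfctl -sr`):
#   pfctl -sr | audit_fragment_rules

# audit_fragment_rules: reads ruleset text on stdin. Returns 0 when a
# "scrub ... fragment reassemble" line exists AND no pass rule matches
# fragments explicitly; otherwise prints the findings on stderr and returns 1.
audit_fragment_rules() {
    scrub_ok=0
    bad=0
    while IFS= read -r line; do
        # The label "..." is free text (pfSense puts rule descriptions there),
        # so strip it before looking for the fragment keyword.
        stripped=${line%%" label "*}
        case "$stripped" in
            scrub*" fragment reassemble"*)
                scrub_ok=1 ;;
            pass*" fragment "*|pass*" fragment")
                echo "pass rule explicitly matches fragments: $line" >&2
                bad=1 ;;
        esac
    done
    if [ "$scrub_ok" -eq 0 ]; then
        echo "no scrub rule with 'fragment reassemble' found" >&2
        bad=1
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample resembling a default pfSense ruleset: scrub with
# reassembly, default deny, one user rule whose label merely mentions fragments.
sample_default_ruleset() {
    printf '%s\n' \
        'scrub on em0 all fragment reassemble' \
        'block drop in log all label "Default deny rule IPv4"' \
        'block drop in log inet6 all label "Default deny rule IPv6"' \
        'pass in quick on em0 inet6 proto tcp from any to (self) port = 22 flags S/SA keep state label "USER_RULE: fragment test"'
}

# Constructed sample of a hand-edited ruleset: reassembly kept, but a pass
# rule written with the pf "fragment" keyword, which the GUI never emits.
sample_risky_ruleset() {
    printf '%s\n' \
        'scrub on em0 all fragment reassemble' \
        'pass in quick on em0 inet6 proto tcp from any to any port = 80 fragment keep state'
}

# Demo on the constructed samples.
for s in sample_default_ruleset sample_risky_ruleset; do
    if "$s" | audit_fragment_rules; then
        echo "$s: OK"
    else
        echo "$s: NEEDS REVIEW"
    fi
done
```

The label stripping matters: pfSense writes rule descriptions into `label "..."`, so a naive grep for the word `fragment` flags a rule that only talks about fragments in its description. The check only inspects the rule text before the label, where the real pf `fragment` keyword would appear.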
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.