FreeBSD9CBBC506-93C1-11EE-8E38-002590C1F29CFreeBSD -- TCP spoofing vulnerability in pf(4)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7 High
AI Score
Confidence
Low
0.0005 Low
EPSS
Percentile
17.1%
Problem Description:
As part of its stateful TCP connection tracking implementation,
pf performs sequence number validation on inbound packets. This
makes it difficult for a would-be attacker to spoof the sender and
inject packets into a TCP stream, since crafted packets must contain
sequence numbers which match the current connection state to avoid
being rejected by the firewall.
A bug in the implementation of sequence number validation means
that the sequence number is not in fact validated, allowing an
attacker who is able to impersonate the remote host and guess the
connection’s port numbers to inject packets into the TCP stream.
Impact:
An attacker can, with relatively little effort, inject packets
into a TCP stream destined to a host behind a pf firewall. This
could be used to implement a denial-of-service attack for hosts
behind the firewall, for example by sending TCP RST packets to the
host.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | freebsd-kernel | = 14.0 | UNKNOWN |
| FreeBSD | any | noarch | freebsd-kernel | < 14.0_2 | UNKNOWN |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7 High
AI Score
Confidence
Low
0.0005 Low
EPSS
Percentile
17.1%