-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2417
               Resource exhaustion in IP fragment reassembly
                              17 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         FreeBSD
Operating System:  FreeBSD
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2018-6923  

Original Bulletin: 
   https://security.freebsd.org/advisories/FreeBSD-SA-18:10.ip.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:10.ip                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in IP fragment reassembly

Category:       core
Module:         inet
Announced:      2018-08-14
Credits:        Juha-Matti Tilli <juha-matti.tilli@iki.fi> from
                Aalto University, Department of Communications and Networking
                and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:       CVE-2018-6923

Special note:   Due to source code differences in FreeBSD 10-stable a patch
                is not yet available for FreeBSD 10.4.  This will follow at
                a later date.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of
packets which are too big to traverse all the links between two end
stations. Any router along the path between two end hosts may fragment
packets which are larger than a link's maximum transmission unit
(MTU). FreeBSD's implementation of some IPv4 protocols (such as the
Transmission Control Protocol [TCP]) perform path MTU discovery to
avoid the need for fragmentation.

IP version 6 (IPv6) retains the concept of packet fragmentation. It
changed the fragmentation operation to require that the originating
end-system perform path MTU discovery and fragment packets which are
too large for any MTU along the path between two end systems.

While all hosts attached to the Internet are required to support
fragmentation and reassembly, many hosts will encounter very few
legitimate fragmented packets due to the operation of path MTU discovery.

II.  Problem Description

A researcher has notified us of a DoS attack applicable to another
operating system. While FreeBSD may not be vulnerable to that exact
attack, we have identified several places where inadequate DoS protection
could allow an attacker to consume system resources.

It is not necessary that the attacker be able to establish two-way
communication to carry out these attacks. These attacks impact both
IPv4 and IPv6 fragment reassembly.

III. Impact

In the worst case, an attacker could send a stream of crafted
fragments with a low packet rate which would consume a substantial
amount of CPU.

Other attack vectors allow an attacker to send a stream of crafted
fragments which could consume a large amount of CPU or all available
mbuf clusters on the system.

These attacks could temporarily render a system unreachable through
network interfaces or temporarily render a system unresponsive. The
effects of the attack should clear within 60 seconds after the attack stops.

IV.  Workaround

Disable fragment reassembly, using these commands:
 % sysctl net.inet.ip.maxfragpackets=0
 % sysctl net.inet6.ip6.maxfrags=0

On systems compiled with VIMAGE, these sysctls will need to be
executed for each VNET.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release or
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
# gpg --verify ip.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
stable/11/                                                        r337804
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
- - -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://www.kb.cert.org/vuls/id/641765>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6923>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:10.ip.asc>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.2.9 (FreeBSD)

iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztekACgkQ05eS9J6n
5cJekQ/+PAOPGiPwpafBGuxwZVOaB3JloxJATPzg8z7PE7lvvo6I4pdwP0wq7ruJ
vRejKXJPDPkDcNziyhB+QdhTXt3O1OAvow9n89nNKiLYX44+C2igTSbHGVe7lIFN
NHvzGSJsdaPnm9qdvD3R7ZWT4vkNvoDiDiNChBSw829ZyGgLe1wNOOqQvsqVlwQt
1p0ikLHv30wbSX5KlSkLUSYA66pwcEd8eZFM43pwOZw9eIhcggAhufjTWdgnIBZA
ZYiMqUi/7ZydO2YW55cVa290tP8JGf6PynmYwBJWTGInz2RlM18TyBcWILewgXic
PM7jJ75thqd26BcPCh44toZWT8A7EYYiZ6iieLfAaQD7R6zqkeVwT39kV50YYRmW
tA3jmTKhJ1B0AXQbkh3QZw8cfgIOMYzcbjy4MCcBS3XbehRuT58Jvc8nFFsrypuE
FF4O3GtqFBKJUrcCJZF0VR0CvU7GUxTeYmS/9dNfQMJlEouFdPatn2jJwTfkiu0O
I1NlDHA6jriZxepaSa+zxqF86pxNvTI5gRouWwMdevtEPVZGBF8A+DDA5fk1wcdS
dEV4jcxcg1LH+EPBItYTh7seYYPodFdSyu5X/hLGBo/4XyA4Mb3xIjct74nKr0qx
bPR3y53fV9+4JWazgO0bIlMG8XVH4go8Rh9n0IKdqv8xwdLVo3w=
=ddfE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW3ZlS2aOgq3Tt24GAQiolRAAsODEK9lCF3EkbFmp0N+oJT3xv/z+knJq
wU9poL5kLlUCQVQVB+R4tIj3i3ozt79sqo47shNfuVtkfZbPF3v3l8fZf6sOYMmY
h/H73LE5eQDAaJpbmF3PISQPlFUzIsw71VpR+a/c/ssdDuefbLhxYCwKn+e+aocn
iSkNsXrO3wnIoA/Q/QVOcUf6JhmeMYUNb7u8gkZXVBqyVe/MIV/PfuYtRBUpzxPK
uz5d9jA/DAfeWaCBwdr2FqGbfoEUexdycEN3t779M0r9uVt0iI4e5FVsJb7kQsYp
w817BscSCKyXRnoujE4V0U6CngILvveDfgMTHffRyUz500y0OPm9scMpj6C4IWUS
F5BiQsw5JaT7K8DOUxV5VrpyGfvsd1iWaCWXuFEpHVh5b81sJdctc3Af2/3d3her
SWKeSfOdWNZNcYPBZ9tmx5ScGgDi80KSXkv7DHJGeWGXAuPvX3/x3XA0ir5p//ce
CrGWNq4S1EcTzimdo2eYm9AhQW8pnv5SrcZsRG7AK9HyFbGyumRJHfj4eJ9rXUQd
tipm7utOp/a7NlXvP0m5ZUWxFY7HTEcRO3a/wRNxCcT21hGRm0nPyA750ngFJ0LA
9M8dY+3x6KIFfrNaUpuhPYl9xx1UiaEHwUJjiTvhYFAU3uhTzn3x7KBYvBlLdcjY
/Ubv0ydmKko=
=9ofH
-----END PGP SIGNATURE-----