CVE-2023-4809

7.5 HIGH

📋 TL;DR

This vulnerability lets IPv6 packets that carry multiple fragment headers bypass pf firewall rules: pf reassembles and processes such packets incorrectly, so traffic the rule set should block can get through. Systems that run pf packet filtering with IPv6 fragment reassembly enabled are affected, potentially allowing unauthorized network traffic.

💻 Affected Systems

Products:
  • pf (packet filter)
  • FreeBSD
  • NetApp products using affected pf versions
Versions: FreeBSD versions before the fix; specific pf implementations with IPv6 fragment reassembly
Operating Systems: FreeBSD, Other systems using pf packet filtering
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using 'scrub fragment reassemble' rules with IPv6 traffic. Systems without IPv6 or without fragment reassembly rules are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass firewall rules entirely, allowing malicious traffic to reach protected systems, potentially leading to network intrusion or data exfiltration.

🟠 Likely Case

IPv6 fragments bypass firewall filtering rules, allowing unauthorized network communication that should have been blocked.

🟢 If Mitigated

With proper network segmentation and additional security controls, the impact is limited to a potential firewall rule bypass within the affected segment.

🌐 Internet-Facing: HIGH - Internet-facing systems with pf firewall and IPv6 enabled could allow malicious traffic to bypass firewall protections.
🏢 Internal Only: MEDIUM - Internal systems could be vulnerable to lateral movement if attackers gain initial access to the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted IPv6 packets with multiple fragment headers to bypass firewall rules.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FreeBSD security advisory FreeBSD-SA-23:10.pf provides fixes

Vendor Advisory: https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc

Restart Required: Yes

Instructions:

1. Apply the FreeBSD security patch from the advisory.
2. Update the pf configuration if needed.
3. Restart affected services or reboot the system.

🔧 Temporary Workarounds

Disable IPv6 fragment reassembly

all

Remove or disable 'scrub fragment reassemble' rules for IPv6 traffic

Edit pf.conf to remove or comment out 'scrub fragment reassemble' rules for IPv6

Disable IPv6 entirely

all

If IPv6 is not required, disable it completely. Note that the sysctl below only stops the host from forwarding IPv6 packets; to stop it from accepting IPv6 traffic as well, also disable IPv6 on the network interfaces.

sysctl net.inet6.ip6.forwarding=0
Disable IPv6 on the network interfaces

🧯 If You Can't Patch

  • Implement network segmentation to limit potential impact
  • Use additional firewall layers or intrusion detection systems to monitor for bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check pf.conf for 'scrub fragment reassemble' rules that apply to IPv6 traffic, and verify whether IPv6 is enabled on the system.
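An added audit script, written for this page and not taken from the FreeBSD advisory or from pf itself, that covers both the workaround above (editing the 'scrub fragment reassemble' rules) and this check: it lists every active scrub rule in a pf.conf that reassembles fragments and still matches IPv6, i.e. a rule with no address family or with inet6, while a rule restricted to inet is out of scope. The script name and the two sample pf.conf files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# pf_ipv6_reassembly_rules FILE
#   Prints the active "scrub ... fragment reassemble" rules in FILE that still
#   match IPv6 traffic: a rule with no address family covers inet and inet6,
#   an "inet6" rule covers IPv6 only; only an "inet" rule is out of scope.
#   Returns 0 if any such rule exists, 1 if none.
pf_ipv6_reassembly_rules() {
    sed -e 's/#.*$//' "$1" \
      | grep -E '^[[:space:]]*scrub[[:space:]].*fragment[[:space:]]+reassemble' \
      | grep -vE '(^|[[:space:]])inet([[:space:]]|$)'
}

# pf_conf_exposed FILE: prints "exposed" when IPv6 reassembly is still on, else "ok".
pf_conf_exposed() {
    if pf_ipv6_reassembly_rules "$1" >/dev/null; then echo exposed; else echo ok; fi
}

# write_sample_confs: writes two constructed pf.conf files (not taken from the
# advisory) into a temp directory and prints its path, so the check runs offline.
write_sample_confs() {
    dir=$(mktemp -d)
    cat > "$dir/vulnerable.conf" <<'EOF'
ext_if = "em0"
# no address family: reassembly applies to IPv4 and IPv6 alike
scrub in on $ext_if all fragment reassemble
block in on $ext_if
EOF
    cat > "$dir/mitigated.conf" <<'EOF'
ext_if = "em0"
# scrub in on $ext_if all fragment reassemble   (disabled per the workaround)
scrub in on $ext_if inet all fragment reassemble   # IPv4-only reassembly
block in on $ext_if
EOF
    echo "$dir"
}

# Usage: sh pf_v6_frag_audit.sh /etc/pf.conf [more files...]
for conf in "$@"; do
    printf '%s: %s\n' "$conf" "$(pf_conf_exposed "$conf")"
    pf_ipv6_reassembly_rules "$conf" | sed 's/^/  /'
done
```

Run it against the live /etc/pf.conf after applying the workaround; the "ok" verdict only covers the reassembly rules, so the IPv6-enabled check on the interfaces still needs to be done separately.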

Check Version:

uname -a (for FreeBSD) or check pf version

Verify Fix Applied:

Verify that the system has been updated to a patched version, then test with IPv6 fragment traffic to confirm that the rules are enforced.

📡 Detection & Monitoring

Log Indicators:

  • Unusual IPv6 fragment traffic patterns
  • Firewall rule bypass events in pf logs

Network Indicators:

  • IPv6 packets with multiple fragment headers
  • Traffic that should be blocked by firewall rules

SIEM Query:

source="pf.log" ("IPv6 fragment" OR "scrub") AND ("bypass" OR "unexpected")
