Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-16_04.filterlog: Denial of Service in filterlog due to malformed SCPS options in a packet.

Back to Search

pfSense: pfSense-SA-16_04.filterlog: Denial of Service in filterlog due to malformed SCPS options in a packet.

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
05/16/2016
Created
07/25/2018
Added
08/25/2017
Modified
02/20/2020

Description

A deliberately malformed TCP SYN packet with option 20 (0x14) can cause the filterlog daemon to crash with a segmentation fault, which causes all logging of packets from firewall rules to cease. Option 20 is SCPS-TP, which is a space communications version of TCP and not an option typically found on the Internet in general. The SCPS Capabilities Option should be sent in a TCP SYN packet and contain four fields of one byte each and begin with 0x14 0x04 (Kind=20, Length=4). A malformed packet that causes a segmentation fault in filterlog omits the two mandatory fields "Capabilities Option Bit-Vector" and "Connection ID" and have changes the option length to 0x02, which breaks the SCPS-TP standard but follows the TCP Options standard in general. The packet passes TCP option parsers that don't specifically care about SCPS-TP. The packet processing code in filterlog, which comes directly from tcpdump, incorrectly defines TCPOPT_AUTH to the wrong option. The switch case for TCPOPT_AUTH in filterlog incorrectly subtracts from the option length, resulting in a segmentation fault when next option is read. A packet with the SCPS Capabilities option adhering to the standard should be 4 bytes long and will not trigger this bug. A shortened SPCS option must be crafted deliberately. An affected version of filterlog which receives this malformed packet will crash, which stops further logging, potentially denying access to information about a later attack.

Solution(s)

  • pfsense-upgrade-latest

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;