pfSense: pfSense-SA-23_07.kernel: Denial of Service due to Kernel Panic from Oversize IPv6 Packets
Description
An IPv6 packet larger than the MTU on an interface can lead to a kernel panic in pf. For example, by generating a large ICMP packet with "ping6 -s 65500 <target address>" sent from another host to device running pfSense software. This problem is present in pfSense Plus version 23.01. It does not affect any release of pfSense CE, only development snapshots. While this issue was due to an upstream problem in the FreeBSD 14.x kernel, which is still under development, it was not present in any released version of FreeBSD. Thus, this DoS will not have a FreeBSD security advisory. A kernel panic causes a sudden reboot of the host, rendering it unavailable until it completes the reboot process, thus causing a denial of service for the interim period. On systems using UFS, it is also possible that a kernel panic may require manual intervention to repair the filesystem after a sudden reboot.
Solution(s)
- pfsense-upgrade-latest
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center