FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- TCP spoofing vulnerability in pf(4)

Affected packages
14.0 <= FreeBSD-kernel < 14.0_2
13.2 <= FreeBSD-kernel < 13.2_4
12.4 <= FreeBSD-kernel < 12.4_6


VuXML ID 9cbbc506-93c1-11ee-8e38-002590c1f29c
Discovery 2023-12-05
Entry 2023-12-05
Modified 2023-12-14

Problem Description:

As part of its stateful TCP connection tracking implementation, pf performs sequence number validation on inbound packets. This makes it difficult for a would-be attacker to spoof the sender and inject packets into a TCP stream, since crafted packets must contain sequence numbers which match the current connection state to avoid being rejected by the firewall.

A bug in the implementation of sequence number validation means that the sequence number is not in fact validated, allowing an attacker who is able to impersonate the remote host and guess the connection's port numbers to inject packets into the TCP stream.


An attacker can, with relatively little effort, inject packets into a TCP stream destined to a host behind a pf firewall. This could be used to implement a denial-of-service attack for hosts behind the firewall, for example by sending TCP RST packets to the host.


CVE Name CVE-2023-6534
FreeBSD Advisory