FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ipfw -- IP fragment denial of service

Affected systems
6.0 <= FreeBSD < 6.0_2

Details

VuXML ID d7c1d00d-9d2e-11da-8c1d-000e0c2e438a
Discovery 2006-01-11
Entry 2006-02-14
Modified 2006-06-09

Problem description:

The firewall keeps a pointer to the layer 4 (TCP/UDP/ICMP) header of the packet being examined, for use when a rule's action requires it to send a TCP reset or an ICMP error message as it discards the packet. Due to incorrect handling of IP fragments, this pointer is never initialized for fragmented packets, and a matching reset, reject or unreach rule then dereferences the uninitialized pointer.

Impact:

An attacker can cause the firewall to crash by sending ICMP IP fragments to, or through, a firewall whose ruleset contains reset, reject or unreach actions that the fragments match. Packets that only match allow or deny rules do not trigger the fault.

Workaround:

Change any reset, reject or unreach actions to deny. Note that deny discards matching packets silently: the sender no longer receives a TCP RST or ICMP error and will see a timeout instead of an immediate refusal.
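The following script is an added example of applying the workaround mechanically; it is not part of the advisory or of FreeBSD. It assumes the rule syntax "[ipfw] add [number] ACTION ..." as found in a rules file, or "NUMBER ACTION ..." as printed by ipfw list, and the function names, helper logic and the sample ruleset at the bottom are all constructed for illustration. One detail matters when doing this by hand or by script: unreach takes a code argument (unreach port, unreach host, unreach 3, ...), which has to be removed together with the keyword, whereas reset and reject take none.

```shell
#!/bin/sh
# Added example for the SA-06:04.ipfw workaround (not FreeBSD's own code).
# Rewrites an ipfw ruleset so every reset, reject and unreach action becomes
# deny. The sample rules below are constructed, not taken from a real host.

# Print only the rules (read from stdin) whose action is reset, reject or
# unreach, i.e. the rules that can trigger the crash.
find_vulnerable_rules() {
    awk '
    {
        i = 1
        if ($i == "ipfw") i++            # "ipfw add ..." form
        if ($i == "add") i++             # "add ..." form (rules file)
        if ($i ~ /^[0-9]+$/) i++         # optional rule number / "ipfw list" form
        if ($i == "reset" || $i == "reject" || $i == "unreach") print
    }'
}

# Rewrite the rules read from stdin, replacing reset/reject/unreach with deny.
# For unreach the following code word is dropped as well. Lines that need no
# change are passed through byte for byte.
harden_ipfw_rules() {
    awk '
    {
        line = $0
        i = 1
        if ($i == "ipfw") i++
        if ($i == "add") i++
        if ($i ~ /^[0-9]+$/) i++
        skip = 0
        if ($i == "reset" || $i == "reject") {
            $i = "deny"
        } else if ($i == "unreach") {
            $i = "deny"
            skip = i + 1                 # the ICMP unreachable code argument
        } else {
            print line                   # allow, deny, check-state, comments...
            next
        }
        out = ""
        for (j = 1; j <= NF; j++) {
            if (j == skip) continue
            out = out (j == 1 ? "" : " ") $j
        }
        print out
    }'
}

# Constructed sample ruleset (hypothetical, for demonstration only).
SAMPLE_RULES='ipfw add 100 allow ip from any to any via lo0
ipfw add 200 reset tcp from any to me 23
ipfw add 300 unreach port udp from any to me 111
ipfw add 400 reject ip from 192.0.2.0/24 to any
ipfw add 65000 allow ip from any to any'

echo "Rules affected by SA-06:04.ipfw:"
printf '%s\n' "$SAMPLE_RULES" | find_vulnerable_rules
echo
echo "Hardened ruleset:"
printf '%s\n' "$SAMPLE_RULES" | harden_ipfw_rules
```

Because the parser also accepts the "NUMBER ACTION ..." lines printed by ipfw list, `ipfw list | find_vulnerable_rules` shows which rules on a running system need attention; the rewritten lines from harden_ipfw_rules then have to be installed by deleting each affected rule number and re-adding it, or by editing the rules file used at boot and reloading it. Review the output before applying it: the script only changes the action word, so any rule that relied on the RST or ICMP error being sent keeps its match criteria but now drops silently.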

References

CVE Name CVE-2006-0054
FreeBSD Advisory SA-06:04.ipfw