FreeBSD < 10.3-RELEASE-p19 / 11.0 < 11.0-RELEASE-p10 ipfilter Kernel Module Packet Fragment DoS (FreeBSD-SA-17:04.ipfilter)
High Nessus Plugin ID 99994
Synopsis
The remote FreeBSD host is missing a security-related update.
Description
The version of the FreeBSD kernel running on the remote host is prior to 10.3-RELEASE-p19 or 11.0 prior to 11.0-RELEASE-p10. It is, therefore, affected by a use-after-free error in the ipfilter kernel module (ipl.ko) due to freeing the wrong entry in a hash table when matching packet fragments are processed. An unauthenticated, remote attacker can exploit this issue, via specially crafted packet fragments, to cause a panic and reboot, resulting in a denial of service condition.
Note that this issue only affects hosts with ipfilter enabled and the 'keep state' or 'keep frags' rule options enabled.
Solution
Upgrade to FreeBSD version 10.3-RELEASE-p19 / 11.0-RELEASE-p10 or later. Alternatively, apply the patch referenced in the advisory.
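A triage check for the two conditions described above (kernel patch level, and 'keep state' or 'keep frags' in the ruleset), as an added example that is not part of the plugin or the FreeBSD advisory. It assumes the version string is taken from `freebsd-version -k` and the ruleset from a file such as /etc/ipf.rules; the function names are hypothetical, and releases other than 10.3 and 11.0 are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example. Fixed patch levels are the ones stated on this page:
# 10.3-RELEASE-p19 and 11.0-RELEASE-p10.

# is_vulnerable_kernel VERSION -> 0 below fixed level, 1 patched, 2 not covered
is_vulnerable_kernel() {
    rel=${1%%-*}                          # "10.3-RELEASE-p18" -> "10.3"
    case $1 in
        *-RELEASE-p*) patch=${1##*-p} ;;  # -> "18"
        *-RELEASE)    patch=0 ;;          # unpatched release
        *)            return 2 ;;         # STABLE/CURRENT: check by hand
    esac
    case $patch in ''|*[!0-9]*) return 2 ;; esac
    case $rel in
        10.3) fixed=19 ;;
        11.0) fixed=10 ;;
        *)    return 2 ;;
    esac
    [ "$patch" -lt "$fixed" ]
}

# rules_use_frag_state FILE -> 0 if an active (non-comment) rule carries
# 'keep state' or 'keep frags', the options the advisory note names.
rules_use_frag_state() {
    sed 's/#.*//' "$1" | grep -Eq 'keep[[:space:]]+(state|frags)'
}

# verdict VERSION RULES_FILE -> prints one of:
#   exposed | unpatched-no-keep-rules | patched | unknown-release
verdict() {
    is_vulnerable_kernel "$1" && k=0 || k=$?
    case $k in
        1) echo "patched" ;;
        2) echo "unknown-release" ;;
        0) if rules_use_frag_state "$2"; then
               echo "exposed"
           else
               echo "unpatched-no-keep-rules"
           fi ;;
    esac
}

# Stand-alone use: sh check.sh "$(freebsd-version -k)" /etc/ipf.rules
if [ "$#" -eq 2 ]; then
    verdict "$1" "$2"
fi
```

A result of `unpatched-no-keep-rules` still calls for the upgrade, since adding either option to the ruleset later would make the host affected.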