CVE-2024-6640 Overview
CVE-2024-6640 is a firewall bypass vulnerability in the FreeBSD pf (packet filter) firewall affecting ICMPv6 Neighbor Discovery (ND) protocol handling. The vulnerability exists because the ICMPv6 identifier field is always set to 0 during Neighbor Discovery operations. When pf is configured to allow Neighbor Discovery while blocking incoming Echo Requests, an attacker can craft a malicious Echo Request packet that bypasses firewall rules by exploiting this predictable identifier value.
The attack requires sending a crafted Echo Request from the same host as a preceding Neighbor Solicitation (NS), using an identifier value of zero. This matches the state created by the Neighbor Discovery process, allowing the firewall to incorrectly permit Echo Reply responses. ICMPv6 packets with identifier values of zero effectively bypass firewall rules that assume incoming packets will create unique states in the state table.
Critical Impact
Attackers can bypass firewall rules to send and receive ICMPv6 traffic that should be blocked, potentially enabling network reconnaissance, host discovery, and circumvention of security policies.
Affected Products
- FreeBSD systems with pf firewall enabled
- Systems using ICMPv6 Neighbor Discovery with pf packet filtering
- NetApp products utilizing affected FreeBSD components
Discovery Timeline
- August 12, 2024 - CVE-2024-6640 published to NVD
- November 26, 2024 - Last updated in NVD database
Technical Details for CVE-2024-6640
Vulnerability Analysis
This vulnerability stems from a design flaw in how the FreeBSD pf firewall handles ICMPv6 Neighbor Discovery protocol states. The root cause is classified as CWE-276 (Incorrect Default Permissions), where the firewall's state tracking mechanism fails to properly isolate Neighbor Discovery traffic from other ICMPv6 message types.
When a legitimate Neighbor Solicitation packet is processed, pf creates a state entry with an identifier value of 0. Since this identifier is predictable and static, an attacker can exploit this by sending Echo Request packets with the same zero identifier, causing the firewall to match these packets against the existing ND state entry rather than blocking them according to configured rules.
The vulnerability enables network-based attackers with low privileges to bypass firewall rules intended to block ICMPv6 Echo Requests. This could facilitate reconnaissance activities, network mapping, and potentially serve as a stepping stone for further attacks against protected systems.
Root Cause
The vulnerability originates from the ICMPv6 implementation's use of a static identifier value of 0 for all Neighbor Discovery operations. The pf firewall's stateful inspection mechanism does not differentiate between ND-related states and other ICMPv6 traffic when matching packets with identifier 0. This allows malicious Echo Requests to be incorrectly associated with legitimate ND state entries, bypassing rules that would otherwise block such traffic.
Attack Vector
The attack is executed over the network and requires the following conditions:
- The target system must have pf firewall enabled with rules allowing ICMPv6 Neighbor Discovery
- Firewall rules must be configured to block incoming ICMPv6 Echo Requests
- The attacker must be able to observe or time their traffic relative to legitimate Neighbor Solicitation packets
- Echo Requests must originate from the same host address as a preceding NS packet
- The crafted Echo Request must use an identifier value of zero
The attack leverages the assumption that firewall administrators expect incoming packets to create unique state table entries. By exploiting the predictable identifier value, attackers can piggyback on existing ND states to bypass blocking rules.
Detection Methods for CVE-2024-6640
Indicators of Compromise
- Unusual ICMPv6 Echo Request/Reply traffic from hosts that should only be performing Neighbor Discovery
- ICMPv6 packets with identifier value 0 that are not part of legitimate ND operations
- Unexpected Echo Reply responses to hosts that should be blocked by firewall rules
- Anomalous patterns of Neighbor Solicitation followed by Echo Request from the same source
Detection Strategies
- Monitor pf state tables for unusual ICMPv6 state entries with identifier 0
- Implement network traffic analysis to detect Echo Requests with zero identifiers immediately following NS packets
- Configure logging for ICMPv6 traffic to identify bypass attempts
- Deploy intrusion detection rules that alert on suspicious ICMPv6 identifier patterns
Monitoring Recommendations
- Enable verbose pf logging for ICMPv6 traffic to capture state table changes
- Set up alerts for unexpected ICMPv6 Echo traffic from hosts performing Neighbor Discovery
- Review firewall logs regularly for patterns indicating bypass attempts
- Implement network flow monitoring to detect reconnaissance activities using this bypass technique
How to Mitigate CVE-2024-6640
Immediate Actions Required
- Apply FreeBSD security patches as referenced in the FreeBSD Security Advisory
- Review pf firewall rules for configurations that allow ND while blocking Echo Requests
- Consider implementing additional filtering mechanisms to validate ICMPv6 traffic
- Audit network segmentation to limit exposure of vulnerable systems
Patch Information
FreeBSD has released security patches to address this vulnerability. Administrators should consult the FreeBSD Security Advisory FreeBSD-SA-24:05.pf for specific patch versions and upgrade instructions. NetApp customers should review the NetApp Security Advisory for guidance on affected products and remediation steps.
Workarounds
- Implement additional stateless filtering rules that explicitly block ICMPv6 Echo Requests with identifier 0 before stateful inspection
- Consider using separate firewall rules or an additional filtering layer to handle ICMPv6 traffic validation
- If possible, restrict ICMPv6 Echo traffic at network boundaries rather than relying solely on host-based pf rules
- Implement network-level access controls to limit which hosts can send ICMPv6 traffic to protected systems
# Example pf rule modification to mitigate the bypass
# Add explicit blocking for Echo Requests with icmp6-type before ND rules
block in quick on $ext_if inet6 proto icmp6 icmp6-type echoreq
pass in on $ext_if inet6 proto icmp6 icmp6-type neighbrsol
pass in on $ext_if inet6 proto icmp6 icmp6-type neighbradv
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
