PT-2019-17769 · Freebsd · Freebsd

Luca Moro +1 · Published 2019-05-14 · Updated 2025-04-03 · CVE-2019-5598

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

FreeBSD versions 11.3-PRERELEASE before r345378
FreeBSD versions 12.0-STABLE before r345377
FreeBSD versions 11.2-RELEASE before 11.2-RELEASE-p10
FreeBSD versions 12.0-RELEASE before 12.0-RELEASE-p4

Description

A bug in the pf component of FreeBSD does not properly check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet. This allows a maliciously crafted ICMP/ICMP6 packet to bypass packet filter rules and be passed to a host that would otherwise be unavailable.

Recommendations

For FreeBSD versions 11.3-PRERELEASE before r345378, update to a version after r345378.
For FreeBSD versions 12.0-STABLE before r345377, update to a version after r345377.
For FreeBSD versions 11.2-RELEASE before 11.2-RELEASE-p10, update to 11.2-RELEASE-p10 or later.
For FreeBSD versions 12.0-RELEASE before 12.0-RELEASE-p4, update to 12.0-RELEASE-p4 or later.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2019-5598
FREEBSD-SA-19_06

Affected Products

Freebsd