Search:

September 2007

3382 - Three NetBSD Security Advisories

ID: 3382
Date: 14 September 2007 09:37

Title: 3382 - Three NetBSD Security Advisories
Abstract: NetBSD Security Advisories concerning how: 1. A crafted IPv6 Type 0 Routing Header packet(s) can be used to launch a denial of service attack on an IPv6 host. 2. A local user can cause the system to panic by passing out of bounds values to display driver allocattr functions via an ioctl call. 3. Due to the use of cryptographically weak query IDs an attacker can predict query IDs and poison the cache by injecting their own responses.
Vendors affected:NetBSD
Availability of fix: Available
Type of fix: Patch
Source: NetBSD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2007-005
=================================

Topic: IPv6 Type 0 Routing Header

Version: NetBSD-current: source prior to April 22, 2007
  NetBSD 4.0_BETA2 affected
  NetBSD 3.1:  affected
  NetBSD 3.0.*:  affected
  NetBSD 3.0:  affected
  NetBSD 2.1:  affected
  NetBSD 2.0.*:  affected
  NetBSD 2.0:  affected

Severity: Remote Denial of Service

Fixed:  NetBSD-current:  April 22, 2007
  NetBSD-4 branch: April 28, 2007
   (4.0 will include the fix)
  NetBSD-3-1 branch April 26, 2007
   (3.1.1 will include the fix)
  NetBSD-3-0 branch: April 26, 2007
   (3.0.3 will include the fix)
  NetBSD-3 branch: April 26, 2007
  NetBSD-2-1 branch: June 04, 2007
  NetBSD-2-0 branch: June 04, 2007
  NetBSD-2 branch: June 04, 2007

Abstract
========

A crafted IPv6 Type 0 Routing Header packet(s) can be used to launch a denial of service attack on an IPv6 host.

This vulnerability has been assigned CVE reference CVE-2007-2242.

Technical Details
=================

A remote attacker can transmit crafted IPv6 packets using a Type 0 Routing Header. The result is a type of denial of service attack known as a traffic amplification attack where the bandwidth between the sending and receiving hosts increases during the attack.

Solutions and Workarounds
=========================

To rectify these problems a kernel built from sources containing the fixes must be installed and the system rebooted. The fixes introduce a new sysctl(8) that can be used to control the processing of IPv6 type 0 packets. The new sysctl is named net.inet6.ip6.rht0 and has three possible
values:

-1 Processing is disabled (default).
0 Processing is enabled only for routers and not for hosts.
1 Processing is enabled for both routers and hosts.

NOTE: This sysctl was later removed from NetBSD-current on May 17 2007 and the default was hard set to drop IPv6 type 0 packets. This sysctl may disappear from future NetBSD releases.

The following instructions describe how to upgrade your kernel by updating your source tree and rebuilding and installing a new version of the kernel.

For more information on how to do this, see:

http://www.NetBSD.org/guide/en/chap-kernel.html

* NetBSD-current:

Systems running NetBSD-current dated from before 2007-04-22
should be upgraded to NetBSD-current dated 2007-04-23 or later.

The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
  sys/netinet6/ip6_input.c
  sys/netinet6/ip6_var.h
  sys/netinet6/route6.c
  share/man/man7/sysctl.7

To update from CVS, re-build, and re-install a kernel containing
the fix:

  # cd src
  # cvs update sys/netinet6/ip6_input.c
  # cvs update sys/netinet6/ip6_var.h
  # cvs update sys/netinet6/route6.c
  # cvs update share/man/man7/sysctl.7
  # build.sh tools kernel=KERNCONFFILE

* NetBSD 3.*:

Systems running NetBSD 3.* sources dated from before
2007-04-26 should be upgraded from NetBSD 3.* sources dated
2007-04-27 or later.

The following files need to be updated from the
netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
  sys/netinet6/ip6_input.c
  sys/netinet6/ip6_var.h
  sys/netinet6/route6.c
  sbin/sysctl/sysctl.8

To update from CVS, re-build, and re-install a kernel containing
the fix:

  # cd src
  # cvs update -r <branch_name> sys/netinet6/ip6_input.c
  # cvs update -r <branch_name> sys/netinet6/ip6_var.h
  # cvs update -r <branch_name> sys/netinet6/route6.c
  # cvs update -r <branch_name> sbin/sysctl/sysctl.8
  # build.sh tools kernel=KERNCONFFILE

* NetBSD 2.*:

Systems running NetBSD 2.* sources dated from before
2007-06-04 should be upgraded from NetBSD 2.* sources dated
2007-06-05 or later.

The following files need to be updated from the
netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branches:
  sys/netinet6/ip6_input.c
  sys/netinet6/ip6_var.h
  sys/netinet6/route6.c
  sbin/sysctl/sysctl.8

To update from CVS, re-build, and re-install a kernel containing
the fix:

Thanks To
=========

Philippe Biondi and Arnaud Ebalard for discovering and reporting this problem.

Revision History
================

2007-09-13 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-005.txt.asc

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

$NetBSD: rt14129_RH0.txt,v 1.3 2007/08/18 20:37:42 mjf Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRuhdNz5Ru2/4N2IFAQLEkwP/Q8npU5jzm/s95MYHECcGTdW5xPOZu5Pv
UHd8W8/k8e7BygW8hhfrXZQjFmglDsdvkwQL5stPQeWNmYdJAe280UAwn6v+FoTw
LwraKzI82iV1tYhBGlq/TbrkGI4JOmEqpUqqSGtGDnrYT7ZgU0/87VGyHCftvOjE
e0KiJD5McZU=
=1z0U
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2007-006
=================================

Topic: Local panics in display driver code

Version: NetBSD-current: source prior to July 28, 2007
  NetBSD 4.0_BETA2 affected
  NetBSD 3.1:  affected
  NetBSD 3.0.*:  affected
  NetBSD 3.0:  affected
  NetBSD 2.1:  not affected
  NetBSD 2.0.*:  not affected
  NetBSD 2.0:  not affected

Severity: Local system crash

Fixed:  NetBSD-current:  July 28, 2007
  NetBSD-4 branch: July 30, 2007
   (4.0 will include the fix)
  NetBSD-3-1 branch August 6, 2007
   (3.1.1 will include the fix)
  NetBSD-3-0 branch: August 6, 2007
   (3.0.3 will include the fix)
  NetBSD-3 branch: August 6, 2007

Abstract
========

A local user can cause the system to panic by passing out of bounds values to display driver allocattr functions via an ioctl call.

This vulnerability has been assigned CVE reference CVE-2007-3654.

Technical Details
=================

vga_allocattr uses integer arguments as indicies into arrays of colors.
The vga_allocattr function does not check to see whether these arguments are within the bounds of the arrays.

Due to the lack of bounds checking a negative or large value can be passed to vga_allocattr which will cause it to access arbitrary memory locations, resulting in a panic.

Other display driver functions are also vulnerable to this issue.

Solutions and Workarounds
=========================

To rectify these problems a kernel built from sources containing the fixes must be installed and the system rebooted.

The following instructions describe how to upgrade your kernel by updating your source tree and rebuilding and installing a new version of the kernel.

For more information on how to do this, see:

http://www.NetBSD.org/guide/en/chap-kernel.html

* NetBSD-current:

Systems running NetBSD-current dated from before 2007-07-28
should be upgraded to NetBSD-current dated 2007-07-29 or later.

The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
  sys/dev/ic/pcdisplay_subr.c
  sys/dev/ic/vga.c
  sys/dev/ic/vga_raster.c
  sys/dev/isa/ega.c
  sys/dev/pci/chipsfb.c
  sys/dev/rasops/rasops.c
  sys/dev/wscons/wsdisplay_vcons.c

To update from CVS, re-build, and re-install a kernel containing
the fix:

  # cd src
  # cvs update -d -P sys/dev
  # build.sh tools kernel=KERNCONFFILE

* NetBSD 3.*:

Systems running NetBSD 3.* sources dated from before
2007-08-06 should be upgraded from NetBSD 3.* sources dated
2007-08-07 or later.

The following files need to be updated from the
netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
  sys/dev/ic/pcdisplay_subr.c
  sys/dev/ic/vga.c
  sys/dev/ic/vga_raster.c
  sys/dev/isa/ega.c
  sys/dev/rasops/rasops.c

To update from CVS, re-build, and re-install a kernel containing
the fix:

  # cd src
  # cvs update -r <branch_name> sys/dev/ic/pcdisplay_subr.c
  # cvs update -r <branch_name> sys/dev/ic/vga.c
  # cvs update -r <branch_name> sys/dev/ic/vga_raster.c
  # cvs update -r <branch_name> sys/dev/isa/ega.c
  # cvs update -r <branch_name> sys/dev/rasops/rasops.c
  # build.sh tools kernel=KERNCONFFILE

Thanks To
=========

Venustech AD-LAB for discovering and reporting this problem.

Revision History
================

2007-09-13 Initial release

More Information
================

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

$NetBSD: rt14768_vga.txt,v 1.7 2007/08/14 21:59:52 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRuhdST5Ru2/4N2IFAQJSJwP/flQbkGFFk0AUppV2f98co5RQbJQqsK7I
KEBVenilE2LpgUscPRspYWsF6WKRvWgmyOS+7DlfaQ/1/+GjlcXnuJVfJ9CSHf28
iLHHPSK9FDi0IlpFgHq6FSzsoQu+KpaKmvCxLyAlpSn5apDZkBPzobgt/fI6x0Vh
Uc9GnnDZPT0=
=LsPT
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2007-007
=================================

Topic: BIND cryptographically weak query IDs

Version: NetBSD-current: source prior to July 24, 2007
  NetBSD 4.0_BETA2: affected
  NetBSD 3.1:  affected
  NetBSD 3.0.*:  affected
  NetBSD 3.0:  affected
  NetBSD 2.1:  affected
  NetBSD 2.0.*:  affected
  NetBSD 2.0:  affected

Severity: Remote DNS cache poisoning

Fixed:  NetBSD-current:  July 24, 2007
  NetBSD-4 branch: July 31, 2007
   (4.0 will include the fix)
  NetBSD-3-1 branch: August 14, 2007
   (3.1.1 will include the fix)
  NetBSD-3-0 branch: August 14, 2007
   (3.0.3 will include the fix)
  NetBSD-3 branch: August 14, 2007
  NetBSD-2-1 branch: September 13, 2007
  NetBSD-2-0 branch: September 13, 2007
  NetBSD-2 branch: September 13, 2007
  pkgsrc:   bind-9.4.1pl1 corrects the issue
     bind-8.4.7pl1 corrects the issue

Abstract
========

Due to the use of cryptographically weak query IDs an attacker can predict query IDs and poison the cache by injecting their own responses.

This vulnerability has been assigned CVE references CVE-2007-2926 for BIND 9.x and CVE-2007-2930 for BIND 8.x.

Technical Details
=================

- From http://www.isc.org/:

BIND 9.x:
"The DNS query id generation is vulnerable to cryptographic analysis which provides a 1 in 8 chance of guessing the next query id for 50% of the query ids. This can be used to perform cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers."

BIND 8.x:
"This bug only affects outgoing queries, generated by BIND 8 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers."

Solutions and Workarounds
=========================

It is recommended that NetBSD users of vulnerable versions update their binaries.

The following instructions describe how to upgrade your bind binaries by updating your source tree and rebuilding and installing a new version of bind.

* NetBSD-current:

Systems running NetBSD-current dated from before 2007-07-24
should be upgraded to NetBSD-current dated 2007-07-25 or later.

The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
dist/bind

To update from CVS, re-build, and re-install bind:

  # cd src
  # cvs update -d -P dist/bind
  # cd usr.sbin/bind
  # make USETOOLS=no cleandir dependall
  # make USETOOLS=no install

* NetBSD 3.*:

Systems running NetBSD 3.* sources dated from before
2007-08-14 should be upgraded from NetBSD 3.* sources dated
2007-08-15 or later.

The following files need to be updated from the
netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
  dist/bind/bin/named/client.c
  dist/bind/lib/dns/dispatch.c
  dist/bind/lib/dns/include/dns/dispatch.h

To update from CVS, re-build, and re-install bind:

  # cd src
  # cvs update -r <branch_name> dist/bind/bin/named/client.c
  # cvs update -r <branch_name> dist/bind/lib/dns/dispatch.c
  # cvs update -r <branch_name> \
   dist/bind/lib/dns/include/dns/dispatch.h
  # cd usr.sbin/bind
  # make USETOOLS=no cleandir dependall
  # make USETOOLS=no install

* NetBSD 2.*:

Systems running NetBSD 2.* sources dated from before
2007-09-12 should be upgraded from NetBSD 3.* sources dated
2007-09-13 or later.

The following files need to be updated from the
netbsd-2, netbsd-2-0 or netbsd-2-1 branches:
  dist/bind/bin/named/ns_forw.c
  dist/bind/bin/named/ns_func.h
  dist/bind/bin/named/ns_main.c
  dist/bind/bin/named/ns_resp.c

To update from CVS, re-build, and re-install bind:

  # cd src
  # cvs update -r <branch_name> dist/bind/bin/named/ns_forw.c
  # cvs update -r <branch_name> dist/bind/bin/named/ns_func.c
  # cvs update -r <branch_name> dist/bind/bin/named/ns_main.c
  # cvs update -r <branch_name> dist/bind/bin/named/ns_resp.c
  # cd usr.sbin/bind
  # make USETOOLS=no cleandir dependall
  # make USETOOLS=no install

Thanks To
=========

Amit Klein for discovering and reporting this problem.

Revision History
================

2007-09-13 Initial release

More Information
================

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

$NetBSD: NetBSD-SA2007-007.txt,v 1.1 2007/09/12 21:45:39 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRumhsT5Ru2/4N2IFAQLQiwP/aLkPFQuSa56XdfbgYEdtWYmMAOMBvvYf
+U5hSdDK3K/02jQCkcUeHKVDOPEb3Ls21H/mMwk1AgVvI6+YW0ycPLGIMpXxgY15
Zn5WlqQtTtHkvdFHB9d0kGYVSuUxSRq0LCBEfcvk3aOQi57wuwO77O5yT+2yZJwl
ZREyrWwp7Dc=
=Oije
-----END PGP SIGNATURE-----

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.