November 2005
NetBSD - Eleven Security Advisories
ID: 00994
Ref: 932/05
Date: 08 November 2005:16:24:00
Version: 1
Title: NetBSD - Eleven Security Advisories
Abstract: Describes issues with F_CLOSEM, MIT Kerberos 5 telnet client, cgd(4), CVS, AES-XCBC-MAC (IPsec AH), FreeBSD compat code, imake, OpenSSL, ntpd, SO_LINGER, ptrace()
Vendors affected: NetBSD
Operating systems affected: NetBSD
Applications affected: NetBSD
Title
=====
NetBSD - Eleven Security Advisories:
1. F_CLOSEM local denial of service [2005-003]
2. Buffer overflows in MIT Kerberos 5 telnet client [2005-004]
3. cgd(4) key destruction on unconfigure [2005-005]
4. Multiple vulnerabilities in CVS [2005-006]
5. AES-XCBC-MAC (IPsec AH) calculated using fixed key [2005-007]
6. Heap memory corruption in FreeBSD compat code [2005-008]
7. Insecure /tmp file usage when building using imake [2005-009]
8. OpenSSL "man in the middle" can force weak protocol [2005-010]
9. ntpd may start with different group id than desired [2005-011]
10. SO_LINGER argument checking DIAGNOSTIC panic [2005-012]
11. ptrace() permissions after S[UG]ID and exec() [2005-013]
Detail
======
Security advisory summaries:
1. A bug in the way the file descriptor table of a process is manipulated
can be triggered by calling the F_CLOSEM fcntl() with the parameter 0,
which means "close all opened file descriptors". The result of the bug
is that the kernel will loop endlessly, effectively locking up the computer.
2. The telnet client program in NetBSD, supporting MIT Kerberos 5
authentication, contains several buffer overflows that can be triggered
when connecting to a malicious telnet server. When exploited, these
overflows can lead to remote code execution.
3. When a cgd(4) pseudo-device is unconfigured, the driver does not clear
memory containing key material before freeing it back to other kernel
use. A process may later allocate kernel memory and receive chunks
with data previously used by the cgd driver which may contain
encryption keys.
4. CVS has multiple vulnerabilities, ranging from remote execution of
arbitrary code to denial of service. Most of the issues are when the
CVS server is running in pserver mode.
5. Machines using IPsec [RFC2401] with AH and AES-XCBC-MAC algorithm
[RFC3566] incorrectly used a fixed key instead of the provided one.
Because a known key is used, affected Security Associations lack
integrity and data origin authentication protection, and an attacker
could send forged packets which would be accepted by the receiver.
6. Due to insufficient length checking in FreeBSD compatibility code, it is
possible for a user to cause an integer overflow, resulting in a local
denial of service and potentially local root compromise.
7. Makefiles generated with imake use an insecure temporary file in /tmp.
8. A vulnerability in OpenSSL allowed a malicious man-in-the-middle to force
two endpoints of an SSL connection to negotiate using SSL 2.0, which is
known to have severe cryptographic weaknesses.
9. When started with the -u parameter, and passed a group to run as, ntpd will
use the primary group of the user and not the provided group.
10. The SO_LINGER socket option can be passed a negative linger time,
which can be used by an unprivileged user to trigger a kernel
assertion panic if the kernel is compiled with "options DIAGNOSTIC".
11. Processes running with alternate privileges gained from setuid and
setgid executables are prevented from debugger attachment by their
original owner (via ptrace). However, if these processes exec'd
without resetting their real credentials, the replacement process
could be attached to and tampered with.
Security advisory content follows:
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-003
=================================
Topic: F_CLOSEM local denial of service
Version: NetBSD-current: source prior to January 12, 2005
NetBSD 2.1: not affected
NetBSD 2.0.2: not affected
NetBSD 2.0: affected
NetBSD 1.6.*: not affected
Severity: Local Denial-of-Service
Fixed: NetBSD-current: January 12, 2005
NetBSD-2-0 branch: March 16, 2005
(2.0.2 includes the fix)
NetBSD-2 branch: March 16, 2005
(2.1 includes the fix)
Abstract
========
A bug in the way the file descriptor table of a process is manipulated
can be triggered by calling the F_CLOSEM fcntl() with the parameter 0,
which means "close all opened file descriptors".
The result of the bug is that the kernel will loop endlessly,
effectively locking up the computer.
Any local user can trigger the bug.
Technical Details
=================
The F_CLOSEM fcntl() call takes a parameter and makes the kernel close
all file descriptors of the process whose number is greater or equal to
the parameter.
fd_lastfile in the process's descriptor table keeps track of the last file
descriptor index used by the process, and its value is maintained by
find_last_set(). A change in find_last_set() that made it return 0 and not
-1 (like it used to) when no files were used caused an infinite loop in
the kernel, leading to local denial-of-service triggerable by any user.
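The following user-space model, added here as an illustration and not taken from the NetBSD kernel source, shows why the sentinel change matters. The loop shape "while the highest open descriptor is >= the argument, release it and recompute fd_lastfile" follows the advisory's description; the bitmap size, the iteration cap and the function names other than find_last_set() and fd_lastfile are assumptions made so the model can run safely outside the kernel. With the correct -1 sentinel the loop for F_CLOSEM with argument 0 terminates once the table is empty; with the buggy 0 sentinel the test `0 >= 0` never becomes false.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption for the model: a small fixed descriptor table. */
#define NFDS 64

struct fdtable {
    bool open[NFDS];   /* open[i] true means descriptor i is in use */
    int  fd_lastfile;  /* highest descriptor in use, or -1 if none */
};

/* Correct behaviour: -1 when no descriptor is open. */
static int find_last_set_fixed(const struct fdtable *t)
{
    for (int i = NFDS - 1; i >= 0; i--)
        if (t->open[i])
            return i;
    return -1;
}

/* Buggy behaviour described by the advisory: 0 when no descriptor is open. */
static int find_last_set_buggy(const struct fdtable *t)
{
    int r = find_last_set_fixed(t);
    return r < 0 ? 0 : r;
}

static void fdtable_init(struct fdtable *t, int nopen,
                         int (*fls)(const struct fdtable *))
{
    memset(t, 0, sizeof(*t));
    for (int i = 0; i < nopen && i < NFDS; i++)
        t->open[i] = true;
    t->fd_lastfile = fls(t);
}

/*
 * Model of F_CLOSEM: close every descriptor >= minfd. Returns the number
 * of loop iterations, or -1 if the loop did not terminate within the cap,
 * which corresponds to the kernel spinning forever.
 */
static int closem(struct fdtable *t, int minfd,
                  int (*fls)(const struct fdtable *))
{
    int iterations = 0;
    const int cap = 10 * NFDS; /* assumption: enough to show non-termination */

    while (t->fd_lastfile >= minfd) {
        if (++iterations > cap)
            return -1;
        /* release the highest descriptor, then recompute fd_lastfile */
        if (t->fd_lastfile >= 0 && t->fd_lastfile < NFDS)
            t->open[t->fd_lastfile] = false;
        t->fd_lastfile = fls(t);
    }
    return iterations;
}

int closem_iterations_fixed(int nopen, int minfd)
{
    struct fdtable t;
    fdtable_init(&t, nopen, find_last_set_fixed);
    return closem(&t, minfd, find_last_set_fixed);
}

int closem_iterations_buggy(int nopen, int minfd)
{
    struct fdtable t;
    fdtable_init(&t, nopen, find_last_set_buggy);
    return closem(&t, minfd, find_last_set_buggy);
}

int main(void)
{
    printf("fixed sentinel, F_CLOSEM 0 on 3 fds: %d iterations\n",
           closem_iterations_fixed(3, 0));
    printf("buggy sentinel, F_CLOSEM 0 on 3 fds: %d (-1 = never terminates)\n",
           closem_iterations_buggy(3, 0));
    printf("buggy sentinel, F_CLOSEM 1 on 3 fds: %d iterations\n",
           closem_iterations_buggy(3, 1));
    return 0;
}
```

Note that F_CLOSEM with any argument greater than 0 terminates even in the buggy model, which matches the advisory's statement that the trigger is the parameter 0.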
Solutions and Workarounds
=========================
There is no workaround for this issue. It is recommended that users of
affected NetBSD versions upgrade their kernel.
The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of the
kernel.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-01-12
should be upgraded to NetBSD-current dated 2005-01-13 or later.
The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
sys/kern/kern_descrip.c
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/kern/kern_descrip.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
* NetBSD 2.0:
The binary distribution of NetBSD 2.0 is vulnerable.
NetBSD 2.1 includes the fix.
Systems running NetBSD 2.0 sources dated from before
2005-01-12 should be upgraded from NetBSD 2.0 sources dated
2005-01-13 or later.
The following files need to be updated from the
netbsd-2-0 CVS branch:
sys/kern/kern_descrip.c
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r netbsd-2-0 sys/kern/kern_descrip.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
Thanks To
=========
Brian Marcotte, for discovering and reporting the issue.
Greg Oster and Quentin Garnier, for analysis and fixes.
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-003.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-003.txt,v 1.10 2005/10/31 19:11:45 gendalia Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKRj5Ru2/4N2IFAQKyJQP/cF9a8IM4ayqS2nNv0HPgL4uPvbmnHPDW
F76FTxFDfrImmkMNrdIBaj/1B/LS41+iMWTJJFGWNkqZjzXKVLuD7/rLDKGjI1Aa
WfmS7gHoZcI5p5A0x+RFtOM399sQX2/cC5a0hcGamKncBChKMNEdn3u//q/HC+4e
rpQReunJrFU=
=SfoJ
- -----END PGP SIGNATURE-----
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-004
=================================
Topic: Buffer overflows in MIT Kerberos 5 telnet client
Version: NetBSD-current: source prior to April 1, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: affected
NetBSD 2.0: affected
NetBSD 1.6.2: affected
NetBSD 1.6.1: affected
NetBSD 1.6: affected
Severity: Remote code execution if connected to malicious server
Fixed: NetBSD-current: April 1, 2005
NetBSD-3 branch: April 8, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: April 8, 2005
(2.0.3 includes the fix)
NetBSD-2 branch: April 8, 2005
(2.1 includes the fix)
NetBSD-1.6 branch: April 8, 2005
Abstract
========
The telnet client program in NetBSD, supporting MIT Kerberos 5
authentication, contains several buffer overflows that can be triggered
when connecting to a malicious telnet server. When exploited, these
overflows can lead to remote code execution.
Technical Details
=================
The slc_add_reply() and env_opt_add() functions in telnet.c perform
inadequate length checking. slc_add_reply() may overflow a fixed-size
data segment or BSS buffer when receiving a maliciously crafted telnet
LINEMODE suboption string. env_opt_add() may overflow a heap buffer when
receiving a maliciously crafted telnet NEW-ENVIRON suboption string.
Both overflows may lead to arbitrary code execution.
CVE: CAN-2005-0468 and CAN-2005-0469
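The example below is added here to show the check that a LINEMODE SLC reply routine needs; it is a model, not the NetBSD or MIT telnet source. Each SLC reply triple is three bytes, and the telnet protocol requires any data byte equal to IAC (255) to be sent doubled, so one call can write up to six bytes. A routine that appends into a fixed-size buffer without accounting for that worst case can be pushed past the end by a server that sends a long suboption full of IAC bytes. The buffer size of 128 and the function names are assumptions for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define IAC 255
#define SLC_REPLY_SIZE 128   /* assumption: size of the fixed reply buffer */

struct slc_reply {
    unsigned char buf[SLC_REPLY_SIZE];
    size_t len;
};

/* Append one byte, doubling it if it equals IAC, as the telnet protocol requires. */
static void put_escaped(struct slc_reply *r, unsigned char c)
{
    r->buf[r->len++] = c;
    if (c == IAC)
        r->buf[r->len++] = IAC;
}

/*
 * Hardened append: refuse the triple when its worst case (6 bytes) cannot
 * fit. The vulnerable code performed no such check. Returns false when the
 * triple was dropped.
 */
bool slc_add_reply_checked(struct slc_reply *r, unsigned char func,
                           unsigned char flags, unsigned char value)
{
    if (r->len + 6 > sizeof r->buf)
        return false;
    put_escaped(r, func);
    put_escaped(r, flags);
    put_escaped(r, value);
    return true;
}

/*
 * Bytes an unchecked implementation would write for n triples: 3n when no
 * byte is IAC, 6n when every byte is IAC. Anything above SLC_REPLY_SIZE
 * is an overflow of the fixed buffer.
 */
size_t unchecked_bytes_written(size_t ntriples, bool all_iac)
{
    return ntriples * (all_iac ? 6 : 3);
}

/*
 * Feed n triples from a constructed worst-case suboption (every byte IAC)
 * through the checked routine and report how many were dropped instead of
 * overflowing the buffer.
 */
size_t slc_triples_dropped(size_t ntriples)
{
    struct slc_reply r = { .len = 0 };
    size_t dropped = 0;
    for (size_t i = 0; i < ntriples; i++)
        if (!slc_add_reply_checked(&r, IAC, IAC, IAC))
            dropped++;
    return dropped;
}
```

With a 128-byte buffer, 43 non-IAC triples or 22 all-IAC triples already exceed it in the unchecked model, while the checked routine silently drops the 22nd all-IAC triple and every one after it.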
Solutions and Workarounds
=========================
There is no workaround to this problem.
It is recommended that all NetBSD users of affected versions upgrade
their telnet binaries to a non-vulnerable version.
The following instructions describe how to upgrade your telnet
binaries by updating your source tree and rebuilding and
installing a new version of telnet.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-03-29
should be upgraded to NetBSD-current dated 2005-04-01 or later.
The following files need to be updated from the netbsd-current CVS
branch (aka HEAD):
usr.bin/telnet/telnet.c
To update from CVS, re-build, and re-install telnet:
# cd src
# cvs update -d -P usr.bin/telnet/telnet.c
# cd usr.bin/telnet
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 2.0:
The binary distribution of NetBSD 2.0 is vulnerable.
NetBSD 2.1 includes the fix.
Systems running NetBSD 2.0 sources dated from before
2005-04-08 should be upgraded from NetBSD 2.0 sources dated
2005-04-09 or later.
The following files need to be updated from the
netbsd-2-0 CVS branch:
usr.bin/telnet/telnet.c
To update from CVS, re-build, and re-install telnet:
# cd src
# cvs update -d -P -r netbsd-2-0 usr.bin/telnet/telnet.c
# cd usr.bin/telnet
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6, 1.6.1, 1.6.2:
The binary distributions of NetBSD 1.6, 1.6.1, and 1.6.2 are vulnerable.
Systems running NetBSD 1.6 sources dated from before
2005-04-08 should be upgraded from NetBSD 1.6 sources dated
2005-04-09 or later.
NetBSD 1.6.3 will include the fix.
The following files need to be updated from the
netbsd-1-6 CVS branch:
usr.bin/telnet/telnet.c
To update from CVS, re-build, and re-install telnet:
# cd src
# cvs update -d -P -r netbsd-1-6 usr.bin/telnet/telnet.c
# cd usr.bin/telnet
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
iDEFENSE for researching this vulnerability.
MIT for alerting us about this vulnerability and providing a fix.
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-004.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-004.txt,v 1.13 2005/10/31 06:36:35 gendalia Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKUz5Ru2/4N2IFAQLEjQP+K/9/7qknJL6CXC0Y475wpLGzRfdQFZgn
7LX/2AfkvjWf/S4lNCJwjPFp5t2OT4b92ejAvoHTjsuBVAZXMubxk2+WPETykG6p
1UW9IujiLa/MTEYm8xTukmKA2RL+2E7Jf2n5dR0g9BM/+UZHprKgTV19SCAXzS6n
874WryZNtxE=
=iXJ4
- -----END PGP SIGNATURE-----
3.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-005
=================================
Topic: cgd(4) key destruction on unconfigure
Version: NetBSD-current: source prior to March 19, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: not affected
NetBSD 2.0: affected
NetBSD 1.6.*: not affected
Severity: possible key compromise
Fixed: NetBSD-current: March 19, 2005
NetBSD-3 branch: March 19, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: March 20, 2005
(2.0.2 includes the fix)
NetBSD-2 branch: March 20, 2005
(2.1 includes the fix)
Abstract
========
When a cgd(4) pseudo-device is unconfigured, the driver does not clear
memory containing key material before freeing it back to other kernel
use. A process may later allocate kernel memory and receive chunks
with data previously used by the cgd driver which may contain
encryption keys.
Technical Details
=================
The cgd(4) pseudo-device provides an encrypted virtual disk, layered
on top of other disk device drivers. The encryption is done in
software, with cryptographic keys configured and supplied to the
kernel via the cgdconfig(8) program, and stored in the kernel for the
lifetime of the pseudo-device.
With any such software-based encryption scheme, there is a risk of key
disclosure via examination of kernel memory. This is inherent in the
need for the kernel to perform cryptographic operations, and
unavoidable while the disk must be accessible to user processes.
A cgd(4) device can be unconfigured, which removes the in-kernel
configuration structures and prevents any further access to the
decrypted contents of the disk via the cgd(4) driver until the key is
re-entered. However, the structures containing key material were
freed back to the kernel memory pool without having their contents
erased first. It was therefore possible that key material could still
be present in kernel memory after the user expected it to be
destroyed.
Any mechanism that allows kernel memory disclosure poses potential
security risks, and care is always taken to avoid disclosing previous
memory contents when allocating memory in the kernel and communicating
with userland; it is therefore considered unlikely that this problem
would expose stale key material to any attacker not otherwise able to
read kernel memory.
The potential exposure lies in the user expectation that the keys are
destroyed; they may therefore take steps at this time which they might
otherwise avoid while key material is live in the kernel, and which
may increase the risk of key disclosure. The most significant risk
lies in the use of BIOS suspend-to-disk mechanisms, which write out
the contents of all physical memory to disk - potentially including
uncleared cgd(4) key material.
Note that the use of such suspend-to-disk mechanisms with cgd(4)
devices is heavily discouraged for these reasons; even when the device
has been unconfigured and the key destroyed, decrypted copies of
sensitive information from the disk may remain in physical memory
pages from unrecycled kernel buffers or user applications.
The cgd(4) driver appeared in NetBSD-current prior to the 2.0 release;
this issue does not affect the NetBSD 1.6 releases or earlier.
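The following added example models the fix class described above and is not the cgd(4) driver code. A structure holding a key and its expanded key schedule is handed back to the allocator either as-is (the vulnerable path) or after being wiped (the fixed path), and the function reports whether any key material is still readable at the moment of the free. The structure layout is an assumption for the example. The wipe uses a volatile pointer so that the compiler cannot treat a memset() immediately before free() as a dead store and remove it; NetBSD later added explicit_memset(3) for this purpose.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of a block holding cgd-style key material (not the real softc). */
struct key_block {
    size_t  keylen;
    uint8_t key[32];
    uint8_t schedule[240]; /* expanded round keys are key material too */
};

/*
 * Zero memory in a way the compiler may not optimise away before free().
 * Writing through a volatile pointer forces each store to happen.
 */
static void secure_memzero(void *p, size_t n)
{
    volatile uint8_t *vp = p;
    while (n--)
        *vp++ = 0;
}

static bool has_nonzero_byte(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc != 0;
}

/*
 * Configure a block with a constructed sample key, then "unconfigure" it.
 * Returns true if key material is still present when the block is handed
 * back to the allocator, which is what the next allocation would observe.
 */
bool key_material_leaks(bool clear_before_free)
{
    struct key_block *kb = malloc(sizeof *kb);
    if (kb == NULL)
        return true;

    /* constructed sample key and schedule: deterministic non-zero bytes */
    kb->keylen = sizeof kb->key;
    for (size_t i = 0; i < sizeof kb->key; i++)
        kb->key[i] = (uint8_t)(0xA5 ^ i);
    for (size_t i = 0; i < sizeof kb->schedule; i++)
        kb->schedule[i] = (uint8_t)(0x3C + i);

    /* vulnerable path: free as-is; fixed path: wipe the whole structure first */
    if (clear_before_free)
        secure_memzero(kb, sizeof *kb);

    bool leaks = has_nonzero_byte((const uint8_t *)kb, sizeof *kb);
    free(kb);
    return leaks;
}
```

Wiping the whole structure rather than just the key field matters because the expanded schedule alone is enough to decrypt.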
Solutions and Workarounds
=========================
There is no workaround to this problem. The fix requires a new kernel
to be built and installed.
The following instructions describe how to upgrade your cgd driver
by updating your source tree and rebuilding and installing a new version
of the kernel.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-03-19
should be upgraded to NetBSD-current dated 2005-03-20 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
sys/dev/cgd_crypto.c
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/dev/cgd_crypto.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
* NetBSD 2.0 (and subsequent point releases):
The binary distribution of NetBSD 2.0 (and subsequent point
releases) is vulnerable.
NetBSD 2.1 includes the fix.
Systems running NetBSD 2.0 (and subsequent point releases) built
from sources dated before 2005-03-20 should be upgraded from
sources dated 2005-03-21 or later.
The following directories need to be updated from CVS:
sys/dev/cgd_crypto.c
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/dev/cgd_crypto.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
Thanks To
=========
Daniel Carosone for reporting and fixing this vulnerability.
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-005.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-005.txt,v 1.8 2005/10/31 06:37:58 gendalia Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKXT5Ru2/4N2IFAQIBOwP/WKQny+zcV4KTzlid5xCtyWCjxN8BdVTt
S+jhtPlGEbQz6EhhdEF36TCF6EN91Zm5mdXe4PNqNJ+nR93FVdGvTNdsgTnQoDyv
PkseuJQE7qxUqyYzc55XLDMMX+e48Nnv1Bm3HApLZesbuHojA/XD7pHcLfambtbN
HyJHJHke3TA=
=xzUO
- -----END PGP SIGNATURE-----
4.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-006
=================================
Topic: Multiple vulnerabilities in CVS
Version: NetBSD-current: source prior to August 26, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: affected
NetBSD 2.0: affected
NetBSD 1.6.2: affected
NetBSD 1.6.1: affected
NetBSD 1.6: affected
pkgsrc: CVS packages prior to 1.11.20nb2
Severity: Remote execution of arbitrary code, denial of service and
local privilege escalation
Fixed: NetBSD-current: August 26, 2005
NetBSD-3 branch: August 26, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: August 26, 2005
(2.0.3 includes the fix)
NetBSD-2 branch: August 26, 2005
(2.1 includes the fix)
NetBSD-1.6 branch: August 26, 2005
(1.6.3 will include the fix)
pkgsrc: cvs-1.11.20nb2 or higher
correct the issues
Abstract
========
CVS has multiple vulnerabilities, ranging from remote execution of
arbitrary code to denial of service. Most of the issues are when the
CVS server is running in pserver mode.
Technical Details
=================
There are multiple issues, summarised in the following list:
* A heap overflow is present in the handling of "Entry" lines for CVS
servers running in pserver mode. An attacker would require write
access to the repository to exploit this.
* Problem handling malformed "Entry" lines and empty data lines,
which could lead to a denial of service (crash), modification of
critical program data or arbitrary code execution.
* Double-free vulnerability in "error_prog_name" string leading to
remote execution of arbitrary code.
* Integer overflow in the "Max-dotdot" CVS protocol command resulting
in denial of service.
* The "serve_notify" function does not correctly handle empty data
lines. Using a crafted request an attacker could potentially
execute arbitrary system commands.
* An unspecified buffer overflow leading to remote execution of
arbitrary code.
* Insecure temporary file handling in cvsbug script which can lead to
local privilege escalation.
Most of the issues only apply when CVS is running in server mode (e.g. pserver).
CVE: CAN-2004-0396, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417,
CAN-2004-0418, CAN-2005-2693 and CAN-2005-0753
Solutions and Workarounds
=========================
If you run a CVS server we highly recommend that you upgrade your CVS
binary to 1.11.20, or 1.12.12 or higher. This can be accomplished by
upgrading CVS in the base distribution or alternatively, deleting your
CVS binaries and updating from pkgsrc. pkgsrc sources from 2005-08-27
in both HEAD and pkgsrc-2005Q2 contain the fix.
To check which version of CVS you are running enter "cvs -v" and look
for the version string.
The following instructions describe how to upgrade your CVS
binaries by updating your source tree and rebuilding and
installing a new version of CVS.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-08-25
should be upgraded to NetBSD-current dated 2005-08-26 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
gnu/dist/cvs
gnu/usr.bin/cvs
To update from CVS, re-build, and re-install CVS:
# cd src
# cvs update -d -P gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 2.0:
The binary distribution of NetBSD 2.0 is vulnerable.
NetBSD 2.1 and 2.0.3 include the fix.
Systems running NetBSD 2.0 sources dated from before
2005-08-25 should be upgraded from NetBSD 2.0 sources dated
2005-08-26 or later.
The following directories need to be updated from the
netbsd-2-0 CVS branch:
gnu/dist/cvs
gnu/usr.bin/cvs
To update from CVS, re-build, and re-install CVS:
# cd src
# cvs update -d -P -r netbsd-2-0 gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6, 1.6.1, 1.6.2:
The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.
NetBSD 1.6.3 will include the fix.
Systems running NetBSD 1.6 sources dated from before
2005-08-25 should be upgraded from NetBSD 1.6 sources dated
2005-08-26 or later.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
gnu/dist/cvs
gnu/usr.bin/cvs
To update from CVS, re-build, and re-install CVS:
# cd src
# cvs update -d -P -r netbsd-1-6 gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Sebastian Krahmer and Stefan Esser: Discovery and notification
Jun-ichiro "itojun" Hagino: Initial research, fix and documentation
Matthias Scheler and Takahiro Kambe: Further fixes
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-006.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-006.txt,v 1.7 2005/10/31 06:40:04 gendalia Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKaj5Ru2/4N2IFAQKE4wP+KuycCCEBHqibLLE2k/Cv0RjDN3F9Ld9M
gLFySxpFwfYVkHAqs9J8A37qf6e07LbPQah8k89Rcy1lxhjKYzKXRsTWScLtZJcN
aZwGspv8lKQ5NUs+mWsf3FG1nSicroLgVwDbqOOQGp21zgPIGYecUnLfZ8vuD2jI
/XHPuVAQVsk=
=PcVV
- -----END PGP SIGNATURE-----
5.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-007
=================================
Topic: AES-XCBC-MAC (IPsec AH) calculated using fixed key
Version: NetBSD-current: source prior to July 28, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: affected
NetBSD 2.0: affected
NetBSD 1.6.*: unaffected
Severity: Affected SAs lack integrity protection so an attacker
can forge data and have it be wrongly accepted
Fixed: NetBSD-current: July 28, 2005
NetBSD-3 branch: July 28, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: July 28, 2005
(2.0.3 includes the fix)
NetBSD-2 branch: July 28, 2005
(2.1 includes the fix)
Abstract
========
Machines using IPsec [RFC2401] with AH and AES-XCBC-MAC algorithm
[RFC3566] incorrectly used a fixed key instead of the provided one.
Because a known key is used, affected Security Associations lack
integrity and data origin authentication protection, and an attacker
could send forged packets which would be accepted by the receiver.
Technical Details
=================
An error in the implementation of the AES-XCBC-MAC algorithm, used by
IPsec SAs for authentication, did not encrypt r_k1s in
ah_aes_xcbc_mac_init(), and only seeded it with the constant in
k1seed.
r_k1s was later passed as the encryption key to rijndaelEncrypt() by
ah_aes_xcbc_mac_loop() and ah_aes_xcbc_mac_result(), causing them to
use the same encryption key for authentication, without using the
key (set by the admin) passed from userland.
Because of this error, a receiving system using AH with AES-XCBC-MAC
checks an IPsec datagram with a fixed and known key. An attacker
could create a forged packet with a valid Integrity Check Value,
causing the receiver to accept the packet. Also, systems with this
bug would not interoperate with systems with the correct key.
If AH with AES-XCBC-MAC is used without confidentiality protection
(e.g. ESP [RFC2406]), an attacker can trivially cause data of his
choice to be received and processed. With confidentiality protection,
causing particular data to be processed is harder, but note that in
general confidentiality mechanisms do not provide effective integrity
protection.
Solutions and Workarounds
=========================
A workaround is to not use the AES-XCBC-MAC algorithm for authentication,
but it is highly recommended that any users of affected NetBSD versions
upgrade their kernel.
The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version of
the kernel.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-07-28
should be upgraded to NetBSD-current dated 2005-07-29 or later.
(Systems built from the netbsd-3 branch should be upgraded to
2005-07-29 or later.)
The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/sys/netinet6/ah_aesxcbcmac.c
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
* NetBSD 2.x:
Systems built from source along the netbsd-2 or netbsd-2-0 branches
dated from before 2005-07-28 should be upgraded from sources dated
2005-07-29 or later. This includes the binary distributions of
NetBSD 2.0 and NetBSD 2.0.2.
NetBSD 2.1 includes the fix.
The following files should be updated from CVS:
src/sys/netinet6/ah_aesxcbcmac.c
To update from CVS, verify that your sources are from the correct
branch, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/netinet6/ah_aesxcbcmac.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
* NetBSD 1.6 (and subsequent point releases) do not include
AES-XCBC-MAC and are thus unaffected.
Thanks To
=========
Yukiyo Akisada for reporting the bug to KAME.
SUZUKI Shinsuike for reporting the bug to NetBSD.
Christos Zoulas for quickly adapting the fix to NetBSD.
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-007.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-007.txt,v 1.8 2005/10/31 06:41:04 gendalia Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKdD5Ru2/4N2IFAQIEUQQAlpQMrJ1YeDOC4SggrVbxTgwr6HtZzSU6
Rl7F1fQybzN4tcUnYo3m20k57IKLr94SDOUI5rrL9O0qU8Oz/V7V8hI48Z82HXk9
gk2yFnWgeTYOOttSPXkEU7/ohDKibQXK6+1JTG3L3NTAAmphTBai0nxii0iNN9Vk
wdIxN4YcaqA=
=GnoS
- -----END PGP SIGNATURE-----
6.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-008
=================================
Topic: Heap memory corruption in FreeBSD compat code
Version: NetBSD-current: source prior to September 13, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: affected
NetBSD 2.0: affected
NetBSD 1.6.2: affected
NetBSD 1.6.1: affected
NetBSD 1.6: affected
Severity: local denial of service, local root compromise
Fixed: NetBSD-current: September 13, 2005
NetBSD-3 branch: September 13, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: September 13, 2005
(2.0.3 includes the fix)
NetBSD-2 branch: September 13, 2005
(2.1 includes the fix)
NetBSD-1.6 branch: September 14, 2005
(1.6.3 will include the fix)
Abstract
========
Due to insufficient length checking in FreeBSD compatibility code, it is
possible for a user to cause an integer overflow, resulting in a local
denial of service and potentially local root compromise.
Solutions and Workarounds
=========================
Kernels with FreeBSD binary emulation are affected, including the
default GENERIC kernel install. There is no workaround for this
issue. Users of affected NetBSD versions are highly recommended to
upgrade their kernel.
The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of
the kernel.
Systems running NetBSD of the affected branches, using sources earlier
than the fix date should be upgraded.
The following files need to be updated from CVS:
src/sys/compat/freebsd/freebsd_misc.c
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/compat/freebsd/freebsd_misc.c
# ./build.sh kernel=GENERIC
# mv /netbsd /netbsd.old
# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
# shutdown -r now
Thanks To
=========
Christer Oeberg discovered and reported this issue.
Christos Zoulas fixed the code.
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-008.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-008.txt,v 1.10 2005/10/31 06:43:09 gendalia Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKfj5Ru2/4N2IFAQISyAP+Oau9ytksViieV0U/1FoLqcsHQYxeDjKp
AafwviGUVMi9fB7tBw9z1Kvc/a/s4W7HzhmsAwNSRNvbpoKCiJaNC+8812/Q42Gp
vfcdy25EtZc7ALFTiOX6eBtj6WrFyHwLnT4ARukGap0sjIIqx/OLZjmMwQfx+O0j
mURB2urapu0=
=ErcI
- -----END PGP SIGNATURE-----
7.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-009
=================================
Topic: Insecure /tmp file usage when building using imake
Version: NetBSD-current: source prior to September 13, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: affected
NetBSD 2.0: affected
NetBSD 1.6.2: affected
NetBSD 1.6.1: affected
NetBSD 1.6: affected
pkgsrc: imake package prior to 4.4.0nb2 and
xorg-imake prior to 6.8.2nb2
Severity: overwrite arbitrary files on the system
Fixed: NetBSD-current: September 12, 2005
NetBSD-3 branch: September 12, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: September 13, 2005
(2.0.3 includes the fix)
NetBSD-2 branch: September 13, 2005
(2.1 includes the fix)
NetBSD-1.6 branch: September 14, 2005
(1.6.3 will include the fix)
pkgsrc: imake-4.4.0nb2 and xorg-imake-6.8.2nb2
or higher correct the issue
Abstract
========
Makefiles generated with imake use an insecure temporary file in /tmp.
Technical Details
=================
The issue is in the make target that generates the pre-formatted manual
page, used by software built with imake and the NetBSD.cf configuration.
A malicious local user can pre-create symlinks pointing at important files
(so that they are overwritten) and possibly cause a local denial of
service if the make process is run with elevated privileges.
On NetBSD, many pkgsrc packages built using imake are affected. For
example, building xvier, xmeter, transfig, tightvncviewer, xcolorsel,
magicpoint, fvwm1, xearth, xalarm, xmmix, and many others, use this make
target.
This issue has been reported to and corrected by X.org and XFree86.
Solutions and Workarounds
=========================
This issue affects only machines which build software using imake and
which also use the target to generate pre-formatted manual pages.
However, since no binary rebuilding is required in order to fix this
issue, it is recommended that all users upgrade their sources.
The following instructions describe how to update your source tree.
Source trees dated from before 2005-09-12 should be upgraded to
sources dated 2005-09-13 or later.
The following directories need to be updated from CVS:
xsrc/xfree/xc/config/cf/NetBSD.cf
To update from CVS:
# cd xsrc
# cvs update -d -P xfree/xc/config/cf/NetBSD.cf
# cp xfree/xc/config/cf/NetBSD.cf /usr/X11R6/lib/X11/config/NetBSD.cf
Thanks To
=========
The issue was discovered and reported by Jeremy C. Reed.
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-009.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-009.txt,v 1.15 2005/10/31 19:07:50 gendalia Exp $
8.
NetBSD Security Advisory 2005-010
=================================
Topic: OpenSSL "man in the middle" can force weak protocol
Version: NetBSD-current: source prior to October 11, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: affected
NetBSD 2.0: affected
NetBSD 1.6.*: affected
pkgsrc: openssl packages prior to 0.9.7h
Severity: information leak due to false sense of security
Fixed: NetBSD-current: October 11, 2005
NetBSD-3 branch: October 11, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: October 11, 2005
(2.0.3 includes the fix)
NetBSD-2 branch: October 11, 2005
(2.1 includes the fix)
NetBSD-1.6 branch: October 11, 2005
(1.6.3 will include the fix)
pkgsrc: openssl-0.9.7h corrects this issue
Abstract
========
A vulnerability in OpenSSL allowed a malicious man-in-the-middle to force
two endpoints of an SSL connection to negotiate using SSL 2.0, which is
known to have severe cryptographic weaknesses.
This vulnerability has been assigned CVE reference CAN-2005-2969.
Technical Details
=================
OpenSSL has an option SSL_OP_MSIE_SSLV2_RSA_PADDING to work around
various bugs in third-party software that might prevent
interoperability with OpenSSL. This option is implied by the use of
SSL_OP_ALL.
The said option disables a verification step in the SSL 2.0 server
supposed to prevent active protocol-version rollback attacks; such
attacks force the use of weaker protocols.
With this verification step disabled, a man-in-the-middle can force a
client and a server to negotiate the SSL 2.0 protocol, even if both
parties support SSL 3.0 or TLS 1.0.
Solutions and Workarounds
=========================
A workaround is to completely disable SSL 2.0 in any application that
uses OpenSSL.
It is recommended that NetBSD users of vulnerable versions update
their binaries.
The following instructions describe how to upgrade your OpenSSL
binaries by updating your source tree and rebuilding and
installing a new version of OpenSSL.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-10-11
should be upgraded to NetBSD-current dated 2005-10-12 or later.
The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/dist/openssl/ssl/s23_srvr.c
crypto/dist/openssl/crypto/opensslv.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -d -P crypto/dist/openssl/ssl/s23_srvr.c
# cvs update -d -P crypto/dist/openssl/crypto/opensslv.h
# cd lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 2.*:
The binary distribution of NetBSD 2.0 is vulnerable.
Systems running NetBSD 2.0 sources dated from before
2005-10-11 should be upgraded from NetBSD 2.0 sources dated
2005-10-12 or later.
NetBSD 2.1 and 2.0.3 include the fix.
The following files need to be updated from the
netbsd-2 CVS branch:
crypto/dist/openssl/ssl/s23_srvr.c
crypto/dist/openssl/crypto/opensslv.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -d -P -r netbsd-2 crypto/dist/openssl/ssl/s23_srvr.c
# cvs update -d -P -r netbsd-2 crypto/dist/openssl/crypto/opensslv.h
# cd lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6.*:
The binary distributions of NetBSD 1.6, 1.6.1, and 1.6.2 are vulnerable.
Systems running NetBSD 1.6 sources dated from before
2005-10-11 should be upgraded from NetBSD 1.6 sources dated
2005-10-12 or later.
NetBSD 1.6.3 will include the fix.
The following files need to be updated from the
netbsd-1-6 CVS branch:
crypto/dist/openssl/ssl/s23_srvr.c
crypto/dist/openssl/crypto/opensslv.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/openssl/ssl/s23_srvr.c
# cvs update -d -P -r netbsd-1-6 crypto/dist/openssl/crypto/opensslv.h
# cd lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Thanks to Yutaka Oiwa for reporting this issue to the OpenSSL team.
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-010.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-010.txt,v 1.5 2005/10/31 22:21:02 dan Exp $
9.
NetBSD Security Advisory 2005-011
=================================
Topic: ntpd may start with different group id than desired
Version: NetBSD-current: source prior to October 14, 2005
NetBSD 2.1: affected
NetBSD 2.0.3: affected
NetBSD 2.0.2: affected
NetBSD 2.0.1: affected
NetBSD 1.6.*: affected
pkgsrc: ntp packages prior to 4.2.0nb7
Severity: privilege escalation
Fixed: NetBSD-current: October 14, 2005
NetBSD-3 branch: October 14, 2005
(3.0 will include the fix)
NetBSD-2.1 branch: November 1, 2005
(2.1.1 will include the fix)
NetBSD-2.0 branch: November 1, 2005
(2.0.4 will include the fix)
NetBSD-2 branch: November 1, 2005
NetBSD-1.6 branch: November 1, 2005
pkgsrc: ntp-4.2.0nb7 corrects this issue
Abstract
========
When started with the -u parameter, and passed a group to run as, ntpd will
use the primary group of the user and not the provided group.
This vulnerability has been assigned CVE reference CAN-2005-2496.
Technical Details
=================
When invoked with the ``-u user:group'' or ``-u :group'' parameter, with
the group being specified as a group name, ntpd always accessed the
``pw_gid'' member of the credentials for ``user'', instead of the ``gr_gid''
member of the credentials for ``group''.
When both a user and group were specified, this meant ntpd ran with
the group-id being set to the primary group of the user. When only a
group was specified, ntpd would access an uninitialized pointer, which
would result in undefined behavior.
In a worst case scenario, when started with ``-u :group'' it could run
with root privileges. Another vulnerability would then be required to
maliciously exploit those privileges.
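The credential lookup the advisory describes, as an added example that is not ntpd's own code: the ``-u user:group'' argument is resolved with the named group's gr_gid rather than the user's pw_gid, the ``:group'' form is handled without touching an unset user pointer, and (an assumption of this example, not of ntpd) a decimal id is accepted where a name is unknown.

```c
/* Added example, not ntpd's own code: resolve an ntpd-style "-u user:group"
 * argument into the ids to switch to.  The advisory's bug read the user's
 * pw_gid where the named group's gr_gid was wanted, and dereferenced an unset
 * user pointer for "-u :group".  Accepting decimal ids is an assumption here. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define NO_ID ((unsigned long)-1)

struct run_ids {
    unsigned long uid;  /* uid to switch to, or NO_ID if no user was given */
    unsigned long gid;  /* gid to switch to, or NO_ID if none was chosen */
};

/* Parse a non-negative decimal id; returns 0 on success, -1 otherwise. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (*s == '\0' || *s == '-' || *end != '\0' || errno != 0) ? -1 : 0;
}

/* Resolve "user", "user:group" or ":group".  Returns 0 on success, -1 if the
 * argument is empty or names an unknown user or group. */
int resolve_run_ids(const char *arg, struct run_ids *ids)
{
    char buf[256], *user = buf, *group;
    unsigned long n;

    if (arg == NULL || *arg == '\0' || strlen(arg) >= sizeof buf)
        return -1;
    strcpy(buf, arg);
    group = strchr(buf, ':');
    if (group != NULL)
        *group++ = '\0';            /* split at the first ':' */
    ids->uid = ids->gid = NO_ID;
    if (*user != '\0') {
        struct passwd *pw = getpwnam(user);
        if (pw != NULL) {
            ids->uid = pw->pw_uid;
            ids->gid = pw->pw_gid;  /* primary group is only the default */
        } else if (parse_id(user, &n) == 0) {
            ids->uid = n;
        } else {
            return -1;
        }
    }
    if (group != NULL && *group != '\0') {
        struct group *gr = getgrnam(group);
        if (gr != NULL)
            ids->gid = gr->gr_gid;  /* the group's gr_gid, never pw_gid */
        else if (parse_id(group, &n) == 0)
            ids->gid = n;
        else
            return -1;
    }
    /* For ":group" alone ids->uid stays NO_ID: the caller must still drop
     * the uid (or refuse to start) rather than keep root's credentials. */
    return 0;
}
```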
Solutions and Workarounds
=========================
The default NetBSD ntp configuration is not vulnerable to this bug,
since the ntpd user already has the correct primary group id.
However, it is recommended that all users of affected versions update their
ntpd to include the fix.
The following instructions describe how to upgrade your ntpd
binaries by updating your source tree and rebuilding and
installing a new version of ntpd.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-10-13
should be upgraded to NetBSD-current dated 2005-10-14 or later.
The following file needs to be updated from the
netbsd-current CVS branch (aka HEAD):
src/dist/ntp/ntpd/ntpd.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -d -P dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 2.*:
Systems running NetBSD 2.* sources dated from before
2005-11-01 should be upgraded from NetBSD 2.* sources dated
2005-11-02 or later.
The following file needs to be updated from the
netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
dist/ntp/ntpd/ntpd.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -d -P -r netbsd-2 dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6.*:
Systems running NetBSD 1.6 sources dated from before
2005-11-01 should be upgraded from NetBSD 1.6 sources dated
2005-11-02 or later.
NetBSD 1.6.3 will include the fix.
The following file needs to be updated from the
netbsd-1-6 CVS branch:
dist/ntp/ntpd/ntpd.c
To update from CVS, re-build, and re-install ntpd:
# cd src
# cvs update -d -P -r netbsd-1-6 dist/ntp/ntpd/ntpd.c
# cd usr.sbin/ntp
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Josh Bressers for reporting the bug to Secunia.
Adrian Portelli for reporting the bug to the NetBSD Security Officer.
Revision History
================
2005-11-01 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-011.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-011.txt,v 1.6 2005/10/31 22:21:02 dan Exp $
10.
NetBSD Security Advisory 2005-012
=================================
Topic: SO_LINGER argument checking DIAGNOSTIC panic
Version: NetBSD-current: source prior to October 21, 2005
NetBSD 2.1: affected
NetBSD 2.0.3: affected
NetBSD 2.0: affected
NetBSD 1.6: not affected
Severity: local denial-of-service crash by unprivileged user
Fixed: NetBSD-current: October 21, 2005
NetBSD-3 branch: October 21, 2005
NetBSD-2.1 branch: October 31, 2005
(2.1.1 will include the fix)
NetBSD-2.0 branch: October 31, 2005
(2.0.4 will include the fix)
NetBSD-2 branch: October 21, 2005
Abstract
========
The SO_LINGER socket option can be passed a negative linger time, which
an unprivileged user can use to trigger a kernel assertion panic if the
kernel is compiled with "options DIAGNOSTIC".
Technical Details
=================
The socket option SO_LINGER, accessed through setsockopt(3), takes a
structure containing the linger time, in seconds. This linger time
argument was not being bounds checked carefully enough. If you pass a
negative linger time and enable the socket option, soclose() calls
tsleep() with a timeout of that negative time * hz. The same problem
occurs if the number of seconds times hz overflows INT_MAX.
In a DIAGNOSTIC kernel, KASSERT() in callout_reset() fires when it
receives the negative value, triggering a panic. With DIAGNOSTIC off,
this appears to be harmless.
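The bounds check that the advisory describes as missing, as an added example rather than NetBSD's own uipc_socket.c: a linger time is rejected at setsockopt() time if it is negative or if l_linger * hz would overflow INT_MAX, so no negative tick count can reach tsleep() and callout_reset(). Taking hz as a parameter and reporting EDOM are assumptions of this example.

```c
/* Added example, not NetBSD's uipc_socket.c: validate a SO_LINGER argument
 * before soclose() converts it into a tsleep() timeout of l_linger * hz
 * ticks.  Passing hz as a parameter and using EDOM are assumptions here. */
#include <errno.h>
#include <limits.h>
#include <sys/socket.h>   /* struct linger: l_onoff, l_linger (seconds) */

/* Returns 0 if the argument is acceptable, EDOM otherwise. */
int linger_check(const struct linger *l, int hz)
{
    if (l->l_onoff == 0)
        return 0;                     /* linger disabled: l_linger is unused */
    if (l->l_linger < 0)
        return EDOM;                  /* negative timeout would reach callout_reset() */
    if (hz <= 0 || l->l_linger > INT_MAX / hz)
        return EDOM;                  /* l_linger * hz would overflow INT_MAX */
    return 0;
}

/* Timeout in ticks that soclose() may hand to tsleep(), computed only after
 * the check above passes.  Returns -1 for a value the check rejects. */
int linger_ticks(const struct linger *l, int hz)
{
    if (linger_check(l, hz) != 0)
        return -1;
    return l->l_onoff ? l->l_linger * hz : 0;
}
```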
The SO_LINGER time argument has never been properly bounds checked;
however, the potential crash was introduced together with the new
callout implementation that entered NetBSD-current at 1.6N, after the
1.6 release was branched. In that implementation, a KASSERT() is called
on all timeout values to catch cases such as this, instead of silently
bumping any negative value up to 1. Therefore, releases 1.6 and
prior, and non-DIAGNOSTIC kernels, cannot be used to trigger a crash
in this manner.
The additional consistency checks enabled by this option are somewhat
expensive, and can trigger crash dumps for analysis should they fire,
as in this case. Therefore, DIAGNOSTIC is not recommended for use on
production systems, though it may well be desirable on development or
test systems.
A number of NetBSD ports ship GENERIC or other kernel configurations
with DIAGNOSTIC enabled.
Solutions and Workarounds
=========================
Users running kernels without "options DIAGNOSTIC" are not affected,
and need take no action.
For affected systems, the kernel must be rebuilt to remove the
vulnerability - either by removing the DIAGNOSTIC option from your
kernel config, or by updating the kernel sources to include the fix
for additional bounds checking (or both).
For all affected NetBSD versions, you need to obtain fixed kernel
sources, rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/kern/uipc_socket.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
http://www.netbsd.org/guide/en/chap-kernel.html
Thanks To
=========
Nathan J. Williams for finding and fixing the issue.
Revision History
================
2005-11-01 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-012.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-012.txt,v 1.4 2005/11/02 04:34:23 dan Exp $
11.
NetBSD Security Advisory 2005-013
=================================
Topic: ptrace() permissions after S[UG]ID and exec()
Version: NetBSD-current: source prior to October 21, 2005
NetBSD 2.1: affected
NetBSD 2.0.3: affected
NetBSD 2.0: affected
NetBSD 1.6: affected
Severity: privilege escalation and injection of code
Fixed: NetBSD-current: October 31, 2005
NetBSD-3 branch: October 31, 2005
NetBSD-2.1 branch: October 31, 2005
(2.1.1 will include the fix)
NetBSD-2.0 branch: October 31, 2005
(2.0.4 will include the fix)
NetBSD-2 branch: October 31, 2005
NetBSD-1.6 branch: October 31, 2005
Abstract
========
Processes running with alternate privileges gained from setuid and
setgid executables are prevented from debugger attachment by their
original owner (via ptrace). However, if these processes exec'd
without resetting their real credentials, the replacement process
could be attached to and tampered with.
Technical Details
=================
A process flag P_SUGID is used to track processes that have gained
privileges via the set-id execution bits. This flag is checked by
ptrace when deciding whether to allow debugger attachment.
When a process called exec(), this flag was being cleared, even if the
real and effective credentials were still different. This would defeat
the ptrace check for the replacement process image, and allow
inappropriate attachment by processes owned by the real uid. This
attachment could then be used to alter the behaviour of the process,
and make additional syscalls under the effective uid.
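A model of the P_SUGID bookkeeping the advisory describes, added here as an example and not taken from the NetBSD kernel: the vulnerable exec() path clears the flag unconditionally, the corrected path keeps it while real and effective credentials still differ, and a ptrace attach check shows why that matters. Credentials as plain fields and the exact shape of the two exec() paths are this example's reconstruction.

```c
/* Added example, not NetBSD kernel code: a model of the P_SUGID bookkeeping
 * the advisory describes.  Credentials are plain fields, and the "old" and
 * "fixed" exec() paths are this example's reconstruction of the described
 * behaviour, not the actual kern_exec.c change. */
#include <stdbool.h>

#define P_SUGID 0x1   /* process gained privilege through a set-id exec */

struct proc {
    unsigned ruid, euid;   /* real and effective uid */
    unsigned rgid, egid;   /* real and effective gid */
    int flags;
};

/* exec() of a set-id image: effective uid comes from the file, flag is set. */
void exec_setid(struct proc *p, unsigned file_uid)
{
    p->euid = file_uid;
    p->flags |= P_SUGID;
}

/* Vulnerable exec() of a non-set-id image: P_SUGID is cleared even though
 * the real and effective credentials may still differ. */
void exec_plain_old(struct proc *p)
{
    p->flags &= ~P_SUGID;
}

/* Fixed exec() of a non-set-id image: clear P_SUGID only once the
 * credentials carried into the new image actually agree. */
void exec_plain_fixed(struct proc *p)
{
    if (p->ruid == p->euid && p->rgid == p->egid)
        p->flags &= ~P_SUGID;
}

/* Attach permission model: root may attach to anything; anyone else must
 * own the target by real uid and the target must not carry P_SUGID. */
bool ptrace_attach_allowed(const struct proc *tracer, const struct proc *target)
{
    if (tracer->euid == 0)
        return true;
    return tracer->ruid == target->ruid && !(target->flags & P_SUGID);
}

/* Scenario from the advisory: uid 1000 runs a setuid-root program, which
 * then exec()s another image without resetting its real uid; a second
 * process of uid 1000 asks to attach.  Returns whether attach is permitted. */
bool setuid_then_exec_attachable(bool fixed_kernel)
{
    struct proc target = { 1000, 1000, 100, 100, 0 };
    struct proc tracer = { 1000, 1000, 100, 100, 0 };
    exec_setid(&target, 0);        /* setuid-root image: euid 0, P_SUGID set */
    if (fixed_kernel)
        exec_plain_fixed(&target); /* ruid 1000 != euid 0: flag is kept */
    else
        exec_plain_old(&target);   /* flag dropped: the ptrace check now passes */
    return ptrace_attach_allowed(&tracer, &target);
}
```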
Solutions and Workarounds
=========================
A limited workaround may be to mount filesystems with the nosuid
option, or remove setuid bits or general user access from setuid
programs. This is likely to affect required functionality.
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/kern/kern_exec.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
http://www.netbsd.org/guide/en/chap-kernel.html
Thanks To
=========
Tavis Ormandy for reporting the bug and Christos Zoulas for the fix.
Revision History
================
2005-11-01 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-013.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-013.txt,v 1.3 2005/11/01 02:24:48 dan Exp $