===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1038
                   Arbitrary Kernel Read with netstat -P
                               31 July 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           netstat
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2013-006.txt.asc

--------------------------BEGIN INCLUDED TEXT--------------------

		NetBSD Security Advisory 2013-006
		=================================

Topic:		Arbitrary Kernel Read with netstat -P


Version:	NetBSD-current:		source prior to Jun 21st, 2013
		NetBSD 6.0:		affected
		NetBSD 6.0.*:		affected
		NetBSD 6.1:		affected
		NetBSD 5.1:		affected
		NetBSD 5.2:		affected

Severity:	Information Disclosure

Fixed:		NetBSD-current:		June 20th, 2013
		NetBSD-6-0 branch:	July 29th, 2013
		NetBSD-6-1 branch:	July 29th, 2013
		NetBSD-6 branch:	July 29th, 2013
		NetBSD-5-1 branch:	July 30th, 2013
		NetBSD-5-2 branch:	July 30th, 2013
		NetBSD-5 branch:	July 30th, 2013

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

netstat -P may disclose contents of kernel memory that aren't Protocol
Control Blocks.


Technical Details
=================

netstat -P does not check whether the address it gets called with is
actually pointing to a Protocol Control Block, nor whether (if it is
a PCB) the reader should have privileges to read it. This allows a
malicious user to study arbitrary sections of kernel memory.
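
The two missing checks named above (is the address really a PCB, and may this caller read it), shown as an added example on a constructed model. This is not NetBSD's netstat code; the struct layout, table, function names and the "owner or uid 0" policy are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: a PCB-like record, a table of live PCBs, and
 * unrelated "kernel" data that a caller must never be able to read. */
struct pcb { uint32_t owner_uid; uint16_t lport, fport; };
static struct pcb pcb_table[] = { {1000, 22, 40000}, {0, 25, 40001} };
static const char other_kernel_data[16] = "not-a-pcb-bytes";
#define NPCB (sizeof pcb_table / sizeof pcb_table[0])

enum { DUMP_OK = 0, DUMP_NOT_PCB = -1, DUMP_DENIED = -2 };

/* Flawed shape: trusts the caller's address and copies whatever is there. */
static int dump_unchecked(uintptr_t addr, struct pcb *out)
{
    memcpy(out, (const void *)addr, sizeof *out);
    return DUMP_OK;
}

/* Hardened shape: the address must match a known PCB exactly, and the
 * caller must be allowed to see it (assumed policy: owner or uid 0). */
static int dump_checked(uintptr_t addr, uint32_t caller_uid, struct pcb *out)
{
    for (size_t i = 0; i < NPCB; i++) {
        if ((uintptr_t)&pcb_table[i] != addr)
            continue;
        if (caller_uid != 0 && pcb_table[i].owner_uid != caller_uid)
            return DUMP_DENIED;
        *out = pcb_table[i];
        return DUMP_OK;
    }
    return DUMP_NOT_PCB;
}

int main(void)
{
    struct pcb p;
    uintptr_t stray = (uintptr_t)other_kernel_data;

    dump_unchecked(stray, &p);   /* copies non-PCB bytes to the caller */
    printf("unchecked leaked non-PCB data: %s\n",
           memcmp(&p, other_kernel_data, sizeof p) == 0 ? "yes" : "no");
    printf("checked, stray address: %d\n", dump_checked(stray, 1000, &p));
    printf("checked, other user's PCB: %d\n",
           dump_checked((uintptr_t)&pcb_table[1], 1000, &p));
    printf("checked, own PCB: %d\n",
           dump_checked((uintptr_t)&pcb_table[0], 1000, &p));
    return 0;
}
```

Matching the address against an enumerated list also rejects pointers into the middle of a valid record, which a simple range check would accept.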


Solutions and Workarounds
=========================

Workaround:
Remove the setgid flag from netstat (chmod 555 /usr/bin/netstat).

Solutions:
- Install a new netstat binary from a daily build later than the
  fix date from the same branch: fetch from
  http://nyftp.NetBSD.org/pub/NetBSD-daily/<branch>/<date>/<arch>/
  the file binary/sets/base.tgz

  cd / && tar xzpf <base.tgz-path> ./usr/bin/netstat

- Rebuild your system with the fixes applied.

                                HEAD   netbsd-6   netbsd-6-1  netbsd-6-0
src/usr.bin/netstat/inet.c	1.103  1.101.2.1  1.101.14.1  1.101.8.1
src/usr.bin/netstat/inet6.c	1.62   1.59.6.1   1.59.16.1   1.59.12.1
src/usr.bin/netstat/main.c	1.86   1.81.4.1   1.81.10.1   1.81.8.1
src/usr.bin/netstat/netstat.h	1.47   1.43.4.1   1.43.10.1   1.43.8.1

                                netbsd-5  netbsd-5-2     netbsd-5-1
src/usr.bin/netstat/inet.c      1.88.6.2  1.88.6.1.10.1  1.88.6.1.6.1
src/usr.bin/netstat/inet6.c     1.50.6.2  1.50.6.1.10.1  1.50.6.1.6.1
src/usr.bin/netstat/main.c      1.70.4.1  1.70.2.1       1.70.12.1
src/usr.bin/netstat/netstat.h   1.36.8.1  1.36.6.1       1.36.16.1


Thanks To
=========

Thanks to Beverly Schwartz for finding the problem, and informing
the NetBSD Security Officer about it.


Revision History
================

	2013-07-30	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2013, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2013-006.txt,v 1.2 2013/07/30 20:44:22 tonnerre Exp $

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================