31 July 2013
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.1038 Arbitrary Kernel Read with netstat -P 31 July 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: netstat Publisher: NetBSD Operating System: NetBSD Impact/Access: Access Privileged Data -- Existing Account Resolution: Patch/Upgrade Original Bulletin: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2013-006.txt.asc - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2013-006 ================================= Topic: Arbitrary Kernel Read with netstat -P Version: NetBSD-current: source prior to Jun 21st, 2013 NetBSD 6.0: affected NetBSD 6.0.*: affected NetBSD 6.1: affected NetBSD 5.1: affected NetBSD 5.2: affected Severity: Information Disclosure Fixed: NetBSD-current: June 20th, 2013 NetBSD-6-0 branch: July 29th, 2013 NetBSD-6-1 branch: July 29th, 2013 NetBSD-6 branch: July 29th, 2013 NetBSD-5-1 branch: July 30th, 2013 NetBSD-5-2 branch: July 30th, 2013 NetBSD-5 branch: July 30th, 2013 Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== netstat -P may disclose contents of kernel memory that aren't Protocol Control Blocks. Technical Details ================= netstat -P does not check whether the address it gets called with is actually pointing to a Protocol Control Block, nor whether (if it is a PCB) the reader should have privileges to read it. This allows a malicious user to study arbitrary sections of kernel memory. Solutions and Workarounds ========================= Workaround: Remove the setgid flag from netstat (chmod 555 /usr/bin/netstat). Solutions: - - - Install a new netstat binary from a daily build later than the fix date from the same branch: fetch from http://nyftp.NetBSD.org/pub/NetBSD-daily/<branch>/<date>/<arch>/ the file binary/sets/base.tgz cd / && tar xzpf <base.tgz-path> ./usr/bin/netstat - - - Rebuild your system with the fixes applied. HEAD netbsd-6 netbsd-6-1 netbsd-6-0 src/usr.bin/netstat/inet.c 1.103 220.127.116.11 18.104.22.168 22.214.171.124 src/usr.bin/netstat/inet6.c 1.62 126.96.36.199 188.8.131.52 184.108.40.206 src/usr.bin/netstat/main.c 1.86 220.127.116.11 18.104.22.168 22.214.171.124 src/usr.bin/netstat/netstat.h 1.47 126.96.36.199 188.8.131.52 184.108.40.206 netbsd-5 netbsd-5-2 netbsd-5-1 src/usr.bin/netstat/inet.c 220.127.116.11 18.104.22.168.10.1 22.214.171.124.6.1 src/usr.bin/netstat/inet6.c 126.96.36.199 188.8.131.52.10.1 184.108.40.206.6.1 src/usr.bin/netstat/main.c 220.127.116.11 18.104.22.168 22.214.171.124 src/usr.bin/netstat/netstat.h 126.96.36.199 188.8.131.52 184.108.40.206 Thanks To ========= Thanks to Beverly Schwartz for finding the problem, and informing the NetBSD Security Officer about it. Revision History ================ 2013-07-30 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-006.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2013, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2013-006.txt,v 1.2 2013/07/30 20:44:22 tonnerre Exp $ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJR+CYEAAoJEAZJc6xMSnBuUNQP/R5ky2UAEDkRrzkuVHU0Hufr PxOfq5U4Y34nUZQ7IOrZbieBcCuuMNnkQ+Ckm4cSlIGMo5Tv1E2+wTlssS+3A92c 3+FbDe3DYxbKrKP9oHl5AHD+eOAZ0Vx3UlrgK3qAKuEGIxoCLFbIz5LvR9sIJI2S 1Fsxp0705B1pqpkIUN+kZofNe/yFE6JSOnna5bc/inNfBNE18L4sdTGmBQdEloxz 8br2II3uVWMN/9nro8vGKG+NfuWRCr0+mLD7oQ9/csa0gSBKCd6zL7goJruNKNSk N8js85jz6fZIOFuy8WwD2cAJ1zHAaJvoFMQ48HFOTkFzlUqV+NmmTIKZbLlgUFD5 VxzYOVt7cZLuv3tLlVJapKNLTOS3+fQrsG3iAsnc+N55M+zbd1b11STURT/H/KGv +FhKmfsAitYTXBptRXv9masJMzfhvUo5vdSpZ3NT2z2ceQx/czW7C08JCqYDOCpd uROm5CzIRRVHoAIqwdUBb+RcoG9ANTlok5X3SYDdmP2pZh5obXKIP8Bfy8BWusqm Nc5wf+lix/9egzht9nOH8Hlq4ioix4kAvJZ3wW4Jfln0tCPattm55iTt0DYk7o5G 8+O4pEcccyokqZiZDihv8T1sICWgnAi7B0Rar4YixthT2Rky8C05QGlGVKZZcbyb ep0P++Vom2F/4t1iFsyq =ZpXK - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUfimXRLndAQH1ShLAQLiCg//fVuFQ6qSKpsNt8Jb7vUaW0PDfoAXuFDR aOwp+HDRP4z5NuxFLdgnpR4EjjY6QOT8rOlMQEIFJfkQ6nPaT4Kfwnv2J/g0Nnj8 QqWm//J4iByZ6mVdeFuR8Exch8Vlr+jFq7u+n+uSRMTgxk0RKcsqH315ng16Yxhj 4M7ynhxNmqtojcoIDRCYKfPWyiCAzS+cY4pCZO7WAJmGDtno/ky3Ze/5snf3AJaC lSAnf3188Gmm0SHYfyZL+NP6bEKXM+syM/GK+b5pEMBfLemw2Ggc4oR8of28vp/k 1BXJrxgOXDkN0DcjuIV59RMx7686VAXpykExIabA5Dab9eG3iu8WLnN7PWuBYURA WGZRMHxprYFTg6Jk+owr38Y1nowoE4ic7zYy0bjtFzXKIArYW5qE0JkYw08qdnaq XKFD1bh0JCaf+e2UDcPTDZMnSI702bUvG6O00IrGr7rlFkY0RYCoYLS5KxeqY0GY jozVvPN45A7p2mFbN7dlfTfZvO52xvU7DppqPMsFq50rQAa46VHFuJOKlMkRiOYv /wmvEfkY0gcMgl7y5pKlyZVU06dMd0BBy1Dwd8pTK3HLLyxQbDowNYIvQY0X39/9 NiJgghUzhnBNNJcGXxdGpvbP9BO718Qy5S8+z8QI8x1DFpdDl8hc3kOAS5XcEsCB X0mnZJTE/QA= =3VmE -----END PGP SIGNATURE-----