Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.1932 rtsold(8) remote buffer overflow vulnerability 23 October 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: rtsold Publisher: FreeBSD Operating System: FreeBSD BSD variants Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-3954 Original Bulletin: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:20.rtsold.asc Comment: This advisory references vulnerabilities in products which run on platforms other than FreeBSD. It is recommended that administrators running rtsold check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-14:20.rtsold Security Advisory The FreeBSD Project Topic: rtsold(8) remote buffer overflow vulnerability Category: core Module: rtsold Announced: 2014-10-21 Credits: Florian Obser, Hiroki Sato Affects: FreeBSD 9.1 and later. Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1) 2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10) 2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE) 2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3) 2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13) 2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20) CVE Name: CVE-2014-3954 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background As part of the stateless addess autoconfiguration (SLAAC) mechanism, IPv6 routers periodically broadcast router advertisement messages on attached networks to inform hosts of the correct network prefix, router address and MTU, as well as additional network parameters such as the DNS servers (RDNSS), DNS search list (DNSSL) and whether a stateful configuration service is available. Hosts that have recently joined the network can broadcast a router solicitation message to solicit an immediate advertisement instead of waiting for the next periodic advertisement. The router solicitation daemon, rtsold(8), broadcasts router solicitation messages at startup or when the state of an interface changes from passive to active. Incoming router advertisement messages are first processed by the kernel and then passed on to rtsold(8), which handles the DNS and stateful configuration options. II. Problem Description Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8). III. Impact Receipt of a router advertisement message with a malformed DNSSL option, for instance from a compromised host on the same network, can cause rtsold(8) to crash. While it is theoretically possible to inject code into rtsold(8) through malformed router advertisement messages, it is normally compiled with stack protection enabled, rendering such an attack extremely difficult. When rtsold(8) crashes, the existing DNS configuration will remain in force, and the kernel will continue to receive and process periodic router advertisements. IV. Workaround No workaround is available, but systems that do not run rtsold(8) are not affected. As a general rule, SLAAC should not be used on networks where trusted and untrusted hosts coexist in the same broadcast domain. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch # fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch.asc # gpg --verify rtsold.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/rtsold.patch c) Recompile rtsold. Execute the following commands as root: # cd /usr/src/usr.sbin/rtsold # make && make install 4) Restart the affected service To restart the affected service after updating the system, either reboot the system or execute the following command as root: # service rtsold restart VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - - ------------------------------------------------------------------------- stable/9/ r273412 releng/9.1/ r273415 releng/9.2/ r273415 releng/9.3/ r273415 stable/10/ r273411 releng/10.0/ r273415 releng/10.1/ r273414 - - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3954> The latest revision of this advisory is available at <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:20.rtsold.asc> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJURsSoAAoJEO1n7NZdz2rn5GsP/2y0fUJYVdsZjA4VtUcLFp4Q nhjGO3I4NOXZAj3c+bWwbw/Bmg7juFVXiAdLgcpK8UuTT+0znAkEcGoG+uA9q6K1 PoFjTmXoukIqtu4sd5Gxp74+xVqY41XOuwanHNMiCbvGEbInxoCs3t56C7Ai1/9m DXhDCukNEH9JZv5qUS5L7IcosuQs2l1viU9oUA/hSfVeI9IFKp8SItDthwtLVrXe bgr50oQdCtwR3gx3Dwkg//er3JCsSJ0ixJO0bGGaqnGLPq7gwmJf8zKy10EE2fri AMpUcYMsO+MqhE+PyyuW9MJaPpX+zghZac75UYPh0EckIn8m2p6QGYXcDtZ18qR8 uq4JCk5nDARKuy7kraEuNJgFzNIBN/wVwOSqaF4n43vhmsuiKF9uzePrtEhB7xoN 7vT66EXXkCgiqQrQVJ6IH5LzoUJtYVDZTWLWU66r919qbQzYQFU7uslaGF8rgVIg HZOfEbDto3dvULmbVHkaWiyotKYSKXZROBTKvTOWVs+BX37zQgg4PGuU6CqatB8R Sltg2kxycQXoIm5XiiSL18RTgxEWb+DKfw8e/691EM1/F3XIQVNX11wJpeZwL/sf zE9TtTnmqpIBPGIe7aURgJWwX/iA4ljAqB1t5DmgIQrJMXovMXnAVMIu4L2jy+gY eRy82+SI3pc3thChv2hv =L56U - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVEinLBLndAQH1ShLAQI9RRAAkTkeLaCnHDW/Dvwam2bmZgjqjgr52S/e BOpt0Cg74ydTOhEL9MXk46Yxj8VXJ0vNfnw8Y46MfC7Uxrkwk+Q2KvjYIEb/21iw IF5hWpr+l8V6tGwMbZZgRmB1nmZDbo/DCtDo8be4EOzQcLBOIL/QEVtBkkjkup8u Ok3EsRgi3/mphqU3ZI3smf0/vep0aFfEtY8hkoRkxAbBfF9uS4Jak8ymb9PK1HUh nWaN90C5501S78cx7lYYOETNZtyjEibRD6WKkACy1GWhfO+ryT+3m4XMVSiPCX0a 6I7OPYc4Kx5FDCazE97Byo5p+aK68dquQQG/+CBdMsW8pw0R/CTV0S4LNdtiiiOu 9WlVq2QdpLgEsgHGqzVf3P0fkQgM5qtbUoS9Y33UGZJ6d1d0SDkhBsJeK/FpmjXq eyjE7s3WWorKPgUORevJbmnASOGDggFWSUsZI9n5/xNV79e0JCSF221Lo3X6JuEi SfJM+82D6gs/65YWIxVT+nNen521yupxP4edWBrxVYrdq49FjurTRK00bfIaj/8L sEVTWUJLBTSBibf8VIeU2HeEPFYJ4OTI5vtkPXdOKx73nOoX5XsnTXbYut94IH7F 8MglBznZG3Yqu3aRBbalQ0h+j4XkK2Uoa95Fgs6Xd2STa9GuDtsYs51UmOkRAe3K z08pedZ38jc= =t0va -----END PGP SIGNATURE-----