23 October 2014
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.1935 routed(8) remote denial of service vulnerability 23 October 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: routed Publisher: FreeBSD Operating System: FreeBSD BSD variants UNIX specific Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-3955 Original Bulletin: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:21.routed.asc Comment: This advisory references vulnerabilities in products which run on platforms other than FreeBSD. It is recommended that administrators running routed check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-14:21.routed Security Advisory The FreeBSD Project Topic: routed(8) remote denial of service vulnerability Category: core Module: routed Announced: 2014-10-21 Credits: Hiroki Sato Affects: All supported versions of FreeBSD. Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1) 2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10) 2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE) 2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3) 2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13) 2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20) 2014-10-21 20:20:26 UTC (stable/8, 8.4-STABLE) 2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17) CVE Name: CVE-2014-3955 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background The routing information protocol (RIP) is an older routing protocol which, while not as capable as more recent protocols such as OSPF and BGP, is sometimes preferred for its simplicity and therefore still used as an interior gateway protocol on smaller networks. Routers in a RIP network periodically broadcast their routing table on all enabled interfaces. Neighboring routers and hosts receive these broadcasts and update their routing tables accordingly. The routed(8) daemon is a RIP implementation for FreeBSD. The rtquery(8) utility can be used to send a RIP query to a router and display the result without updating the routing table. II. Problem Description The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network. III. Impact Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router. IV. Workaround Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP packets with destination port 520 that did not originate on the same subnet as the destination address. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch # fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch.asc # gpg --verify routed.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/routed.patch c) Recompile routed. Execute the following commands as root: # cd /usr/src/sbin/routed # make && make install 4) Restart the affected service To restart the affected service after updating the system, either reboot the system or execute the following command as root: # service routed restart VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - - ------------------------------------------------------------------------- stable/8/ r273413 releng/8.4/ r273416 stable/9/ r273412 releng/9.1/ r273415 releng/9.2/ r273415 releng/9.3/ r273415 stable/10/ r272872 releng/10.0/ r273415 releng/10.1/ r273414 - - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3955> The latest revision of this advisory is available at <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:21.routed.asc> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJURsSrAAoJEO1n7NZdz2rneOIQAIXaYGwNAYmVFUqa/YOtxSlQ l1ETThsuHxuDUrlkHD82uZu6yJi+HdGz1R2xBLYlxpwk/4GO3D/IdUZI0w1LgNJs JRHmAikUpCgcMh0QfyoHD9KSp3wPiQJ9Cmp6ajrjsdIdjrNbFwczoaWHHQ1MyRwp kv9OEC7t9rJkZRMuCjrSvGTQVqHFixoZUdJV42a2PNYTyWZmwE33GJ+Zgv/59mPw bzGTTI3RTuj1WUJp4MmYV3Eb8y8SnM6szUs4Wlul/uVGfEI3dXYYo3iAHQNHWpAR sUaqoVI16P5x952I9PbMA/J5wq/Nm2bVwEAsJN9NE/KPMdD1I4QzvyAlNRFCro8S C7qS4a0X75nQ+pehRqPVDdnvJbkxfdgsWP+jwVZ4e0244DQfiKWTKTd+If/cPHa8 T0z1uZ4xE/BQ0DpJiu9r/ndcm5ych6TbIkNXmGI05jQPntvSYQzhyUTEp2Rmq3IX rmre4CHWrTYT7/niTJonieErmtGDe5LrUyP2Odv13euKEsCIbSOPVnDFFhAwsAjJ zu2Tm+BPXh0lXHuq/tQ+L5lWv1uoMi9hkLxh6zhFaX4li15sS5tR+GeBXmd9h2Wp +iT5hvgxfnQPZI3Ey932J20+7LMULlkr2aV2h5NcvroolnQIehj12z0IQBelFsXN wtFPveXqXWUfV8WVNBJ1 =uHh+ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVEitIRLndAQH1ShLAQLRPg//YbvJWu45gt+T3a14gzjiJWAZDo8J7PwD IWmnFeNYq/gAqR2FdNRzKtDYk81Sjm6I0fms1Wndbm+wwrcRvv2W1wdb6e7dI+zj H3ZXzgsqokl/5hkcm7C3PLJRBayq1kZiig6UID0+n4RmNvRfIDxSZ4pj3Nm3I0vY w37xkDdTrSnX3oiX2PCMcpN2YjfCSDSpj1DbEHw5Suwi8gSp5hID9c/ErHD8mjXm duoK7g/NQkqQ8FszyVV6r9EFZVCDNidDc9Gf+YAJMMK0SVYTvXTCujpyQcAiKPlb i3GSc1piMYx4qpXzkbasm9hXYwL7g4b09eirlaz4uwhxURSJ9orXSqEi2Uu/KWQV tCoH1XhPQ6DnFNmOgjCCiIF7VBkYZou3nhFsUYlUuXuy0SbDdO1V9MDK51xRod/q yY/eCllFLZJ/qsKiOWpxPmIKHoU+l0JXsid+v5HevD8C++hf/eXOo3b4AQSnxdNK B6FC78RfCRVEy9jH6aW7mVEfP4G2qZ6nxAkvxVNEm6weZEsF4aAOizcYpurRr5tf VLLYjYH+ooaUOBL54QVpV5udreN+CEQFbhoMZNhC14uNcly3CCblRHfMFvL0cEow dFLtIn3rAeGPeSmXmGdI4z3unC4cQY2VbXn20thgDW1iwuaPrUHFbLyWTOzYp481 3eNP15TUrDQ= =SYI0 -----END PGP SIGNATURE-----