===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2521
                    NetBSD 7.0.2 addresses vulnerability
                               28 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mail
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6253

Original Bulletin:
   http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc

Comment: NetBSD 7.0.2, announced on 2016-10-21, fixes CVE-2016-6253, which was
         addressed in this advisory, originally published on 2016-07-20.

         Proof of Concept code was made available by the researcher who
         discovered the vulnerability.

--------------------------BEGIN INCLUDED TEXT--------------------

                 NetBSD Security Advisory 2016-006
                 =================================

Topic:          Race condition in mail.local(8)

Version:        NetBSD-current:         affected prior to 2016-07-19
                NetBSD 7.0 - 7.0.1:     affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       Local user may be able to own any file or append arbitrary data

Fixed:          NetBSD-current:         2016-07-19
                NetBSD-7 branch:        2016-07-19
                NetBSD-7-0 branch:      2016-07-19
                NetBSD-6 branch:        2016-07-19
                NetBSD-6-1 branch:      2016-07-19
                NetBSD-6-0 branch:      2016-07-19

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A race condition exists in the mail.local(8) (/usr/libexec/mail.local)
program, which is setuid root. It may be exploited in order to change
the ownership of, or append arbitrary data to, an arbitrary file.
A malicious local user may exploit the race condition to acquire write
permission to a critical system file, and leverage the situation to
acquire escalated privileges.

This vulnerability has been assigned CVE-2016-6253.


Technical Details
=================

The user mailbox (typically /var/mail/$USER) to which a message is
delivered is checked using lstat(2) to verify that the file is not a
symlink. Then, if the file is not a symlink, it is opened. This is
subject to a symlink race: an attacker has a window between the lstat(2)
and open(2) calls during which she/he can create a symlink to an
arbitrary file. The mail.local program will then append arbitrary data
to, or change the ownership of (using fchown(2)), the file the symlink
points to.


Solutions and Workarounds
=========================

A potential workaround is to remove mail.local or to turn off the SUID
bit on the file. This program was used by sendmail(8), which is no longer
shipped with NetBSD (NetBSD uses postfix(1) as its MTA).

Binary update of affected versions (root is required to extract):

To apply a fixed version from a releng build, fetch a matching base.tgz
from nyftp.netbsd.org and extract the fixed binaries:

        # cd /var/tmp
        # ftp http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<build>/<arch>/binary/sets/base.tgz
        # cd /
        # tar xzpf /var/tmp/base.tgz ./usr/libexec/mail.local

with the following replacements:

        <rel>   = the release version you are using
        <build> = the source date of the build. 20160719 and later will fit
        <arch>  = your system's architecture

The following instructions describe how to upgrade your mail.local(8)
binaries by updating your source tree and rebuilding and installing a
new version of mail.local(8).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2016-07-19
        should be upgraded to NetBSD-current dated 2016-07-19 or later.
        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 7.*:

        Systems running NetBSD 7.* sources dated from before 2016-07-19
        should be upgraded from NetBSD 7.* sources dated 2016-07-19 or later.

        The following files/directories need to be updated from the
        netbsd-7, netbsd-7-0 branches:
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -r <branch_name> -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 6.*:

        Systems running NetBSD 6.* sources dated from before 2016-07-19
        should be upgraded from NetBSD 6.* sources dated 2016-07-19 or later.

        The following files/directories need to be updated from the
        netbsd-6, netbsd-6-1 or netbsd-6-0 branches:
                src/libexec/mail.local

        To update from CVS, re-build, and re-install mail.local(8):
                # cd src
                # cvs update -r <branch_name> -d -P libexec/mail.local
                # cd libexec/mail.local
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Mateusz Kocielski, who analyzed this problem and supplied the fixes.
Coverity, for providing the Coverity Scan project.


Revision History
================

2016-07-20      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
        http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA201X-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/
        http://www.NetBSD.org/Security/


Copyright 2016, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
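Added illustration, not part of the NetBSD advisory or of the mail.local(8) source: the lstat(2)-then-open(2) check described under Technical Details above, beside a hardened delivery routine that opens the mailbox with O_NOFOLLOW and validates the descriptor it actually holds with fstat(2), so nothing swapped in after the check can redirect the append or a later fchown(2). Function names, the temporary directory and the sample message are the example's own.

```c
/* Added example, not NetBSD's mail.local(8) code: racy vs hardened mailbox append. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape: the name is resolved twice (lstat, then open); it may change in between. */
int deliver_racy(const char *mbox, const char *msg)
{
    struct stat st;
    if (lstat(mbox, &st) == 0 && S_ISLNK(st.st_mode)) return -1;   /* symlink seen: refuse */
    int fd = open(mbox, O_WRONLY | O_APPEND | O_CREAT, 0600);      /* path resolved again */
    if (fd < 0) return -1;
    int rc = write(fd, msg, strlen(msg)) < 0 ? -1 : 0;
    close(fd);
    return rc;
}
/* Hardened shape: O_NOFOLLOW makes open(2) fail with ELOOP on a symlink, and fstat(2)
 * checks the descriptor actually held; later write/fchown use that fd, not the path. */
int deliver_safe(const char *mbox, const char *msg)
{
    struct stat st;
    int fd = open(mbox, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);                                  /* not a plain, unaliased file */
        return -1;
    }
    int rc = write(fd, msg, strlen(msg)) < 0 ? -1 : 0;
    close(fd);
    return rc;
}
/* Self-check on constructed files in a fresh temp directory: returns 0 when a plain
 * mailbox is written and a symlinked one is refused with ELOOP. */
int run_demo(void)
{
    char dir[] = "/tmp/mboxdemo.XXXXXX", inbox[64], link[64];
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(inbox, sizeof inbox, "%s/inbox", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    if (symlink("inbox", link) < 0) return 2;       /* constructed: link -> inbox */
    int plain_ok = deliver_safe(inbox, "From a@example.test\nhello\n") == 0;
    int link_refused = deliver_safe(link, "x\n") < 0 && errno == ELOOP;
    unlink(inbox); unlink(link); rmdir(dir);
    return (plain_ok && link_refused) ? 0 : 3;
}
```

deliver_racy is kept only to show the shape of the flaw; in a single thread it cannot lose the race, which is exactly why the bug survives casual testing.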
$NetBSD: NetBSD-SA2016-006.txt.asc,v 1.1 2016/07/20 19:35:52 christos Exp $

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================