===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2287
      Vnode reference leak in the openat system call and buffer overflow
                     via cmap for 4 graphics drivers
                             11 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Root Compromise        -- Existing Account
                   Modify Arbitrary Files -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-006.txt.asc
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Comment: This bulletin contains two (2) NetBSD security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

NetBSD Security Advisory 2017-006
=================================

Topic:          Vnode reference leak in the openat system call

Version:        NetBSD-current:       source prior to Sun, July 9th 2017
                NetBSD 8.0 beta:      affected
                NetBSD 7.1:           affected
                NetBSD 7.0 - 7.0.2:   affected
                NetBSD 6.1 - 6.1.4:   not affected
                NetBSD 6.0 - 6.0.5:   not affected

Severity:       Local privilege escalation

Fixed:          NetBSD-current:       Sun, July 9th 2017
                NetBSD-8 branch:      Mon, July 10th 2017
                NetBSD-7-1 branch:    Mon, July 10th 2017
                NetBSD-7-0 branch:    Mon, July 10th 2017
                NetBSD-7 branch:      Mon, July 10th 2017

                Teeny versions released later than the fix date will
                contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An easily exercisable error path in the kernel leaves behind an unreclaimed
reference to a vnode. This prevents unmounting the affected volume, allowing
local denial of service.
It is likely that tickling the weakness repeatedly can be used to corrupt
the kernel heap and thus gain kernel-level privileges, even with securelevel
enabled.

Technical Details
=================

When calling the openat system call using a file descriptor that does not
name a directory as the starting point for path lookup, a reference to the
underlying vnode is taken temporarily and then not released when the error
is discovered.

Performing such a call often enough results in overflowing the internal
reference count and corrupting the kernel heap.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel. In
these instructions, replace:

  ARCH      with your architecture (from uname -m),
  KERNCONF  with the name of your kernel configuration file, and
  VERSION   with the file version below.

File versions containing the fixes:

  FILE                   HEAD    netbsd-8    netbsd-7    netbsd-7-1   netbsd-7-0
  ----                   ----    --------    --------    ----------   ----------
  sys/kern/vfs_lookup.c  1.208   1.207.2.1   1.201.4.1   1.201.12.1   1.201.8.1

To update from CVS, re-build, and re-install the kernel:

  # cd src
  # cvs update -d -P -r VERSION sys/kern/vfs_lookup.c
  # ./build.sh kernel=KERNCONF
  # mv /netbsd /netbsd.old
  # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
  # shutdown -r now

For more information on how to do this, see:

  http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Mateusz Guzik for noticing the issue, and David A. Holland for deploying
the fix.

Revision History
================

2017-09-08      Initial release

More Information
================

Advisories may be updated as new information becomes available.
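As an added illustration of the error-path reference leak described in the Technical Details of SA2017-006 above (this is a simplified model written for this bulletin, not NetBSD kernel code; vnode_t, vref, vrele, VDIR and the two lookup_start_* functions are stand-ins), the leaky variant is shown beside the fixed one, with a helper that counts how many references a run of failing calls leaves behind:

```c
/* Illustrative model of the openat starting-point check (not NetBSD code).
 * A vnode carries a use count; every vref() must be balanced by a vrele()
 * on every exit path that does not hand the reference on to the caller. */
#include <errno.h>
#include <stddef.h>

enum vtype { VREG, VDIR };

typedef struct {
    enum vtype v_type;
    unsigned   v_usecount;    /* reference count; a leak leaves it elevated */
} vnode_t;

static void vref(vnode_t *vp)  { vp->v_usecount++; }
static void vrele(vnode_t *vp) { vp->v_usecount--; }

/* Leaky variant: the reference taken for the lookup is only passed on in
 * the success path, so each ENOTDIR return leaves one extra reference. */
int lookup_start_leaky(vnode_t *fdvp, vnode_t **startvp)
{
    vref(fdvp);                        /* hold the vnode while inspecting it */
    if (fdvp->v_type != VDIR)
        return ENOTDIR;                /* BUG: returns with the reference held */
    *startvp = fdvp;                   /* caller now owns this reference */
    return 0;
}

/* Fixed variant: the error path releases the reference before returning. */
int lookup_start_fixed(vnode_t *fdvp, vnode_t **startvp)
{
    vref(fdvp);
    if (fdvp->v_type != VDIR) {
        vrele(fdvp);                   /* balance the vref on the error path */
        return ENOTDIR;
    }
    *startvp = fdvp;                   /* caller now owns this reference */
    return 0;
}

/* Measure the leak: call the given variant n times with a non-directory
 * vnode and report how many references are left over at the end. */
unsigned leaked_refs(int (*fn)(vnode_t *, vnode_t **), unsigned n)
{
    vnode_t file = { VREG, 1 };        /* constructed: a regular file, 1 ref */
    vnode_t *start = NULL;
    for (unsigned i = 0; i < n; i++)
        (void)fn(&file, &start);       /* every call fails with ENOTDIR */
    return file.v_usecount - 1;        /* references beyond the original one */
}
```

With a real vnode the use count is a fixed-width integer, which is why the advisory warns that enough leaked references eventually wrap it and corrupt kernel memory.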
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-00N.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/

Copyright 2017, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

NetBSD Security Advisory 2017-004
=================================

Topic:          buffer overflow via cmap for 4 graphics drivers

Version:        NetBSD-current:       source prior to June 13th
                NetBSD 8.0_BETA:      affected
                NetBSD 7.1:           affected
                NetBSD 7.0 - 7.0.2:   affected
                NetBSD 6.1 - 6.1.5:   affected
                NetBSD 6.0 - 6.0.6:   affected

Severity:       information leak and potential root compromise for an
                authenticated user on an affected graphics console

Fixed:          NetBSD-current:       June 13th
                NetBSD-8 branch:      June 15th
                NetBSD-7-1 branch:    June 15th
                NetBSD-7-0 branch:    June 15th
                NetBSD-7 branch:      June 15th
                NetBSD-6-0 branch:    June 15th
                NetBSD-6-1 branch:    June 15th
                NetBSD-6 branch:      June 15th

                Teeny versions released later than the fix date will
                contain the fix.
Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An authenticated user on a wscons terminal with one of the following
graphics drivers:

  sbd      (ews4800mips)
  bivideo  (hpcsh)
  sti      (hppa and hp300)
  pm       (pmax)

could cause a buffer overflow when reading or writing the color map.

Technical Details
=================

Due to overflowable bounds checking when reading or writing the color map
using the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP ioctls, the user that
owns a /dev/ttyE* (i.e. is logged in on it) could read kernel memory, or,
for all but bivideo, which doesn't have a writable color map, write kernel
memory.

Solutions and Workarounds
=========================

Solution: update the kernel with one built from source past the fix date.

There are no workarounds besides the obvious one of not allowing untrusted
users at the console.

Affected source files and fix versions:

  FILE                                 HEAD        -8
  ----                                 ----        --
  sys/arch/ews4800mips/sbd/fb_sbdio.c  1.16        1.15.10.1
  sys/arch/pmax/ibus/pm.c              1.13        1.12.22.1
  sys/dev/hpc/bivideo.c                1.34        1.33.30.1
  sys/dev/ic/sti.c                     1.19        1.18.20.1

  FILE                                 -7          -7-1            -7-0
  ----                                 --          ----            ----
  sys/arch/ews4800mips/sbd/fb_sbdio.c  1.13.4.2    1.13.4.1.6.1    1.13.4.1.2.1
  sys/arch/pmax/ibus/pm.c              1.12.4.1    1.12.16.1       1.12.8.1
  sys/dev/hpc/bivideo.c                1.33.12.1   1.33.24.1       1.33.16.1
  sys/dev/ic/sti.c                     1.18.2.1    1.18.14.1       1.18.6.1

  FILE                                 -6          -6-1            -6-0
  ----                                 --          ----            ----
  sys/arch/ews4800mips/sbd/fb_sbdio.c  1.12.2.1    1.12.16.1       1.12.8.1
  sys/arch/pmax/ibus/pm.c              1.11.2.1    1.11.16.1       1.11.8.1
  sys/dev/hpc/bivideo.c                1.32.14.1   1.32.22.1       1.32.20.1
  sys/dev/ic/sti.c                     1.16.8.2    1.16.22.1       1.16.14.1

Thanks To
=========

Thanks to CTurt for reporting this set of issues.
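As an added illustration of the "overflowable bounds checking" that SA2017-004 describes (written for this bulletin, not taken from any NetBSD driver; the exact form of the original checks is not given in the advisory), the unsigned-wraparound form of an index/count check is shown beside a form that cannot wrap, followed by a GETCMAP-style read that relies on the safe check. The struct is a simplified stand-in modelled on an index, a count and three colour buffers:

```c
/* Illustrative colour-map bounds checking (not NetBSD driver code). */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define CMAP_SIZE 256u                  /* entries in the driver's palette */

struct cmap_req {                       /* simplified stand-in for the ioctl arg */
    uint32_t index;                     /* first palette entry */
    uint32_t count;                     /* number of entries */
    uint8_t *red, *green, *blue;        /* caller buffers, count bytes each */
};

/* Overflowable: index + count is computed in 32-bit unsigned arithmetic,
 * so a large count wraps the sum below CMAP_SIZE, passes the check, and
 * the subsequent copy runs far beyond the palette. */
int cmap_check_vulnerable(const struct cmap_req *r)
{
    if (r->index + r->count > CMAP_SIZE)
        return EINVAL;
    return 0;
}

/* Fixed: bound index first, then bound count by the remaining room, so no
 * addition is ever performed on attacker-controlled values. */
int cmap_check_fixed(const struct cmap_req *r)
{
    if (r->index >= CMAP_SIZE || r->count > CMAP_SIZE - r->index)
        return EINVAL;
    return 0;
}

/* GETCMAP-style read using the fixed check: copies count entries of each
 * colour plane out of the palette into the request's buffers. */
int cmap_get(uint8_t palette[3][CMAP_SIZE], const struct cmap_req *r)
{
    int err = cmap_check_fixed(r);
    if (err != 0)
        return err;                     /* reject before touching memory */
    memcpy(r->red,   &palette[0][r->index], r->count);
    memcpy(r->green, &palette[1][r->index], r->count);
    memcpy(r->blue,  &palette[2][r->index], r->count);
    return 0;
}
```

The same two-step check applies unchanged to the PUTCMAP direction, where the copy runs from the caller's buffers into the palette.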
Revision History
================

2017-09-08      Initial release

More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/
  http://www.NetBSD.org/Security/

Copyright 2015, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2017-004.txt,v 1.1 2017/09/08 14:16:20 christos Exp $

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================