===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1131
               Several vulnerabilities in the network stack
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc

--------------------------BEGIN INCLUDED TEXT--------------------

                NetBSD Security Advisory 2018-006
                =================================

Topic:          Several vulnerabilities in the network stack

Version:        NetBSD-current:         source prior to Fri, Feb 9th 2018
                NetBSD 7.1.2:           not affected
                NetBSD 7.1 - 7.1.1:     affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       Remote DoS, Remote Memory Corruption

Fixed:          NetBSD-current:         Fri, Feb 9th 2018
                NetBSD-7-1 branch:      Sat, Feb 24th 2018
                NetBSD-7-0 branch:      Sat, Feb 24th 2018
                NetBSD-7 branch:        Sat, Feb 24th 2018
                NetBSD-6-1 branch:      Tue, Mar 13th 2018
                NetBSD-6-0 branch:      Tue, Mar 13th 2018
                NetBSD-6 branch:        Tue, Mar 13th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Several vulnerabilities were discovered in the network stack:

 1) Several bugs in MPLS.
 2) Memory leak in IPv6-NBR.
 3) Double free in Pim6.
 4) IPv4 source-routed packets allowed by default.
 5) Signedness bug in PF.


Technical Details
=================

1) Several possible use-after-frees existed in the MPLS code. This could
   cause the system to panic.

2) A memory leak existed in the IPv6-NBR entry point. An attacker could
   cause the kernel to run out of memory.

3) A double-free bug existed in the Pim6 (IPv6 multicast) entry point.
   This could cause the kernel to panic.

4) Two sysctls wrongfully allowed IPv4 source-routed packets to be
   accepted by the kernel. Source-routed packets are known to have
   several security implications.

5) A signedness bug existed in NetBSD's implementation of the PF firewall.
   A length check was unintentionally made unsigned, while it was expected
   to be signed. This could cause a read overflow (leading to a page fault)
   if a specially-crafted TCP-SYN packet was received while PF had a
   configuration of the type "pass in [...] tcp [...] modulate state".


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your kernel.
In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

 FILE                           HEAD   netbsd-7   netbsd-7-0     netbsd-7-1
 ----                           ----   --------   ----------     ----------
 src/sys/net/if_mpls.c          1.33   1.16.2.1   1.16.6.1       1.16.10.1
 src/sys/netmpls/mpls_ttl.c     1.9    1.4.4.1    1.4.8.1        1.4.12.1
 src/sys/netinet6/nd6_nbr.c     1.145  1.100.2.3  1.100.2.2.2.1  1.100.2.2.6.1
 src/sys/netinet6/ip6_mroute.c  1.120  1.107.2.1  1.107.6.1      1.107.10.1
 src/sys/netinet/ip_input.c     1.366  1.319.2.1  1.319.6.1      1.319.10.1
 src/sys/dist/pf/net/pf.c       1.78   1.72.2.1   1.72.6.1       1.72.10.1

 FILE                           netbsd-6   netbsd-6-0  netbsd-6-1
 ----                           --------   ----------  ----------
 src/sys/net/if_mpls.c          1.8.8.2    1.8.14.2    1.8.22.2
 src/sys/netmpls/mpls_ttl.c     1.3.18.1   1.3.24.1    1.3.32.1
 src/sys/netinet6/nd6_nbr.c     1.95.2.1   1.95.6.1    1.95.8.1
 src/sys/netinet6/ip6_mroute.c  1.103.2.1  1.103.8.1   1.103.16.1
 src/sys/netinet/ip_input.c     1.298.2.1  1.298.6.1   1.298.8.1
 src/sys/dist/pf/net/pf.c       1.68.2.1   1.68.6.1    1.68.8.1

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r VERSION sys/net/if_mpls.c
        # cvs update -d -P -r VERSION sys/netmpls/mpls_ttl.c
        # cvs update -d -P -r VERSION sys/netinet6/nd6_nbr.c
        # cvs update -d -P -r VERSION sys/netinet6/ip6_mroute.c
        # cvs update -d -P -r VERSION sys/netinet/ip_input.c
        # cvs update -d -P -r VERSION sys/dist/pf/net/pf.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Maxime Villard for finding and fixing issues 1) 2) 3) 4), Lucio Albornoz
for reporting a problem that was discovered to be 5).


Revision History
================

        2018-04-09      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
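
Added example, not part of the NetBSD advisory or the AusCERT bulletin: a Python check that reads the expanded $NetBSD$ RCS keyword from the six files listed under "File versions containing the fixes" and reports whether the checked-out revision contains the fix. It generalizes the table to later revisions on the same branch and to branches forked from a fixed revision; the function names are hypothetical, the sample idents are constructed, and it assumes a CVS checkout with keywords expanded.

```python
import re

# Fixed revisions copied from the advisory's "File versions containing the
# fixes" tables: HEAD, netbsd-7, -7-0, -7-1, netbsd-6, -6-0, -6-1.
FIXED = {
    "src/sys/net/if_mpls.c": "1.33 1.16.2.1 1.16.6.1 1.16.10.1 1.8.8.2 1.8.14.2 1.8.22.2",
    "src/sys/netmpls/mpls_ttl.c": "1.9 1.4.4.1 1.4.8.1 1.4.12.1 1.3.18.1 1.3.24.1 1.3.32.1",
    "src/sys/netinet6/nd6_nbr.c": "1.145 1.100.2.3 1.100.2.2.2.1 1.100.2.2.6.1 1.95.2.1 1.95.6.1 1.95.8.1",
    "src/sys/netinet6/ip6_mroute.c": "1.120 1.107.2.1 1.107.6.1 1.107.10.1 1.103.2.1 1.103.8.1 1.103.16.1",
    "src/sys/netinet/ip_input.c": "1.366 1.319.2.1 1.319.6.1 1.319.10.1 1.298.2.1 1.298.6.1 1.298.8.1",
    "src/sys/dist/pf/net/pf.c": "1.78 1.72.2.1 1.72.6.1 1.72.10.1 1.68.2.1 1.68.6.1 1.68.8.1",
}

# Matches the expanded RCS keyword, e.g. "$NetBSD: pf.c,v 1.78 <date> <user> Exp $".
RCSID = re.compile(r"\$NetBSD: [^,\s]+,v (\d+(?:\.\d+)+) ")


def contains_fix(rev, fixed):
    """True if rev is `fixed`, a later revision on the same branch, or a
    revision on a branch that forked from one of those."""
    r = tuple(int(p) for p in rev.split("."))
    f = tuple(int(p) for p in fixed.split("."))
    if len(r) < len(f):
        return False              # rev sits on a shallower branch than `fixed`
    head = r[:len(f)]             # rev's ancestor at the depth of `fixed`
    return head[:-1] == f[:-1] and head[-1] >= f[-1]


def audit(path, source_text):
    """Return (revision, verdict) for one advisory file given its contents."""
    m = RCSID.search(source_text)
    if m is None:
        return None, "unknown"    # keyword not expanded; check by other means
    rev = m.group(1)
    ok = any(contains_fix(rev, f) for f in FIXED[path].split())
    return rev, "fixed" if ok else "vulnerable"


# Constructed sample idents: dates and committer names are placeholders.
SAMPLES = {
    "src/sys/dist/pf/net/pf.c": "/* $NetBSD: pf.c,v 1.72.6.2 2018/03/01 12:00:00 user Exp $ */",
    "src/sys/netinet6/nd6_nbr.c": "/* $NetBSD: nd6_nbr.c,v 1.100.2.2 2017/01/01 12:00:00 user Exp $ */",
}

if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print(path, *audit(path, text))
```

A "fixed" verdict covers the source tree only; the running kernel still has to be rebuilt, installed and rebooted as described in the advisory.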