From owner-freebsd-security@FreeBSD.ORG Thu Jan 9 12:47:30 2014
From: Palle Girgensohn
To: freebsd-security@freebsd.org
Subject: NTP security hole CVE-2013-5211?
Date: Thu, 9 Jan 2014 13:38:02 +0100

They recommend at least 4.2.7. Any thoughts about this?

Palle

From owner-freebsd-security@FreeBSD.ORG Thu Jan 9 14:08:51 2014
From: Eugene Grosbein
To: Palle Girgensohn
Cc: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
Date: Thu, 09 Jan 2014 21:08:41 +0700
Message-ID: <52CEAD69.6090000@grosbein.net>

On 09.01.2014 19:38, Palle Girgensohn wrote:
> They recommend at least 4.2.7. Any thoughts about this?

Other than updating ntpd, you can filter out requests to the 'monlist' command
with the 'restrict ... noquery' option, which disables some queries for the
internal ntpd status, including 'monlist'.

See http://support.ntp.org/bin/view/Support/AccessRestrictions for details.
Eugene Grosbein

From owner-freebsd-security@FreeBSD.ORG Thu Jan 9 14:18:36 2014
From: Eugene Grosbein
To: Palle Girgensohn
Cc: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
Date: Thu, 09 Jan 2014 21:18:29 +0700
Message-ID: <52CEAFB5.5080202@grosbein.net>
In-Reply-To: <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org>

On 09.01.2014 21:12, Palle Girgensohn wrote:
> Yes. But shouldn't there be a security advisory for FreeBSD specifically?

Yes, it should.

I've already got a relevant question from a fellow whose FreeBSD 9
installation got a complaint from a hoster for the NTP amplification
vulnerability with the default /etc/ntp.conf.

Eugene Grosbein

From owner-freebsd-security@FreeBSD.ORG Thu Jan 9 14:12:22 2014
From: Palle Girgensohn
To: Eugene Grosbein
Cc: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
Date: Thu, 9 Jan 2014 15:12:19 +0100
Message-Id: <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org>
In-Reply-To: <52CEAD69.6090000@grosbein.net>

On 9 Jan 2014, at 15:08, Eugene Grosbein wrote:
> On 09.01.2014 19:38, Palle Girgensohn wrote:
>> They recommend at least 4.2.7. Any thoughts about this?
>
> Other than updating ntpd, you can filter out requests to 'monlist' command
> with 'restrict ... noquery' option that disables some queries for
> the internal ntpd status, including 'monlist'.
>
> See http://support.ntp.org/bin/view/Support/AccessRestrictions for details.

Yes. But shouldn't there be a security advisory for FreeBSD specifically?
From owner-freebsd-security@FreeBSD.ORG Thu Jan 9 16:19:16 2014
From: mp39590@gmail.com
To: freebsd-security@freebsd.org
Subject: capsicum and ping(8)
Date: Thu, 9 Jan 2014 20:19:04 +0400
Message-ID: <20140109161904.GA96816@edge.bac.lab>

Hello.

I would like to propose a patch for ping(8), which adds support for a
capability mode sandbox.

The goals for this little project were:

a) to see what problems/burdens could be faced with compartmentalization
   of a network utility;

b) to increase the security level of a day-to-day application with minimal
   intrusion into the code.

To summarize on 'a)', the following changes were made in the original ping
to meet capsicum requirements:

1) sendto() was replaced with a connect()+send() pair, since we're not
   allowed to issue sendto() with a non-NULL destination;

2) one socket 's' was replaced with two sockets: 's' for sending and 's1'
   for receiving. It was done for a special use case, when the user pings a
   multicast or broadcast address. As the connect() man page states, a
   socket is allowed to receive messages only from the address to which it
   was connect()'ed, and this is nonsense for multicast/broadcast;

3) the pr_addr() function has been slightly rewritten to support the casper
   daemon and its cap_gethostbyaddr() function;

4) some setsockopt()s were adjusted, since we use two sockets instead of
   one.

The place for the cap_enter() call was chosen to balance simplicity of the
logic for entering capability mode, code changes, and protection from the
potentially dangerous place (receiving/"parsing" packets from the network).
Finally, this compartmentalization logic will apply:

- If the '-n' (numeric output) flag is given: enter capability mode;

- Else, if built WITH_CASPER: try to communicate with it; on failure issue a
  warning and proceed without capsicum. If cap_init() is successful, all
  other casper errors (e.g. not being able to initialize DNS services) are
  treated as fatal and ping aborts;

- Else, if built WITHOUT_CASPER: proceed without capsicum.

Also, please note that ping has a '-d' flag, which turns on the SO_DEBUG
setsockopt() and whose behavior depends on external code (which also
doesn't exist now, but could be written in the future). If we enter
capsicum with this option (although I'm sure it's not widely used) this
(future) external code may not work completely, since capsicum imposes a
lot of restrictions.

I would like to ask for your comments/reviews on this patch and approach.

Thanks to Gleb Smirnoff, Pawel Jakub Dawidek and Robert Watson for helping
me with some tricky capsicum things, which I tried to summarize here.

Be well.

Attachment: ping_20140109.patch (text/x-diff)

Index: sbin/ping/Makefile =================================================================== --- sbin/ping/Makefile (revision 260485) +++ sbin/ping/Makefile (working copy) @@ -1,6 +1,8 @@ # @(#)Makefile 8.1 (Berkeley) 6/5/93 # $FreeBSD$ +.include + PROG= ping MAN= ping.8 BINOWN= root @@ -9,6 +11,12 @@ DPADD= ${LIBM} LDADD= -lm +.if ${MK_CASPER} != "no" +DPADD+= ${LIBCAPSICUM} ${LIBNV} +LDADD+= -lcapsicum -lnv +CFLAGS+=-DHAVE_LIBCAPSICUM +.endif + .if !defined(RELEASE_CRUNCH) CFLAGS+=-DIPSEC DPADD+= ${LIBIPSEC} Index: sbin/ping/ping.c =================================================================== --- sbin/ping/ping.c (revision 260485) +++ sbin/ping/ping.c (working copy) @@ -63,6 +63,7 @@ */ #include /* NB: we rely on this for */ +#include #include #include #include
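Review bot: the Makefile hunks (@@ -1,6 +1,8 @@ and @@ -9,6 +11,12 @@) link in libcapsicum and libnv but the change touches nothing in ping.8, which this same Makefile installs (the 'MAN= ping.8' context line), even though user-visible behaviour changes: with '-n', or when casperd is reachable, ping now enters capability mode, prints "capability mode sandbox enabled" on stderr, and the '-d'/SO_DEBUG interaction described in the cover letter applies. Add a paragraph to ping.8 in the same change saying when the sandbox is entered and how '-n' and '-d' interact with it, so the behaviour is documented where users look for it.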
@@ -74,6 +75,11 @@ #include #include #include +#ifdef HAVE_LIBCAPSICUM +#include +#include +#include +#endif /* HAVE_LIBCAPSICUM */ #ifdef IPSEC #include @@ -157,7 +163,8 @@ struct sockaddr_in whereto; /* who to ping */ int datalen = DEFDATALEN; int maxpayload; -int s; /* socket file descriptor */ +int s; /* send socket file descriptor */ +int s1; /* receive socket file descriptor */ u_char outpackhdr[IP_MAXPACKET], *outpack; char BBELL = '\a'; /* characters written for MISSED and AUDIBLE */ char BSPACE = '\b'; /* characters written for flood */ @@ -197,8 +204,15 @@ volatile sig_atomic_t finish_up; /* nonzero if we've been told to finish up */ volatile sig_atomic_t siginfo_p; +#ifdef HAVE_LIBCAPSICUM +cap_channel_t *capdns; +#endif /* HAVE_LIBCAPSICUM */ + static void fill(char *, char *); static u_short in_cksum(u_short *, int); +#ifdef HAVE_LIBCAPSICUM +static cap_channel_t *capdns_setup(void); +#endif /* HAVE_LIBCAPSICUM */ static void check_status(void); static void finish(void) __dead2; static void pinger(void); @@ -234,7 +248,7 @@ double t; u_long alarmtimeout, ultmp; int almost_done, ch, df, hold, i, icmp_len, mib[4], preload, sockerrno, - tos, ttl; + sock1errno, tos, ttl; char ctrl[CMSG_SPACE(sizeof(struct timeval))]; char hnamebuf[MAXHOSTNAMELEN], snamebuf[MAXHOSTNAMELEN]; #ifdef IP_OPTIONS @@ -246,6 +260,8 @@ #ifdef IPSEC_POLICY_IPSEC policy_in = policy_out = NULL; #endif + cap_rights_t rights_s, rights_s1; + int cansandbox = 0; /* * Do the stuff that we need root priv's for *first*, and @@ -254,6 +270,8 @@ */ s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); sockerrno = errno; + s1 = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); + sock1errno = errno; if (setuid(getuid()) != 0) err(EX_NOPERM, "setuid() failed"); 
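Review bot: in the @@ -246,6 +260,8 @@ hunk, 'cap_rights_t rights_s, rights_s1;' and 'int cansandbox = 0;' are declarations placed after the 'policy_in = policy_out = NULL;' statement; style(9) keeps declarations at the top of the block, so move them up to the local declarations where 'sock1errno' was correctly added in @@ -234,7 +248,7 @@. In @@ -254,6 +270,8 @@ the second 'socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)' call is identical to the first and nothing in the code says why two descriptors exist; put the cover letter's reason next to it, namely that the send socket gets connect()ed and a connected raw socket would not receive replies from multicast or broadcast pings.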
@@ -573,6 +591,19 @@ hostname = hnamebuf; } + if (s < 0) { + errno = sockerrno; + err(EX_OSERR, "socket"); + } + + if (s1 < 0) { + errno = sock1errno; + err(EX_OSERR, "socket1"); + } + + if (connect(s, (struct sockaddr *)&whereto, sizeof(whereto)) != 0) + err(1, "connect"); + if (options & F_FLOOD && options & F_INTERVAL) errx(EX_USAGE, "-f and -i: incompatible options"); @@ -593,14 +624,13 @@ ident = getpid() & 0xFFFF; - if (s < 0) { - errno = sockerrno; - err(EX_OSERR, "socket"); - } hold = 1; - if (options & F_SO_DEBUG) + if (options & F_SO_DEBUG) { (void)setsockopt(s, SOL_SOCKET, SO_DEBUG, (char *)&hold, sizeof(hold)); + (void)setsockopt(s1, SOL_SOCKET, SO_DEBUG, (char *)&hold, + sizeof(hold)); + } if (options & F_SO_DONTROUTE) (void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&hold, sizeof(hold)); @@ -612,7 +642,7 @@ buf = ipsec_set_policy(policy_in, strlen(policy_in)); if (buf == NULL) errx(EX_CONFIG, "%s", ipsec_strerror()); - if (setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, + if (setsockopt(s1, IPPROTO_IP, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf)) < 0) err(EX_CONFIG, "ipsec policy cannot be configured"); 
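Review bot: in the @@ -612,7 +642,7 @@ hunk the IP_IPSEC_POLICY setsockopt for 'policy_in' moves to the receive socket 's1', which is the right descriptor for an inbound policy; confirm that the matching 'policy_out' setsockopt, which lies outside this hunk's context, still targets the send socket 's', since with two sockets each direction's policy has to sit on the descriptor that actually carries that traffic. Smaller points in @@ -573,6 +591,19 @@: 'err(1, "connect")' should use a sysexits code like the neighbouring 'err(EX_OSERR, "socket")', and "socket1" in an error message means nothing to a user; "socket (receive)" or similar would.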
@@ -655,6 +685,33 @@ ip->ip_src.s_addr = source ? sock_in.sin_addr.s_addr : INADDR_ANY; ip->ip_dst = to->sin_addr; } + + if (options & F_NUMERIC) + cansandbox = 1; +#ifdef HAVE_LIBCAPSICUM + else if ((capdns = capdns_setup()) != NULL) + cansandbox = 1; +#endif /* HAVE_LIBCAPSICUM */ + + /* + * Here we enter capapility mode (see capsicum(4)). Further down + * creation of new file descriptors is forbidden. + * We must connect(2) our socket before this point. + */ + if (cansandbox == 1 && cap_enter() < 0 && errno != ENOSYS) + err(1, "cap_enter"); + + if (cap_sandboxed()) + fprintf(stderr, "capability mode sandbox enabled\n"); + + cap_rights_init(&rights_s1, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT); + if (cap_rights_limit(s1, &rights_s1) < 0 && errno != ENOSYS) + err(1, "cap_rights_limit socket1"); + + cap_rights_init(&rights_s, CAP_SEND, CAP_SETSOCKOPT); + if (cap_rights_limit(s, &rights_s) < 0 && errno != ENOSYS) + err(1, "cap_rights_limit socket"); + /* record route option */ if (options & F_RROUTE) { #ifdef IP_OPTIONS @@ -698,8 +755,11 @@ } #ifdef SO_TIMESTAMP { int on = 1; - if (setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof(on)) < 0) + if (setsockopt(s1, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof(on)) < 0) err(EX_OSERR, "setsockopt SO_TIMESTAMP"); + cap_rights_clear(&rights_s1, CAP_SETSOCKOPT); + if (cap_rights_limit(s1, &rights_s1) < 0 && errno != ENOSYS) + err(1, "cap_rights_limit socket1 setsockopt"); } #endif if (sweepmax) { 
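Review bot: in the @@ -655,6 +685,33 @@ hunk, 'if (cap_sandboxed()) fprintf(stderr, "capability mode sandbox enabled\n");' adds a line of output to every sandboxed run, scripted ones included, which is a visible behaviour change for a utility whose output is routinely parsed; either gate it behind a debug/verbose option or drop it and document the behaviour instead. The comment above cap_enter() also overstates the restriction: capability mode does not forbid creating descriptors (dup(2) and socket(2) still work), it forbids addressing global namespaces, which is exactly why connect(2) has to happen before this point; say that, since this comment is the only place the ordering constraint is explained.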
@@ -733,12 +793,20 @@ * as well. */ hold = IP_MAXPACKET + 128; - (void)setsockopt(s, SOL_SOCKET, SO_RCVBUF, (char *)&hold, + (void)setsockopt(s1, SOL_SOCKET, SO_RCVBUF, (char *)&hold, sizeof(hold)); if (uid == 0) (void)setsockopt(s, SOL_SOCKET, SO_SNDBUF, (char *)&hold, sizeof(hold)); + /* + * We don't call setsockopt() anywhere further for 's', we don't need + * corresponding capability, drop it. + */ + cap_rights_clear(&rights_s, CAP_SETSOCKOPT); + if (cap_rights_limit(s, &rights_s) < 0 && errno != ENOSYS) + err(1, "cap_rights_limit socket setsockopt"); + if (to->sin_family == AF_INET) { (void)printf("PING %s (%s)", hostname, inet_ntoa(to->sin_addr)); @@ -820,7 +888,7 @@ if ((unsigned)s >= FD_SETSIZE) errx(EX_OSERR, "descriptor too large"); FD_ZERO(&rfds); - FD_SET(s, &rfds); + FD_SET(s1, &rfds); (void)gettimeofday(&now, NULL); timeout.tv_sec = last.tv_sec + intvl.tv_sec - now.tv_sec; timeout.tv_usec = last.tv_usec + intvl.tv_usec - now.tv_usec; @@ -834,7 +902,7 @@ } if (timeout.tv_sec < 0) timerclear(&timeout); - n = select(s + 1, &rfds, NULL, NULL, &timeout); + n = select(s1 + 1, &rfds, NULL, NULL, &timeout); if (n < 0) continue; /* Must be EINTR. */ if (n == 1) { @@ -845,7 +913,7 @@ msg.msg_controllen = sizeof(ctrl); #endif msg.msg_namelen = sizeof(from); - if ((cc = recvmsg(s, &msg, 0)) < 0) { + if ((cc = recvmsg(s1, &msg, 0)) < 0) { if (errno == EINTR) continue; warn("recvmsg"); @@ -981,9 +1049,7 @@ ip->ip_sum = in_cksum((u_short *)outpackhdr, cc); packet = outpackhdr; } - i = sendto(s, (char *)packet, cc, 0, (struct sockaddr *)&whereto, - sizeof(whereto)); - + i = send(s, (char *)packet, cc, 0); if (i < 0 || i != cc) { if (i < 0) { if (options & F_FLOOD && errno == ENOBUFS) { 
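Review bot: in the @@ -820,7 +888,7 @@ hunk the guard 'if ((unsigned)s >= FD_SETSIZE) errx(EX_OSERR, "descriptor too large");' still checks the send socket 's', while the following 'FD_SET(s1, &rfds)' and the 'select(s1 + 1, ...)' in @@ -834,7 +902,7 @@ now use the receive socket 's1'; 's1' was opened after 's' (@@ -254,6 +270,8 @@), so it is the larger descriptor and the one that can exceed the fd_set. Change the guard to test 's1', or test both.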
@@ -1604,12 +1670,21 @@ struct hostent *hp; static char buf[16 + 3 + MAXHOSTNAMELEN]; - if ((options & F_NUMERIC) || - !(hp = gethostbyaddr((char *)&ina, 4, AF_INET))) + if (options & F_NUMERIC) return inet_ntoa(ina); + +#ifdef HAVE_LIBCAPSICUM + if (capdns != NULL) + hp = cap_gethostbyaddr(capdns, (char *)&ina, 4, AF_INET); else - (void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name, - inet_ntoa(ina)); +#endif /* HAVE_LIBCAPSICUM */ + hp = gethostbyaddr((char *)&ina, 4, AF_INET); + + if (hp == NULL) + return inet_ntoa(ina); + + (void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name, + inet_ntoa(ina)); return(buf); } 
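Review bot: in the @@ -1604,12 +1670,21 @@ hunk the 'else' that precedes '#endif /* HAVE_LIBCAPSICUM */' binds to the 'hp = gethostbyaddr(...)' statement outside the conditional block, so the if/else straddles the preprocessor guard and whether that call is an else-branch or an unconditional statement depends on a build flag; that reads badly and is easy to break when editing either side. Keep the whole if/else inside the '#ifdef' and put a plain 'hp = gethostbyaddr((char *)&ina, 4, AF_INET);' in an '#else' branch, even at the cost of repeating that one call.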
@@ -1682,6 +1757,36 @@ } } +#ifdef HAVE_LIBCAPSICUM +static cap_channel_t * +capdns_setup(void) +{ + cap_channel_t *capcas, *capdnsloc; + const char *types[1]; + int families[1]; + + capcas = cap_init(); + if (capcas == NULL) { + warn("unable to contact casperd"); + return (NULL); + } + capdnsloc = cap_service_open(capcas, "system.dns"); + /* Casper capability no longer needed. */ + cap_close(capcas); + if (capdnsloc == NULL) + err(1, "unable to open system.dns service"); + /* Limit system.dns to reverse DNS lookups. */ + types[0] = "ADDR"; + if (cap_dns_type_limit(capdnsloc, types, 1) < 0) + err(1, "unable to limit access to system.dns service"); + families[0] = AF_INET; + if (cap_dns_family_limit(capdnsloc, families, 1) < 0) + err(1, "unable to limit access to system.dns service"); + + return (capdnsloc); +} +#endif /* HAVE_LIBCAPSICUM */ + #if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) #define SECOPT " [-P policy]" #else

From owner-freebsd-security@FreeBSD.ORG Thu Jan 9 20:01:59 2014
Date: Thu, 9 Jan 2014 21:02:57 +0100
From: Pawel Jakub Dawidek
To: mp39590@gmail.com
Cc: freebsd-security@freebsd.org
Subject: Re: capsicum and ping(8)
Message-ID: <20140109200256.GA1658@garage.freebsd.pl>
In-Reply-To: <20140109161904.GA96816@edge.bac.lab>

On Thu, Jan 09, 2014 at 08:19:04PM +0400, mp39590@gmail.com wrote:
> Hello.
>
> I would like to propose a patch for ping(8), which adds support for
> capability mode sandbox.
>
> The goals for this little project were:
>
> a) to see what problems/burdens could be faced with compartmentalization
> of a network utility;
>
> b) increase security level of the day-to-day application with minimal
> intrusion to the code.
>
> To summarize on 'a)', following changes were made in original ping to
> meet capsicum requirements:
>
> 1) sendto() was replaced with connect()+send() pair, since we're not
> allowed to issue sendto() with non-NULL destination;
>
> 2) one socket 's' was replaced with two sockets 's' for sending and 's1'
> for receiving. It was done for special use case, when user ping
> multicast or broadcast address. As connect() man page states, socket
> is allowed to receive messages only from address to which it was
> connect()'ed and this is nonsense for multicast/broadcast;
>
> 3) pr_addr() function has been slightly rewritten to support casper
> daemon and its cap_gethostbyaddr() function;
>
> 4) some setsockopts() were adjusted, since we use two sockets instead of
> one.
>
> Place for cap_enter() call was chosen to balance simplicity of the logic
> for entering capability mode, code changes and protection from
> potentially dangerous place (receiving/"parsing" packets from the
> network).

Now that you added casper to the game, I'd move gethostbyname2() until
after we enter the sandbox and open the system.dns service, but before we
limit the service to only reverse lookups. It does process network packets
after all. In practice this doesn't change much currently, as the casper
process responsible for doing DNS lookups is not sandboxed, but in the
future it might be sandboxed using different techniques and it would be
nice to get this extra protection for free.

> Finally, this compartmentalization logic will apply:
>
> - If '-n' (numeric output) flag is given - enter capability mode;
>
> - Else, if build WITH_CASPER: try to communicate with it, on fail issue
> warning and proceed without capsicum, if cap_init() is successful all
> other casper errors (e. g. not being able to initialize DNS services)
> treated as fatal and ping aborts;
>
> - Else, if build WITHOUT_CASPER: proceed without capsicum.
>
> Also, please note, that ping has '-d' flag, which turn on SO_DEBUG
> setsockopt() and its behavior depends on external code (which also
> doesn't exist not, but could be written in future). If we enter capsicum
> with this option (although, I'm sure it's not widely used) this (future)
> external code may not work completely, since capsicum impose a lot of
> restrictions.
>
> I would like to ask your comments/reviews on this patch and approach.
>
> Thanks to Gleb Smirnoff, Pawel Jakub Dawidek and Robert Watson for
> helping me with some tricky capsicum things, which I tried to summarize
> here.
>
> Be well.

Great! The patch overall looks very nice and complete, good work.
A few minor nits inline.

> --- sbin/ping/ping.c (revision 260485)
> +++ sbin/ping/ping.c (working copy)
[...]
> +int s; /* send socket file descriptor */
> +int s1; /* receive socket file descriptor */

I'd much prefer to use some more meaningful variable names, like 'ssend'
and 'srecv' or something similar.

> +#ifdef HAVE_LIBCAPSICUM
> +cap_channel_t *capdns;
> +#endif /* HAVE_LIBCAPSICUM */

Not sure why the other global variables aren't static, but this one should
be static. I don't think it is used anywhere else outside this source file.

> s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
> sockerrno = errno;
> + s1 = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
> + sock1errno = errno;

I wonder if dup(2) would be more intuitive here. Looking at the code I
expect those two sockets to be different, but they aren't. dup(2) would
make that 100% clear. I'll leave it to you to decide, I don't have a strong
opinion on this, really. I'd still prefer to see the explanation you gave
in the e-mail of why we need those two sockets in a comment.

> + if (options & F_NUMERIC)
> + cansandbox = 1;

Can you make 'cansandbox' be of type 'bool'?

> + /*
> + * Here we enter capapility mode (see capsicum(4)). Further down
> + * creation of new file descriptors is forbidden.

This is not entirely true. You can create file descriptors with dup(2),
dup2(2), fcntl(F_DUP2FD), socket(2), etc. What you can't do is to address
global namespaces. I'd clarify that comment.

> + cap_rights_init(&rights_s1, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT);
> + if (cap_rights_limit(s1, &rights_s1) < 0 && errno != ENOSYS)
> + err(1, "cap_rights_limit socket1");
> +
> + cap_rights_init(&rights_s, CAP_SEND, CAP_SETSOCKOPT);
> + if (cap_rights_limit(s, &rights_s) < 0 && errno != ENOSYS)
> + err(1, "cap_rights_limit socket");
[...]
> + cap_rights_clear(&rights_s1, CAP_SETSOCKOPT);
> + if (cap_rights_limit(s1, &rights_s1) < 0 && errno != ENOSYS)
> + err(1, "cap_rights_limit socket1 setsockopt");
[...]
> + /*
> + * We don't call setsockopt() anywhere further for 's', we don't need
> + * corresponding capability, drop it.
> + */
> + cap_rights_clear(&rights_s, CAP_SETSOCKOPT);
> + if (cap_rights_limit(s, &rights_s) < 0 && errno != ENOSYS)
> + err(1, "cap_rights_limit socket setsockopt");

This made me wonder. We have two choices here: either to use
cap_rights_init() first and then drop the capability rights we don't need
anymore with cap_rights_clear(), as you did, or to use cap_rights_init()
twice and provide the list of capability rights explicitly. I think I'm
more in favour of providing the capability rights explicitly. If we add
some additional rights in the future to the first cap_rights_init() we may
forget to add them to cap_rights_clear() below. That's why I'd change the
code not to use cap_rights_clear(), but add a comment above the second
cap_rights_init() round saying which right we are removing. As a nice
side-effect this would allow us to use only one 'rights' variable.

I know this is nitpicking, but the Capsicum-related changes we are doing
today will serve as examples tomorrow, so I'd like them to be just right.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com

From owner-freebsd-security@FreeBSD.ORG Fri Jan 10 03:14:48 2014
Date: Thu, 9 Jan 2014 22:14:43 -0500
Message-ID: <21199.26019.698585.355699@hergotha.csail.mit.edu>
From: Garrett Wollman
To: Eugene Grosbein
Subject: UNS: Re: NTP security hole CVE-2013-5211?
In-Reply-To: <52CEAD69.6090000@grosbein.net>
References: <52CEAD69.6090000@grosbein.net>
X-Mailer: VM 7.17 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (hergotha.csail.mit.edu [127.0.0.1]); Thu, 09 Jan 2014 22:14:45 -0500 (EST)
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on hergotha.csail.mit.edu
X-Mailman-Approved-At: Fri, 10 Jan 2014 03:38:06 +0000
Cc: freebsd-security@freebsd.org, Palle Girgensohn
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 10 Jan 2014 03:14:48 -0000

< said:

> Other than updating ntpd, you can filter out requests to 'monlist' command
> with 'restrict ... noquery' option that disables some queries for
> the internal ntpd status, including 'monlist'.

For a "pure" client, I would suggest "restrict default ignore" ought to be the norm. (Followed by entries to unrestrict localhost over v4 and v6.)
-GAWollman

From owner-freebsd-security@FreeBSD.ORG Fri Jan 10 05:16:54 2014
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1030273A; Fri, 10 Jan 2014 05:16:54 +0000 (UTC)
Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E0EC015F2; Fri, 10 Jan 2014 05:16:53 +0000 (UTC)
Received: from delphij-macbook.local (unknown [IPv6:2001:470:83bf:0:55fe:7829:8dd4:8880]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by anubis.delphij.net (Postfix) with ESMTPSA id C912129376; Thu, 9 Jan 2014 21:16:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=delphij.net; s=anubis; t=1389331013; bh=X6XsrwBLH5Bw+rJ9Gg0oIBDt84/oEDD3RBTIvY50bWE=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=x3hIk51dVhcO3DeujWT3HJeLZ8KjMGwXXAlZN1oAKukfiAop/BGuXad6ObDHeSRRh 0difJUY1yzmPLennxHyhSpgQHgUDiKRwRn0M6tAMo3ie/yQQDUjsssbExheTjltD/T yV1gN96SDBSvr0g7ZsjP5Hm4JRigK7bLQDlzoSD8=
Message-ID: <52CF8243.7060906@delphij.net>
Date: Thu, 09 Jan 2014 21:16:51 -0800
From: Xin Li
Organization: The FreeBSD Project
MIME-Version: 1.0
To: Garrett Wollman , Eugene Grosbein
Subject: Re: UNS: Re: NTP security hole CVE-2013-5211?
References: <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu>
In-Reply-To: <21199.26019.698585.355699@hergotha.csail.mit.edu>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org, Palle Girgensohn
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: d@delphij.net
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 10 Jan 2014 05:16:54 -0000

On 1/9/14, 7:14 PM, Garrett Wollman wrote:
> < said:
>
>> Other than updating ntpd, you can filter out requests to
>> 'monlist' command with 'restrict ... noquery' option that
>> disables some queries for the internal ntpd status, including
>> 'monlist'.
>
> For a "pure" client, I would suggest "restrict default ignore"
> ought to be the norm. (Followed by entries to unrestrict localhost
> over v4 and v6.)

That would block clock synchronization too, unless one explicitly unrestricts all NTP servers. With pool.ntp.org, this is not really practical. The current default on head and stable branches should work for most people.
Cheers,

From owner-freebsd-security@FreeBSD.ORG Fri Jan 10 05:18:58 2014
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 04D2682C; Fri, 10 Jan 2014 05:18:58 +0000 (UTC)
Received: from anubis.delphij.net (anubis.delphij.net [64.62.153.212]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id DC8A91615; Fri, 10 Jan 2014 05:18:57 +0000 (UTC)
Received: from delphij-macbook.local (unknown [IPv6:2001:470:83bf:0:55fe:7829:8dd4:8880]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by anubis.delphij.net (Postfix) with ESMTPSA id 093B229474; Thu, 9 Jan 2014 21:18:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=delphij.net; s=anubis; t=1389331137; bh=BSd54+mSPSaovn5cbpAv/OrvypGwiwntDt6zk0TruRA=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=L389wa3CcB7UPrLRcbUUb08o04NGGPz2HlhrcZ/zRh6HRZ/0RUs7lfeixCmtLhnBV iozw9fDFOLhTpbwpTt9lX/a7L1QxLlCVL4arx5CVLPvOuD+eFkhlBtkNGI1KawnJzM MNh3PmxoLEGAsrZuH3f+6LewvXd76xhLoYovdcls=
Message-ID: <52CF82C0.9040708@delphij.net>
Date: Thu, 09 Jan 2014 21:18:56 -0800
From: Xin Li
Organization: The FreeBSD Project
MIME-Version: 1.0
To: Palle Girgensohn , Eugene Grosbein
Subject: Re: NTP security hole CVE-2013-5211?
References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org>
In-Reply-To: <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: d@delphij.net
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 10 Jan 2014 05:18:58 -0000

On 1/9/14, 6:12 AM, Palle Girgensohn wrote:
>
> On 9 Jan 2014, at 15:08, Eugene Grosbein wrote:
>
>> On 09.01.2014 19:38, Palle Girgensohn wrote:
>>> They recommend at least 4.2.7. Any thoughts about this?
>>
>> Other than updating ntpd, you can filter out requests to
>> 'monlist' command with 'restrict ... noquery' option that
>> disables some queries for the internal ntpd status, including
>> 'monlist'.
>>
>> See http://support.ntp.org/bin/view/Support/AccessRestrictions
>> for details.
>
> Yes. But shouldn't there be a security advisory for FreeBSD
> specifically?

We will have an advisory next week. If an NTP server is properly configured, it's likely not affected (the old FreeBSD default is a little bit vague on how to properly configure the daemon, though; the new default on -CURRENT and supported -STABLE branches should be sufficient to provide protection).
Cheers,
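The three positions taken in this thread (Eugene's 'restrict ... noquery', Garrett's 'restrict default ignore' for a pure client, and Xin Li's objection that 'ignore' also drops the replies from pool.ntp.org servers) fit into one ntp.conf. The fragment below is an added example for this archive; it is not text from any of the messages above and not FreeBSD's shipped ntp.conf. The server names and the 192.0.2.10 address are placeholders, and the per-flag comments restate ntpd's documented meaning of each restrict flag rather than anything a poster claims.

```conf
# Added example, not from this thread or from any FreeBSD ntp.conf.
# Hostnames and addresses are placeholders.

# --- (1) Open: 'restrict default' with no flags permits every packet type,
# so mode 7 'monlist' queries are answered from anywhere and the host can be
# used as an amplifier (CVE-2013-5211). Shown commented out for contrast.
#restrict default
#server 0.freebsd.pool.ntp.org iburst

# --- (2) Host that must keep syncing from pool.ntp.org: keep answering time
# requests, refuse everything else. This is the 'noquery' approach.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst

# noquery   deny ntpq/ntpdc status queries (mode 6 and mode 7, so 'monlist');
#           time service itself is not affected
# nomodify  deny runtime configuration changes via ntpq/ntpdc
# nopeer    deny the remote host from setting up a peer association
# notrap    deny the trap service
# kod       send kiss-o'-death packets where rate limiting applies
restrict default    kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local administration with ntpq/ntpdc stays unrestricted over v4 and v6.
restrict 127.0.0.1
restrict -6 ::1

# --- (3) "Pure" client variant: drop everything by default. 'ignore' denies
# packets of all kinds, including the replies from the servers configured
# below, so every server has to be listed by address and unrestricted
# explicitly. pool.ntp.org cannot be used this way because its addresses
# rotate; that is the objection raised in the thread.
#restrict default ignore
#restrict -6 default ignore
#restrict 127.0.0.1
#restrict -6 ::1
#server 192.0.2.10 iburst                              # placeholder address
#restrict 192.0.2.10 nomodify notrap nopeer noquery    # reply-only exception
```

Variant (2) is the one to check after a restart: from a host that is not in the unrestricted set, `ntpdc -n -c monlist <server>` should time out instead of returning a list of recent clients, and `ntpq -p` run locally should still show the pool servers reaching the host.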