From owner-freebsd-security@freebsd.org Tue Jun 18 07:59:57 2019
From: Victor Sudakov
To: freebsd-security@freebsd.org
Date: Tue, 18 Jun 2019 14:59:54 +0700
Subject: Untrusted terminals: OPIE vs security/pam_google_authenticator
Dear Colleagues,

I've used OPIE for many years (and S/Key before that) to login to my system from untrusted terminals (cafes, libraries etc).

Now I've read an opinion that OPIE is outdated (and indeed its upstream distribution is gone) and that pam_google_authenticator would be more secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270

Is that truly so? With 20 words in OPIE and only 6 digits in pam_google_authenticator, how strong is pam_google_authenticator against brute force and other attacks?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

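As an added illustration of the 6-digit question above (editor's example, not part of the thread): the code below implements the RFC 6238 TOTP algorithm that pam_google_authenticator verifies and then works out how likely uniformly random guessing is to hit an accepted code within a day, with and without a rate limit. The window size (3 time steps), the guess rates (10 per second unthrottled, 3 per 30 seconds limited) and all function names are assumptions, not settings taken from the thread or from the module.

```python
"""Editor's example: what a 6-digit TOTP code space means for online guessing.

HOTP/TOTP below follow RFC 4226 / RFC 6238 (HMAC-SHA1, 30 s step), the
scheme pam_google_authenticator verifies. Window and rate-limit figures are
assumptions chosen for illustration, not values quoted from the thread.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def accepted_codes(secret, unix_time, window_size=3, step=30, digits=6):
    """Codes a verifier accepts at unix_time when it tolerates clock skew.

    Assumed semantics: window_size counts time steps centred on the current
    one, so 3 means the current step plus one step on either side.
    """
    half = window_size // 2
    current = unix_time // step
    return {hotp(secret, c, digits) for c in range(current - half, current + half + 1)}


def verify(secret, candidate, unix_time, window_size=3, step=30, digits=6) -> bool:
    """Constant-time membership test of candidate against the accepted set."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    ok = False
    for code in accepted_codes(secret, unix_time, window_size, step, digits):
        ok |= hmac.compare_digest(code, candidate)
    return ok


def guess_success_probability(digits, window_size, attempts):
    """P(at least one hit) for uniformly random guesses.

    Each attempt hits with p = window_size / 10**digits; codes inside the
    window are assumed distinct (true except for rare collisions).
    """
    p = window_size / 10 ** digits
    return 1.0 - (1.0 - p) ** attempts


def attempts_per_day(rate_per_second):
    """Attempts an unthrottled login path allows in 24 h at a sustained rate."""
    return int(rate_per_second * 86400)


def rate_limited_attempts_per_day(max_attempts, period_seconds):
    """Upper bound on attempts when only max_attempts per period are allowed."""
    return max_attempts * (86400 // period_seconds)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference secret for SHA1
    print("TOTP at T=59:", totp(secret, 59))  # 287082, the RFC test vector
    scenarios = (
        ("no rate limit, 10 guesses/s (assumed)", attempts_per_day(10)),
        ("rate limit 3 per 30 s (assumed)", rate_limited_attempts_per_day(3, 30)),
    )
    for label, n in scenarios:
        print(f"{label}: {n} attempts/day -> "
              f"P(success) = {guess_success_probability(6, 3, n):.3f}")
```

The 10^6 code space is only as strong as the attempt budget the verifier enforces; the second scenario is the one to compare against a long one-time password.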
From: Robert Simmons
Date: Tue, 18 Jun 2019 09:02:17 -0400
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
To: Victor Sudakov
Cc: freebsd-security@freebsd.org

Victor,

To throw a new wrinkle in the equation: Google Authenticator codes can be intercepted by a phishing page. U2F protocol is even better, and can't be intercepted via phishing.

There are U2F libraries in ports.

https://en.wikipedia.org/wiki/Universal_2nd_Factor

Cheers,
Rob

On Tue, Jun 18, 2019, 04:01 Victor Sudakov wrote:

> Dear Colleagues,
>
> I've used OPIE for many years (and S/Key before that) to login to my
> system from untrusted terminals (cafes, libraries etc).
>
> Now I've read an opinion that OPIE is outdated (and indeed its upstream
> distribution is gone) and that pam_google_authenticator would be more
> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>
> Is that truly so? With 20 words in OPIE and only 6 digits in
> pam_google_authenticator, how strong is pam_google_authenticator against
> brute force and other attacks?
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/

From: Dan Langille
To: Robert Simmons
Cc: Victor Sudakov, freebsd-security@freebsd.org
Date: Tue, 18 Jun 2019 09:07:28 -0400
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
> On Jun 18, 2019, at 9:02 AM, Robert Simmons wrote:
>
> On Tue, Jun 18, 2019, 04:01 Victor Sudakov wrote:
>
>> Dear Colleagues,
>>
>> I've used OPIE for many years (and S/Key before that) to login to my
>> system from untrusted terminals (cafes, libraries etc).
>>
>> Now I've read an opinion that OPIE is outdated (and indeed its upstream
>> distribution is gone) and that pam_google_authenticator would be more
>> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>>
>> Is that truly so? With 20 words in OPIE and only 6 digits in
>> pam_google_authenticator, how strong is pam_google_authenticator against
>> brute force and other attacks?
>
> Victor,
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page. U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>
> Cheers,
> Rob
>

If my Google Authenticator codes are on my phone, and I'm entering them into my ssh session, how is a phishing page involved?

—
Dan Langille
http://langille.org/

From: Robert Simmons
To: Dan Langille
Cc: Victor Sudakov, freebsd-security@freebsd.org
Date: Tue, 18 Jun 2019 09:09:19 -0400
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
You are correct for SSH.

On Tue, Jun 18, 2019, 09:07 Dan Langille wrote:

> On Jun 18, 2019, at 9:02 AM, Robert Simmons wrote:
>
> On Tue, Jun 18, 2019, 04:01 Victor Sudakov wrote:
>
> Dear Colleagues,
>
> I've used OPIE for many years (and S/Key before that) to login to my
> system from untrusted terminals (cafes, libraries etc).
>
> Now I've read an opinion that OPIE is outdated (and indeed its upstream
> distribution is gone) and that pam_google_authenticator would be more
> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>
> Is that truly so? With 20 words in OPIE and only 6 digits in
> pam_google_authenticator, how strong is pam_google_authenticator against
> brute force and other attacks?
>
> Victor,
>
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page. U2F protocol is even better, and can't be
> intercepted via phishing.
>
> There are U2F libraries in ports.
>
> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>
> Cheers,
> Rob
>
> If my Google Authenticator codes are on my phone, and I'm entering them
> into my ssh session, how is a phishing page involved?
>
> —
> Dan Langille
> http://langille.org/

From: Robert Simmons
To: Dan Langille
Cc: Victor Sudakov, freebsd-security@freebsd.org
Date: Tue, 18 Jun 2019 09:10:36 -0400
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
I am thinking about it from the perspective of having one single 2fa across as many systems as possible.

On Tue, Jun 18, 2019, 09:09 Robert Simmons wrote:

> You are correct for SSH.
>
> On Tue, Jun 18, 2019, 09:07 Dan Langille wrote:
>
>> On Jun 18, 2019, at 9:02 AM, Robert Simmons wrote:
>>
>> On Tue, Jun 18, 2019, 04:01 Victor Sudakov wrote:
>>
>> Dear Colleagues,
>>
>> I've used OPIE for many years (and S/Key before that) to login to my
>> system from untrusted terminals (cafes, libraries etc).
>>
>> Now I've read an opinion that OPIE is outdated (and indeed its upstream
>> distribution is gone) and that pam_google_authenticator would be more
>> secure: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237270
>>
>> Is that truly so? With 20 words in OPIE and only 6 digits in
>> pam_google_authenticator, how strong is pam_google_authenticator against
>> brute force and other attacks?
>>
>> Victor,
>>
>> To throw a new wrinkle in the equation: Google Authenticator codes can be
>> intercepted by a phishing page. U2F protocol is even better, and can't be
>> intercepted via phishing.
>>
>> There are U2F libraries in ports.
>>
>> https://en.wikipedia.org/wiki/Universal_2nd_Factor
>>
>> Cheers,
>> Rob
>>
>> If my Google Authenticator codes are on my phone, and I'm entering them
>> into my ssh session, how is a phishing page involved?
>>
>> —
>> Dan Langille
>> http://langille.org/

From: mike tancsa
To: freebsd-security@freebsd.org
Date: Tue, 18 Jun 2019 10:33:00 -0400
Subject: TCP SACK (CVE-2019-5599)
Hi all,

With respect to the bugs described in https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

Description: It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.

Workaround #1: Apply the patch split_limit.patch and set the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table.

Workaround #2: Temporarily disable the RACK TCP stack.

(Note that either workaround should be sufficient on its own. It is not necessary to apply both workarounds.)

How do I know if this is enabled in my default kernel on RELENG_12? There is some vague mention in various forums that this is not the default on FreeBSD. Can anyone shed more light as to how this does/does not impact FreeBSD?
    ---Mike

From: Stefan Bethke
To: freebsd-security@freebsd.org
Date: Tue, 18 Jun 2019 16:36:50 +0200
Subject: CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Are stock kernels/configurations affected? If so, will a fix or workaround be incorporated?

Thanks,
Stefan

--
Stefan Bethke   Fon +49 151 14070811

From: Lowell Gilbert
To: mike tancsa
Cc: freebsd-security@freebsd.org
Reply-To: freebsd-security@freebsd.org
Date: Tue, 18 Jun 2019 10:48:13 -0400
Subject: Re: TCP SACK (CVE-2019-5599)
<29d6e221-e88a-f828-0e5b-ac235691ed86@sentex.net> (mike tancsa's message of "Tue, 18 Jun 2019 10:33:00 -0400") Message-ID: <44o92vdk5u.fsf@be-well.ilk.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain X-Rspamd-Queue-Id: C6A24813FC X-Spamd-Bar: +++++ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [5.60 / 15.00]; ARC_NA(0.00)[]; HAS_REPLYTO(0.00)[freebsd-security@freebsd.org]; FROM_HAS_DN(0.00)[]; NEURAL_SPAM_SHORT(0.77)[0.775,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[ilk.org]; REPLYTO_DOM_NEQ_FROM_DOM(0.00)[]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(1.00)[0.997,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; MX_GOOD(-0.01)[cached: be-well.ilk.org]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(1.00)[0.999,0]; SUBJ_ALL_CAPS(1.80)[24]; R_SPF_NA(0.00)[]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:7922, ipnet:23.30.0.0/15, country:US]; MID_RHS_MATCH_FROM(0.00)[]; IP_SCORE(0.04)[ip: (0.11), ipnet: 23.30.0.0/15(0.08), asn: 7922(0.06), country: US(-0.06)] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jun 2019 14:54:24 -0000 mike tancsa writes: > *How does I know if this is enabled in my default kernel on RELENG_12 ? > There is some vague mention in various forums this is not the default on > FreeBSD ? Can anyone shed more light as to how this does/does not impact > FreeBSD ? If the net.inet.tcp.functions_default sysctl doesn't list "rack", you don't have to worry about it. As far as I can see from a quick look at my source tree, you would have to load a module to use it. 
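Lowell's sysctl check, written out as an added shell example (not code from the thread): it classifies a host from the captured output of net.inet.tcp.functions_default and net.inet.tcp.functions_available, so it can be run offline against saved output. The sample outputs are constructed, and the column layout of the functions_available table is assumed from FreeBSD 12.

```shell
#!/bin/sh
# Added example, not from the thread: classify a FreeBSD 12 host's exposure
# to the RACK-specific SACK issue from captured sysctl output.  On a live
# host the input text would come from:
#   sysctl net.inet.tcp.functions_default net.inet.tcp.functions_available
# The functions_available table layout (Stack, D, Alias, PCB count) is
# assumed here; the samples below are constructed, not captured.

# Print one of: rack-default, rack-loaded, rack-absent.
rack_status() {
    input="$1"
    # functions_default is reported as "name/alias", e.g. freebsd/freebsd.
    default=$(printf '%s\n' "$input" |
        sed -n 's/^net\.inet\.tcp\.functions_default: *//p')
    case "$default" in
        rack|rack/*)
            # RACK is the default stack: every new TCP connection uses it.
            echo "rack-default"; return 0 ;;
    esac
    # Rows of the functions_available table start with the stack name.
    if printf '%s\n' "$input" | awk '$1 == "rack" { found = 1 } END { exit !found }'; then
        # Module loaded but not default: only sockets explicitly switched
        # to it (TCP_FUNCTION_BLK socket option) run the RACK stack.
        echo "rack-loaded"; return 0
    fi
    # Stock kernel with no RACK module loaded: the advisory does not apply.
    echo "rack-absent"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_STOCK='net.inet.tcp.functions_default: freebsd/freebsd
net.inet.tcp.functions_available:
Stack                           D Alias                            PCB count
freebsd                         * freebsd                          12'

SAMPLE_RACK_LOADED="$SAMPLE_STOCK
rack                              rack                             0"

SAMPLE_RACK_DEFAULT='net.inet.tcp.functions_default: rack/rack
net.inet.tcp.functions_available:
Stack                           D Alias                            PCB count
freebsd                           freebsd                          3
rack                            * rack                             9'

for s in "$SAMPLE_STOCK" "$SAMPLE_RACK_LOADED" "$SAMPLE_RACK_DEFAULT"; do
    rack_status "$s"
done
```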
From: hiren
Date: Tue, 18 Jun 2019 07:57:09 -0700
Subject: Re: TCP SACK (CVE-2019-5599)

On 06/18/19 at 10:33P, mike tancsa wrote:
> Hi all,
> With respect to the bugs described in
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>
> SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
[snip]
>
> How do I know if this is enabled in my default kernel on RELENG_12?
> There is some vague mention in various forums this is not the default on
> FreeBSD? Can anyone shed more light as to how this does/does not impact
> FreeBSD?

RACK is one of the tcp stacks ($src/sys/netinet/tcp_stacks) and not
enabled by default.

So, by default, FreeBSD is not affected, afaict. This advisory is for
when you do use RACK.

Cheers,
Hiren

From: hiren
Date: Tue, 18 Jun 2019 07:59:41 -0700
Subject: Re: CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

On 06/18/19 at 04:36P, Stefan Bethke wrote:
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>
> Are stock kernels/configurations affected? If so, will a fix or workaround be incorporated?

RACK is still not the default stack, so FreeBSD is not affected.
Cheers,
Hiren

From: Cy Schubert
Date: Tue, 18 Jun 2019 08:39:55 -0700
Subject: Re: TCP SACK (CVE-2019-5599)
On June 18, 2019 7:57:09 AM PDT, hiren via freebsd-security wrote:
>On 06/18/19 at 10:33P, mike tancsa wrote:
>> Hi all,
>> With respect to the bugs described in
>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>>
>> SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
>[snip]
>>
>> How do I know if this is enabled in my default kernel on RELENG_12?
>> There is some vague mention in various forums this is not the default on
>> FreeBSD? Can anyone shed more light as to how this does/does not impact
>> FreeBSD?
>
>RACK is one of the tcp stacks ($src/sys/netinet/tcp_stacks) and not
>enabled by default.
>
>So, by default, FreeBSD is not affected, afaict. This advisory is for
>when you do use RACK.
>
>Cheers,
>Hiren

They post a workaround patch in their advisory. As RACK is their
contribution, I suppose one of their people who are committers might
want to commit it.

--
Pardon the typos and autocorrect, small keyboard in use.

Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.

From: grarpamp
Date: Tue, 18 Jun 2019 17:34:32 -0400
Subject: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
NFLX-2019-001

Date Entry Created: 20190107
Preallocated to nothing?
Or withheld under irresponsible disclosure thus keeping
users vulnerable to leaks, parallel discovery, and exploit
for at least five months more than necessary, and
unaware thus unable to consider potential local mitigations?

Older references...
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=freebsd
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=freebsd&search_type=all
From: Gordon Tetlow
Date: Tue, 18 Jun 2019 16:55:35 -0700
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)

On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
> NFLX-2019-001
>
> Date Entry Created: 20190107
> Preallocated to nothing?
> Or withheld under irresponsible disclosure thus keeping
> users vulnerable to leaks, parallel discovery, and exploit
> for at least five months more than necessary, and
> unaware thus unable to consider potential local mitigations?

Other than the inappropriate tone, there is a reasonable question here.
MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
when to assign and disclose them. The 2019-01-07 date is when MITRE
allocated a block of CVEs to FreeBSD, not when they are assigned to an
issue. We generally get a block in the beginning of each year.

If you would like to have an actual discussion around disclosure
policies, I'm happy to have one, but by your tone above, I don't think
there is any reason to do so. It seems unlikely you are open to
debate in a fashion that would be productive.

Thanks,
Gordon
Hat: Security Officer
:mime-version:content-disposition:in-reply-to:user-agent; bh=ZjWGQ2+ijpBfioHVFDQ8INdyQyE53uZwPApgm2atEP0=; b=GdN69ZDtlQE4z0TKF6bKicTq9IsCf3KIN8hSL2B7bEig80kRpP4CK4MHf7IF1dnZms RbEMn0aZbgyOM5Rno7exMgiuz4GFHUAeKJuHjsTn5LkE+ArjcFU8P46GkpL89mLk/ERc l9iH/+Yi6PZEzCaGEwdgkwznekM7BOWF35ix1SPqOZznS+i2tSahxvvDOJtCRrUeMytG fUCR65UZnMQVQzn60Gb2E2o74iN95IT30dmHO4Ft+RqGFMIuC7f/9exZMabRKrtgx33L Ggtj3c0hDG/ja7oa12bgWzAAr2bUcYyCFrCsOQYCuhAaJ2qIJse5DA4mViOub5Epqvtt DYPg== X-Gm-Message-State: APjAAAWl0C7x49lt8Mb6N5lXfnmTuJK83NsoYA8QRioDCVDQgSntfb7B Bm4pZEsKNhwhH90oR1o8QpZrTg== X-Google-Smtp-Source: APXvYqwS6Lt7Xtx7JLWCdvUoby8IdPIK+26vpb5ur3TA3HXG4C5NcXQm5dkr9+okwQLbTtoAItUFIw== X-Received: by 2002:a37:ac14:: with SMTP id e20mr95009884qkm.243.1560902817092; Tue, 18 Jun 2019 17:06:57 -0700 (PDT) Received: from mutt-hbsd ([151.196.118.239]) by smtp.gmail.com with ESMTPSA id k58sm10784251qtc.38.2019.06.18.17.06.56 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Tue, 18 Jun 2019 17:06:56 -0700 (PDT) Date: Tue, 18 Jun 2019 20:06:55 -0400 From: Shawn Webb To: Gordon Tetlow Cc: grarpamp , freebsd-security@freebsd.org, freebsd-questions@freebsd.org, security-report@netflix.com Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack) Message-ID: <20190619000655.2gde4u5i5ter5exu@mutt-hbsd> References: <20190618235535.GY32970@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="pvj2jtyuppcsn75u" Content-Disposition: inline In-Reply-To: <20190618235535.GY32970@gmail.com> X-Operating-System: FreeBSD mutt-hbsd 13.0-CURRENT-HBSD FreeBSD 13.0-CURRENT-HBSD HARDENEDBSD-13-CURRENT amd64 X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0xFF2E67A277F8E1FA User-Agent: NeoMutt/20180716 X-Rspamd-Queue-Id: F08E86CC92 X-Spamd-Bar: -------- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=hardenedbsd.org header.s=google header.b=FWXc3jR0; spf=pass (mx1.freebsd.org: domain of 
shawn.webb@hardenedbsd.org designates 2607:f8b0:4864:20::72d as permitted sender) smtp.mailfrom=shawn.webb@hardenedbsd.org X-Spamd-Result: default: False [-8.10 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCPT_COUNT_FIVE(0.00)[5]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[hardenedbsd.org:+]; MX_GOOD(-0.01)[alt1.aspmx.l.google.com,aspmx.l.google.com,aspmx2.googlemail.com,alt2.aspmx.l.google.com,aspmx3.googlemail.com]; NEURAL_HAM_SHORT(-1.00)[-0.996,0]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-3.00)[ip: (-9.44), ipnet: 2607:f8b0::/32(-3.16), asn: 15169(-2.32), country: US(-0.06)]; MIME_TRACE(0.00)[0:+,1:+]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_LAST(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[239.118.196.151.zen.spamhaus.org : 127.0.0.10]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[hardenedbsd.org:s=google]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; DMARC_NA(0.00)[hardenedbsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[d.2.7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; MID_RHS_NOT_FQDN(0.50)[]; FREEMAIL_CC(0.00)[gmail.com] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jun 2019 00:06:59 -0000 --pvj2jtyuppcsn75u Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote: > On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote: > > https://github.com/Netflix/security-bulletins/blob/master/advisories/th= ird-party/2019-001.md > > 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2019-5599 > > NFLX-2019-001 > >=20 > > Date Entry Created: 20190107 > > Preallocated to nothing? > > Or witheld under irresponsible disclosure thus keeping > > users vulnerable to leaks, parallel discovery, and exploit > > for at least five months more than necessary, and > > unaware thus unable to consider potential local mitigations? >=20 > Other than the inappropriate tone, there is a reasonable question here. > MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide > when to assign and disclose them. The 2019-01-07 date is when MITRE > allocated a block of CVEs to FreeBSD, not when they are assigned to an > issue. We generally get a block in the beginning of each year. >=20 > If you would like to have an actual discussion around disclosure > policies, I'm happy to have one, but by your tone above, I don't think > there is any reason to do so. It seems unlikely you are open to > debate in a fashion that would be productive. Hey Gordon, Thank you for your reply, and especially for the respectful tone. I hope to drive a further positive discussion in the goal of enhanced transparency. It appears that Netflix's advisory (as of this writing) does not include a timeline of events. Would FreeBSD be able to provide its event timeline with regards to CVE-2019-5599? Were any FreeBSD derivatives given advanced notice? If so, which ones? Thanks for your time, resources, and continued correspondence. 
Thanks again,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2

From owner-freebsd-security@freebsd.org Wed Jun 19 02:05:15 2019
Date: Wed, 19 Jun 2019 09:05:12 +0700
From: Victor Sudakov
To: freebsd-security@freebsd.org
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID: <20190619020512.GA64608@admin.sibptus.ru>
References: <20190618075954.GA30296@admin.sibptus.ru>

Robert Simmons wrote:
> 
> To throw a new wrinkle in the equation: Google Authenticator codes can be
> intercepted by a phishing page.

In my case, no page is involved, just the FreeOTP app on my Android phone (which is less convenient than a sheet of paper with OPIE passwords, but I can live with that).

> U2F protocol is even better, and can't be
> intercepted via phishing.
> 
> There are U2F libraries in ports.
> 
> https://en.wikipedia.org/wiki/Universal_2nd_Factor

U2F (and Yubikey) require purchase of hardware devices. In this sense, they are not replacements for OPIE, which is a pure software solution.

Back to my original question.

1. Is it safe to keep OPIE in the base system? Its upstream project is gone. It is not IPv6 ready. It uses MD5.

2. If OPIE is not safe anymore, which is a good software replacement?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-security@freebsd.org Wed Jun 19 02:58:04 2019
Date: Tue, 18 Jun 2019 19:57:55 -0700 (PDT)
From: Roger Marquis
To: Victor Sudakov
cc: freebsd-security@freebsd.org
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
In-Reply-To: <20190619020512.GA64608@admin.sibptus.ru>

> In my case, no page is involved, just the FreeOTP app on my Android
> phone (which is less convenient than a sheet of paper with OPIE
> passwords, but I can live with that).

FreeOTP and FreeOTP+ are IMO the best OTP apps out there. They require no privacy-invading "push" notifications and are open source. Just wish more sites would publish numeric codes instead of gimmicky QR codes.

That said there are still plenty of us who also use OPIE. The passcodes are a solid T/HOTP fallback, aren't subject to seizure by border agents having a bad day, can be easily copied and stored on paper and have zero dependencies on 3rd parties.

That's not to say that OPIE should be kept in base though. There's already way too much unused legacy cruft in FreeBSD base. Ports are the right tool for that job. But OPIE is still used, can be updated relatively easily, and should be kept somewhere accessible for security-conscious end-users. To eliminate it would only benefit those with commercial interests in proprietary and hosted (vendor lock-in) MFA solutions.
IMO,
Roger Marquis

From owner-freebsd-security@freebsd.org Wed Jun 19 01:16:55 2019
Date: Tue, 18 Jun 2019 21:16:52 -0400
From: grarpamp
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org, security-report@netflix.com
Subject: Re: CVE-2019-5599 SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
In-Reply-To: <20190618235535.GY32970@gmail.com>
References: <20190618235535.GY32970@gmail.com>

On 6/18/19, Gordon Tetlow wrote:
> On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote:
>> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599
>> NFLX-2019-001
>>
>> Date Entry Created: 20190107
>> Preallocated to nothing?
>> Or withheld...?
> MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide
> when to assign and disclose them. The 2019-01-07 date is when MITRE
> allocated a block of CVEs to FreeBSD, not when they are assigned to an
> issue. We generally get a block in the beginning of each year.

So preallocated to nothing, ok very well, no problem, priors amended herein as such, thx.

As it is not in the current .md, when was the issue discovered by Netflix / Looney?

> discussion around disclosure policies

In today's world of parallel discovery, leaks, sec org infiltration by adversary, surveillance, no crypto, rapid automated exploit, etc... to wait for patch, polish, and press release advert, to not disclose, afford users local action up to immediate offlining for safety and wait, to draw upon entire community pool that has time*ability to fix... is thought by many [users] as irresponsible to users.

There is no tone.

And of course this one isn't currently a remote or local root. But what if it was...
For those interested or new, there's lots of historical discussion with and without tone that can be found on any seclist, yet is no universal..

Having just noted these...
https://www.freebsd.org/security/
https://www.freebsd.org/security/charter.html
https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/security/

The charter last marked current 2002... is there any actual and posted mandatory timeliness disclosure trigger component? One that gets overall reviewed for user input say every N years? Perhaps something more security focused than the general...
https://www.research.net/r/freebsd2019

Hack happily :)
Netflix dedication to FreeBSD much appreciated by many too.

From owner-freebsd-security@freebsd.org Wed Jun 19 03:42:58 2019
Date: Wed, 19 Jun 2019 10:42:57 +0700
From: Victor Sudakov
To: freebsd-security@freebsd.org
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID: <20190619034257.GA67083@admin.sibptus.ru>
References: <20190618075954.GA30296@admin.sibptus.ru> <20190619020512.GA64608@admin.sibptus.ru>

Roger Marquis wrote:
> > In my case, no page is involved, just the FreeOTP app on my Android
> > phone (which is less convenient than a sheet of paper with OPIE
> > passwords, but I can live with that).
> 
> FreeOTP and FreeOTP+ are IMO the best OTP apps out there. They require
> no privacy invading "push" notifications and are open source.

Would you rely on security/pam_google_authenticator+FreeOTP as the *single* authentication for ssh (not as an extra authentication factor)? In other words, as a "sufficient" PAM module?

> Just wish
> more sites would publish numeric codes instead of gimmicky QR codes.

Oh, I love the QR codes google-authenticator generates in character-based terminals. Very stylish, and convenient to scan with the FreeOTP app.

Do you know if there is a FreeOTP generator for the FreeBSD console, like /usr/bin/otp-md5 ?

> 
> That said there are still plenty of us who also use OPIE. The passcodes
> are a solid T/HOTP fallback, aren't subject to seizure by border agents
> having a bad day, can be easily copied and stored on paper and have zero
> dependencies on 3rd parties.
> 
> That's not to say that OPIE should be kept in base though. There's
> already way too much unused legacy cruft in FreeBSD base. Ports are the
> right tool for that job.

Is there a way to keep some software in ports, if the original project is dead?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

From owner-freebsd-security@freebsd.org Wed Jun 19 17:20:44 2019
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-19:08.rack
Reply-To: freebsd-security@freebsd.org
Message-Id: <20190619172043.583FC10A68@freefall.freebsd.org>
Date: Wed, 19 Jun 2019 17:20:43 +0000 (UTC)

=============================================================================
FreeBSD-SA-19:08.rack                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in non-default RACK TCP stack

Category:       core
Module:         inet
Announced:      2019-06-19
Credits:        Jonathan Looney (Netflix)
                Peter Lei (Netflix)
Affects:        FreeBSD 12.0 and later
Corrected:      2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE)
                2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6)
CVE Name:       CVE-2019-5599

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses
the notion of time, in addition to packet or sequence counts, to detect
losses for modern TCP implementations that support per-packet timestamps
and the selective acknowledgment (SACK) option.

FreeBSD ships an optional implementation of RACK. Please note this is not
included by default. If RACK was not specifically compiled, installed, and
loaded, the system is not vulnerable.

II.  Problem Description

While processing acknowledgements, the RACK code uses several linked lists
to maintain state entries. A malicious attacker can cause the lists to
grow unbounded. This can cause an expensive list traversal on every packet
being processed, leading to resource exhaustion and a denial of service.

III. Impact

An attacker with the ability to send specially crafted TCP traffic to a
victim system can degrade network performance and/or consume excessive CPU
by exploiting the inefficiency of traversing the potentially very large
RACK linked lists with relatively small bandwidth cost.

IV.  Workaround

By default RACK is not compiled or loaded into the TCP stack. To determine
if you are using RACK, check the net.inet.tcp.functions_available sysctl.
If it includes a line with "rack", the RACK stack is loaded.

To disable RACK, unload the kernel module with:

# kldunload tcp_rack

Note: it may be required to use the force flag (-f) with the kldunload.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Since the tcp_rack kernel module is not built by default, recompile,
reinstall, and reload the kernel module.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch
# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc
# gpg --verify rack.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile, reinstall, and reload the tcp_rack kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349197
releng/12.0/                                                      r349199
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
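Returning to the OPIE vs pam_google_authenticator thread above, two of the questions raised there (how strong a 6-digit code is against online guessing, and whether a TOTP generator can run on the FreeBSD console the way /usr/bin/otp-md5 does for OPIE) are easiest to answer with working code. The block below is an added example and is not code from the thread, from pam_google_authenticator or from FreeOTP: a standard-library-only Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) with a verifier that accepts a clock-skew window, a reader for the unpadded base32 secret format that google-authenticator prints and stores, and the guessing arithmetic for a 6-digit code space compared with the 64-bit value an OPIE/S/Key response encodes (RFC 2289). The secret used is the RFC test vector, embedded as a constructed input; the function names, the command-line usage and the window default are my assumptions, not the PAM module's interface.

```python
#!/usr/bin/env python3
"""HOTP/TOTP (RFC 4226 / RFC 6238) generator, verifier and brute-force estimate.

Added example for this thread; not code from pam_google_authenticator or FreeOTP.
Only the Python standard library is used, so it runs on a bare FreeBSD install.
"""
import base64
import hashlib
import hmac
import math
import struct
import sys
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), embedded
# here as a constructed input so the example runs offline and checks against
# the published test vectors.  Same key in the base32 form google-authenticator
# prints at enrolment and stores in ~/.google_authenticator.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Secrets are shown as unpadded base32 (first line of ~/.google_authenticator,
    or the secret= parameter of an otpauth:// URI); tolerate lowercase, spaces
    and the missing '=' padding."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6):
    """Accept a code from the current step or up to `window` steps either side
    (clock-skew tolerance; window=1 is an assumed default, not the module's).
    Returns the matching step offset, or None.  The comparison is constant-time
    so the verifier does not leak how many leading digits matched."""
    if len(code) != digits or not code.isdigit():
        return None
    base = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), code):
            return delta
    return None


def _success_probability(per_try: float, attempts: int) -> float:
    # 1 - (1 - p)**n, computed with log1p/expm1 so tiny p (2**-64) does not
    # round to zero in double precision.
    return -math.expm1(attempts * math.log1p(-per_try))


def guess_success_probability(attempts: int, digits: int = 6, window: int = 1) -> float:
    """Online guessing against TOTP: every code inside the accepted window is a
    hit, so each try succeeds with probability (2*window+1)/10**digits."""
    return _success_probability((2 * window + 1) / 10 ** digits, attempts)


def attempts_for_probability(target: float, digits: int = 6, window: int = 1) -> int:
    """Guesses needed before the attacker's success probability reaches `target`."""
    per_try = (2 * window + 1) / 10 ** digits
    return math.ceil(math.log(1.0 - target) / math.log1p(-per_try))


def opie_guess_success_probability(attempts: int) -> float:
    """Same estimate for an OPIE/S/Key response: the six words encode a 64-bit
    value (RFC 2289) and only the response for the current sequence number is
    valid, so there is no window to widen the target."""
    return _success_probability(2.0 ** -64, attempts)


if __name__ == "__main__":
    # Console generator (assumed usage): `python3 totp.py BASE32SECRET` prints the
    # current code and its remaining lifetime, much as otp-md5 prints an OPIE
    # response.  With no argument it uses the RFC test secret.
    key = decode_base32_secret(sys.argv[1]) if len(sys.argv) > 1 else RFC_SECRET
    now = int(time.time())
    print(totp(key, now), f"(valid for {30 - now % 30}s)")
    print(f"one guess accepted with p={guess_success_probability(1):.1e}; "
          f"{attempts_for_probability(0.5)} guesses for a 50% chance if nothing throttles them")
```

The arithmetic is the practitioner's answer to the brute-force question: a 6-digit code checked with a one-step window on each side is accepted with probability 3e-6 per guess, so an attacker who is not throttled reaches even odds after roughly 231,000 guesses, whereas guessing a 64-bit OPIE response is hopeless at any online rate. What makes TOTP usable as a factor is the throttling in front of it (the optional rate limit pam_google_authenticator can enforce, sshd's MaxAuthTries, fail2ban-style lockouts), not the size of the code space, which is the reason it is normally stacked behind a key or password rather than configured as a sufficient module on its own.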