From owner-freebsd-security@FreeBSD.ORG Tue Jun 27 20:10:29 2006
From: Mikhail Teterin
Organization: Virtual Estates, Inc.
To: Pawel Worach
Cc: freebsd-security@freebsd.org, net@freebsd.org
Date: Tue, 27 Jun 2006 16:10:04 -0400
Subject: Re: fetch http://localhost:6666 hangs
Message-Id: <200606271610.04604.mi+mx@aldan.algebra.com>
In-Reply-To: <44A1816B.3030808@gmail.com>

On Tuesday 27 June 2006 15:05, Pawel Worach wrote:
> > I just noticed that on my recent "6.1-STABLE #4: Thu Jun 8" amd64
> > system attempts to connect to a bogus port (like 6666) hang instead of
> > failing with "Connection refused" immediately, as they do on other
> > systems.
>
> Using sysctl net.inet.tcp.blackhole=1 ?

Yes, that's what it was... Got me thinking, though... Should the blackhole
setting apply to localhost (and local IP addresses) at all? It is a security
measure -- would be nicer to reduce its impact on legitimate activity...

-mi
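The symptom discussed above (a connect() to a closed port that waits instead of failing with "Connection refused") is easy to misread as a network problem. The script below is an added diagnostic, not code from the thread or from FreeBSD: it makes one time-bounded connect() attempt and classifies the outcome as open, refused, or timeout, the last being what a blackholed port looks like from the client side. It assumes bash's /dev/tcp pseudo-device and GNU timeout(1) are available; the port 6666 and the sysctl name come from the thread, everything else is the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: tell a blackholed port apart from
# a plainly closed one. With net.inet.tcp.blackhole=1 the kernel drops the SYN
# instead of answering with RST, so connect() waits for its timeout rather
# than failing immediately with "Connection refused".

# Map the exit status of probe_raw to a verdict.
classify_connect() {
  case "$1" in
    0)   echo open ;;     # connect() succeeded: something listens there
    124) echo timeout ;;  # timeout(1) fired: neither RST nor SYN-ACK came back
    127) echo error ;;    # bash or timeout(1) not available on this host
    *)   echo refused ;;  # connect() failed promptly, normally ECONNREFUSED
  esac
}

# One bounded connect() attempt using bash's /dev/tcp and GNU timeout(1),
# both assumed present. Output is silenced; only the exit status matters.
probe_raw() {
  timeout "$3" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# probe_port HOST PORT [SECONDS] -> open | refused | timeout | error
probe_port() {
  host=$1; port=$2; secs=${3:-3}
  if probe_raw "$host" "$port" "$secs"; then status=0; else status=$?; fi
  classify_connect "$status"
}

# Report the sysctl when this runs on FreeBSD; elsewhere the key does not exist.
blackhole_setting() {
  sysctl -n net.inet.tcp.blackhole 2>/dev/null || echo "n/a"
}

# Demo against the port from the thread; nothing is expected to listen there.
printf 'net.inet.tcp.blackhole = %s\n' "$(blackhole_setting)"
printf '127.0.0.1:6666 -> %s\n' "$(probe_port 127.0.0.1 6666 2)"
```

On a host where the sysctl is 0, the probe of a closed port reports "refused" within milliseconds; a "timeout" verdict on a loopback port is the hang Mikhail saw, and reading the sysctl alongside it confirms the cause before anyone starts debugging firewalls or the application.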
From owner-freebsd-security@FreeBSD.ORG Fri Jun 30 21:06:32 2006
From: "Dolan-Gavitt, Brendan F."
To: freebsd-security@freebsd.org
Date: Fri, 30 Jun 2006 17:06:29 -0400
Subject: Determining vulnerability to issues described by SAs

Hi,

I've been trying for the past few days to come up with a method for
checking a FreeBSD system to see if it is vulnerable to an issue described
by a FreeBSD security advisory in some automated way, similar to the way
portaudit can use VuXML to check for vulnerabilities in ports. Right now,
I'm a bit stuck--there seem to be fairly major issues with all the methods
I've come up with:

[1] Checking the patchlevel as reported by uname -r.
[2] Checking the RCS version tags in the source files listed as changed by
    the SA.
[3] Using ident on the binaries affected to extract the RCS tags of the
    source files used to compile them.

[1] Can fail if the user updates through binary patches of the sort offered
by freebsd-update; as far as I can tell, these do not affect the output of
uname unless they directly patch the kernel. Worse, the patchlevel reported
may be up-to-date even if the userland is still vulnerable to an issue
mentioned in an SA (e.g. if the user does a make buildkernel but not a make
buildworld).

[2] Can fail if the user does not build from source to update the system.

[3] Should work in all cases (aside from custom modifications to the
sources, but there's really no way to handle this case), but I don't know
of any way to automatically determine what binary to ident based on the
list of source files given in a security advisory.

All of the situations mentioned seem like they could be quite common.
I'm fairly new to FreeBSD, so I may just be missing something here--is
there a reliable way to determine if a system is patched according to a
particular security advisory?

Thanks,
Brendan Dolan-Gavitt

From owner-freebsd-security@FreeBSD.ORG Sat Jul 1 03:33:23 2006
From: Colin Percival
To: "Dolan-Gavitt, Brendan F."
Date: Fri, 30 Jun 2006 20:13:44 -0700
Cc: freebsd-security@freebsd.org
Subject: Re: Determining vulnerability to issues described by SAs
Message-Id: <44A5E868.60508@freebsd.org>

Dolan-Gavitt, Brendan F. wrote:
> I've been trying for the past few days to come up with a method for
> checking a FreeBSD system to see if it is vulnerable to an issue
> described by a FreeBSD security advisory in some automated way [...]

Yes, this is a problem.

> [1] Checking the patchlevel as reported by uname -r.
> [2] Checking the RCS version tags in the source files listed as
> changed by the SA
> [3] Using ident on the binaries affected to extract the RCS
> tags of the source files used to compile them.
>
> [1] Can fail if the user updates through binary patches of the sort
> offered by freebsd-update; as far as I can tell, these do not affect
> the output of uname unless they directly patch the kernel. Worse, the
> patchlevel reported may be up-to-date even if the userland is still
> vulnerable to an issue mentioned in an SA (eg if the user does a make
> buildkernel but not a make buildworld).

Yes. Also, the instructions contained in advisories usually involve
rebuilding only the affected part(s) of FreeBSD -- we've considered having
a "kernel patch number" and "userland patch number" separately, but even
this wouldn't really work.

> [2] Can fail if the user does not build from source to update the
> system.

It would also fail if people update their src tree by applying the patches
distributed on http://security.freebsd.org/, since these patches don't
modify the $FreeBSD$ CVS tags.

> [3] Should work in all cases (aside from custom modifications to the
> sources, but there's really no way to handle this case), but I don't
> know of any way to automatically determine what binary to ident based
> on the list of source files given in a security advisory.

Most binaries do not include $FreeBSD$ tags corresponding to all of the
source files used to compile them, so this approach doesn't work very
well, even if the user is updating their source tree with a method which
propagates the $FreeBSD$ tags. In addition, FreeBSD Update does not
include updated $FreeBSD$ tags, since the new values in those tags are
generated at commit time, well after the FreeBSD Update builds are run.

> I'm fairly new to FreeBSD, so I may just be missing something
> here--is there a reliable way to determine if a system is patched
> according to a particular security advisory?

In short, no. If you have any ideas, let me know. :-)

Colin Percival
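Brendan's methods [2] and [3] both come down to reading $FreeBSD$ RCS tags and comparing the revision against the one an advisory lists, and Colin's objection is that the tag is often simply absent (binaries from FreeBSD Update, source trees patched from security.freebsd.org). The script below is an added example, not code from the thread or from FreeBSD: it extracts expanded $FreeBSD$ tags from any file the way ident(1) would, compares the revision component by component, and reports "no-tag" as its own verdict so the blind spot Colin describes is visible rather than silently read as "patched". The file paths and revisions in the sample are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: extract $FreeBSD$ RCS tags from a
# file (source or binary, like ident(1) does) and compare the revision against
# the one an advisory says is fixed. Paths and revisions below are constructed.

# Print "path revision" for every expanded $FreeBSD$ tag in a file.
# Binary files are made line-oriented first by turning non-printable bytes
# into newlines. An unexpanded "$FreeBSD$" (no ": ") is deliberately skipped.
freebsd_tags() {
  tr -c '[:print:]\n' '\n' < "$1" |
    sed -n 's/.*\$FreeBSD: \([^ ,]*\),v \([0-9][0-9.]*\) .*\$.*/\1 \2/p'
}

# Return 0 when dotted revision $1 >= $2, comparing component by component.
# Only meaningful for revisions on the same CVS branch (e.g. 1.10.2.1 vs 1.10.2.3).
rev_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    if [ "$a" = "$ah" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$bh" ]; then b=; else b=${b#*.}; fi
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -gt "$bh" ]; then return 0; fi
    if [ "$ah" -lt "$bh" ]; then return 1; fi
  done
  return 0
}

# check_tag FILE PATH MINREV -> patched | unpatched | no-tag
# "no-tag" means the file carries no tag for that path at all, which is the
# case the thread warns about: it must not be mistaken for "patched".
check_tag() {
  file=$1; want=$2; minrev=$3
  rev=$(freebsd_tags "$file" | awk -v p="$want" '$1 == p { print $2; exit }')
  if [ -z "$rev" ]; then echo no-tag; return 2; fi
  if rev_ge "$rev" "$minrev"; then echo patched; return 0; fi
  echo unpatched; return 1
}

# Constructed sample file: tags for two fictitious sources plus one
# unexpanded tag that must be ignored. Caller removes the temp file.
demo_file() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
/* constructed sample, not a real FreeBSD file */
/* $FreeBSD: src/example/foo.c,v 1.10.2.1 2006/06/01 12:00:00 nobody Exp $ */
/* $FreeBSD: src/example/bar.c,v 1.4 2005/01/01 00:00:00 nobody Exp $ */
/* $FreeBSD$ */
EOF
  echo "$f"
}

# Demo: one advisory-style requirement per line, "path minimum-revision".
sample=$(demo_file)
for spec in "src/example/foo.c 1.10.2.1" "src/example/foo.c 1.10.2.3" \
            "src/example/baz.c 1.1"; do
  set -- $spec
  printf '%-20s >= %-9s : %s\n' "$1" "$2" "$(check_tag "$sample" "$1" "$2")"
done
rm -f "$sample"
```

Run against a real binary, the same `check_tag` call would answer "no-tag" for most of the source files an advisory lists, which is Colin's point about why [3] does not scale; the value of keeping that verdict separate is that an automated checker can report "cannot determine" instead of a false "patched".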