From owner-freebsd-security@FreeBSD.ORG Mon Jul 12 18:29:52 2010
From: Fernan Aguero
Date: Mon, 12 Jul 2010 15:04:43 -0300
To: freebsd-security@freebsd.org
Subject: disable (new)syslog rotation and raise securelevel ... possible?
Hi,

I'd like to harden my FreeBSD installation, and thus would like to, e.g.

i) chflags sappnd /var/log/*
ii) raise the securelevel of the system

Is this possible? I've read elsewhere that newsyslog would not work in such a system ... what are the possible workarounds?

I wouldn't bother taking the system down once a week or every other week, and manually lowering the securelevel, running newsyslog, etc. Is there a guide somewhere on how to go about this?

Thanks!
--
fernan

From owner-freebsd-security@FreeBSD.ORG Mon Jul 12 22:53:15 2010
Message-ID: <4C3B9CD6.3010207@xzibition.com>
Date: Mon, 12 Jul 2010 17:53:10 -0500
From: Bryan Drewery
To: Fernan Aguero
Cc: freebsd-security@freebsd.org
Subject: Re: disable (new)syslog rotation and raise securelevel ... possible?

Fernan,

You can disable newsyslog by adding newsyslog_enable="NO" to your /etc/rc.conf or /etc/rc.conf.local

Also be aware that you will need to reboot with kern_securelevel_enable="NO" in one of those files, to lower the securelevel.

You should also consider a remote syslog host.

Bryan

Fernan Aguero wrote:
> Hi,
>
> I'd like to harden my FreeBSD installation, and thus would like to, e.g.
>
> i) chflags sappnd /var/log/*
> ii) raise the securelevel of the system
>
> Is this possible? I've read elsewhere that newsyslog would not work in
> such a system ... what are the possible workarounds?
>
> I wouldn't bother taking the system down once a week or every other
> week, and manually lowering the securelevel, running newsyslog, etc.
> Is there a guide somewhere on how to go about this?
>
> Thanks!
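The reply above gives three pieces of advice (stop newsyslog, expect a reboot to lower the securelevel, log to a remote host). Put together as a script, as an added example that is not from the thread: it writes the rc.conf knobs, forwards syslog off-box, and marks the existing logs append-only. One detail the reply does not mention: newsyslog_enable only governs the boot-time run of /etc/rc.d/newsyslog; the hourly rotation comes from the newsyslog line in /etc/crontab, so that line is commented out as well. ROOT (a path prefix, empty on a real host) and LOGHOST (the name of the central syslog server) are assumed names chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: prepare a FreeBSD host for append-only
# local logs under a raised securelevel.
# Assumptions: ROOT is a prefix (empty on a real host, a scratch directory for
# a dry run); LOGHOST is the central syslog server's name.
set -eu

ROOT="${ROOT:-}"
LOGHOST="${LOGHOST:-loghost.example.net}"

# Set key="value" in rc.conf, replacing an existing line for that key.
set_rc() {
    rc="$ROOT/etc/rc.conf"
    mkdir -p "$ROOT/etc"
    touch "$rc"
    if grep -q "^$1=" "$rc"; then
        sed -i.bak "s|^$1=.*|$1=\"$2\"|" "$rc" && rm -f "$rc.bak"
    else
        printf '%s="%s"\n' "$1" "$2" >> "$rc"
    fi
}

# Print the value set for a key in rc.conf (empty if unset).
rc_value() {
    sed -n "s|^$1=\"\(.*\)\"|\1|p" "$ROOT/etc/rc.conf" 2>/dev/null
}

configure_logging() {
    # 1. Rotation cannot work on sappnd files: newsyslog renames and truncates,
    #    and neither is allowed once the flag is set. rc.conf only controls the
    #    boot-time run of /etc/rc.d/newsyslog; the hourly run comes from
    #    /etc/crontab, so both must be stopped.
    set_rc newsyslog_enable NO
    if [ -f "$ROOT/etc/crontab" ]; then
        sed -i.bak '/^[^#].*[[:space:]]newsyslog/s/^/#/' "$ROOT/etc/crontab" \
            && rm -f "$ROOT/etc/crontab.bak"
    fi
    # 2. Send a copy of every message off-box before it lands in the local
    #    files, so an intruder has two hosts to clean instead of one.
    conf="$ROOT/etc/syslog.conf"
    mkdir -p "$ROOT/etc"
    grep -q "@$LOGHOST" "$conf" 2>/dev/null || printf '*.*\t@%s\n' "$LOGHOST" >> "$conf"
    # 3. Raise the securelevel at boot. At level 1 or higher system flags such
    #    as sappnd can no longer be cleared, not even by root; lowering it
    #    again means a reboot with kern_securelevel_enable="NO".
    set_rc kern_securelevel_enable YES
    set_rc kern_securelevel 1
}

# Mark the existing log files append-only. chflags exists only on BSD, so a
# dry run elsewhere skips this step.
mark_append_only() {
    for f in "$ROOT"/var/log/*; do
        [ -f "$f" ] || continue
        if command -v chflags >/dev/null 2>&1; then
            chflags sappnd "$f"
        fi
    done
}
```

Run configure_logging and mark_append_only as root, then reboot so the securelevel takes effect. syslogd only appends, so it keeps writing; what stops working is truncation, so watch free space on /var, because the only way to shrink those files afterwards is a reboot with the securelevel disabled. On the receiving host, syslogd must be started with -a to accept the client (for example syslogd_flags="-a 192.0.2.0/24:*" in its rc.conf) and that host needs at least the same hardening, or it merely moves the problem.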
From owner-freebsd-security@FreeBSD.ORG Mon Jul 12 23:41:22 2010
Message-ID: <4C3BA811.1000108@delphij.net>
Date: Mon, 12 Jul 2010 16:41:05 -0700
From: Xin LI
Organization: The Geek China Organization
To: Fernan Aguero
Cc: freebsd-security@freebsd.org
Reply-To: d@delphij.net
Subject: Re: disable (new)syslog rotation and raise securelevel ... possible?

On 2010/07/12 11:04, Fernan Aguero wrote:
> Hi,
>
> I'd like to harden my FreeBSD installation, and thus would like to, e.g.
>
> i) chflags sappnd /var/log/*
> ii) raise the securelevel of the system
>
> Is this possible? I've read elsewhere that newsyslog would not work in
> such a system ... what are the possible workarounds?
>
> I wouldn't bother taking the system down once a week or every other
> week, and manually lowering the securelevel, running newsyslog, etc.
> Is there a guide somewhere on how to go about this?

Speaking for your question, disabling newsyslog can be done by removing the corresponding line in your /etc/crontab.

However, the use of system flags is usually dangerous; I don't really consider them very useful mechanisms for hardening your installation. Logging remotely to a dedicated and secured central logging server could be a better alternative (as long as you have control of your internal network), since the attacker has to take down two systems, rather than one, in order to erase their footprints.

Cheers,
--
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Tue Jul 13 02:52:10 2010
Message-Id: <201007130252.o6D2qA4v018706@freefall.freebsd.org>
Date: Tue, 13 Jul 2010 02:52:10 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-10:07.mbuf
=============================================================================
FreeBSD-SA-10:07.mbuf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Lost mbuf flag resulting in data corruption

Category:       core
Module:         kern
Announced:      2010-07-13
Credits:        Ming Fu
Affects:        FreeBSD 7.x and later.
Corrected:      2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE)
                2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE)
                2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4)
                2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE)
                2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2)
                2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13)
CVE Name:       CVE-2010-2693

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

An mbuf is the basic unit of memory management in the FreeBSD kernel's inter-process communication and networking subsystem. Network packets and socket buffers depend on mbufs for their storage. Data can be embedded directly in mbufs, or mbufs can instead reference external buffers. The sendfile(2) system call uses external mbuf storage to map the contents of a file directly into a chain of mbufs for transmission. The mbuf object supports a read-only flag that must be honored to prevent modification of, or writes to, buffer data in cases like these.

II.  Problem Description

The read-only flag is not correctly copied when an mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption.

III. Impact

This data corruption can be exploited by a local attacker to escalate their privilege by carefully controlling the corruption of system files.
It should be noted that the attacker can corrupt any file they have read access to.

NOTE: While systems without untrusted local users are not affected by the security aspects of this issue, the potential for data corruption implies that this should still be treated as a critical erratum.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3, 8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch
# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Now reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.
CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/uipc_mbuf.c                                        1.174.2.4
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.4
  src/sys/conf/newvers.sh                                   1.72.2.16.2.6
  src/sys/kern/uipc_mbuf.c                                  1.174.2.3.4.2
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.16
  src/sys/conf/newvers.sh                                   1.72.2.9.2.17
  src/sys/kern/uipc_mbuf.c                                  1.174.2.2.2.2
RELENG_8
  src/sys/kern/uipc_mbuf.c                                        1.185.2.3
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.2
  src/sys/conf/newvers.sh                                   1.83.2.10.2.4
  src/sys/kern/uipc_mbuf.c                                  1.185.2.2.2.2
RELENG_8_0
  src/UPDATING                                              1.632.2.7.2.7
  src/sys/conf/newvers.sh                                    1.83.2.6.2.7
  src/sys/kern/uipc_mbuf.c                                  1.185.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r209964
releng/7.3/                                                       r209964
releng/7.1/                                                       r209964
stable/8/                                                         r209964
releng/8.0/                                                       r209964
releng/8.1/                                                       r209964
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2693

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc
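The "Corrected:" field above maps each affected release to the patch level that carries the fix, which is what an operator checks first on a fleet. As an added example that is not part of the advisory, the following shell function classifies a release string (the output of uname -r) against exactly those patch levels. The word "unknown" is deliberate for -STABLE, -PRERELEASE and -RC builds: uname does not show a patch level for them, so the source revision has to be compared with the r209964 listed under VI instead. The function name and the output vocabulary are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a FreeBSD release string
# (the output of `uname -r`) against the "Corrected:" patch levels of
# FreeBSD-SA-10:07.mbuf. Prints exactly one word:
#   fixed       release is at or above the corrected patch level
#   vulnerable  affected release below that level, or a 7.x/8.x release the
#               advisory lists no corrected level for (7.0, 7.2)
#   unaffected  release before 7.0 (the advisory says "7.x and later")
#   unknown     -STABLE/-CURRENT/-PRERELEASE/-RC builds, whose patch level is
#               not visible in uname output, or an unparsable string
sa1007_status() {
    rel="$1"
    case "$rel" in
        *-RELEASE|*-RELEASE-p*) ;;            # only numbered releases are decidable
        *) echo unknown; return 0 ;;
    esac
    base="${rel%%-*}"          # "8.0-RELEASE-p3" -> "8.0"
    major="${base%%.*}"        # -> "8"
    minor="${base#*.}"         # -> "0"
    patch=0                    # a bare X.Y-RELEASE is patch level 0
    case "$rel" in
        *-RELEASE-p*) patch="${rel##*-p}" ;;
    esac
    case "$major$minor$patch" in
        *[!0-9]*) echo unknown; return 0 ;;   # refuse to guess on odd strings
    esac
    if [ "$major" -lt 7 ]; then
        echo unaffected; return 0
    fi
    # Corrected patch levels taken from the advisory's "Corrected:" field.
    case "$base" in
        7.1) need=13 ;;            # 7.1-RELEASE-p13
        7.3) need=2 ;;             # 7.3-RELEASE-p2
        8.0) need=4 ;;             # 8.0-RELEASE-p4
        8.1) need=0 ;;             # corrected before 8.1-RELEASE shipped
        *)
            # 7.0 and 7.2 are in the affected range but have no corrected
            # level in the advisory; any release after 8.1 contains the fix.
            if [ $((major * 100 + minor)) -lt 704 ]; then
                echo vulnerable
            else
                echo fixed
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$need" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}
```

Typical use is sa1007_status "$(uname -r)" on each host, or over an inventory of uname strings collected centrally. A result of "fixed" from uname alone still assumes the kernel actually running is the patched one; after freebsd-update install the host has to be rebooted, as step 3 above says, before uname reflects the new patch level.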