From owner-freebsd-announce@FreeBSD.ORG Tue Jan 27 19:55:08 2015 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9A16EBC0; Tue, 27 Jan 2015 19:55:08 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7B0F8D51; Tue, 27 Jan 2015 19:55:08 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id t0RJt8Ic055440; Tue, 27 Jan 2015 19:55:08 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id t0RJt8Re055438; Tue, 27 Jan 2015 19:55:08 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 27 Jan 2015 19:55:08 GMT Message-Id: <201501271955.t0RJt8Re055438@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:02.kmem X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2015 19:55:08 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:02.kmem Security Advisory The FreeBSD Project Topic: SCTP SCTP_SS_VALUE kernel memory corruption and disclosure Category: core Module: sctp Announced: 2015-01-27 Credits: Clement LECIGNE from Google Security Team and Francisco Falcon from Core Security Technologies Affects: All supported versions of FreeBSD. Corrected: 2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE) 2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5) 2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17) 2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE) 2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9) 2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE) 2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23) CVE Name: CVE-2014-8612 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background SCTP protocol provides reliable, flow-controlled, two-way transmission of data. It is a message oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions. SCTP allows the user to choose between multiple scheduling algorithms to optimize the sending behavior of SCTP in scenarios with different requirements. II. Problem Description Due to insufficient validation of the SCTP stream ID, which serves as an array index, a local unprivileged attacker can read or write 16-bits of kernel memory. III. Impact An unprivileged process can read or modify 16-bits of memory which belongs to the kernel. This smay lead to exposure of sensitive information or allow privilege escalation. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch # fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc # gpg --verify sctp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r277807 releng/8.4/ r277808 stable/9/ r277807 releng/9.3/ r277808 stable/10/ r277807 releng/10.0/ r277808 releng/10.1/ r277808 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References We would like to acknowledge Clement LECIGNE from Google Security Team and Francisco Falcon from Core Security Technologies who discovered the issue independently and reported to the FreeBSD Security Team. The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.1 (FreeBSD) iQIcBAEBCgAGBQJUx+qPAAoJEO1n7NZdz2rndPwQAJYuUZhkBqt6Lj0Wnuu220QL OwMQAVBDggfNMJj5GCMRYqniARGg53UpzBjbKyen9N7tQtjgF6ll9EcWQhUdQSSl 07iCLGkn7kAu5jRO7+S/fJLXaUBfo+KfrUakHBdrWGKD0VVp/DDMbjbzZWl8Yw0S 7g0tqSmNcR1uUbAAsSXUfN9N/8OZzkqCiDvmVcFtalw1CjFyl6XbYXxNS+/j7LrU YQBJdz9F/X/oPe19VQ36olZWzTdlSLwa/ylwNW7O6K5NdoCq73Co4IDL0gkAgtdQ s4A7h4UwEoYleRRX+g9Rbeq2tz9FwfIwSferFRF5/1thc0cVJ2e/oDq9lmzyepwa rbH8jy/TMtSKHlali8I3w6KYfqRFs6whS9Bud1b0SgrqqZizsO64BbvSzkELxHJl PMUPHHCh3w0CXnRcaxC+rY/kazPZeRzebMaxQLAV0KTEVp0aSGw7FBtEE+ldrHUd rp1bLESjTjtagr1K1UsCKKZr/t9RSHSZ1I6vfxBPUsUu7oUgd+aOmEpiyYKxna0y vS5ECCrJG4k9fsQ1emyB5NhROYCXdq2CavfWWOOi3LoUhVvh34N27HVZlqv2m3Y9 sM20xOB3dSx3ufsv19nAclVpL76Pu7fD/MNe+lhUk1KKgqx0L7vdiJfMIrafLYsR V2Rre46fapln8T+wvhQP =o9yw -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Jan 27 19:55:11 2015 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C00D4BC4; Tue, 27 Jan 2015 19:55:11 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A110CD55; Tue, 27 Jan 2015 19:55:11 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id t0RJtBXu055474; Tue, 27 Jan 2015 19:55:11 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id t0RJtBgD055472; Tue, 27 Jan 2015 19:55:11 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 27 Jan 2015 19:55:11 GMT Message-Id: <201501271955.t0RJtBgD055472@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:03.sctp X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2015 19:55:11 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:03.sctp Security Advisory The FreeBSD Project Topic: SCTP stream reset vulnerability Category: core Module: sctp Announced: 2015-01-27 Credits: Gerasimos Dimitriadis Affects: All supported versions of FreeBSD. Corrected: 2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE) 2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5) 2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17) 2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE) 2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9) 2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE) 2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23) CVE Name: CVE-2014-8613 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background SCTP protocol provides reliable, flow-controlled, two-way transmission of data. It is a message oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions. II. Problem Description The input validation of received SCTP RE_CONFIG chunks is insufficient, and can result in a NULL pointer deference later. III. Impact A remote attacker who can send a malformed SCTP packet to a FreeBSD system that serves SCTP can cause a kernel panic, resulting in a Denial of Service. IV. Workaround On FreeBSD 10.1 or later systems, the system administrator can set net.inet.sctp.reconfig_enable to 0 to disable processing of RE_CONFIG chunks. This workaround is not available on earlier FreeBSD releases, but systems that do not serve SCTP connections are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch # fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch.asc # gpg --verify sctp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r277807 releng/8.4/ r277808 stable/9/ r277807 releng/9.3/ r277808 stable/10/ r277807 releng/10.0/ r277808 releng/10.1/ r277808 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.1 (FreeBSD) iQIcBAEBCgAGBQJUx+qbAAoJEO1n7NZdz2rnR98QAOWIIf7+akuopMxuVnppZKub DKCgVAJznitKoxnBtYMAOTcKdf65dQqaAgznAWBRo+USue5LIOI0jjgLuQgepoG6 eIosPiRXqvMQL6Qqx8ydwM3xiVQd+b9pMiLkh3cfljr1Oh6OV+YSRXC+HBKZXaR6 sn5kHRR7xFiwV/HsX4RoSik3qPbDl1x66jeN5jL0Wqg2qjCagK6OxGOtkIlt3pDj QrYNX/l20hXmvPjRojSEPhY+52X29/nlQjfJg/pwpsmiZJe3cqmfsh1aceUOH1Tu BOVxwE3oYWrJ8NZBa2cKReU1Sdvl1FxtlaXwkE+sRBzh1/vA7AZU6jWL7fEV1wv0 2mZYLoCrSHfBongLMohs4DQ8CCnH3iEoUBRbG9HGwlAh4s9CAre87oIdHHFWRSsg oIHxNDG+lk+yNJuOKfjDT+poyuYw7TlBfYN+ifO5UHPOEIH430FWF3B3P2oH4I/M 7VQRClaxaNiPfAJxa11IwHKWM12yrrM7483AuPqdd1r9OUnx33y1jPY0ByemXv9d LE8jJXs0cdR7zCJuV9R8Uif9xkdGLTj9emsqjaS1KxSJrSzPJaah4nkWq8BRmMXK 3xOxlIM/cGJLU+/cliDy3CqHipU4pt+S4RuAB41xx2k5g9YiAMH178xrfOgrklSH xKfAM/gz4YqESK5QPjqO =859G -----END PGP SIGNATURE-----