From owner-freebsd-security-notifications@freebsd.org Tue Jul 28 20:30:26 2015 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 58C0D9ADD31 for ; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 4E356B9A; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 4D19C1754; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:15.tcp Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20150728203026.4D19C1754@freefall.freebsd.org> Date: Tue, 28 Jul 2015 20:30:26 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2015 20:30:26 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:15.tcp Security Advisory The FreeBSD Project Topic: Resource exhaustion in TCP reassembly Category: core Module: inet Announced: 2015-07-28 Credits: Patrick Kelsey (Norse Corporation) Affects: All supported versions of FreeBSD. Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE) 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2) 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1) 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16) 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE) 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21) 2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE) 2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35) CVE Name: CVE-2015-1417 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. The underlying simple and potentially unreliable IP datagram communication protocol may deliver segments out of order, therefore, the TCP receiver would need to reassemble the segments into their original sequence to provide a reliable octet stream. Because the reassembly requires additional resources to keep the queued segments, historically resource exhaustion in the TCP reassembly path has been prevented by limiting the total number of segments that could belong to reassembly queues to a small fraction (1/16) of the total number of mbuf clusters in the system. VNET is a technique to virtualize the network stack, first introduced in FreeBSD 8.0. It changes global resources in the network stack into per network stack resources, so that a virtual network stack can be attached to a jailed prison and the prison can have unrestricted access to the virtual network stack. VNET is not enabled by default and has to be enabled by recompiling the kernel. II. Problem Description There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease. III. Impact An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition. As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable. IV. Workaround FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs (option VIMAGE) are not affected. The support has to be specifically compiled into a custom kernel, so its use is not common. For affected systems, the system administrators may consider reducing the net.inet.tcp.reass.maxsegments tunable to the value of kern.ipc.nmbclusters divided by one greater than the total number of VNETs that are going to be used in the system in order to prevent a Denial of Service via this vulnerability. For example, if there are 16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable should be set to kern.ipc.nmbclusters / 17. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install And reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.2] # fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch # fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc # gpg --verify tcp.patch.asc [FreeBSD 9.3 and 10.1] # fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch # fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc # gpg --verify tcp-9.3-10.1.patch.asc [FreeBSD 8.4] # fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch # fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc # gpg --verify tcp-8.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r285977 releng/8.4/ r285980 stable/9/ r285977 releng/9.3/ r285980 stable/10/ r285976 releng/10.1/ r285979 releng/10.2/ r285978 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.6 (FreeBSD) iQIcBAEBCgAGBQJVt+FcAAoJEO1n7NZdz2rnOAgQAKw0jR1Eb/USmcXlFpfMrmUr Z6UWHsPqE9CwDJaFddrFBRyjCsbeBv4LmPyVcOKJoqspEb8P52GtBNDe9vqcco1U C+KpcQQKWTQmu170AdLAIRVvLjoNEX0C09ig4XMbKpisrmQ8zLXavTbTw8FlbPXq o9t0nFgPKsDfaXJF3Oas41K/NsBj4hdqnfx+R7KeOaJ6sSwiFGbRxqQ+GG3k+79a RI+KVLpw4QV/IkhXKzl416o6uk7eWnJu72GohdrxPvXYWHBVSBkSiT7pLl3O5C7r 7+dpYyF9f4K0gnXLuATNixNS2/lL2WaJANb75ku7WnY2I5Yjx1oM2r5kE2eJ6Z/c WXGnDE9/8SOVURqMwnpQgzVGopKZags0+X7FJAYKeW4/nWyUEAmDlQ+9dY7o/I0M urFD+bsSxnrlGLLzjX55zKM1qyGlhNokowSusVeNlSEOl8/QV57CuyQDZ0wdAiUd R2yl+fFxRKn4AeCMuKkEsoExLhISI7Uuz8Hjia7g0yJWfYjEjAWLcFpan/QmhwcP 4PMg+2ZuPC0uUoXqCMBqu3d0NAaae4cOCzx8WCZUaaF3DwhRnUcld+XesV/h3SNo kn3ygFyOVWrCd7bSsEd00qqUwUN/cp/uYTqlbI9im89Emaa7/mYR/i3sq2/MRagr 2oio8OdZ8wwRuER4Jpq9 =PC1V -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Tue Jul 28 20:30:26 2015 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4AD229ADD2E for ; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 40822B96; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 3F6BF1748; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:14.bsdpatch Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20150728203026.3F6BF1748@freefall.freebsd.org> Date: Tue, 28 Jul 2015 20:30:26 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2015 20:30:26 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:14.bsdpatch Security Advisory The FreeBSD Project Topic: shell injection vulnerability in patch(1) Category: contrib Module: patch Announced: 2015-07-28 Credits: Martin Natano Affects: FreeBSD 10.x. Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE) 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2) 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1) 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16) CVE Name: CVE-2015-1416 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The patch(1) utility takes a patch file produced by the diff(1) program and apply the differences to an original file, producing a patched version. The patch(1) utility supports certain version control systems, namely SCCS and RCS, and attempts to get or check out the file before applying a patch, if the original file do not already exist. II. Problem Description Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands. III. Impact This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specically crafted patch file, which could be leveraged to obtain elevated privileges. IV. Workaround No workaround is available, but systems where a privileged user does not make use of patches without proper validation are not affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. A reboot is not required after updating. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install A reboot is not required after updating. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch # fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc # gpg --verify bsdpatch.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r285976 releng/10.1/ r285978 releng/10.2/ r285979 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.6 (FreeBSD) iQIcBAEBCgAGBQJVt+JfAAoJEO1n7NZdz2rnmAAP/37DmuKX127SHD4Au3a1xy2F 90RP1doqTzpq2w3wzn8JPPK/IUxG6yjDWUk097/aadSMSiUWi/RyTERe68ZNHDia IkcTnvF1308OM91yAJDogTKyCpomZwWqkhDhT8qRIkRijr7gr0q3SYF2Uqrj+QKy fvhJrEEjhv9Lgw8I1qmnxWCpcmkKaW2Fm1eqplYlPOIwJky+2+Ddzv5PcjtQTjye tNIkF9D+ILmGFbotKbNPDKSxapreLOsyDnf0W9QMURi7UolF9AClZnerfVZUWy78 4lJdbC9q5bf/FNUDv2o928hMgG+cc+blaH8AGXGOgxOx3ok0XWp3xEWRJnggyrZX P6NN39u6yFSIrYaNHEwYLFGCIeA0nGWVLupq5h6WwJ+mhCpHz90kMw/5unlXc/wS mfFVMeoFiqL227qBgB4azQkiBjN/fVsqPcMv/xk0PNYHaRPS/DASRYPSJF2gXY7h fjemohKs9wmyc78nyrnayffPQ6hkXvVzw9zMfLJ1XWg/Fa/5X4u/POggivzGI4ia yrvp3zd4avNbEVwlirTxxYgQJ1X44JwTP3Tkq11fea9WJcJtjLTWpIwrHSd8PHEg n3r4bo52iPyaGORGUw3Zhx93gOse+I3ayXmBEVJLGDONlEdUf/uju0kSIyCXn4ab LvnW7evT5KHA0rh5B07E =JTtx -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Tue Jul 28 20:30:26 2015 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6624F9ADD36 for ; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 5BA77B9E; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 5B0E11760; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:16.openssh Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20150728203026.5B0E11760@freefall.freebsd.org> Date: Tue, 28 Jul 2015 20:30:26 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2015 20:30:26 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:16.openssh Security Advisory The FreeBSD Project Topic: OpenSSH multiple vulnerabilities Category: contrib Module: openssh Announced: 2015-07-28 Affects: All supported versions of FreeBSD. Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE) 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2) 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1) 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16) 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE) 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21) 2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE) 2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35) CVE Name: CVE-2014-2653, CVE-2015-5600 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. The security of the SSH connection relies on the server authenticating itself to the client as well as the user authenticating itself to the server. SSH servers uses host keys to verify their identity. RFC 4255 has defined a method of verifying SSH host keys using Domain Name System Security (DNSSEC), by publishing the key fingerprint using DNS with "SSHFP" resource record. RFC 6187 has defined methods to use a signature by a trusted certification authority to bind a given public key to a given digital identity with X.509v3 certificates. The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. OpenSSH uses PAM for password authentication by default. II. Problem Description OpenSSH clients does not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653] OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts. III. Impact A malicious server may be able to force a connecting client to skip DNS SSHFP record check and require the user to perform manual host verification of the host key fingerprint. This could allow man-in-the-middle attack if the user does not carefully check the fingerprint. [CVE-2014-2653] A remote attacker may effectively bypass MaxAuthTries settings, which would enable them to brute force passwords. [CVE-2015-5600] IV. Workaround Systems that do not use OpenSSH are not affected. There is no workaround for CVE-2014-2653, but the problem only affects networks where DNSsec and SSHFP is properly configured. Users who uses SSH should always check server host key fingerprints carefully when prompted. System administrators can set: UsePAM no In their /etc/ssh/sshd_config and restart sshd service to workaround the problem described as CVE-2015-5600 at expense of losing features provided by the PAM framework. We recommend system administrators to disable password based authentication completely, and use key based authentication exclusively in their SSH server configuration, when possible. This would eliminate the possibility of being ever exposed to password brute force attack. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. SSH service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install SSH service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 9.3, 10.1, 10.2] # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc # gpg --verify openssh.patch.asc [FreeBSD 8.4] # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc # gpg --verify openssh-8.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the SSH service, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r285977 releng/8.4/ r285980 stable/9/ r285977 releng/9.3/ r285980 stable/10/ r285976 releng/10.1/ r285979 releng/10.2/ r285978 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.6 (FreeBSD) iQIcBAEBCgAGBQJVt+FdAAoJEO1n7NZdz2rnPxEQAIFMhBzUuAEEeG3GoO6o6DQn 7ZVPdd+EdijDk0VAZbaa3NyeVGTNSEQhjpL/lSkIQUQT+yEAUUsUCVWu0T8OpCN0 UT6JlYhV+AwQVyWujlTjspQ3Ba3Kn3o76MCzvdIQWPTzD1yCZqRmpZ1eSjonmySZ ts+kVDCV2ZJyWACOdG2GXHSmTraIErn0J1YaLg++c8nHUvb+TNo2/8viBGJINhdP bvA6fzYPpAzgaq5EEKevySLUnUfUE2Nx5LGD2CUx/hMu7K8y2h4SR2fKmpyBauNS 4VHSssX6KjxZCYctCEsUgCokWYzt9fepyBsCiS9Vx4mTwat8Vuiz2zB1lCOwM97v iDbkcmR/ixElrXSBb5+wrhOpBLnYtHFTNPx8dRz39wdb1MxJQqyOOb8KtDSlFMmQ l5Lk1vTEcZQjWvmCV9XjVlPqcHnX4wNnV+IgUnQTnhQlbe0YgszdLAi5XZDGBmtA DHuLfBy1091KYBoP641GRuldsq6/r6DUzyZuQJ+p30BDUEfkUAptIEnQWA2l3Y8W /10eels29WJhV9N7WWo4pbADA54+DLvi0T/46R9WRbM9bA/dsqK9G5wmREaKCqmX ccQUFrruxJTn7TV4QbN69ABEkOFCyQjqecP2GqA2N/5AAUsV47WC/VtKgOPp4FZ6 E0SkAoNzIighyNk54U9p =6PBw -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Tue Jul 28 20:30:26 2015 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 739519ADD3C for ; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 69875BA2; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 68DF6176B; Tue, 28 Jul 2015 20:30:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:17.bind Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20150728203026.68DF6176B@freefall.freebsd.org> Date: Tue, 28 Jul 2015 20:30:26 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2015 20:30:26 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:17.bind Security Advisory The FreeBSD Project Topic: BIND remote denial of service vulnerability Category: contrib Module: bind Announced: 2015-07-28 Credits: ISC Affects: FreeBSD 8.x and FreeBSD 9.x. Corrected: 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE) 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21) 2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE) 2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35) CVE Name: CVE-2015-5477 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. II. Problem Description An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit. III. Impact A remote attacker can trigger a crash of a name server. Both recursive and authoritative servers are affected, and the exposure can not be mitigated by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries. IV. Workaround No workaround is available, but systems that are not running BIND are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The named service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The named service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch # fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc # gpg --verify bind.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r285977 releng/8.4/ r285980 stable/9/ r285977 releng/9.3/ r285980 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.6 (FreeBSD) iQIcBAEBCgAGBQJVt+FdAAoJEO1n7NZdz2rnmAQQAK66bHEYirTecgswG+eiePfU lcX46GdLU/OQ/3MHpmc6XQKz9kpJ+Inh8K8IvAJ1SXH41zk/xOtUgqbkUcgkGrS1 gBVKUC8SF82ll/1FUlORoJc+g+TQgax00Il/GweRVoL0RpU9S/YSnc6OLc0nWzBq osweYaHBNRL6lBmUtAHYu1tyvGvHLlfTNk6NCtUxtWeXKe+urYFx4ViJKCU8dJ+U F26nQb/3vH93WOEaNjSDHYWypl9qtous5hpOtXr76ofhID67EyOKmPPEC5+6jP/6 wkdMu7loVewI5K7ZF+zaNxr8CQESurCRkMX3qJSBNCfSw55sdcfKl4BO65SCxLH7 vXoh+B+Wbof2n3xAcEJNufOdiRQfTxlP1UMWIy00wvdB+VcOCDdD7TUB1kksxzpy aXxePRdKLjvkPDiWy17BBpxq8JIfy+41a+N7Fm/hDgUJOYGDAMr27WJLx8MHzY3k +B014IVvTnHkf0yo5ue5raTpgUr0TVCfwD3eqJOM9iUuOI8vj9h44FpP6R8KNyQA mVI/wikVJfYAgmAkHqqRVEHeA8aWJsVNkmrKLHFDkLDdw6umr7oOHfXQo1hk7k7V +2JEa09kp2AYNGYZkiFG/7jiCZ9GLCvAzKW1v1g8fRsBl+QA1PjW0Rg7HcRmZiwM VfNsARSWl2y/t8Gnrfgx =40iD -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Thu Jul 30 10:28:58 2015 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8A9449AB6D3 for ; Thu, 30 Jul 2015 10:28:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 7F93E183; Thu, 30 Jul 2015 10:28:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 7E30F1265; Thu, 30 Jul 2015 10:28:58 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:16.openssh [REVISED] Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20150730102858.7E30F1265@freefall.freebsd.org> Date: Thu, 30 Jul 2015 10:28:58 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jul 2015 10:28:58 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:16.openssh Security Advisory The FreeBSD Project Topic: OpenSSH multiple vulnerabilities Category: contrib Module: openssh Announced: 2015-07-28, revised on 2015-07-30 Affects: All supported versions of FreeBSD. Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE) 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2) 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1) 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16) 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE) 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21) 2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE) 2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36) CVE Name: CVE-2014-2653, CVE-2015-5600 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision history v1.0 2015-02-25 Initial release. v1.1 2015-07-30 Revised patch for FreeBSD 8.x to address regression when keyboard interactive authentication is used. I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. The security of the SSH connection relies on the server authenticating itself to the client as well as the user authenticating itself to the server. SSH servers uses host keys to verify their identity. RFC 4255 has defined a method of verifying SSH host keys using Domain Name System Security (DNSSEC), by publishing the key fingerprint using DNS with "SSHFP" resource record. RFC 6187 has defined methods to use a signature by a trusted certification authority to bind a given public key to a given digital identity with X.509v3 certificates. The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. OpenSSH uses PAM for password authentication by default. II. Problem Description OpenSSH clients does not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653] OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts. III. Impact A malicious server may be able to force a connecting client to skip DNS SSHFP record check and require the user to perform manual host verification of the host key fingerprint. This could allow man-in-the-middle attack if the user does not carefully check the fingerprint. [CVE-2014-2653] A remote attacker may effectively bypass MaxAuthTries settings, which would enable them to brute force passwords. [CVE-2015-5600] IV. Workaround Systems that do not use OpenSSH are not affected. There is no workaround for CVE-2014-2653, but the problem only affects networks where DNSsec and SSHFP is properly configured. Users who uses SSH should always check server host key fingerprints carefully when prompted. System administrators can set: UsePAM no In their /etc/ssh/sshd_config and restart sshd service to workaround the problem described as CVE-2015-5600 at expense of losing features provided by the PAM framework. We recommend system administrators to disable password based authentication completely, and use key based authentication exclusively in their SSH server configuration, when possible. This would eliminate the possibility of being ever exposed to password brute force attack. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. SSH service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install SSH service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 9.3, 10.1, 10.2] # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc # gpg --verify openssh.patch.asc [FreeBSD 8.4] # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc # gpg --verify openssh-8.patch.asc # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patc # fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch.asc # gpg --verify openssh-8-errata.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the SSH service, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r286067 releng/8.4/ r286068 stable/9/ r285977 releng/9.3/ r285980 stable/10/ r285976 releng/10.1/ r285979 releng/10.2/ r285978 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.6 (FreeBSD) iQIcBAEBCgAGBQJVufuCAAoJEO1n7NZdz2rnHHAQALfjXH/WyrgpHxw1YFipwFSD bl+HLbdvMVbfBxLV7eVBK9RPQiyoxwocmU0uMdiNEIWt2llczTLEl/wtUjj6f4Ko K6E7AAOgOX4zdQxBd2502FvXC1oNbDEvK8X3M4MzPHAG4QRgXNffRGYvClmbayck 2i+bjcHdKAEwFJjHk4wXOQ0yhdF6Q36bH0N3kPV9z7sAt3tuzSWhvtX6QQSyeuCJ ie2db9CdSUnFhYELJnVMpVTf3ppMqUT6QEe45LmsGA6F8yWdMaW2vtMdJq6xFVYP INCUVyOlDRu0TibjLUpXu4KugeDgyTXy9oz4SRdnpcUWz33fM6aSgOkpiM1h05ja BJrs0HZbkjCwtD+8a0buoyIKb9NBIsDKbrec5g8AEDkAHjRzraLGAXUYwkFeyqYJ j+ll5r5iu5fc4s8QM+ySlGCW8V9Ix8FX7Rr7FhAWLSKEldDsnCRjG4EfrAcd1HiC PleAnLv4uKwfSugIBIEs5ls7+TzWytW8nnEpMEerXUD894suFIycOT6eoUYF/CCT I1nHWSITw4HSj8+wBvrhxwZCRqIMOAZB+3jzrwRE+QZkghoWnPnqrCn9uLkdndq5 ewgz6PiuYC8Zx0Z6trA72oV+XjTKu2d6eO5tRpe9aAmhPmfBWg3fXYltVzTzF9IE r0z98qmTEPiTDi8dr+K/ =GsXJ -----END PGP SIGNATURE-----