From owner-freebsd-security@freebsd.org Sun Jul 31 18:25:33 2016
Date: Sun, 31 Jul 2016 11:25:31 -0700 (PDT)
From: Roger Marquis
To: Martin Schroeder
Cc: freebsd-security@freebsd.org, security-officer@FreeBSD.org
Subject: Re: freebsd-update and portsnap users still at risk of compromise
In-Reply-To: <6bd80e384e443e5de73fb951e973b221@vfemail.net>
References: <6bd80e384e443e5de73fb951e973b221@vfemail.net>

Question is, does this warrant moving from portsnap to svn? Also have to
wonder why the security team hasn't issued a vulnerability announcement.

Roger

> On July 18, John Leyden, security editor at The Register, tweeted a link
> to a libarchive ticket that had been sitting without a response for
> almost a week.
>
> tweet: https://twitter.com/jleyden/status/755016810865582081
> libarchive ticket: https://github.com/libarchive/libarchive/issues/743
>
> The ticket creator quoted an AV researcher who was likely posting to one
> of the many early-alert vendor lists in the age of infosec balkanization
> (IOW, a "courtesy heads-up" to FreeBSD users forking them money):
>
> [QUOTE]
> Our AV researchers have analyzed the following link that was
> cloud-submitted as suspect:
>
> https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
>
> The document is from an unknown author and describes "non-cryptanalytic
> attacks against FreeBSD update components." The affected components are
> the portsnap and freebsd-update tools, both directly and indirectly.
>
> From what we can tell, the text file is part of a larger stash of
> documents, all with the same attack-defense style. We have other
> documents, dated 2014 and 2015, detailing attacks against the update
> systems of multiple Linux distributions and the corresponding defenses
> against "the adversary."
>
> We believe this to be the work of an MITM-capable advanced threat actor.
>
> Full details of our findings will be released in the coming weeks. This
> is a courtesy heads-up to FreeBSD users.
> [/QUOTE]
>
> Another poster confirmed some of the attacks:
>
> [QUOTE]
> Here via John Leyden's tweet.
>
> I don't have the time to test the portsnap attacks, but I can confirm
> that the libarchive/tar and bspatch attacks work on our 10.x machines,
> and I'm happy to test any libarchive/tar fixes.
>
> Judging by the painstaking amount of work put into the bspatch exploit
> especially, I think it's highly unlikely that the creator lacks the
> means to deploy it via mitm. Otherwise, I've never seen anything like
> this in terms of apparent work/reward. It would be comical if it weren't
> so horrifying. Think of all those locked-down fbsd machines that have no
> external-facing daemons/services and that perform only updates. Our
> telecommunications floor alone has several dozen.
>
> Someone needs to alert the fbsd mailing lists (-current, -security?)
> pronto. I'd rather not mail them myself from work. And we should also
> get more details on the linux distributions.
> [/QUOTE]
>
> I've been analyzing the document extensively since then. The targets are
> as follows:
>
> [1] portsnap via portsnap vulnerabilities
> [2] portsnap via libarchive & tar anti-sandboxing vulnerabilities
> [3] portsnap via bspatch vulnerabilities
> [4] freebsd-update via bspatch vulnerabilities
>
> Nothing has appeared in any official FreeBSD source about [1]. The
> libarchive developers have finally confirmed [2] and are presumably
> working on fixes.
>
> A FreeBSD advisory just appeared for [3] & [4] (bspatch), but users
> should be aware that running freebsd-update exposes their machines to
> the very vulnerability it's correcting (a not insignificant fact that
> was omitted from the advisory). Here's why:
>
> [QUOTE]
> * The bspatch(1) utility is executed before SHA256 verification in both
> * freebsd-update(8) and portsnap(8).
> [/QUOTE]
>
> Even worse, the patch in the FreeBSD advisory is insufficient to prevent
> heap corruption. I compared the patch in the FreeBSD advisory with the
> "defense" patch in the document, and the former contains only a subset
> of the checks in the latter. The document patch is in some ways cautious
> to an insanely paranoid degree, mistrusting the error-checking stability
> of system libraries and defending against compiler quirks that probably
> won't exist in compiler optimization intelligence for many years, if
> ever, though as a developer of clang-based static analyzers, I did take
> an interest in one of the more usual integer-overflow culprits:
>
> ...
From owner-freebsd-security@freebsd.org Sun Jul 31 21:29:39 2016
Date: Sat, 30 Jul 2016 05:00:23 +0000
From: Martin Schroeder
To: freebsd-security@freebsd.org
Subject: Re: freebsd-update and portsnap users still at risk of compromise
References: <6bd80e384e443e5de73fb951e973b221@vfemail.net>
Message-ID: <8d52c11892db36d5041f7fa638e46681@vfemail.net>

On 2016-07-29 09:00, Julian Elischer wrote:
>
> not sure if you've been contacted privately, but I believe the answer
> is "we're working on it"

My concerns are as follows:

1. This is already out there, and FreeBSD users haven't been alerted that
   they should avoid running freebsd-update/portsnap until the problems
   are fixed.

2. There was no mention in the bspatch advisory that running
   freebsd-update to "fix" bspatch would expose systems to MITM attackers
   who are apparently already in operation.

3. Strangely, the "fix" in the advisory is incomplete and still permits
   heap corruption, even though a more complete fix is available. That's
   what prompted my post. If FreeBSD learned of the problem from the same
   source document we all did, which seems likely given the coincidental
   timing of an advisory for a little-known utility a week or two after
   that source document appeared, then surely FreeBSD had the complete
   fix available.
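Both messages fault the bspatch sanity checks (the quoted analysis in the first message and point 3 of the second). As an added example that is not code from this thread, from the quoted document or from FreeBSD's bspatch, here is an overflow-safe validator for one control entry of a BSDIFF40 patch; it assumes the public BSDIFF40 layout (three 8-byte sign-magnitude integers per entry) and uses function names of my own choosing.

```c
#include <stdbool.h>
#include <stdint.h>

/* One 8-byte BSDIFF40 integer: little-endian magnitude, sign in bit 63. */
static int64_t offtin(const uint8_t *buf)
{
    int64_t y = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        y = y * 256 + buf[i];
    return (buf[7] & 0x80) ? -y : y;
}

/* 24-byte control entry: diff length, extra length, old-file seek. */
void decode_ctrl(const uint8_t entry[24], int64_t ctrl[3])
{
    for (int i = 0; i < 3; i++)
        ctrl[i] = offtin(entry + 8 * i);
}

/* a + b, refusing signed overflow (undefined behaviour in C). */
static bool add_checked(int64_t a, int64_t b, int64_t *out)
{
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Validate one entry and advance the positions as bspatch would, but only
 * if every write stays inside the new buffer. A negative ctrl[0] passes the
 * naive "newpos + ctrl[0] > newsize" test yet moves newpos backwards, so
 * later writes land outside the heap allocation; reject it up front. */
bool ctrl_step(const int64_t ctrl[3], int64_t *newpos, int64_t *oldpos,
               int64_t newsize)
{
    int64_t op;
    if (ctrl[0] < 0 || ctrl[1] < 0 || *newpos < 0 || *newpos > newsize)
        return false;
    if (ctrl[0] > newsize - *newpos || ctrl[1] > newsize - *newpos - ctrl[0])
        return false;                       /* diff + extra must fit */
    if (!add_checked(*oldpos, ctrl[0], &op) || !add_checked(op, ctrl[2], &op))
        return false;                       /* seek must not overflow */
    *newpos += ctrl[0] + ctrl[1];
    *oldpos = op;
    return true;
}
```

Old-file reads are range-checked per byte by the copy loop in the reference implementation, so the seek is only checked here for integer overflow.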