From owner-freebsd-security@freebsd.org Mon Aug 14 03:32:33 2017
From: Roger Marquis <marquis@roble.com>
Date: Sun, 13 Aug 2017 20:32:25 -0700 (PDT)
To: Remko Lodder
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
In-Reply-To: <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org>

> I do not think that holds:
>
> 17521 php -- multiple vulnerabilities
> 17522
> 17523
> 17524 php55
> 17525 5.5.38
> 17526
>
> This is an entry from svnweb, for php55, which was added in 2016 (07-26).
>
> So this entry is there. Thus it did not disappear from VuXML at least.

You are right, Remko. It looks like there was a policy, or at least a practice, change about a year ago. I even have an archived email from Gerhard Schmidt, who first noticed it back in Aug 2016. My fault for not doing sufficient fact rechecking.

So we are safe from false negatives after all. Hurray, I can stop relying on pkg-version (for this).

That leaves just unpackaged base as FreeBSD's remaining audit weakness.

Roger

From owner-freebsd-security@freebsd.org Mon Aug 14 08:56:29 2017
From: Remko Lodder <remko@FreeBSD.org>
Date: Mon, 14 Aug 2017 10:56:26 +0200
To: Roger Marquis
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
Message-ID: <36CDFE51-3E9A-42EA-8182-2972CE519DDC@FreeBSD.org>
References: <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org>
> On 14 Aug 2017, at 05:32, Roger Marquis wrote:
>
>> I do not think that holds:
>>
>> 17521 php -- multiple vulnerabilities
>> 17522
>> 17523
>> 17524 php55
>> 17525 5.5.38
>> 17526
>>
>> This is an entry from svnweb, for php55, which was added in 2016 (07-26).
>>
>> So this entry is there. Thus it did not disappear from VuXML at least.
>
> You are right, Remko. It looks like there was a policy, or at least a
> practice, change about a year ago. I even have an archived email from
> Gerhard Schmidt, who first noticed it back in Aug 2016. My fault for not
> doing sufficient fact rechecking.
>
> So we are safe from false negatives after all. Hurray, I can stop
> relying on pkg-version (for this).
>
> That leaves just unpackaged base as FreeBSD's remaining audit weakness.

Hi,

I am happy that I can reduce your worry factor a bit ;-)

Can you share what the audit weakness is? freebsd-update cron checks whether or not an update is available and then emails you. If you run -RELEASE, then that means that either an EN or SA has been released.

Cheers
Remko

> Roger

From owner-freebsd-security@freebsd.org Mon Aug 14 15:55:32 2017
From: Roger Marquis <marquis@roble.com>
Date: Mon, 14 Aug 2017 08:55:30 -0700 (PDT)
To: Remko Lodder
Cc: freebsd-security@freebsd.org, freebsd-pkg@freebsd.org
Subject: Re: pkg audit false negatives
In-Reply-To: <36CDFE51-3E9A-42EA-8182-2972CE519DDC@FreeBSD.org>
References: <0F48B4BB-BB2C-479D-9F43-006D73C1E218@FreeBSD.org> <36CDFE51-3E9A-42EA-8182-2972CE519DDC@FreeBSD.org>

>> That leaves just unpackaged base as FreeBSD's remaining audit weakness.
>
> Hi, I am happy that I can reduce your worry factor a bit ;-)
>
> Can you share what the audit weakness is? freebsd-update cron checks
> whether or not an update is available and then emails you. If you run
> -RELEASE, then that means that either an EN or SA has been released.

Can you run freebsd-update on a -RELEASE system installed and maintained with buildworld/buildkernel/installkernel/installworld? Though it's been more than a year since the last time I tested freebsd-update, on VirtualBox VMs, it resulted in too many bricked systems to rely on. That may have changed, but it would still be better to build a packaged base or have reproducible builds as lighter-weight solutions to the base audit issue.

Roger

From owner-freebsd-security@freebsd.org Wed Aug 16 13:46:19 2017
From: "WhiteWinterWolf (Simon)" <freebsd.lists@whitewinterwolf.com>
Date: Wed, 16 Aug 2017 15:46:16 +0200
To: freebsd-security@freebsd.org
Subject: FreeBSD <= 10.3 jail SHM hole

AFFECTED PRODUCTS

This issue affects FreeBSD from 7.0 to 10.3 inclusive.

DESCRIPTION

FreeBSD jail incompletely protects access to the IPC primitives. The 'allow.sysvipc' setting only affects IPC queues, leaving other IPC objects unprotected and reachable system-wide, independently of the system configuration.

This creates two main weaknesses:

- An attacker able to execute commands in one jail can attack processes located outside of the jail by directly accessing their IPC objects.
- An attacker can create a bi-directional covert channel between two otherwise isolated jails.

MITIGATION

There is no mitigation measure available on vulnerable systems.

This issue is fixed in FreeBSD 11.0. The fix is also planned for the upcoming FreeBSD 10.4 (it is already committed to the FreeBSD STABLE branch; the release is currently scheduled for October 2017). There is no fix planned for FreeBSD 10.3.

If you are relying on FreeBSD jail for security purposes, I recommend upgrading to a fixed version.

REFERENCES

Details + POC: https://www.whitewinterwolf.com/posts/2017/08/02/freebsd-jail-shm-hole/
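As an added check for the advisory above (this is example code written for this page, not the poster's PoC, which is at the URL in the REFERENCES section), the following probe tests whether two jails share a System V shared-memory namespace, one of the IPC object types that sit behind the 'allow.sysvipc' setting discussed in the post. Compile it once, run "./shmprobe send" inside one jail and "./shmprobe recv" inside another; if recv prints the marker, a process in the second jail can read a segment created in the first, which is the cross-jail reach the post describes. PROBE_KEY, the segment size and the marker string are arbitrary values chosen for this demo; the 0666 mode is deliberate so that the recv side can attach as an unprivileged user. On FreeBSD 11 and later the per-jail sysvshm/sysvsem/sysvmsg jail parameters give each jail its own namespace, and with sysvshm=new the recv step fails because the key does not exist in the second jail's namespace.

```c
/*
 * Added example (not from the post or its PoC): probe for a shared System V
 * shared-memory namespace between jails.
 *
 *   ./shmprobe send    in jail A: create the segment and write a marker
 *   ./shmprobe recv    in jail B: try to open the same key and read it back
 *   ./shmprobe clean   remove the segment afterwards
 *
 * PROBE_KEY and PROBE_SIZE are arbitrary constants for this demo.
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define PROBE_KEY  ((key_t)0x5ca1ab1e)
#define PROBE_SIZE 4096

/* Create the segment if needed, attach, write msg. Returns the shmid or -1. */
int shm_send(key_t key, const char *msg)
{
    int id = shmget(key, PROBE_SIZE, IPC_CREAT | 0666); /* world-readable on purpose */
    if (id < 0)
        return -1;
    char *p = shmat(id, NULL, 0);
    if (p == (char *)-1)
        return -1;
    snprintf(p, PROBE_SIZE, "%s", msg);
    shmdt(p);
    return id;
}

/* Look up an existing segment by key (no IPC_CREAT) and copy its contents out.
 * Returns 0 if the segment was reachable, -1 otherwise (ENOENT, EACCES, ENOSYS). */
int shm_recv(key_t key, char *out, size_t outlen)
{
    int id = shmget(key, 0, 0);
    if (id < 0)
        return -1;
    const char *p = shmat(id, NULL, SHM_RDONLY);
    if (p == (const char *)-1)
        return -1;
    snprintf(out, outlen, "%s", p);
    shmdt(p);
    return 0;
}

/* Remove the segment so the probe does not leave a channel behind. */
int shm_remove(key_t key)
{
    int id = shmget(key, 0, 0);
    if (id < 0)
        return -1;
    return shmctl(id, IPC_RMID, NULL);
}

int main(int argc, char **argv)
{
    char buf[PROBE_SIZE];
    const char *mode = argc > 1 ? argv[1] : "";

    if (strcmp(mode, "send") == 0) {
        if (shm_send(PROBE_KEY, "marker written by the sending jail") < 0) {
            perror("shm_send");
            return 1;
        }
        printf("segment with key 0x%lx written\n", (unsigned long)PROBE_KEY);
    } else if (strcmp(mode, "recv") == 0) {
        if (shm_recv(PROBE_KEY, buf, sizeof buf) < 0) {
            printf("segment not reachable (%s): IPC namespace looks isolated\n",
                   strerror(errno));
            return 2;
        }
        printf("LEAK: read \"%s\" from another jail's segment\n", buf);
    } else if (strcmp(mode, "clean") == 0) {
        return shm_remove(PROBE_KEY) == 0 ? 0 : 1;
    } else {
        fprintf(stderr, "usage: %s send|recv|clean\n", argv[0]);
        return 64;
    }
    return 0;
}
```

The recv side deliberately opens the key without IPC_CREAT, so a non-zero exit there distinguishes "segment is not visible from this jail" from "segment was silently created here"; the same send/recv pair, with the marker replaced by data, is the bi-directional covert channel the post mentions.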
From owner-freebsd-security@freebsd.org Thu Aug 17 03:51:25 2017
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Date: Thu, 17 Aug 2017 13:50:13 +1000
To: freebsd-security@freebsd.org
Subject: IPSEC anomaly on FreeBSD 11.1S when specifying a specific port in policy rules
Message-ID: <321a4895-8c4e-8261-eedf-c93bccd696d0@heuristicsystems.com.au>

I was about to send this to freebsd-stable@ until I realised that there are security implications for folks who may be using this, thinking that their confidential material is protected, which may not be entirely correct.

---

I would appreciate others testing/confirming TCP over ESP, as it seems to have a problem on 11.1-STABLE when specifying a specific port in the policy. Performing this simple netcat test:

From Origin 10.0.7.6:

ipfw 1 zero ; echo hi | nc -4nv -w 2 10.0.7.91 5000 ; ipfw show 1
Connection to 10.0.7.91 5000 port [tcp/*] succeeded!
00001     8    736 allow esp from any to any
00001     0      0 allow udp from any to any dst-port 5000
00001     0      0 allow udp from any 5000 to any
00001     0      0 allow tcp from any to any dst-port 5000
00001     1     60 allow tcp from any 5000 to any

From Destination 10.0.7.91:

ipfw 1 zero ; ipfw 2 zero ; ipfw 3 zero ; nc -l 10.0.7.91 5000 ; ipfw show 1-3
00002     0      0 allow tcp from any 5000 to any via enc0
00002     0      0 allow tcp from any 5000 to any via lo0
00002     1     60 allow tcp from any 5000 to any via white
00003     8    736 allow esp from any to any
00003     0      0 allow udp from any to any dst-port 5000

As can be observed, there is a return packet that is not, but should be, sent over ESP. Confirmed via tcpdump on the destination:

11:23:53.401156 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4c), length 72
11:23:53.401182 IP 10.0.7.91.5000 > 10.0.7.6.23406: Flags [S.], seq 1954279591, ack 2061987609, win 65535, options [mss 1452,nop,wscale 6,sackOK,TS val 2210679095 ecr 2684286289], length 0
11:23:53.401381 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4d), length 72
11:23:53.401406 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x19), length 72
11:23:53.402241 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4e), length 72
11:23:53.402355 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4f), length 72
11:23:53.402369 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x1a), length 72
11:23:53.402381 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x1b), length 72
11:23:53.402682 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x50), length 72

Still on the destination, the policy rules in ipsec.conf contain:

# udp
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] udp -P out ipsec esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] udp -P in ipsec esp/transport/10.0.7.6-10.0.7.91/require;
# tcp
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] tcp -P out ipsec esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] tcp -P in ipsec esp/transport/10.0.7.6-10.0.7.91/require;

To enable traffic to transit correctly over ESP, change the third rule from

spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] tcp -P out ipsec esp/transport/10.0.7.91-10.0.7.6/require;

to

spdadd 10.0.7.91/32[any] 10.0.7.6/32[any] tcp -P out ipsec esp/transport/10.0.7.91-10.0.7.6/require;

While on the origin side, /etc/ipsec.conf contains:

# udp 5000
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] udp -P in ipsec esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] udp -P out ipsec esp/transport/10.0.7.6-10.0.7.91/require;
# tcp 5000
spdadd 10.0.7.91/32[5000] 10.0.7.6/32[any] tcp -P in ipsec esp/transport/10.0.7.91-10.0.7.6/require;
spdadd 10.0.7.6/32[any] 10.0.7.91/32[5000] tcp -P out ipsec esp/transport/10.0.7.6-10.0.7.91/require;

The destination kernel has

options IPSEC
options IPFIREWALL

while the origin kernel has

options IPSEC
options IPFIREWALL
options IPFIREWALL_NAT

The sender has been used extensively with IPsec since 2014 (it is 9.2-STABLE from Feb 22, 2014), previously as a front for strongswan et al. ICMP was also used over ESP using the same association rules, and it worked correctly.

BTW: I did send this to secteam@freebsd.org but it bounced with this explanation:

http://www.openspf.org/Why?s=mfrom;id=dewayne.geraghty@heuristicsystems.com.au;ip=8.8.178.116;r=kris@pcbsd.org

and my SPF records are:

heuristicsystems.com.au. 3600 IN TXT "v=spf1 mx ip4:203.41.22.115 -all"
heuristicsystems.com.au. 3600 IN TXT "v=spf2.0/mfrom mx ip4:203.41.22.115 -all"

I don't think that this is the right advice???

Kind regards,
Dewayne.
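A practitioner-side check for the leak shown in the post above, written for this page rather than taken from the post: given tcpdump output and an endpoint that the SPD says must only ever travel inside ESP, count the cleartext packets that carry that endpoint as source or destination. The embedded sample input is the nine tcpdump lines from the post; the expected result on them is exactly one hit, the SYN-ACK from 10.0.7.91.5000. The default host and port, the interface name and the program name are assumptions for the demo; live output can be piped in with something like "tcpdump -nl -i white host 10.0.7.6 | ./leakcheck 10.0.7.91 5000".

```c
/*
 * Added example for this page (not from the post): scan tcpdump output for
 * cleartext packets involving an endpoint that the IPsec SPD requires to be
 * carried in ESP. Any non-ESP line whose source or destination is host:port
 * is reported as a leak.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The nine tcpdump lines from the post, embedded as sample input. */
const char *const sample_lines[] = {
    "11:23:53.401156 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4c), length 72",
    "11:23:53.401182 IP 10.0.7.91.5000 > 10.0.7.6.23406: Flags [S.], seq 1954279591, "
        "ack 2061987609, win 65535, options [mss 1452,nop,wscale 6,sackOK,TS val "
        "2210679095 ecr 2684286289], length 0",
    "11:23:53.401381 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4d), length 72",
    "11:23:53.401406 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x19), length 72",
    "11:23:53.402241 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4e), length 72",
    "11:23:53.402355 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x4f), length 72",
    "11:23:53.402369 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x1a), length 72",
    "11:23:53.402381 IP 10.0.7.91 > 10.0.7.6: ESP(spi=0x00024f0f,seq=0x1b), length 72",
    "11:23:53.402682 IP 10.0.7.6 > 10.0.7.91: ESP(spi=0x00024f19,seq=0x50), length 72",
};
const size_t sample_count = sizeof sample_lines / sizeof sample_lines[0];

/* Split a tcpdump endpoint ("10.0.7.91.5000" or "10.0.7.91") into host and
 * port. A bare IPv4 address has three dots, one with a port has four.
 * Returns 0 on success; port is set to -1 when absent. */
int split_endpoint(const char *tok, char *host, size_t hlen, int *port)
{
    int dots = 0;
    for (const char *c = tok; *c; c++)
        if (*c == '.')
            dots++;
    if (dots != 3 && dots != 4)
        return -1;
    const char *cut = (dots == 4) ? strrchr(tok, '.') : tok + strlen(tok);
    size_t n = (size_t)(cut - tok);
    if (n == 0 || n >= hlen)
        return -1;
    memcpy(host, tok, n);
    host[n] = '\0';
    *port = (dots == 4) ? atoi(cut + 1) : -1;
    return 0;
}

/* 1 if line is a cleartext packet with host:port as source or destination,
 * 0 if it is ESP or does not involve that endpoint, -1 if unparseable. */
int is_leak(const char *line, const char *host, int port)
{
    char src[64], dst[64], shost[64], dhost[64];
    int sport, dport;

    if (strstr(line, "ESP(") != NULL)
        return 0;                       /* encapsulated, as the policy requires */
    const char *p = strstr(line, " IP ");
    if (p == NULL)
        return -1;                      /* not an IPv4 line this parser understands */
    if (sscanf(p + 4, "%63s > %63[^:]:", src, dst) != 2)
        return -1;
    if (split_endpoint(src, shost, sizeof shost, &sport) != 0 ||
        split_endpoint(dst, dhost, sizeof dhost, &dport) != 0)
        return -1;
    return (strcmp(shost, host) == 0 && sport == port) ||
           (strcmp(dhost, host) == 0 && dport == port);
}

/* Count leaking lines in an array of tcpdump lines. */
int count_leaks(const char *const *lines, size_t n, const char *host, int port)
{
    int leaks = 0;
    for (size_t i = 0; i < n; i++)
        if (is_leak(lines[i], host, port) == 1)
            leaks++;
    return leaks;
}

int main(int argc, char **argv)
{
    const char *host = argc > 2 ? argv[1] : "10.0.7.91";   /* demo defaults */
    int port = argc > 2 ? atoi(argv[2]) : 5000;
    char line[1024];
    int leaks = 0;

    if (argc > 2) {                     /* live mode: read "tcpdump -nl" output from stdin */
        while (fgets(line, sizeof line, stdin)) {
            line[strcspn(line, "\n")] = '\0';
            if (is_leak(line, host, port) == 1) {
                leaks++;
                printf("LEAK: %s\n", line);
            }
        }
    } else {                            /* demo mode: scan the embedded sample */
        for (size_t i = 0; i < sample_count; i++)
            if (is_leak(sample_lines[i], host, port) == 1) {
                leaks++;
                printf("LEAK: %s\n", sample_lines[i]);
            }
    }
    printf("%d cleartext packet(s) for %s:%d\n", leaks, host, port);
    return leaks ? 1 : 0;
}
```

The check treats any ESP line as protected and everything else as suspect, which is the right bias for a "require" policy: a single cleartext hit on the protected endpoint, like the SYN-ACK above, means the SPD is not matching the direction or port it was meant to, even though the rest of the exchange is encrypted. The exit status is non-zero on any leak so the check can sit in a test script after a policy change.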