From: Ed Maste
To: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Call for Testing: 11.1-RELEASE Meltdown/Spectre mitigation merge
Date: Tue, 6 Mar 2018 16:41:25 +0000
Message-ID: <20180306164125.GA61857@freebsd.org>

Background
----------

A number of issues relating to speculative execution were found last year and publicly announced January 3rd. A variety of techniques used to mitigate these issues have been committed to FreeBSD-CURRENT and have been merged to the stable/11 branch.

The changes will be merged and released as an update to FreeBSD 11.1-RELEASE in the near future, but the candidate patch is now available for broader testing.

The patch addresses these issues:

CVE-2017-5754 (Meltdown)
------------------------

This issue relies on a speculative execution of instructions that attempt to read kernel memory, but fault. Although the architectural state is as expected (the faulting instruction is not retired), cache or other microarchitectural state is changed and may be used to observe privileged data.

The mitigation is known as Page Table Isolation (PTI). PTI largely separates kernel and user mode page tables, so that even during speculative execution most of the kernel's data is unmapped and not accessible.

A demonstration of the Meltdown vulnerability is available at https://github.com/dag-erling/meltdown. A positive result is definitive (that is, the vulnerability exists with certainty). A negative result indicates either that the CPU is not affected, or that the test is not capable of demonstrating the issue on the CPU (and may need to be modified).
CVE-2017-5715 (Spectre V2)
--------------------------

Spectre V2 uses branch target injection to speculatively execute kernel code at an address under an attacker's control.

There are two common mitigations for Spectre V2. This patch includes a mitigation using Indirect Branch Restricted Speculation, a feature available via a microcode update from processor manufacturers. The alternate mitigation, Retpoline, is a feature available in newer compilers and is available in FreeBSD-CURRENT now. It will be made available in stable branches in the future.

Patch
-----

The patch against 11.1-RELEASE is available at
https://people.freebsd.org/~emaste/patches/amd64_11.1_meltdown.3.patch

A patched kernel will automatically enable PTI on Intel CPUs, and the status can be checked via the vm.pmap.pti sysctl:

    # sysctl vm.pmap.pti
    vm.pmap.pti: 1

The default setting can be overridden by setting loader tunable vm.pmap.pti to 1 or 0 in /boot/loader.conf. This setting takes effect only at boot.

The patch includes the IBRS mitigation for Spectre V2. To use the mitigation the system must have updated microcode; with older microcode a patched kernel will function without the mitigation. IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the status can be checked via the hw.ibrs_active sysctl. IBRS may be enabled or disabled at runtime. Additional detail on microcode updates will follow.

Limitations
-----------

This patch applies only to 11.1-RELEASE. It does not include mitigations for architectures other than amd64 (x86_64). Work on other branches, architectures and vulnerabilities is ongoing, and will be available at a later date.

Testing
-------

We are soliciting functionality and performance results from testing this 11.1-RELEASE patch under a variety of workloads. If you have the ability to test, please apply the patch and run the system with your usual workload and follow up with details, either here or directly to me.
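The following is an added illustration, not code from Ed Maste's post or from the FreeBSD patch: a small POSIX sh checker that turns the three sysctls named in the Patch section (vm.pmap.pti, hw.ibrs_disable, hw.ibrs_active) into one verdict line and an exit status, so a tester can tell at a glance whether a box is running with both mitigations, with PTI only, or with an unpatched kernel. The sample sysctl output is constructed. The interpretation of hw.ibrs_active=0 together with hw.ibrs_disable=0 as "microcode without IBRS" is an inference from the post (a patched kernel runs without IBRS on old microcode), not a value the kernel reports.

```shell
#!/bin/sh
# Added example: summarise Meltdown (PTI) and Spectre V2 (IBRS) mitigation
# state from the sysctls named in the call for testing. The logic runs on
# captured sysctl output so it can be exercised anywhere; on a patched 11.1
# host feed it the live values:
#   sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active | mitigation_status

# sysctl_val NAME: print NAME's value from "name: value" lines on stdin, or
# "absent" when the sysctl is missing (an unpatched kernel has none of them).
sysctl_val() {
    awk -v key="$1:" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "absent" }'
}

# mitigation_status: read sysctl output on stdin, print one verdict line,
# return 0 only when both PTI and IBRS are active.
mitigation_status() {
    input=$(cat)
    pti=$(printf '%s\n' "$input" | sysctl_val vm.pmap.pti)
    ibrs_disable=$(printf '%s\n' "$input" | sysctl_val hw.ibrs_disable)
    ibrs_active=$(printf '%s\n' "$input" | sysctl_val hw.ibrs_active)

    if [ "$pti" = absent ]; then
        echo "unpatched: vm.pmap.pti absent, kernel lacks the PTI/IBRS merge"
        return 1
    fi

    case "$pti" in
        1) pti_msg="PTI active" ;;
        0) pti_msg="PTI off (non-Intel CPU or vm.pmap.pti=0 loader tunable)" ;;
        *) pti_msg="PTI state unknown ($pti)" ;;
    esac

    if [ "$ibrs_active" = 1 ]; then
        ibrs_msg="IBRS active"
    elif [ "$ibrs_disable" = 1 ]; then
        ibrs_msg="IBRS disabled by hw.ibrs_disable=1"
    else
        # Not disabled yet not active: the kernel found no IBRS support, which
        # on a patched kernel points at microcode without the feature (inference).
        ibrs_msg="IBRS unavailable (likely old microcode)"
    fi

    echo "$pti_msg; $ibrs_msg"
    if [ "$pti" = 1 ] && [ "$ibrs_active" = 1 ]; then
        return 0
    fi
    return 1
}

# Constructed samples of what the sysctls print on a patched 11.1 kernel.
SAMPLE_FULL='vm.pmap.pti: 1
hw.ibrs_disable: 0
hw.ibrs_active: 1'

SAMPLE_OLD_UCODE='vm.pmap.pti: 1
hw.ibrs_disable: 0
hw.ibrs_active: 0'

SAMPLE_ADMIN_OFF='vm.pmap.pti: 0
hw.ibrs_disable: 1
hw.ibrs_active: 0'

# Constructed output from an unpatched kernel: sysctl reports unknown oids on
# stderr, so stdout is empty.
SAMPLE_UNPATCHED=''

for s in "$SAMPLE_FULL" "$SAMPLE_OLD_UCODE" "$SAMPLE_ADMIN_OFF" "$SAMPLE_UNPATCHED"; do
    printf '%s\n' "$s" | mitigation_status || true
done
```

The exit status is what makes this useful in a test fleet: a cron job or configuration-management check can run it and alert on anything but 0, which catches both a box that was booted with the tunable off and a box whose microcode update never landed.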
Benchmark data from our testing will soon be shared more widely. In brief, the PTI mitigation shows on the order of a 30% impact on system call microbenchmarks, to 1% to 2% for realistic workloads.

This work is supported by the FreeBSD Foundation.

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec
Reply-To: freebsd-security@freebsd.org
Date: Wed, 7 Mar 2018 07:09:38 +0000 (UTC)
Message-Id: <20180307070938.D70A94469@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-18:01.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec validation and use-after-free

Category:       core
Module:         ipsec
Announced:      2018-03-07
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE)
                2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7)
                2018-03-07 05:47:48 UTC (stable/10, 10.4-STABLE)
                2018-03-07 05:53:35 UTC (releng/10.4, 10.4-RELEASE-p6)
                2018-03-07 05:53:35 UTC (releng/10.3, 10.3-RELEASE-p27)
CVE Name:       CVE-2018-6916

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and IPv6 packets. FreeBSD includes software originally developed by the KAME project which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection against replay attacks and connectionless integrity and data origin authentication for IP datagrams.

II.  Problem Description

Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results.

III. Impact

Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.

IV.  Workaround

No workaround is available, but systems not using IPsec are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

And reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc
# gpg --verify ipsec-10.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc
# gpg --verify ipsec-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r330565
releng/10.3/                                                      r330566
releng/10.4/                                                      r330566
stable/11/                                                        r329907
releng/11.1/                                                      r330566
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp
Reply-To: freebsd-security@freebsd.org
Date: Wed, 7 Mar 2018 07:10:08 +0000 (UTC)
Message-Id: <20180307071008.B5FC6447D@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-18:02.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2018-03-07
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE)
                2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7)
                2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE)
                2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6)
                2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27)
CVE Name:       CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185,
                CVE-2018-7183

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source.

II.  Problem Description

The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6" packets. A malicious "mode 6" packet can be sent to an ntpd instance, and if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will read past the end of its buffer. [CVE-2018-7182]

The ntpd(8) service can be vulnerable to Sybil attacks. If a system is configured to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer, i.e., one where the attacker knows the private symmetric key, can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock. [CVE-2018-7170]

The fix for NtpBug2952 was incomplete, and while it fixed one problem it created another. Specifically, it drops bad packets before updating the "received" timestamp. This means a third-party can inject a packet with a zero-origin timestamp, meaning the sender wants to reset the association, and the transmit timestamp in this bogus packet will be saved as the most recent "received" timestamp. The real remote peer does not know this value and this will disrupt the association until the association resets. [CVE-2018-7184]

The NTP Protocol allows for both non-authenticated and authenticated associations, in client/server, symmetric (peer), and several broadcast modes. In addition to the basic NTP operational modes, symmetric mode and broadcast servers can support an interleaved mode of operation. In ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine that allows a non-authenticated zero-origin (reset) packet to reset an authenticated interleaved peer association. If an attacker can send a packet with a zero-origin timestamp and the source IP address of the "other side" of an interleaved association, the 'victim' ntpd will reset its association. The attacker must continue sending these packets in order to maintain the disruption of the association. [CVE-2018-7185]

The ntpq(8) utility is a monitoring and control program for ntpd. The internal decodearr() function of ntpq(8) is used to decode an array in a response string when formatted data is being displayed. This is a problem in affected versions of ntpq if a maliciously-altered ntpd returns an array result that will trip this bug, or if a bad actor is able to read an ntpq(8) request on its way to a remote ntpd server and forge and send a response before the remote ntpd sends its response. It is potentially possible that the malicious data could become injectable/executable code. [CVE-2017-7183]

III. Impact

Malicious remote attackers may be able to break time synchronization, or cause the ntpq(8) utility to crash.

IV.  Workaround

No workaround is available, but systems not running ntpd(8) or ntpq(8) are not affected. Network administrators are advised to implement BCP-38 which helps to reduce risk associated with the attacks.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc
# gpg --verify ntp-11.1.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch
# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc
# gpg --verify ntp-10.4.patch.asc

[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch
# fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc
# gpg --verify ntp-10.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r330141
releng/10.3/                                                      r330567
releng/10.4/                                                      r330567
stable/11/                                                        r330106
releng/11.1/                                                      r330567
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: Christoph Moench-Tegeder
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec
Date: Wed, 7 Mar 2018 12:35:00 +0100
Message-ID: <20180307113500.GA50696@elch.exwg.net>
In-Reply-To: <20180307070938.D70A94469@freefall.freebsd.org>

Hi,

the committed patch for FreeBSD 10.4 and 10.3 does not compile:

/usr/src/sys/netipsec/xform_ah.c:622:43: error: use of undeclared identifier 'buf'
                    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
                                                        ^
/usr/src/sys/netipsec/ipsec.h:323:51: note: expanded from macro 'DPRINTF'
#define DPRINTF(x)      do { if (V_ipsec_debug) printf x; } while (0)
                                                         ^
/usr/src/sys/netipsec/xform_ah.c:625:3: error: use of undeclared identifier 'error'
                error = EACCES;
                ^
/usr/src/sys/netipsec/xform_ah.c:626:8: error: use of undeclared label 'bad'
                goto bad;
                     ^
3 errors generated.
*** Error code 1

Looking at the code, the compiler is right - things have shifted here in between FreeBSD 10 and 11, and what's working in 11 is not good for 10... I guess we need this additional patch:

--- sys/netipsec/xform_ah.c.orig        2018-03-07 12:27:58.645874000 +0100
+++ sys/netipsec/xform_ah.c     2018-03-07 12:28:47.584073000 +0100
@@ -619,11 +619,10 @@
                DPRINTF(("%s: bad mbuf length %u (expecting %lu)"
                    " for packet in SA %s/%08lx\n", __func__,
                    m->m_pkthdr.len, (u_long) (skip + authsize + rplen),
-                   ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+                   ipsec_address(&sav->sah->saidx.dst),
                    (u_long) ntohl(sav->spi)));
                AHSTAT_INC(ahs_badauthl);
-               error = EACCES;
-               goto bad;
+               return EACCES;
        }
        AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl);
 

But you'd better re-check, I don't know the code here - I'm just making stuff compile :)

Further, neither this one's (SA-18:01) nor SA-18:02's nor the Errata Notes' (EN-18:01, EN-18:02) patches show up in the given location: https://www.freebsd.org/security/patches/SA-18%3A01/ (and the other directories) only have the GPG signatures, but not the patches themselves.

Regards,
Christoph

-- 
Spare Space

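Review bot: the `+ return EACCES;` that replaces `error = EACCES; goto bad;` drops whatever cleanup the `bad:` label performed in the 11.x code this patch was backported from, and nothing in the hunk releases the mbuf `m` before returning; on 10.x, check how the neighbouring early-return error paths in this function dispose of `m` (an `m_freem(m);` immediately before the `return EACCES;` would be the usual 10.x pattern) and do the same here, otherwise every packet that fails this length check leaks an mbuf, and a remotely triggerable leak on the IPsec input path is a denial-of-service problem of its own. The `ipsec_address(&sav->sah->saidx.dst)` change only reflects the one-argument 10.x signature that the compiler error at xform_ah.c:622 reported and looks fine as is.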
From: David Chisnall
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:02.ntp
Date: Wed, 7 Mar 2018 11:50:00 +0000
Message-Id: <3E55483F-40C9-478D-8539-B5B6C3C60FEA@FreeBSD.org>
In-Reply-To: <20180307071008.B1366447B@freefall.freebsd.org>

Were these changes and the kernel changes tested together on Xen? After updating to -p7, I get about 10 seconds of uptime on a Xen VM before the kernel panics with a double fault and reboots. Disabling ntpd results in a stable system. On an AMD system without a hypervisor, I don't see any instability.

David

> On 7 Mar 2018, at 07:10, FreeBSD Security Advisories wrote:
> 
> =============================================================================
> FreeBSD-SA-18:02.ntp                                        Security Advisory
>                                                           The FreeBSD Project
> 
> Topic:          Multiple vulnerabilities of ntp
> 
> Category:       contrib
> Module:         ntp
> Announced:      2018-03-07
> Credits:        Network Time Foundation
> Affects:        All supported versions of FreeBSD.
> Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE) > 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7) > 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE) > 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6) > 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27) > CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, = CVE-2018-7185, > CVE-2018-7183 >=20 > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . >=20 > I. Background >=20 > The ntpd(8) daemon is an implementation of the Network Time Protocol = (NTP) > used to synchronize the time of a computer system to a reference time > source. >=20 > II. Problem Description >=20 > The ctl_getitem() function is used by ntpd(8) to process incoming = "mode 6" > packets. A malicious "mode 6" packet can be sent to an ntpd instance, = and > if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() = will > read past the end of its buffer. [CVE-2018-7182] >=20 > The ntpd(8) service can be vulnerable to Sybil attacks. If a system = is > configured to use a trustedkey and if one is not using the feature = introduced > in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to = specify > which IPs can serve time, a malicious authenticated peer, i.e., one = where the > attacker knows the private symmetric key, can create arbitrarily-many > ephemeral associations in order to win the clock selection of ntpd and = modify > a victim's clock. [CVE-2018-7170] >=20 > The fix for NtpBug2952 was incomplete, and while it fixed one problem = it > created another. Specifically, it drops bad packets before updating = the > "received" timestamp. 
This means a third-party can inject a packet = with > a zero-origin timestamp, meaning the sender wants to reset the = association, > and the transmit timestamp in this bogus packet will be saved as the = most > recent "received" timestamp. The real remote peer does not know this > value and this will disrupt the association until the association = resets. > [CVE-2018-7184] >=20 > The NTP Protocol allows for both non-authenticated and authenticated > associations, in client/server, symmetric (peer), and several = broadcast > modes. In addition to the basic NTP operational modes, symmetric mode = and > broadcast servers can support an interleaved mode of operation. In > ntp-4.2.8p4, a bug was inadvertently introduced into the protocol = engine that > allows a non-authenticated zero-origin (reset) packet to reset an > authenticated interleaved peer association. If an attacker can send a = packet > with a zero-origin timestamp and the source IP address of the "other = side" of > an interleaved association, the 'victim' ntpd will reset its = association. > The attacker must continue sending these packets in order to maintain = the > disruption of the association. [CVE-2018-7185] >=20 > The ntpq(8) utility is a monitoring and control program for ntpd. The > internal decodearr() function of ntpq(8) that is used to decode an = array in > a response string when formatted data is being displayed. This is a = problem > in affected versions of ntpq if a maliciously-altered ntpd returns an = array > result that will trip this bug, or if a bad actor is able to read an = ntpq(8) > request on its way to a remote ntpd server and forge and send a = response > before the remote ntpd sends its response. It is potentially possible = that > the malicious data could become injectable/executable code. = [CVE-2017-7183] >=20 > III. Impact >=20 > Malicious remote attackers may be able to break time synchornization, > or cause the ntpq(8) utility to crash. >=20 > IV. 
Workaround >=20 > No workaround is available, but systems not running ntpd(8) or ntpq(8) = are > not affected. Network administrators are advised to implement BCP-38 = which > helps to reduce risk associated with the attacks. >=20 > V. Solution >=20 > Perform one of the following: >=20 > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. >=20 > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. >=20 > 2) To update your vulnerable system via a binary patch: >=20 > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: >=20 > # freebsd-update fetch > # freebsd-update install >=20 > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. >=20 > 3) To update your vulnerable system via a source code patch: >=20 > The following patches have been verified to apply to the applicable > FreeBSD release branches. >=20 > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. >=20 > [FreeBSD 11.1] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch > # fetch = https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc > # gpg --verify ntp-11.1.patch.asc >=20 > [FreeBSD 10.4] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch > # fetch = https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc > # gpg --verify ntp-10.4.patch.asc >=20 > [FreeBSD 10.3] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch > # fetch = https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc > # gpg --verify ntp-10.3.patch.asc >=20 > b) Apply the patch. 
Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in . > > Restart the applicable daemons, or reboot the system. > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/10/ r330141 > releng/10.3/ r330567 > releng/10.4/ r330567 > stable/11/ r330106 > releng/11.1/ r330567 > - ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII.
References > > > > > > > > > > > > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo > aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD > MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n > 5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5 > iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM > zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M > UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9 > a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn > L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2 > PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK > UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY > Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54 > iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE > VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o= > =D2ov > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Wed Mar 7 13:30:07 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F224CF2BDE1 for ; Wed, 7 Mar 2018 13:30:06 +0000 (UTC) (envelope-from remko@FreeBSD.org) Received: from smtp-out.elvandar.org (smtp-out.elvandar.org [IPv6:2a01:7c8:aaba:ae::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 89ACF731D7; Wed, 7 Mar 2018 13:30:06 +0000 (UTC)
(envelope-from remko@FreeBSD.org) Received: from mail2.jr-hosting.nl (dolgan.elvandar.org [176.9.38.89]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp-out.elvandar.org (Postfix) with ESMTPS id 153A14709E2; Wed, 7 Mar 2018 14:30:04 +0100 (CET) Received: from [172.20.20.62] (unknown [178.22.83.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.jr-hosting.org (Postfix) with ESMTPSA id DE22E1A6B05; Wed, 7 Mar 2018 14:30:03 +0100 (CET) 
From: Remko Lodder Message-Id: Content-Type: multipart/signed; boundary="Apple-Mail=_99A9E81D-CD69-4994-88DA-FC45E55F3C05"; protocol="application/pgp-signature"; micalg=pgp-sha512 Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:02.ntp Date: Wed, 7 Mar 2018 14:30:03 +0100 In-Reply-To: <3E55483F-40C9-478D-8539-B5B6C3C60FEA@FreeBSD.org> Cc: freebsd-security@freebsd.org To: David Chisnall References: <20180307071008.B1366447B@freefall.freebsd.org> <3E55483F-40C9-478D-8539-B5B6C3C60FEA@FreeBSD.org> X-Mailer: Apple Mail (2.3445.5.20) X-Rspamd-Queue-Id: 153A14709E2 X-Spamd-Result: default: False [-6.49 / 15.00] RCVD_NO_TLS_LAST(0.00)[] ARC_NA(0.00)[] RCVD_IN_DNSWL_LOW(0.00)[89.38.9.176.list.dnswl.org : 127.0.6.1] HAS_ATTACHMENT(0.00)[] R_SPF_SOFTFAIL(0.00)[~all] IP_SCORE(-3.78)[ip: (-9.68), ipnet: 176.9.0.0/16(-4.80), asn: 24940(-3.99), country: DE(-0.46)] RCVD_VIA_SMTP_AUTH(0.00)[] FROM_EQ_ENVFROM(0.00)[] MX_GOOD(-0.01)[cached: mx1.FreeBSD.org] MIME_GOOD(-0.20)[multipart/signed,text/plain] RCPT_COUNT_TWO(0.00)[2] DMARC_NA(0.00)[FreeBSD.org] TO_DN_SOME(0.00)[] ASN(0.00)[asn:24940, ipnet:176.9.0.0/16, country:DE] BAYES_HAM(-3.00)[100.00%] MV_CASE(0.50)[] R_DKIM_NA(0.00)[] FROM_HAS_DN(0.00)[] MID_RHS_MATCH_FROM(0.00)[] TO_MATCH_ENVRCPT_ALL(0.00)[] RCVD_COUNT_TWO(0.00)[2] X-Rspamd-Server: glamredhel.elvandar.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 13:30:07 -0000 --Apple-Mail=_99A9E81D-CD69-4994-88DA-FC45E55F3C05 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On 7 Mar 2018, at 12:50, David Chisnall wrote: > > Were these changes and the kernel changes tested together on Xen?
After updating to -p7, I get about 10 seconds of uptime on a Xen VM before the kernel panics with a double fault and reboots. Disabling ntpd results in a stable system. On an AMD system without a hypervisor, I don’t see any instability. > > David > > >> Hi David, We have no Xen setup as far as I know so in short; these changes were not tested on Xen as far as I know. Cheers Remko --Apple-Mail=_99A9E81D-CD69-4994-88DA-FC45E55F3C05 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEUZm6tSR1fPPy/V/fqMPbslnzjLAFAlqf6VsACgkQqMPbslnz jLDKvw//Rw0SiI6pUyEdAgCue+Z7q6n9ZWXrd/222Z4Akn2A6vDHbuC9eLGnRltr WltJhVEhpClqNsU43vl1WaWMhOJHSlTPAAd7rIVKJF1ONl2WRJYpnankX5u52Uvm ynWCxEX9z489DgWUs/jnQgNXlz7xUZWecdaV+AlR9BRMK90lUk+AAADwxLxXSt54 KeTV8sgQTUhEC0dCyhwIxG4nf3khpNCZG5xZoJJES0TPoLwRwFCds/iMl6eAwhBM XqLLSZKpCLfsBUyp4CLObgahoYOR/MOxxmEscaH4eGvOYg6VJ0zGAhPPaRvcY0cq jJJuHAi3RknTVNtRbQCPXEblBGYOYRch3a3en2XXWnd7A+h9XhOGVliiEhOgEWaU j1gjDVvqn6WVwgWItty5npZ3ISpcp1CQM+T6efcY+ipgloP4891h2E/YR5j1f+8t Rab8sTzvGcVrdGblo8mn0io7plc1QBXJFpnKzPe2+tbvVq/Q2/rXe02Nc/PCWog0 qW+SCLHDz3zAS4LEVtMyhUc6iDZCyDCqnZujNL4+T/HuGI3Tq2Bkl4afzfri3rFf 3mxGYiiTwQDuVlFzxihVo1yOKw4r+PFuYVrGwfCDADCKz+hsqWv9LZ7AEWVCywHq ajmnJlOtrpWUYOVhYFJn5U/CwpLd1bmr4OceJ8M8wlIQAA+dsvs= =idgF -----END PGP SIGNATURE----- --Apple-Mail=_99A9E81D-CD69-4994-88DA-FC45E55F3C05-- From owner-freebsd-security@freebsd.org Wed Mar 7 14:01:09 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EA618F2EE52 for ; Wed, 7 Mar 2018 14:01:08 +0000 (UTC) (envelope-from trond@fagskolen.gjovik.no) Received: from smtp.fagskolen.gjovik.no (smtp.fagskolen.gjovik.no
[IPv6:2001:700:1100:1:200:ff:fe00:b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.fagskolen.gjovik.no", Issuer "Fagskolen i Gjøvik" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 63E7875417 for ; Wed, 7 Mar 2018 14:01:07 +0000 (UTC) (envelope-from trond@fagskolen.gjovik.no) Received: from mail.fig.ol.no (localhost [127.0.0.1]) by mail.fig.ol.no (8.15.2/8.15.2) with ESMTPS id w27E0wP5027228 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Wed, 7 Mar 2018 15:00:58 +0100 (CET) (envelope-from trond@fagskolen.gjovik.no) Received: from localhost (trond@localhost) by mail.fig.ol.no (8.15.2/8.15.2/Submit) with ESMTP id w27E0w9a027225 for ; Wed, 7 Mar 2018 15:00:58 +0100 (CET) (envelope-from trond@fagskolen.gjovik.no) X-Authentication-Warning: mail.fig.ol.no: trond owned process doing -bs Date: Wed, 7 Mar 2018 15:00:58 +0100 (CET)
From: Trond Endrestøl Sender: Trond.Endrestol@fagskolen.gjovik.no To: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:02.ntp In-Reply-To: Message-ID: References: <20180307071008.B1366447B@freefall.freebsd.org> <3E55483F-40C9-478D-8539-B5B6C3C60FEA@FreeBSD.org> User-Agent: Alpine 2.21 (BSF 202 2017-01-01) Organization: Fagskolen Innlandet OpenPGP: url=http://fig.ol.no/~trond/trond.key MIME-Version: 1.0 X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail.fig.ol.no Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 14:01:09 -0000 On Wed, 7 Mar 2018 14:30+0100, Remko Lodder wrote: > > On 7 Mar 2018, at 12:50, David Chisnall wrote: > > > > Were these changes and the kernel changes tested together on Xen? > > After updating to -p7, I get about 10 seconds of uptime on a Xen > > VM before the kernel panics with a double fault and reboots. > > Disabling ntpd results in a stable system. On an AMD system > > without a hypervisor, I don’t see any instability. > > Hi David, > > We have no Xen setup as far as I know so in short; these changes were not tested on Xen as far as I know. > > Cheers > Remko Here's one of my systems, running ntpd on stable/11 r330228 on XenServer 7.3, and there have been no issues so far. Timekeeping is as good as can be expected. The XenServer host has Intel CPUs.
$ uname -aKU FreeBSD somehost 11.1-STABLE FreeBSD 11.1-STABLE #0 r330228: Thu Mar 1 10:58:45 CET 2018 root@somehost:/usr/obj/usr/src/sys/XENGUEST amd64 1101511 1101511 $ w | head -1 2:18p.m. up 5 days, 1:23, 1 user, load averages: 0,18 0,20 0,17 Note, I run a custom kernel eliminating most of the unneeded stuff when running as a/an Xen guest, see https://ximalas.info/~trond/create-zfs/canmount/XENGUEST-amd64-stable-11 for details. -- Trond. From owner-freebsd-security@freebsd.org Wed Mar 7 13:29:29 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B58CBF2BCF1 for ; Wed, 7 Mar 2018 13:29:29 +0000 (UTC) (envelope-from remko@elvandar.org) Received: from smtp-out.elvandar.org (smtp-out.elvandar.org [IPv6:2a01:7c8:aaba:ae::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 46A127318B; Wed, 7 Mar 2018 13:29:29 +0000 (UTC) (envelope-from remko@elvandar.org) Received: from mail2.jr-hosting.nl (mail-out.elvandar.org [IPv6:2a01:4f8:150:4451::2:25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp-out.elvandar.org (Postfix) with ESMTPS id C1B1E4709A7; Wed, 7 Mar 2018 14:29:26 +0100 (CET) Received: from [172.20.20.62] (unknown [178.22.83.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.jr-hosting.org (Postfix) with ESMTPSA id B4DC81A6AAA; Wed, 7 Mar 2018 14:29:24 +0100 (CET) 
From: Remko Lodder Message-Id: Content-Type: multipart/signed; boundary="Apple-Mail=_0426FA00-4B9E-486B-812A-82755615EBCB"; protocol="application/pgp-signature"; micalg=pgp-sha512 Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:02.ntp Date: Wed, 7 Mar 2018 14:29:23 +0100 In-Reply-To: <3E55483F-40C9-478D-8539-B5B6C3C60FEA@FreeBSD.org> Cc: freebsd-security@freebsd.org To: David Chisnall References: <20180307071008.B1366447B@freefall.freebsd.org> <3E55483F-40C9-478D-8539-B5B6C3C60FEA@FreeBSD.org> X-Mailer: Apple Mail (2.3445.5.20) X-Spamd-Result: default: False [-2.51 / 15.00] ARC_NA(0.00)[] HAS_ATTACHMENT(0.00)[] RCVD_VIA_SMTP_AUTH(0.00)[] FROM_EQ_ENVFROM(0.00)[] MX_GOOD(-0.01)[cached: mx1.elvandar.org] MIME_GOOD(-0.20)[multipart/signed,text/plain] RCPT_COUNT_TWO(0.00)[2] DMARC_POLICY_SOFTFAIL(0.10)[elvandar.org : No valid SPF, No valid DKIM,none] ONCE_RECEIVED(0.10)[] RCVD_COUNT_ONE(0.00)[1] BAYES_HAM(-3.00)[100.00%] MV_CASE(0.50)[] R_DKIM_NA(0.00)[] FROM_HAS_DN(0.00)[] TO_DN_SOME(0.00)[] TO_MATCH_ENVRCPT_ALL(0.00)[] MID_RHS_MATCH_FROM(0.00)[] RCVD_TLS_ALL(0.00)[] X-Rspamd-Server: glamredhel.elvandar.org X-Mailman-Approved-At: Wed, 07 Mar 2018 14:31:05 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 13:29:30 -0000 --Apple-Mail=_0426FA00-4B9E-486B-812A-82755615EBCB Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On 7 Mar 2018, at 12:50, David Chisnall wrote: > > Were these changes and the kernel changes tested together on Xen? After updating to -p7, I get about 10 seconds of uptime on a Xen VM before the kernel panics with a double fault and reboots. Disabling ntpd results in a stable system.
On an AMD system without a hypervisor, I don’t see any instability. > > David > > >> Hi David, We have no Xen setup as far as I know so in short; these changes were not tested on Xen as far as I know. Cheers Remko --Apple-Mail=_0426FA00-4B9E-486B-812A-82755615EBCB Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEUZm6tSR1fPPy/V/fqMPbslnzjLAFAlqf6TMACgkQqMPbslnz jLAqGRAAr3dl81D0M/JVIumsz4FemhPKn+zarf6Hf8jZjmj8hp+Bbho1mjwOK5Cg l4ogOFKR06H0aYJb3CROXYA8D9TNsH6aYV8FfvWHofPauS4VzoguIjUg8a/ZVxKr z+9szqVgQcDYCpIkOoMIy9fxzV1dpIp3JBLU+z+aezA+Tvy5Sy/ybtuiUeek+E2E Txbi0K2v2JgLCLxZnJ+BgElEf1SpNvClz6QdNjLxM4MO0R3iv/smdGTm757VgWEe KRN7hvFXzROXe7UMtrcnHQOddi1nHl9WOTy4kas9YVulaBC9I4XmM7tFHKHLLgH6 RC7BpMztjczK/ntxo95zbJsrUngKk0wvVmEzttMTEekCHC6WMNn6jb0PD6pZY8j6 xpeOL/3MJV+N+Sx/bqiWUWJ0gC7U4+Yc4U7YhUeFH3Hsgz4JmfD/N989FFJedJIA L/SayNdZTR39rWfdYCbcGrWpHM6ZDeRjQQ8V8/xXpPncrZpQuh5MjLcgmsl6zqjP gHU8vwcV1nfG82dO5j6qbcerlEVUvDexjlwe9ihYDFbto+lKUzB/aAiMyr4SudXa crT8E/v/NAwOLClTs/Nqdy4d3vxvO13wHIY+aoDff5dSkmxZOJc1DzHUC7CXBNX+ +s02esfTeQrrT5EuWMRn5S4pSy64yuXBX5dO6yVusXFejAosh7A= =YlTy -----END PGP SIGNATURE----- --Apple-Mail=_0426FA00-4B9E-486B-812A-82755615EBCB-- From owner-freebsd-security@freebsd.org Wed Mar 7 14:41:15 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D4CB4F32393 for ; Wed, 7 Mar 2018 14:41:14 +0000 (UTC) (envelope-from pgollucci@p6m7g8.com) Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix)
with ESMTPS id 411CD7752C for ; Wed, 7 Mar 2018 14:41:14 +0000 (UTC) (envelope-from pgollucci@p6m7g8.com) Received: by mail-wm0-x22b.google.com with SMTP id 188so5166073wme.1 for ; Wed, 07 Mar 2018 06:41:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=p6m7g8-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VIcvfvYPHkyJ3e2NUIYP2z37d+kQHVIOxfdfDM6Yc1o=; b=jcT/CaHcOdgq6ij8gpA81m8vG0/xAcoKbmUv2HVMBAaxQZpdNDK43b2K1WQ1yMCfGW ssZeJKOd5wTzlm0rPio5YP6exPsLNOgeKEdrPuJv+8lZvdPsY4F2VUXamX3TeiyGmK4W O8nF2ABE2hFVQ+JXpJ2UQI5oqzlhSI2+H3MazZCkqu2jsIbHvJKHNQ3Ut1pbfhiAtCyS yLiYXwVIk20dZREy0MYgMTDJXvdW7CP9S2V9dI0kRMHgLnUBIX6Q4PKAAEHqKbeu/BTe ryr+gFeP2NKiCELEqRtzHPFXa/V0UOX7UVLm+LKREQbQkJMDbGgcFMPhN0zECPH9mbFM 43kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VIcvfvYPHkyJ3e2NUIYP2z37d+kQHVIOxfdfDM6Yc1o=; b=WDIUmP1h/PyFXjq5dkHV/X8wk59jAwTGGVRxXSAo7ko86+3IkYsKWDioFHs6GcLJFa x9H2dynLNtQ5dxr3RVhFluTwhmvE6qi9VFq3eNWp36Ddof4T+95+3IRaWMUaWz4d3Axf i8/OxTBg/9Y23LY/DRILA173WgAgKx2vHAb3415SeHw8K3kN+DfxLpssXyKxgMlB2Q1D U/AmpZG6vIMupAVZttKoChqgaer/vLDXDfpHR6oEQ/m5yuioH2YbAAo3uwuRAaflhW9i Zl6yHkCqTNPbeg/OAv1SGGsByR663vLrDr5tHJIn26TIFW3YWP5XtlfTAfbePprSuF8G WEuA== X-Gm-Message-State: APf1xPDi3vth2aGw0XSdf7h80aoDCNmHaUCBjwcnJoqBXBhr0G88KoMs +ViBoouTRoFNVX3EWf/RmmetTnliBRrzq82ve+7R3Q== X-Google-Smtp-Source: AG47ELtQSSaAT4PpybjitbjM1ToXA6MvsywWVYaK+k64/pStuuSf3NflY8kZLJLIkoLg7ZSFkqV+nfkjQlja51ZDMik= X-Received: by 10.80.181.228 with SMTP id a91mr27398929ede.138.1520433672877; Wed, 07 Mar 2018 06:41:12 -0800 (PST) MIME-Version: 1.0 Received: by 10.80.178.197 with HTTP; Wed, 7 Mar 2018 06:40:32 -0800 (PST) X-Originating-IP: [108.48.199.86] In-Reply-To: <20180307071008.BB2B6447F@freefall.freebsd.org> References: <20180307071008.BB2B6447F@freefall.freebsd.org> 
From: "Philip M. Gollucci" Date: Wed, 7 Mar 2018 09:40:32 -0500 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp To: freebsd-security@freebsd.org Cc: FreeBSD Security Advisories Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 14:41:15 -0000 The links are 404ing On Wed, Mar 7, 2018 at 2:10 AM, FreeBSD Security Advisories < security-advisories@freebsd.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================ > ================= > FreeBSD-SA-18:02.ntp Security > Advisory > The FreeBSD > Project > > Topic: Multiple vulnerabilities of ntp > > Category: contrib > Module: ntp > Announced: 2018-03-07 > Credits: Network Time Foundation > Affects: All supported versions of FreeBSD. > Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE) > 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7) > 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE) > 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6) > 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27) > CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185, > CVE-2018-7183 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) > used to synchronize the time of a computer system to a reference time > source. > > II. Problem Description > > The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6" > packets. 
A malicious "mode 6" packet can be sent to an ntpd instance, and > if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will > read past the end of its buffer. [CVE-2018-7182] > > The ntpd(8) service can be vulnerable to Sybil attacks. If a system is > configured to use a trustedkey and if one is not using the feature > introduced > in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to > specify > which IPs can serve time, a malicious authenticated peer, i.e., one where > the > attacker knows the private symmetric key, can create arbitrarily-many > ephemeral associations in order to win the clock selection of ntpd and > modify > a victim's clock. [CVE-2018-7170] > > The fix for NtpBug2952 was incomplete, and while it fixed one problem it > created another. Specifically, it drops bad packets before updating the > "received" timestamp. This means a third-party can inject a packet with > a zero-origin timestamp, meaning the sender wants to reset the association, > and the transmit timestamp in this bogus packet will be saved as the most > recent "received" timestamp. The real remote peer does not know this > value and this will disrupt the association until the association resets. > [CVE-2018-7184] > > The NTP Protocol allows for both non-authenticated and authenticated > associations, in client/server, symmetric (peer), and several broadcast > modes. In addition to the basic NTP operational modes, symmetric mode and > broadcast servers can support an interleaved mode of operation. In > ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine > that > allows a non-authenticated zero-origin (reset) packet to reset an > authenticated interleaved peer association. If an attacker can send a > packet > with a zero-origin timestamp and the source IP address of the "other side" > of > an interleaved association, the 'victim' ntpd will reset its association. 
> The attacker must continue sending these packets in order to maintain the > disruption of the association. [CVE-2018-7185] > > The ntpq(8) utility is a monitoring and control program for ntpd. The > internal decodearr() function of ntpq(8) that is used to decode an array in > a response string when formatted data is being displayed. This is a > problem > in affected versions of ntpq if a maliciously-altered ntpd returns an array > result that will trip this bug, or if a bad actor is able to read an > ntpq(8) > request on its way to a remote ntpd server and forge and send a response > before the remote ntpd sends its response. It is potentially possible that > the malicious data could become injectable/executable code. [CVE-2017-7183] > > III. Impact > > Malicious remote attackers may be able to break time synchronization, > or cause the ntpq(8) utility to crash. > > IV. Workaround > > No workaround is available, but systems not running ntpd(8) or ntpq(8) are > not affected. Network administrators are advised to implement BCP-38 which > helps to reduce risk associated with the attacks. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. > > 2) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches.
> > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 11.1] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc > # gpg --verify ntp-11.1.patch.asc > > [FreeBSD 10.4] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc > # gpg --verify ntp-10.4.patch.asc > > [FreeBSD 10.3] > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch > # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc > # gpg --verify ntp-10.3.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system using buildworld and installworld as > described in . > > Restart the applicable daemons, or reboot the system. > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------ > ------------- > stable/10/ r330141 > releng/10.3/ r330567 > releng/10.4/ r330567 > stable/11/ r330106 > releng/11.1/ r330567 > - ------------------------------------------------------------ > ------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. 
References > > February_2018_ntp_4_2_8p11_NTP_S> > > > > > > > > > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhYNfFIAAAAAALgAo > aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD > MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n > 5cL9GQ/+PLffyegsvxKngL83XWG9UuHbcGG5aWbNwCecTEzNoCI72TI03aga0ge5 > iLz5kW3SQvl8tsq778U4YbfFcCw6ifq2ws8asqNviv+u4AcJh7oD8CS3/kFuA9xM > zjAIrScdNR2taBJhBW3nwlb7RmDeKqydQ3OIxHVvs9Fj5Alc5ZEGezUjC2dueB+M > UdORg6GvHGMYQ+4AtBFRgZHAU3BFkwmgqsIICywYnUVH+AxKj34shs/pMMeJd/d9 > a+BIu/tUjAIlQp23VunNAfq7r2eZik9LOV8Y5l1Ww7+K1IwlwezxI+Iw18BMFEVn > L9baBY9RFh8v/yrZCBqUc7Prhs3ExU/lnAb05Va7TYeD4RXVmSU0jNXi/przN3y2 > PR7Z3JCm60mFKyp0/Hz2MmS1XPBVBrW4P6g9hH8TZmOHb2mZlK3zDXmil7HKp5DK > UhtMJpPEWV9k5rfP8iijHJnwkPr0ALntMUAAKUyw/6isVtHT6BZLaYsZvRYIm8YY > Mn2RUl74m+XoIhQ8R4mxRcaAHwKKXyeyP5nlAs6TQVb9QJukoRiNDr3g8TwbtT54 > iTswVu+z/a89/YIwJoc6Ud7eCZSDYe6qfuC19TVuledayjjy/ZPMH0ZkNWFWJ3AE > VAvdyvoUuNbmsv42o4AUtpE/1CmDqOjwBRZZbtV4CONCDFpk26o= > =D2ov > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to "freebsd-security- > notifications-unsubscribe@freebsd.org" > -- --------------------------------------------------------------------------------- 4096R/D21D2752 ECDF B597 B54B 7F92 753E E0EA F699 A450 D21D 2752 Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354 Member, Apache Software Foundation Committer, FreeBSD Foundation Consultant, P6M7G8 Inc. Director Cloud Technology, Capital One What doesn't kill us can only make us stronger; Except it almost kills you. 
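The origin-timestamp and reset handling that the advisory quoted above describes for CVE-2018-7184 and CVE-2018-7185, as an added illustration. This is not part of the thread and is not ntpd's or the FreeBSD project's code: the 48-byte header layout follows RFC 5905, but the Association class, its strict switch, the timestamps in run_scenario and the mac_valid flag that stands in for a real MAC check are simplifications constructed for this example. The strict=False path reproduces the class of bug the advisory describes (a zero-origin packet is honoured as a reset, and its transmit stamp is recorded as the last "received" stamp, before authentication is considered); the strict=True path decides authentication and origin matching before any state changes.

```python
"""Simplified model of NTP's origin-timestamp / reset checks.

Constructed example, not ntpd's code. Header layout per RFC 5905;
the association state machine is a deliberate minimum and
``mac_valid`` stands in for a real symmetric-key MAC check.
"""
import struct

# li/vn/mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/origin/receive/transmit 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBBb4s4s4sQQQQ")   # 48 bytes
MODE_SYMMETRIC_ACTIVE = 1


def build_packet(org, xmt, mode=MODE_SYMMETRIC_ACTIVE, version=4):
    """Return a 48-byte NTPv4 header carrying the given origin/transmit stamps."""
    li_vn_mode = (version << 3) | mode
    return NTP_HEADER.pack(li_vn_mode, 2, 6, -20, b"\0" * 4, b"\0" * 4,
                           b"LOCL", 0, org, 0, xmt)


def parse_packet(raw):
    """Decode the fields this model cares about; reject short packets."""
    if len(raw) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    f = NTP_HEADER.unpack_from(raw)
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "org": f[8], "rec": f[9], "xmt": f[10]}


class Association:
    """Minimal symmetric association: xmt is the stamp of the last packet
    we sent, org the transmit stamp of the last packet we accepted."""

    def __init__(self, authenticated, strict):
        self.authenticated = authenticated   # association configured with a key
        self.strict = strict                 # True = hardened order of checks
        self.xmt = 0
        self.org = 0
        self.log = []

    def send(self, now):
        self.xmt = now
        return build_packet(org=self.org, xmt=now)

    def receive(self, raw, mac_valid):
        """Return True if the packet is accepted as a genuine reply."""
        pkt = parse_packet(raw)
        if self.strict:
            # Hardened: nothing, not even a zero-origin "reset", touches
            # state until the packet has authenticated.
            if self.authenticated and not mac_valid:
                self.log.append("drop: bad or missing MAC")
                return False
            if pkt["org"] == 0:
                self.log.append("reset by authenticated peer")
                self.xmt = self.org = 0
                return False
            if pkt["org"] != self.xmt:
                self.log.append("drop: origin does not match our transmit")
                return False
        else:
            # Flawed order (the advisory's class of bug): a zero-origin
            # packet resets the association and its transmit stamp is
            # recorded before authentication is considered.
            if pkt["org"] == 0:
                self.log.append("reset")
                self.xmt = 0
                self.org = pkt["xmt"]
                return False
            if self.authenticated and not mac_valid:
                self.log.append("drop: bad or missing MAC")
                return False
            if pkt["org"] != self.xmt:
                self.log.append("drop: origin does not match our transmit")
                return False
        self.org = pkt["xmt"]
        self.log.append("accept")
        return True


def run_scenario(strict):
    """We send at T1; an off-path attacker injects an unauthenticated
    zero-origin packet with a spoofed source; the real peer then replies
    with origin == T1. Returns whether the genuine reply was accepted.
    Timestamp values are constructed for the example."""
    t1, t2, t_attack = 0xE000000000000001, 0xE000000000000002, 0xDEADBEEF00000000
    assoc = Association(authenticated=True, strict=strict)
    assoc.send(t1)
    forged = build_packet(org=0, xmt=t_attack)      # no valid MAC
    assoc.receive(forged, mac_valid=False)
    genuine = build_packet(org=t1, xmt=t2)          # real peer's answer
    return assoc.receive(genuine, mac_valid=True)


if __name__ == "__main__":
    print("flawed order accepts genuine reply:", run_scenario(strict=False))
    print("strict order accepts genuine reply:", run_scenario(strict=True))
```

With strict=False the forged reset wipes the transmit stamp the association is waiting for, so the genuine reply (whose origin equals that stamp) is rejected; that rejection, repeated for as long as the attacker keeps injecting, is the disruption the advisory describes. With strict=True the forged packet is dropped on the MAC check before it can touch state and the genuine reply is accepted. The forged packet only works because it carries the peer's source address, which is why the advisory points at BCP-38 ingress filtering as the network-side mitigation.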
From owner-freebsd-security@freebsd.org Wed Mar 7 15:13:15 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B1337F359C3 for ; Wed, 7 Mar 2018 15:13:15 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-pg0-x231.google.com (mail-pg0-x231.google.com [IPv6:2607:f8b0:400e:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3527779DCE for ; Wed, 7 Mar 2018 15:13:15 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-pg0-x231.google.com with SMTP id r26so972045pgv.13 for ; Wed, 07 Mar 2018 07:13:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=1JJECI08jTWJpJPKr6UdW2zVpo1QD1ZcxgdJvqpHiwY=; b=MEBrOK1974VQh0xlyWqfhWgV0duu7DKIYwDjRC65cV44UnxDXcpEJKaEsPhoz2pfnz xLwLhBA/OVh5zVC+GtfloMKBoRJKkG+XZ9tZSbxAsKnFkHSjnVUzRjewP5XheOn6xERF sbQcg04gYexXXpAtI8Yxa68ai1D9QDDTbeyJ0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=1JJECI08jTWJpJPKr6UdW2zVpo1QD1ZcxgdJvqpHiwY=; b=WZJXx/2/m3XMwn1tmM1sb6g+4PKG2Dy9skdIGPmH2svWSdWDIVczVX+QLzuOMc/H2p utm43FFJCZK9v0olSGN7HC6RAAvnClWaV7m7YgcL5MlGZNQFC8b1G+sP1cNjOuyxQ1NA Gjik4Dr3HDlUuKCTnRoUbtq42NeF6huEQM/nxQtB8wYxij3qw5kAk5A2CwTQoBpQM6dR g2nKLeueqPn12aKvwrFx80wFW8GMZe9MyDRKcgrnRV3d/QRzngXJLe7e0DsYsABreU8t rBU3lmTDJlqUcvJr4jb4Ln5SGmCQ83PXQnX4weNKSVmQDDtVI8yl+f1vRtklRpQK4WeF DVOQ== X-Gm-Message-State: APf1xPBgEtvRTBc6nzdzIsA/P6ekGD3sbcYpzepqUKLeiD/mJStDcbuZ //1KKAEmHMqkABFDl21cna7EClJALg== X-Google-Smtp-Source: 
AG47ELs5aB4XAFdpcRkqM93kKzPZdiaQSrz2vf7tZRNK2heI6yCkk1H7TB6/nudVSXREqCoM61xuqA== X-Received: by 10.99.176.68 with SMTP id z4mr17967764pgo.74.1520435593457; Wed, 07 Mar 2018 07:13:13 -0800 (PST) Received: from [10.0.1.136] (cpe-75-80-118-20.san.res.rr.com. [75.80.118.20]) by smtp.gmail.com with ESMTPSA id 76sm37670456pfp.53.2018.03.07.07.13.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Mar 2018 07:13:12 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp 
From: Gordon Tetlow X-Mailer: iPhone Mail (15D100) In-Reply-To: Date: Wed, 7 Mar 2018 07:13:11 -0800 Cc: freebsd-security@freebsd.org, FreeBSD Security Advisories Content-Transfer-Encoding: quoted-printable Message-Id: <519359A9-A123-478C-A57D-51A1D8F528CA@tetlows.org> References: <20180307071008.BB2B6447F@freefall.freebsd.org> To: "Philip M. Gollucci" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Mar 2018 15:13:16 -0000 Sorry about that. I thought I had everything but I missed that piece. They should be coming shortly. That said, I’m seeing reports of the ipsec patches for 10.x not compiling. Will look into that shortly. Gordon > On Mar 7, 2018, at 06:40, Philip M. Gollucci wrote: > > The links are 404ing > > On Wed, Mar 7, 2018 at 2:10 AM, FreeBSD Security Advisories < > security-advisories@freebsd.org> wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> ============================================================================= >> FreeBSD-SA-18:02.ntp Security >> Advisory >> The FreeBSD >> Project >> >> Topic: Multiple vulnerabilities of ntp >> >> Category: contrib >> Module: ntp >> Announced: 2018-03-07 >> Credits: Network Time Foundation >> Affects: All supported versions of FreeBSD.
>> Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE) >> 2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7) >> 2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE) >> 2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6) >> 2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27) >> CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185, >> CVE-2018-7183 >> >> For general information regarding FreeBSD Security Advisories, >> including descriptions of the fields above, security branches, and the >> following sections, please visit . >> >> I. Background >> >> The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) >> used to synchronize the time of a computer system to a reference time >> source. >> >> II. Problem Description >> >> The ctl_getitem() function is used by ntpd(8) to process incoming "mode 6" >> packets. A malicious "mode 6" packet can be sent to an ntpd instance, and >> if the ntpd instance is from 4.2.8p6 through 4.2.8p10, ctl_getitem() will >> read past the end of its buffer. [CVE-2018-7182] >> >> The ntpd(8) service can be vulnerable to Sybil attacks. If a system is >> configured to use a trustedkey and if one is not using the feature >> introduced >> in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to >> specify >> which IPs can serve time, a malicious authenticated peer, i.e., one where >> the >> attacker knows the private symmetric key, can create arbitrarily-many >> ephemeral associations in order to win the clock selection of ntpd and >> modify >> a victim's clock. [CVE-2018-7170] >> >> The fix for NtpBug2952 was incomplete, and while it fixed one problem it >> created another. Specifically, it drops bad packets before updating the >> "received" timestamp.
>> This means a third-party can inject a packet with a zero-origin
>> timestamp, meaning the sender wants to reset the association, and the
>> transmit timestamp in this bogus packet will be saved as the most recent
>> "received" timestamp. The real remote peer does not know this value and
>> this will disrupt the association until the association resets.
>> [CVE-2018-7184]
>>
>> The NTP Protocol allows for both non-authenticated and authenticated
>> associations, in client/server, symmetric (peer), and several broadcast
>> modes. In addition to the basic NTP operational modes, symmetric mode and
>> broadcast servers can support an interleaved mode of operation. In
>> ntp-4.2.8p4, a bug was inadvertently introduced into the protocol engine
>> that allows a non-authenticated zero-origin (reset) packet to reset an
>> authenticated interleaved peer association. If an attacker can send a
>> packet with a zero-origin timestamp and the source IP address of the
>> "other side" of an interleaved association, the 'victim' ntpd will reset
>> its association. The attacker must continue sending these packets in
>> order to maintain the disruption of the association. [CVE-2018-7185]
>>
>> The ntpq(8) utility is a monitoring and control program for ntpd. The
>> internal decodearr() function of ntpq(8) is used to decode an array in a
>> response string when formatted data is being displayed. This is a problem
>> in affected versions of ntpq if a maliciously-altered ntpd returns an
>> array result that will trip this bug, or if a bad actor is able to read
>> an ntpq(8) request on its way to a remote ntpd server and forge and send
>> a response before the remote ntpd sends its response. It is potentially
>> possible that the malicious data could become injectable/executable
>> code. [CVE-2017-7183]
>>
>> III. Impact
>>
>> Malicious remote attackers may be able to break time synchronization,
>> or cause the ntpq(8) utility to crash.
>>
>> IV. Workaround
>>
>> No workaround is available, but systems not running ntpd(8) or ntpq(8) are
>> not affected. Network administrators are advised to implement BCP-38 which
>> helps to reduce risk associated with the attacks.
>>
>> V. Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
>> release / security branch (releng) dated after the correction date.
>>
>> The ntpd service has to be restarted after the update. A reboot is
>> recommended but not required.
>>
>> 2) To update your vulnerable system via a binary patch:
>>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>>
>> The ntpd service has to be restarted after the update. A reboot is
>> recommended but not required.
>>
>> 3) To update your vulnerable system via a source code patch:
>>
>> The following patches have been verified to apply to the applicable
>> FreeBSD release branches.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> [FreeBSD 11.1]
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-11.1.patch.asc
>> # gpg --verify ntp-11.1.patch.asc
>>
>> [FreeBSD 10.4]
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.4.patch.asc
>> # gpg --verify ntp-10.4.patch.asc
>>
>> [FreeBSD 10.3]
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch
>> # fetch https://security.FreeBSD.org/patches/SA-18:02/ntp-10.3.patch.asc
>> # gpg --verify ntp-10.3.patch.asc
>>
>> b) Apply the patch.
>> Execute the following commands as root:
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> c) Recompile the operating system using buildworld and installworld as
>> described in .
>>
>> Restart the applicable daemons, or reboot the system.
>>
>> VI. Correction details
>>
>> The following list contains the correction revision numbers for each
>> affected branch.
>>
>> Branch/path                                                      Revision
>> - -------------------------------------------------------------------------
>> stable/10/                                                        r330141
>> releng/10.3/                                                      r330567
>> releng/10.4/                                                      r330567
>> stable/11/                                                        r330106
>> releng/11.1/                                                      r330567
>> - -------------------------------------------------------------------------
>>
>> To see which files were modified by a particular revision, run the
>> following command, replacing NNNNNN with the revision number, on a
>> machine with Subversion installed:
>>
>> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>>
>> Or visit the following URL, replacing NNNNNN with the revision number:
>>
>>
>> VII. References
>>
>> February_2018_ntp_4_2_8p11_NTP_S>
>>
>> The latest revision of this advisory is available at
>>
>> -----BEGIN PGP SIGNATURE-----
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> freebsd-security-notifications@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
>> To unsubscribe, send any mail to
>> "freebsd-security-notifications-unsubscribe@freebsd.org"
>
>
> --
> ---------------------------------------------------------------------------------
> 4096R/D21D2752 ECDF B597 B54B 7F92 753E E0EA F699 A450 D21D 2752
> Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
> Member, Apache Software Foundation
> Committer, FreeBSD Foundation
> Consultant, P6M7G8 Inc.
> Director Cloud Technology, Capital One
>
> What doesn't kill us can only make us stronger;
> Except it almost kills you.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Wed Mar 7 13:37:10 2018
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp
To: freebsd-security@freebsd.org
References: <20180307071008.BB2B6447F@freefall.freebsd.org>
From: Harlan Stenn
Message-ID: <5131394d-c614-229a-8966-aa3ebaca74b2@nwtime.org>
Date: Wed, 7 Mar 2018 05:37:07 -0800
In-Reply-To: <20180307071008.BB2B6447F@freefall.freebsd.org>

I still think y'all write great security advisories, and I keep aiming
to get our "originals" up to your quality.

I hope that whoever did this got a smile out of my '--- wait for it---'
comment on the ntpq decodearr() description. I think I added that after
many continuous hours' writing of these descriptions, and sometimes I
just succumb and let things like that slip in to make my subsequent
re-reads a bit less ponderous.

On 3/6/18 11:10 PM, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-18:02.ntp Security Advisory
> The FreeBSD Project
>
> Topic: Multiple vulnerabilities of ntp
> ...

--
Harlan Stenn
http://networktimefoundation.org - be a member!
From owner-freebsd-security@freebsd.org Wed Mar 7 15:32:50 2018
Date: Wed, 7 Mar 2018 07:31:33 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:02.ntp
In-Reply-To: <5131394d-c614-229a-8966-aa3ebaca74b2@nwtime.org>
References: <20180307071008.BB2B6447F@freefall.freebsd.org>
 <5131394d-c614-229a-8966-aa3ebaca74b2@nwtime.org>

Harlan Stenn wrote:
> I still think y'all write great security advisories, and I keep aiming
> to get our "originals" up to your quality.

High quality work to be sure. It is still unfortunate that time had to be
wasted on this (and other ntpd advisories). Much time and insecurity could
have been saved by migrating ntpd to ports and openntpd to base. One too
many cases exactly like this are why OpenBSD and HardenedBSD forked of
course, but it is still not at all clear why openntpd and other tested and
proven security changes haven't been pulled into FreeBSD.
Roger Marquis

From owner-freebsd-security@freebsd.org Thu Mar 8 06:29:30 2018
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec [REVISED]
Reply-To: freebsd-security@freebsd.org
Message-Id: <20180308062930.3E74E33F7@freefall.freebsd.org>
Date: Thu, 8 Mar 2018 06:29:30 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:01.ipsec [REVISED]                            Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec validation and use-after-free

Category:       core
Module:         ipsec
Announced:      2018-03-07
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE)
                2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7)
                2018-03-07 16:55:15 UTC (stable/10, 10.4-STABLE)
                2018-03-07 17:16:41 UTC (releng/10.4, 10.4-RELEASE-p7)
                2018-03-07 17:16:41 UTC (releng/10.3, 10.3-RELEASE-p28)
CVE Name:       CVE-2018-6916

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0. Revision History

v1.0  2018-03-07  Initial release.
v1.1  2018-03-08  Correct patch for 10.x releases.

I. Background

The IPsec suite of protocols provide network level security for IPv4 and
IPv6 packets. FreeBSD includes software originally developed by the KAME
project which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II. Problem Description

Due to a lack of strict checking, an attacker from a trusted host can send
a specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could
cause unpredictable results.

III. Impact

Access to out of bounds or freed mbuf data can lead to a kernel panic or
other unpredictable results.

IV. Workaround

No workaround is available, but systems not using IPsec are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

And reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

[*** v1.1 NOTE ***] If your 10.x sources were already patched using the
initially published advisory patches, you need to apply the
ipsec-10.rev1.patch. If you had not yet patched your 10.x sources, you
need only apply the ipsec-10.patch file. 11.1 sources were correct in the
initial release and do not need to be updated.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.x system not patched with the original SA-18:01 patch]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc
# gpg --verify ipsec-10.patch.asc

[FreeBSD 10.x that had been patched with the original SA-18:01 patch]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch.asc
# gpg --verify ipsec-10.rev1.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc
# gpg --verify ipsec-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r330609
releng/10.3/                                                      r330611
releng/10.4/                                                      r330611
stable/11/                                                        r329907
releng/11.1/                                                      r330566
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
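The source-patch procedure in section V.3 above, together with the v1.1 note, as an added example that is not part of the advisory: a fail-closed wrapper that refuses to apply a patch unless gpg reports a valid signature from a pinned key, and picks ipsec-10.patch or ipsec-10.rev1.patch by checking whether the original 10.x patch is already in the tree. It assumes FreeBSD patch(1) (-C check-only, -R reverse), fetch(1), gpg(1) with the Security Officer key imported, and the pinned fingerprint passed in SO_FINGERPRINT; no real fingerprint is embedded.

```shell
#!/bin/sh
# Added example, not part of SA-18:01: fail-closed wrapper for the V.3 steps.
# Assumes FreeBSD patch(1) (-C check only, -R reverse), fetch(1), gpg(1) with
# the Security Officer key imported; SO_FINGERPRINT supplies the pinned key.
set -eu

BASE_URL="https://security.FreeBSD.org/patches/SA-18:01"
SRCDIR="${SRCDIR:-/usr/src}"

# 0 only when gpg's machine-readable status shows GOODSIG plus a VALIDSIG
# made by the pinned fingerprint. A bare "gpg --verify" exits 0 for a good
# signature from any key it happens to know, which is a weaker check.
sig_status_ok() {
    status="$1"; want_fpr="$2"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG ${want_fpr} " || return 1
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG)' && return 1
    return 0
}

# Patch name the advisory calls for: $1 is the FreeBSD major version,
# $2 is "yes" when the original 10.x SA-18:01 patch is already in the tree.
pick_patch() {
    case "$1" in
        11) echo ipsec-11.patch ;;
        10) if [ "$2" = yes ]; then echo ipsec-10.rev1.patch; else echo ipsec-10.patch; fi ;;
        *)  echo "unsupported FreeBSD major version: $1" >&2; return 1 ;;
    esac
}

# "yes" if the original 10.x patch (absolute path in $1) reverse-applies
# cleanly, i.e. it is already applied; "no" otherwise. -C modifies nothing.
original_applied() {
    if (cd "$SRCDIR" && patch -C -R -s < "$1") >/dev/null 2>&1; then echo yes; else echo no; fi
}

# $1 patch name, $2 pinned fingerprint. Stops unless the detached signature
# is good and was made by the pinned key.
fetch_and_verify() {
    fetch -q "$BASE_URL/$1" "$BASE_URL/$1.asc"
    status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || true
    sig_status_ok "$status" "$2" || { echo "signature check failed for $1" >&2; return 1; }
}

main() {
    fpr="${SO_FINGERPRINT:?set SO_FINGERPRINT to the Security Officer key fingerprint}"
    major=$(uname -r | cut -d. -f1)
    already=no
    if [ "$major" = 10 ]; then
        fetch_and_verify ipsec-10.patch "$fpr"
        already=$(original_applied "$PWD/ipsec-10.patch")
    fi
    name=$(pick_patch "$major" "$already")
    fetch_and_verify "$name" "$fpr"
    (cd "$SRCDIR" && patch -C -s < "$OLDPWD/$name") \
        || { echo "$name does not apply cleanly to $SRCDIR" >&2; return 1; }
    (cd "$SRCDIR" && patch -s < "$OLDPWD/$name")
    echo "applied $name; now rebuild the kernel and reboot"
}

# Run only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = --run ]; then main; fi
```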