From owner-freebsd-announce@freebsd.org Wed Jun 19 17:20:44 2019 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DE4C115C0383 for ; Wed, 19 Jun 2019 17:20:43 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7E20670C01; Wed, 19 Jun 2019 17:20:43 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 55D3C10A66; Wed, 19 Jun 2019 17:20:43 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190619172043.55D3C10A66@freefall.freebsd.org> Date: Wed, 19 Jun 2019 17:20:43 +0000 (UTC) X-Rspamd-Queue-Id: 7E20670C01 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.98)[-0.975,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:08.rack X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jun 2019 17:20:44 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:08.rack Security Advisory The FreeBSD Project Topic: Resource exhaustion in non-default RACK TCP stack Category: core Module: inet Announced: 2019-06-19 Credits: Jonathan Looney (Netflix) Peter Lei (Netflix) Affects: FreeBSD 12.0 and later Corrected: 2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE) 2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6) CVE Name: CVE-2019-5599 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses the notion of time, in addition to packet or sequence counts, to detect losses for modern TCP implementations that support per-packet timestamps and the selective acknowledgment (SACK) option. FreeBSD ships an optional implementation of RACK. Please note this is not included by default. If RACK was not specifically compiled, installed, and loaded, the system is not vulnerable. II. Problem Description While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service. III. Impact An attacker with the ability to send specially crafted TCP traffic to a victim system can degrade network performance and/or consume excessive CPU by exploiting the inefficiency of traversing the potentially very large RACK linked lists with relatively small bandwidth cost. IV. Workaround By default RACK is not compiled or loaded into the TCP stack. To determine if you are using RACK, check the net.inet.tcp.functions_available sysctl. If it includes a line with "rack", the RACK stack is loaded. To disable RACK, unload the kernel module with: # kldunload tcp_rack Note: it may be required to use the force flag (-f) with the kldunload. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Since the tcp_rack kernel module is not built by default, recompile, reinstall, and reload the kernel module. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch # fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc # gpg --verify rack.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile, reinstall, and reload the tcp_rack kernel module. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r349197 releng/12.0/ r349199 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0KZy1fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cK8ZxAAjT8bPjh+U0DGQEjnWvmzkMl7sDd2ISMTzKXh+WVGZ0wdwLuHqCHbBhHw POAyJ4VprY9bGFK1EkoDuA5x0MPRXV4Zbk9I9eNKmzjbvj1JW92fubr/t6ITqiNp 2BAGK6iZ61saZyZNmQvTcZZzEao1ZRqylI3OEJWUwt9nomW6RJhRbRoJvbhl9oJE Dz+ZjtZmf5oKccfkgoom8i7s4sHM1wFu+S00gYM7X/Nznv2S3B66pBYVhID30MGE TKUqDYKdX7UbO/+WsWYVVBOA8Sp7FbdWLMGXXmk7jA9cVW+YUpir7yMYzIU5Ps6R rLMQv4Rc593aznEDdvZkElW6AGMfLh4dpzqBKHbidKSZTv7q0KNQ52XJb18wD8n3 1vr4L54HKai1xfl52MvLvUP7hPjLR1jW1W6QJ5Hk3qGU4aViifStY5VfJ/8J6uuT FUi5J9szYDraT8mWlIRfZNTRnbrQX2FoLjjsouL8v9kCj+83NB92wh+vylplVzKF vlw18g6yC6USuE90OfdY9gXFRxiUWE+/Y0R0+/aEvuqSa9mMLQfolznl3zf1RaK8 GWX892iYmYYiTjN/HKttkdvfrQMYWLoW4COO+6h09VyNApQSpLikclERLnysi72M EHRUquiZdZyV7nFmQGAeW779sdSE0d6gUTvS6Ak/PTzfAhy/Vj8= =ggzB -----END PGP SIGNATURE----- From owner-freebsd-announce@freebsd.org Wed Jun 19 17:21:08 2019 Return-Path: Delivered-To: freebsd-announce@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 39C4815C03E1 for ; Wed, 19 Jun 2019 17:21:08 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C2BF470C62; Wed, 19 Jun 2019 17:21:07 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 9A15210A85; Wed, 19 Jun 2019 17:21:07 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20190619172107.9A15210A85@freefall.freebsd.org> Date: Wed, 19 Jun 2019 17:21:07 +0000 (UTC) X-Rspamd-Queue-Id: C2BF470C62 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.98)[-0.975,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-19:11.net X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jun 2019 17:21:08 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-19:11.net Errata Notice The FreeBSD Project Topic: Incorrect locking in networking stack Category: core Module: net Announced: 2019-06-19 Affects: FreeBSD 12.x Corrected: 2019-04-01 14:19:09 UTC (stable/12, 12.0-STABLE) 2019-06-19 16:41:18 UTC (releng/12.0, 12.0-RELEASE-p6) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Some parts of the network stack use a synchronization primitive, epoch(9), that is new in FreeBSD 12.0. In some places where reader-writer locks were previously used, existing KPIs were preserved and their implementations replaced with epoch(9). II. Problem Description A pair of KPIs that were converted to epoch(9) were modified incorrectly, and thus failed to provide the synchronization guarantees expected by their consumers. III. Impact The bug can cause kernel memory corruption or kernel assertion failures, depending on whether the INVARIANTS option is configured. The bug is more likely to impact heavily loaded systems. IV. Workaround No workaround is available. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) Update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, reboot the system. 2) Update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-19:11/net.patch # fetch https://security.FreeBSD.org/patches/EN-19:11/net.patch.asc # gpg --verify net.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r345764 releng/12.0/ r349198 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0KZzxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLg/RAAmE7CV+NRWEu3RxLjrXbxCUC6+e0McoRAeS8mKBfeWAIbyHJKN83i0G5b 1vefBZ6rsBFZWxk2MNMSFRcV3WsE+9GoUfl0Yz0xhWN9Uu9BLDAWIBtdYt1/P+YC 8Q6yteM6VEBKyYsm/4pqOviyv4HjlQTR+Skqk9kjBXJXXdEUqoS/iGQmBD8UYY6g +bFxrHX3BiJ1X5xgqEIU6UdLyGl6N2fc0bbhj9DiEi1t7OsY0XbKR32itHtCExut G2iYYeCYIuCLlumQbyCVU1p+vi1CnVyC4UQbZKTN3xIaALopMWG/dQqv99bZwFUR wGHLWjQo5avzaWF0mIGk8XHgkVQndc1OfPxZ/MDi4POQlFyt+tjykrGumlMUGqJh 4GK9n7M/0u/bbDo3P5t1GkHbekFGc5aOvFHR+LjyLPY75n7mbFPKBdyAa4UnuM2w EeQTsZhzOxHnDS752JBfiw5dVKXzmyjmbKJvhkBLdFO/tQ33lBtmMvrO1AIaPMcB pdok94KvxbaH7Y+SzspcWBu63NLZTWOcHu75PVM8dR7CWUP55dGKLS4He24vmPNv PBNHRbtbN0tGbaQQPaYExnryncolgi+5jK/B1AJGnDONIn3ODQkcEn7roFQoZBJT 1G3KvUCdvbESZ+1Gxif3BNop6y9fg7WLMaJSyoElHr56W4lG8u0= =nqeJ -----END PGP SIGNATURE-----