Skip site navigation (1)Skip section navigation (2)
Date:      Tue,  1 Dec 2020 20:45:49 +0000 (UTC)
From:      FreeBSD Errata Notices <errata-notices@freebsd.org>
To:        FreeBSD Errata Notices <errata-notices@freebsd.org>
Subject:   [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-20:19.audit
Message-ID:  <20201201204549.9C16519AD8@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-20:19.audit                                          Errata Notice
                                                          The FreeBSD Project

Topic:          execve/fexecve system call auditing

Category:       core
Module:         kernel
Announced:      2020-12-01
Affects:        FreeBSD 12.1 and later.
Corrected:      2020-10-27 13:13:04 UTC (stable/12, 12.2-STABLE)
                2020-12-01 19:34:45 UTC (releng/12.2, 12.2-RELEASE-p1)
                2020-12-01 19:34:45 UTC (releng/12.1, 12.1-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The audit(4) facility allows a system administrator to audit
security-relevant events.  System calls are one such security-related event,
and the audit(4) facility will record whether the system call was successful
along with other important details.

II.  Problem Description

All execve/fexecve system calls in affected versions will be reported as a
failure, even upon successful execution.  For affected kernels, the exact
error reported is EJUSTRETURN, 201, or "Just return" depending on the tooling
used.  These can safely be considered successful returns for the fexecve and
execve system calls.  Note that audit trails that were produced by kernels
starting with FreeBSD 12.0 will exhibit this problem.

III. Impact

It is important to be able to determine when a process is, for instance,
executing a shell.  Such events may be indicative of an intrusion if they
are not expected.  Failure to report such an execution as successful may
result in intrusions that are no longer detectable.

IV.  Workaround

No workaround is available.  This error is irrelevant for system
administrators that do not use the audit(4) facility.  Users of the
audit(4) facility could detect the specific error that is being
returned as success, but this may complicate auditing as all failures
must be recorded.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.2.patch
# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.2.patch.asc
# gpg --verify audit.12.2.patch.asc

[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.1.patch
# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.1.patch.asc
# gpg --verify audit.12.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r367080
releng/12.2/                                                      r368249
releng/12.1/                                                      r368249
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249179>;

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:19.audit.asc>;
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl/GnclfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKqdBAAjBubNRAnzviekLybf9W6QnFT+9LrdoHEKM0epXT7GxHeGdKSbWwJPvaO
PmogRZ88uPOvaRVYIjGLXjJf48zA6D5LuQrVre0BEICVsLEaKcoQpwqOgtSKroI4
LguI26tLC/TmzWMid7CUeDOxzY0yg+t8QWPvrc9kDCZVqDFjrWtUDurLYM50p8Rm
FHfbWgFg0g3ytPF6k7DuafDrSJIs0lULwOtAPBrYR5chTr3/quc6onU99B6oxo4K
rRe4Se458M3Gm637lADAqqyRXtzwMXZ+bJBRFjdMZb3gn6QSRphHluXosv9EWwZe
FV5muyouYzxObkE4ev8dXF8Xx6LyuWfYLj5r064DRS7oFIZjIc/5F3wUITmkzCSc
iqOPZ545JO2Mxd5JwgA6QMy1YagHJb4MKDpwoQG5EHdNSSIRxRy9SEnyyxB/boMw
c65iw+SXM6ln+iAoFO9tyoLF5ek9OFRMH/1hemkY82eECcMA2m8/taSHb3++YOQr
7tmGjBZpynj/xDLQKwQiOrz5bVSPkWFc/4q9yQWAg/IoRPs+j/bsu1QoFlZX5b/8
/161dxwjs5ZLsTj+/oV/cBKQSWIFkSkbaK61ZAdrysXmGHB1jJ6OZDlsXK9kptHr
XavfRbYVCs8tB6NmWWEcfRQvLso20u+9zLO2X0yGz0+XEpKNU4k=
=QTo/
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20201201204549.9C16519AD8>