From owner-freebsd-security@freebsd.org Thu Mar 19 17:37:37 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:04.tcp
Date: Thu, 19 Mar 2020 17:37:34 +0000 (UTC)
Message-Id: <20200319173734.DA85F14CEE@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:04.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          TCP IPv6 SYN cache kernel information disclosure

Category:       core
Module:         tcp
Announced:      2020-03-19
Credits:        Michael Tuexen (Netflix, contractor)
Affects:        All supported versions of FreeBSD.
Corrected:      2020-03-08 14:48:21 UTC (stable/12, 12.1-STABLE)
                2020-03-19 16:46:01 UTC (releng/12.1, 12.1-RELEASE-p3)
                2020-03-08 14:48:32 UTC (stable/11, 11.3-STABLE)
                2020-03-19 16:46:01 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name:       CVE-2020-7451

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The Internet Protocol version 6 (IPv6) header contains a one byte field
called Traffic Class. Two bits of this field are used for Explicit
Congestion Notification (ECN); the other six bits are used as
Differentiated Services Field Codepoints (DSCP).

The Transmission Control Protocol (TCP) is a connection oriented transport
protocol, which can be used as an upper layer of IPv6. A TCP endpoint is
either acting as a client (sending initially a SYN segment) or as a server
(initially waiting to receive a SYN segment and then responding with a
SYN-ACK segment).

To mitigate the impact of some attacks against TCP servers (like
SYN-flooding), FreeBSD uses specific code to handle the TCP connection
setup for servers. This includes the transmission and retransmission of
SYN-ACK segments or responding with a challenge ACK segment to a received
RST segment.

II.  Problem Description

When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6,
the Traffic Class field is not initialized. This also applies to challenge
ACK segments, which are sent in response to received RST segments during
the TCP connection setup phase.

III. Impact

For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6, one
byte of kernel memory is transmitted over the network.

IV.  Workaround

No workaround is available. Systems not using IPv6 are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r358739
releng/12.1/                                                      r359138
stable/11/                                                        r358740
releng/11.3/                                                      r359138
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:
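As an added example (not part of the advisory or of FreeBSD's own code), the following C program parses a raw IPv6+TCP segment and flags a SYN-ACK whose Traffic Class differs from the value the host is expected to emit, which is 0 when no DSCP marking is configured; an unpatched server's SYN-ACKs carry a byte of kernel memory there, so their Traffic Class wanders from segment to segment. The sample packets are constructed inline, and the parser assumes TCP follows the IPv6 header directly (no extension headers).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define TCP_HDR_LEN  20
#define NEXT_HDR_TCP 6
#define TH_SYN 0x02
#define TH_ACK 0x10

/* Traffic Class spans the low nibble of byte 0 and the high nibble of byte 1
 * (RFC 8200: version:4 | traffic class:8 | flow label:20). Returns -1 for
 * anything that is not a complete IPv6 header. */
int ipv6_traffic_class(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    return ((pkt[0] & 0x0f) << 4) | (pkt[1] >> 4);
}

/* True when the packet is IPv6 with TCP directly as Next Header and both
 * SYN and ACK set. Extension headers are not walked in this example. */
int ipv6_is_tcp_synack(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN + TCP_HDR_LEN || (pkt[0] >> 4) != 6)
        return 0;
    if (pkt[6] != NEXT_HDR_TCP)
        return 0;
    uint8_t flags = pkt[IPV6_HDR_LEN + 13];
    return (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK);
}

/* 1 = SYN-ACK carrying an unexpected Traffic Class (what a leaking syncache
 * produces), 0 = SYN-ACK with the expected value, -1 = not a SYN-ACK. */
int synack_tc_anomaly(const uint8_t *pkt, size_t len, int expected_tc)
{
    if (!ipv6_is_tcp_synack(pkt, len))
        return -1;
    return ipv6_traffic_class(pkt, len) != expected_tc;
}

/* Constructed sample packet: IPv6 header plus a bare 20-byte TCP header,
 * addresses left as :: because only the header fields matter here. */
size_t build_ipv6_tcp(uint8_t *buf, size_t cap, uint8_t tc, uint8_t tcp_flags)
{
    const size_t total = IPV6_HDR_LEN + TCP_HDR_LEN;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x60 | (tc >> 4));      /* version 6, TC high nibble */
    buf[1] = (uint8_t)((tc & 0x0f) << 4);      /* TC low nibble, flow label 0 */
    buf[5] = TCP_HDR_LEN;                      /* payload length (low byte) */
    buf[6] = NEXT_HDR_TCP;
    buf[7] = 64;                               /* hop limit */
    uint8_t *tcp = buf + IPV6_HDR_LEN;
    tcp[0] = 0x01; tcp[1] = 0xbb;              /* source port 443 (the server) */
    tcp[2] = 0xc0; tcp[3] = 0x00;              /* destination port 49152 */
    tcp[12] = (uint8_t)((TCP_HDR_LEN / 4) << 4); /* data offset = 5 words */
    tcp[13] = tcp_flags;
    return total;
}

/* Build one constructed packet and classify it in a single call. */
int classify_constructed(uint8_t tc, uint8_t tcp_flags, int expected_tc)
{
    uint8_t buf[IPV6_HDR_LEN + TCP_HDR_LEN];
    size_t len = build_ipv6_tcp(buf, sizeof buf, tc, tcp_flags);
    return synack_tc_anomaly(buf, len, expected_tc);
}

int main(void)
{
    /* A patched host sends TC 0 on every SYN-ACK; on an unpatched host the
     * value varies, so several SYN-ACKs from one server disagree. */
    const uint8_t tcs[] = { 0x00, 0x00, 0x5a, 0xe3 };
    for (size_t i = 0; i < sizeof tcs; i++) {
        int r = classify_constructed(tcs[i], TH_SYN | TH_ACK, 0);
        printf("SYN-ACK with Traffic Class 0x%02x: %s\n", tcs[i],
               r == 1 ? "unexpected value, investigate" : "as expected");
    }
    return 0;
}
```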
VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Thu Mar 19 17:37:44 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:05.if_oce_ioctl
Date: Thu, 19 Mar 2020 17:37:44 +0000 (UTC)
Message-Id: <20200319173744.187ED150CF@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:05.if_oce_ioctl                               Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient oce(4) ioctl(2) privilege checking

Category:       core
Module:         oce(4)
Announced:      2020-03-19
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-12-26 16:56:42 UTC (stable/12, 12.1-STABLE)
                2020-03-19 16:48:29 UTC (releng/12.1, 12.1-RELEASE-p3)
                2019-12-26 16:58:11 UTC (stable/11, 11.3-STABLE)
                2020-03-19 16:48:29 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name:       CVE-2019-15876

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The primary interface used for network driver configuration is ioctl(2).
Several ioctl(2) commands are reserved for driver-specific purposes. For
instance, a driver may use one of these ioctls to implement an interface
for updating device firmware.

II.  Problem Description

The driver-specific ioctl(2) command handlers in oce(4) failed to check
whether the caller has sufficient privileges to perform the corresponding
operation.

III. Impact

The oce(4) handler permits unprivileged users to send passthrough commands
to device firmware.

IV.  Workaround

No workaround is available. Systems that do not contain devices driven by
oce(4) are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch.asc
# gpg --verify if_oce_ioctl.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r356089
releng/12.1/                                                      r359139
stable/11/                                                        r356090
releng/11.3/                                                      r359139
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Thu Mar 19 17:37:52 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:06.if_ixl_ioctl
Date: Thu, 19 Mar 2020 17:37:51 +0000 (UTC)
Message-Id: <20200319173752.0C035153D4@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:06.if_ixl_ioctl                               Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient ixl(4) ioctl(2) privilege checking

Category:       core
Module:         ixl(4)
Announced:      2020-03-19
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2020-01-10 18:31:59 UTC (stable/12, 12.1-STABLE)
                2020-03-19 16:49:32 UTC (releng/12.1, 12.1-RELEASE-p3)
CVE Name:       CVE-2019-15877

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The primary interface used for network driver configuration is ioctl(2).
Several ioctl(2) commands are reserved for driver-specific purposes. For
instance, a driver may use one of these ioctls to implement an interface
for updating device firmware.

II.  Problem Description

The driver-specific ioctl(2) command handlers in ixl(4) failed to check
whether the caller has sufficient privileges to perform the corresponding
operation.

III. Impact

The ixl(4) handler permits unprivileged users to trigger updates to the
device's non-volatile memory (NVM).

IV.  Workaround

No workaround is available. Systems that do not contain devices driven by
ixl(4) are unaffected.
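The two ioctl advisories (SA-20:05 for oce(4) and SA-20:06 for ixl(4)) describe the same pattern, so one added example serves both. It is a user-space C model, not the drivers' code: the command numbers, the `struct caller`/`struct device` types and `priv_check_model()` are assumptions standing in for the kernel's ioctl path and for priv_check(9). The point it shows is where the check has to live: the generic interface ioctls are gated by the stack before the driver sees them, but driver-private commands are handed straight to the driver, so an unchecked handler lets any caller run a firmware passthrough or NVM update.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical command numbers for this model; real drivers hang their
 * private commands off the SIOCGPRIVATE_* range, which the stack passes
 * through to the driver untouched. */
enum {
    CMD_SET_MTU        = 1,    /* generic: the stack checks privilege first */
    CMD_GET_STATS      = 2,    /* generic, read-only, no privilege needed */
    CMD_FW_PASSTHROUGH = 100,  /* driver-private, like oce(4)'s firmware path */
    CMD_NVM_UPDATE     = 101   /* driver-private, like ixl(4)'s NVM update */
};

struct caller { int has_priv_driver; };                /* model of the thread */
struct device { unsigned mtu, fw_cmds, nvm_writes; };  /* model of the softc */

typedef int (*driver_ioctl_fn)(struct device *, const struct caller *,
                               unsigned cmd, unsigned arg);

/* Stand-in for priv_check(9): 0 when the caller holds the privilege,
 * EPERM otherwise. */
static int priv_check_model(const struct caller *c)
{
    return c->has_priv_driver ? 0 : EPERM;
}

/* The privileged operations themselves, reached from the private handler. */
static int do_private_command(struct device *d, unsigned cmd, unsigned arg)
{
    (void)arg;
    switch (cmd) {
    case CMD_FW_PASSTHROUGH: d->fw_cmds++;    return 0;
    case CMD_NVM_UPDATE:     d->nvm_writes++; return 0;
    default:                 return EINVAL;
    }
}

/* Vulnerable shape: the handler never asks who is calling. */
int driver_ioctl_unchecked(struct device *d, const struct caller *c,
                           unsigned cmd, unsigned arg)
{
    (void)c;
    return do_private_command(d, cmd, arg);
}

/* Fixed shape: gate every driver-private command before dispatching it. */
int driver_ioctl_checked(struct device *d, const struct caller *c,
                         unsigned cmd, unsigned arg)
{
    int error = priv_check_model(c);
    if (error != 0)
        return error;
    return do_private_command(d, cmd, arg);
}

/* Model of the generic ifioctl path: known commands are checked here (the
 * model collapses the per-command privileges into one flag), while unknown
 * commands go to the driver as-is, so the driver's handler is the only
 * place a check for them can live. */
int ifioctl_model(struct device *d, const struct caller *c, unsigned cmd,
                  unsigned arg, driver_ioctl_fn drv)
{
    switch (cmd) {
    case CMD_SET_MTU:
        if (!c->has_priv_driver)
            return EPERM;
        d->mtu = arg;
        return 0;
    case CMD_GET_STATS:
        return 0;
    default:
        return drv(d, c, cmd, arg);
    }
}

struct outcome { int error; unsigned fw_cmds; unsigned nvm_writes; };

/* Run one call against a fresh device and report what happened to it. */
struct outcome run_scenario(int privileged, unsigned cmd, int fixed)
{
    struct device dev = { 1500, 0, 0 };
    struct caller who = { privileged };
    struct outcome o;
    o.error = ifioctl_model(&dev, &who, cmd, 0,
                            fixed ? driver_ioctl_checked : driver_ioctl_unchecked);
    o.fw_cmds = dev.fw_cmds;
    o.nvm_writes = dev.nvm_writes;
    return o;
}

int main(void)
{
    struct outcome before = run_scenario(0, CMD_NVM_UPDATE, 0);
    struct outcome after  = run_scenario(0, CMD_NVM_UPDATE, 1);
    printf("unprivileged NVM update, unchecked handler: error=%d writes=%u\n",
           before.error, before.nvm_writes);
    printf("unprivileged NVM update, checked handler:   error=%d writes=%u\n",
           after.error, after.nvm_writes);
    return 0;
}
```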
V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch.asc
# gpg --verify if_ixl_ioctl.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r356606
releng/12.1/                                                      r359140
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Thu Mar 19 17:37:59 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:07.epair
Date: Thu, 19 Mar 2020 17:37:57 +0000 (UTC)
Message-Id: <20200319173757.F41FD1582A@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:07.epair                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect user-controlled pointer use in epair

Category:       core
Module:         kernel
Announced:      2020-03-19
Credits:        Ilja van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2020-02-04 04:29:54 UTC (stable/12, 12.1-STABLE)
                2020-03-19 16:50:36 UTC (releng/12.1, 12.1-RELEASE-p3)
                2020-02-04 04:29:53 UTC (stable/11, 11.3-STABLE)
                2020-03-19 16:50:36 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name:       CVE-2020-7452

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The epair(4) interface provides a pair of virtual back-to-back connected
Ethernet interfaces.

II.  Problem Description

Incorrect use of a potentially user-controlled pointer in the kernel
allowed vnet jailed users to panic the system and potentially execute
arbitrary code in the kernel.

III. Impact

Users with root level access (or the PRIV_NET_IFCREATE privilege) can
panic the system, or potentially escape the jail or execute arbitrary code
with kernel privileges.

IV.  Workaround

No workaround is available. Systems not using epair(4) are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.12.patch.asc
# gpg --verify epair.12.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.11.patch.asc
# gpg --verify epair.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r357490
releng/12.1/                                                      r359141
stable/11/                                                        r357489
releng/11.3/                                                      r359141
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Thu Mar 19 17:38:02 2020
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-20:08.jail
Date: Thu, 19 Mar 2020 17:38:01 +0000 (UTC)
Message-Id: <20200319173801.EC92F1575F@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-20:08.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure with nested jails

Category:       core
Module:         kern
Announced:      2020-03-19
Credits:        Hans Christian Woithe
Affects:        All supported versions of FreeBSD.
Corrected:      2020-03-16 21:12:46 UTC (stable/12, 12.1-STABLE)
                2020-03-19 16:51:33 UTC (releng/12.1, 12.1-RELEASE-p3)
                2020-03-16 21:12:32 UTC (stable/11, 11.3-STABLE)
                2020-03-19 16:51:33 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name:       CVE-2020-7453

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The jail_set(2) system call allows a system administrator to lock up a
process and all its descendants inside a closed environment with very
limited ability to affect the system outside that environment, even for
processes with superuser privileges.

The jail_get(2) system call allows a system administrator to read the
configuration of running jails.

II.  Problem Description

A missing NUL-termination check for the jail_set(2) configuration option
"osrelease" may return more bytes when reading the jail configuration back
with jail_get(2) than were originally set.
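As an added model of the osrelease problem above (not FreeBSD's kern_jail.c), the following C program keeps a fixed-size osrelease field next to some other data, stores a caller-supplied value with and without a NUL-termination check, and then reads it back the way a strlen-style copy would. The 32-byte field size mirrors FreeBSD's OSRELEASELEN as an assumption; the record layout, the adjacent data and the inputs are constructed for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the osrelease field; assumption mirroring FreeBSD's OSRELEASELEN. */
#define OSRELEASELEN 32

/* Model of the kernel's per-jail record: the field in question and whatever
 * happens to follow it in memory. */
struct prison_model {
    char osrelease[OSRELEASELEN];
    char adjacent[24];   /* stands in for unrelated kernel data */
};

/* Vulnerable shape: the length is bounded, but nothing checks that a NUL is
 * among those bytes, so a full-length value with no terminator is stored. */
int set_osrelease_unchecked(struct prison_model *pr, const char *user, size_t len)
{
    if (len > OSRELEASELEN)
        return ENAMETOOLONG;
    memcpy(pr->osrelease, user, len);
    return 0;
}

/* Fixed shape: insist that the caller's last byte is the terminator. */
int set_osrelease_checked(struct prison_model *pr, const char *user, size_t len)
{
    if (len == 0 || user[len - 1] != '\0')
        return EINVAL;
    if (len > OSRELEASELEN)
        return ENAMETOOLONG;
    memcpy(pr->osrelease, user, len);
    return 0;
}

/* jail_get(2) side: a strlen-style copy runs to the first NUL, wherever it
 * is. Scanning the record's raw bytes keeps the model well defined while
 * showing exactly which bytes the caller receives. Returns bytes copied. */
size_t get_osrelease(const struct prison_model *pr, char *out, size_t cap)
{
    const unsigned char *raw = (const unsigned char *)pr;
    size_t off = offsetof(struct prison_model, osrelease);
    size_t n = 0;
    while (off + n < sizeof *pr && n < cap) {
        out[n] = (char)raw[off + n];
        if (raw[off + n] == 0)
            return n + 1;
        n++;
    }
    return n;
}

struct outcome { int error; size_t bytes_returned; };

/* Set the value with either handler, then read it back. */
struct outcome scenario(int fixed, const char *user, size_t len)
{
    struct prison_model pr;
    char out[sizeof pr];
    struct outcome o = { 0, 0 };
    memset(&pr, 0, sizeof pr);
    memcpy(pr.adjacent, "kernel data after field", 24);   /* 23 chars + NUL */
    o.error = fixed ? set_osrelease_checked(&pr, user, len)
                    : set_osrelease_unchecked(&pr, user, len);
    if (o.error == 0)
        o.bytes_returned = get_osrelease(&pr, out, sizeof out);
    return o;
}

/* Constructed input: OSRELEASELEN bytes with no terminator anywhere. */
struct outcome scenario_no_nul(int fixed)
{
    char user[OSRELEASELEN];
    memset(user, 'A', sizeof user);
    return scenario(fixed, user, sizeof user);
}

int main(void)
{
    struct outcome ok  = scenario(1, "12.1-RELEASE-p3", sizeof "12.1-RELEASE-p3");
    struct outcome bad = scenario_no_nul(0);
    struct outcome fix = scenario_no_nul(1);
    printf("well-formed value:        error=%d, %zu bytes read back\n",
           ok.error, ok.bytes_returned);
    printf("unterminated, unchecked:  error=%d, %zu bytes read back (field is %d)\n",
           bad.error, bad.bytes_returned, OSRELEASELEN);
    printf("unterminated, checked:    error=%d (EINVAL is %d)\n", fix.error, EINVAL);
    return 0;
}
```

The unchecked path hands back 56 bytes for a 32-byte field: the whole osrelease value plus everything up to the next NUL in the adjacent data, which is the disclosure the advisory describes.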
Impact For jails with a non-default setting of children.max > 0 ("nested jails") a superuser inside a jail can create a jail and may be able to read and take advantage of exposed kernel memory. IV. Workaround No workaround is available. Systems not altering the default settings of the jail configuration option children.max=0 are not affected as a root on the base system has access to kernel memory by other means and a super user inside a jail cannot create further jails. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch # fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch.asc # gpg --verify kern_jail.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. 
Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r359021 releng/12.1/ r359142 stable/11/ r359020 releng/11.3/ r359142 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKWdw//ZFfaoCenbVtvB6a4JW9HOT0yMoDXup+OdpjbhUTsJSyvDB9eZUSiZJ7u 4rQZpYQZotND2I/U8BSUjcJlDVzhTn6WN1yZFpWI9oFrSJhKxkwGMuetocUw7MgE ++WaaVueodMBjG7+v7mUmr5pXomdpxCO4XZxTW0BCm3Pvydera1kZVHzQ2pAw0On cnOiSN+v04latfkjjdjPv+oC8GUsI3Q+4jF745MN9dND+4KV/4CW5BJg6sUiJakx WB6cXayxp+Q/WPoB4OS/w3loe1FGIqESjXMxdHAV0n9eVofv8+h0rQt5kQ9oFpCm Ql2NUG7xKqoidGlhzff5w0j5+VNXA/exv+sH/lQTZO5xJa/5Ti1wlUxsrp/8jO9Z vRDd3CwjOIG+dFBSAXWcAaSedJ+Ax97RVbfKmYiy5B7ujJp/X6rJXU2G3zOhObCS 8/E+KHlj9YT4hN73zDeGiw5zKVjbfVQp661mKgP1lO+4Mv9357F8epux+CV3fdb6 BBttCm8l8ubhfr12fmBAfXUXDx7stNTpvcgphGUB0v6Sfxbv0OHoGzfAGrQ3i3LP Os7OoFRJ+2SJ/G8xpjVjriOsAoLeUX43JIlPTOEvU2mhol/M717Rwn94ndqXfNJh XCF2AaOVXxBpdx2Vik3FBTGZvAfTCxMQOZwGn7zVzpbxlCbasKM= =13XM -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Thu Mar 19 17:38:08 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4AF7A265CD5 for ; Thu, 19 Mar 2020 17:38:08 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org 
(freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48jvJH5jz1z4dmZ; Thu, 19 Mar 2020 17:38:07 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 378391587E; Thu, 19 Mar 2020 17:38:07 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-20:09.ntp Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20200319173807.378391587E@freefall.freebsd.org> Date: Thu, 19 Mar 2020 17:38:07 +0000 (UTC) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Mar 2020 17:38:08 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-20:09.ntp Security Advisory The FreeBSD Project Topic: Multiple denial of service in ntpd Category: contrib Module: ntp Announced: 2020-03-19 Credits: Philippe Antoine and Miroslav Lichvar Affects: All supported versions of FreeBSD. Corrected: 2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE) 2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3) 2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE) 2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7) For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. 
Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description Three NTP vulnerabilities are addressed by this security advisory. NTP Bug 3610: Process_control() should exit earlier on short packets. On systems that override the default and enable ntpdc (mode 7), fuzz testing detected a short packet will cause ntpd to read uninitialized data. NTP Bug 3596: Due to highly predictable transmit timestamps, an unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim ntpd configured to receive time from an unauthenticated time source is vulnerable to an off-path attacker with permission to query the victim. The attacker must send from a spoofed IPv4 address of an upstream NTP server and the victim must process a large number of packets with that spoofed IPv4 address. After eight or more successful attacks in a row, the attacker can either modify the victim's clock by a small amount or cause ntpd to terminate. The attack is especially effective when unusually short poll intervals have been configured. NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such that an ntpd can be prevented from initiating a time volley to its peer resulting in a DoS. III. Impact All three NTP bugs may result in DoS or terimation of the ntp daemon. IV. Workaround Systems not using ntpd(8) are not vulnerable. Systems running ntpd should make the following changes: - - Disable mode 7 - - Use many trustworthy sources of time - - Use NTP packet authentication - - Monitor ntpd for error messages indicating attack - - If only unauthenticated time over IPv4 is available, use the restrict configuration directive V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch.asc
# gpg --verify ntp.12.patch.asc

[FreeBSD 12.1-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch.asc
# gpg --verify ntp.12.1.patch.asc

[FreeBSD 11.3-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch.asc
# gpg --verify ntp.11.patch.asc

[FreeBSD 11.3-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch.asc
# gpg --verify ntp.11.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r358659
releng/12.1/                                                      r359144
stable/11/                                                        r358660
releng/11.3/                                                      r359144
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Fri Mar 20 09:17:08 2020
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-security@freebsd.org
Subject: current SA in vuxml
Date: Fri, 20 Mar 2020 10:17:02 +0100

I don't know who is responsible for adding March entries into vuxml at
the same time as publishing them on the website, but I really would
like to say THANK YOU.

Kind regards
Miroslav Lachman

From owner-freebsd-security@freebsd.org Fri Mar 20 10:45:54 2020
From: Jochen Neumeister
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-security@freebsd.org, Gordon Tetlow
Subject: Re: current SA in vuxml
Message-ID: <390d1872-ea3d-2b87-3313-e95ffe47334b@FreeBSD.org>
Date: Fri, 20 Mar 2020 11:45:43 +0100

For you, Gordon ;-)

On 20.03.20 at 10:17, Miroslav Lachman wrote:
> I don't know who is responsible for adding March entries into vuxml
> at the same time as publishing them on the website, but I really would
> like to say THANK YOU.
>
> Kind regards
> Miroslav Lachman

From owner-freebsd-security@freebsd.org Sat Mar 21 16:54:50 2020
From: grarpamp
To: freebsd-current@freebsd.org
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: TLS Fingerprint Pinning Needed [ex: for NFS-over-TLS client]
Date: Sat, 21 Mar 2020 12:54:48 -0400

People appear to be talking about using and "authenticating / verifying"
TLS certs now with at least perhaps this NFS, and certainly with other
apps.

If so, it's a required critical thing for the admins and users to have
the option to pin the certificate pubkey fingerprints in four ways...

- Ignore the CA chain / expiry / etc, validate only the fingerprint.
- Validate the CA chain / expiry / etc, and validate the fingerprint.
- Validate the CA chain / expiry / etc, ignore the fingerprint.
- A TOFU mode.

No application that uses TLS should be considered completely featured
and security capable without fingerprint pinning functions.

For some background reasons on why --pinnedpublickey implementations
are now showing up in software that speaks TLS, and for sample code,
and related infos, see the links...

https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html

--pinnedpubkey

Tells curl to use the specified public key file (or hashes) to verify
the peer.
This can be a path to a file which contains a single public key in PEM
or DER format, or any number of base64 encoded sha256 hashes preceded
by 'sha256//' and separated by ';'

When negotiating a TLS or SSL connection, the server sends a
certificate indicating its identity. A public key is extracted from
this certificate and if it does not exactly match the public key
provided to this option, curl will abort the connection before sending
or receiving any data.

Please note this option is rightly more specific, covering only the
isolated pubkey, not the DER form of the entire "CA signed" cert (ie:
not the typically referenced coverage of "openssl x509 -fingerprint").

When fully implemented, this enables a local admin and user environment
of more flexible certificate validation service capabilities and
security model hardening when subject to various third party things
and adversaries like...

- Environment of rogue / forced / spy MITM CA's, TLS termination / proxy
  cloud MITM, VPN / overlay / WiFi networks MITM, etc.
- Annoying "expired" certs awaiting tax revenue from their captured
  audience.
- Assigning pinned trust to intermediate CA's such as Lets Encrypt,
  Google, and corporate schemes, to let edge server certs they sign be
  freely rotated and or freshly signed without need to update the pin.
- Avoid the need to update the pin every "expiry" period.
- Avoid CA's by using cert owners' publicly available and out of band
  self certification attestations found on keybase, social,
  observatories, PGP, etc.
- As mentioned above, optionally in combination with other CA / expiry /
  etc checks, or ignoring the CA altogether.
- CRL checks are a massive metadata privacy and user monetization leak
  that some users might not want to be exposed to.
- Pinning one or both of: pubkey (herein) and or CA (openssl x509
  -fingerprint)

Another very useful security feature to have is a trust on first use
TOFU mode that stores, pins, and subsequently validates against those
fingerprints, similar to the SSH model.
This is useful both for known comms partners such as the client-server
model, and in more distributed group or even p2p applications, to help
keep things a bit more locked down by default.

Defense (like this pubkey pinning) in depth... you can use it :)

References (obviously TLS_1.3 is today's version to use)...

https://www.netcraft.com/internet-data-mining/ssl-survey/
https://www.ssllabs.com/ssl-pulse/
https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/
https://www.bleepingcomputer.com/news/security/ietf-approves-tls-13-as-internet-standard/
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://tools.ietf.org/html/rfc8446
https://github.com/OWASP/www-community/blob/master/pages/controls/Certificate_and_Public_Key_Pinning.md
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Pinning_Cheat_Sheet.md
https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpubkey.d
https://github.com/curl/curl/blob/deb9462ff2de8e955c67ed441f5f48619a31198d/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
https://github.com/curl/curl/blob/51fde337471c9125e7bf425e7ce0a0bf53691992/docs/TODO#L728
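The curl-style pin format and the pubkey-versus-whole-cert distinction quoted in the post above, worked through in Python as an added example (not code from the post, from curl or from FreeBSD): it pulls the SubjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 walk, derives the `sha256//` pin, matches it against a `;`-separated pin list, and models the TOFU mode with a plain dict. The certificates are constructed, unsigned skeletons sharing one dummy key, which also shows that re-issuing a certificate changes the certificate bytes (what `openssl x509 -fingerprint` hashes) but not the pin; CA-chain and expiry checks are assumed to be done by the TLS library and are not modelled here.

```python
# Added example, not code from the mailing-list post, curl or FreeBSD.  The
# sample certificates are constructed, unsigned DER skeletons with dummy keys.
import base64
import hashlib

def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos] -> (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F        # long form: n length bytes follow
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo TLV of an X.509 cert.  Certificate = SEQ{tbs, sigAlg,
    sig}; TBSCertificate = SEQ{[0] version OPTIONAL, serial, sigAlg, issuer,
    validity, subject, subjectPublicKeyInfo, ...}."""
    tag, body, _ = _read_tlv(cert_der, 0)
    tag2, tbs, _ = _read_tlv(body, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER X.509 certificate")
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:                                # v1 cert: no explicit [0] version
        pos = 0
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tbs[pos:nxt]                            # whole TLV: this is what curl hashes

def spki_pin(cert_der):
    """curl --pinnedpubkey format: 'sha256//' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256//" + base64.b64encode(digest).decode()

def pin_matches(cert_der, pinned):
    """Accept the cert if its SPKI pin appears in a 'sha256//a;sha256//b' list."""
    return spki_pin(cert_der) in {p.strip() for p in pinned.split(";") if p.strip()}

def tofu_check(store, host, cert_der):
    """Trust on first use: learn the host's pin once, reject any later change."""
    pin = spki_pin(cert_der)
    if host not in store:
        store[host] = pin                          # first contact: record and accept
        return True
    return store[host] == pin                      # later contacts must match the record

def _tlv(tag, body):                               # short-form DER, enough for the samples
    return bytes([tag, len(body)]) + body

def make_cert(serial, spki):                       # constructed, unsigned v3 skeleton
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
           + _tlv(0x30, b"") * 4 + spki)           # empty sigAlg/issuer/validity/subject
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def _dummy_spki(key_byte):                         # ecPublicKey AlgId + fake key BIT STRING
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + bytes([key_byte]) * 65))

SPKI_A, SPKI_B = _dummy_spki(0xA1), _dummy_spki(0xB2)
CERT_OLD = make_cert(1, SPKI_A)                    # original server certificate
CERT_RENEWED = make_cert(2, SPKI_A)                # re-issued: new serial, same key
CERT_OTHER_KEY = make_cert(3, SPKI_B)              # different key, e.g. an interposed cert
```

A real DER certificate obtained from a TLS handshake (for example `ssl.SSLSocket.getpeercert(binary_form=True)`) is fed to the same functions.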