From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:03.pam_login_access
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210224060605.27A9E1BBA6@freefall.freebsd.org>
Date: Wed, 24 Feb 2021 06:06:05 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:03.pam_login_access                           Security Advisory
                                                          The FreeBSD Project

Topic:          login.access fails to apply rules

Category:       core
Module:         pam_login_access
Announced:      2021-02-24
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-24 01:20:53 UTC (stable/13, 13.0-STABLE)
                2021-02-24 01:42:42 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-24 01:40:36 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:44:01 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-24 01:39:53 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:53 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2020-25580

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

login.access(5) is a system configuration file allowing administrators to
define policy around system login access by specific users and groups.  It
is implemented by a pam(3) module, pam_login_access(8), and is configured by
default for accesses via sshd(8), telnetd(8) and the system console.

II.  Problem Description

A regression in the login.access(5) rule processor has the effect of causing
rules to fail to match even when they should not.  This means that rules
denying access may be ignored.

III. Impact

The configuration in login.access(5) may not be applied, permitting login
access to users even when the system is configured to deny it.

IV.  Workaround

No workaround is available.  Systems not relying on login.access(5) to
enforce custom login policies are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch
# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch.asc
# gpg --verify pam_login_access.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/13/                       8cf559d6b9b4782bf67eb868ea480f47fc8c64a4
releng/13.0/                     f82cffcf2f44c909bec00d18549826f5d1d62205
stable/12/                                                        r369346
releng/12.2/                                                      r369359
stable/11/                                                        r369345
releng/11.4/                                                      r369351
-------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the
following command in a checked out git repository, replacing NNNNNN with
the revision hash:

# git show --stat NNNNNN

Or visit the following URL, replacing NNNNNN with the revision hash:

[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
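An added example, not part of the advisory: a POSIX sh check for the condition stated in section IV of FreeBSD-SA-21:03, namely whether a host actually relies on login.access(5). It assumes the "permission : users : origins" rule syntax from login.access(5) and treats any uncommented pam_login_access line in a PAM service file as the module being loaded; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Paths are passed in so the
# check can also be run against a copy of a host's configuration.

# Active rules: lines starting with '#' and blank lines carry no policy.
active_rules() {
    [ -r "$1" ] || return 0
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# Number of active rules whose permission field is '-' (deny). These are
# the rules the advisory says may be ignored on an unpatched system.
deny_rule_count() {
    active_rules "$1" | awk -F: '
        { perm = $1; gsub(/[ \t]/, "", perm); if (perm ~ /^-/) n++ }
        END { print n + 0 }'
}

# Names of the PAM service files in directory $1 that contain an
# uncommented pam_login_access line, space separated.
pam_services_using_module() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -q '^[^#]*pam_login_access' "$f"; then
            basename "$f"
        fi
    done | tr '\n' ' ' | sed 's/ $//'
}

# Verdict: the host relies on login.access when the file holds at least
# one active rule and at least one PAM service loads the module.
login_access_verdict() {
    rules_file=$1 pam_dir=$2
    total=$(active_rules "$rules_file" | wc -l | tr -d ' ')
    deny=$(deny_rule_count "$rules_file")
    services=$(pam_services_using_module "$pam_dir")
    if [ "$total" -gt 0 ] && [ -n "$services" ]; then
        echo "relies-on-login.access rules=$total deny=$deny services=$services"
    else
        echo "not-relied-on rules=$total services=${services:-none}"
    fi
}

# Constructed sample: one deny rule, one allow rule, module enabled for
# sshd and commented out for ftpd.
demo() {
    d=$(mktemp -d) && mkdir "$d/pam.d" || return 1
    printf '%s\n' '# constructed sample' '' \
        '-:ALL EXCEPT wheel:ALL EXCEPT LOCAL' '+:wheel:ALL' > "$d/login.access"
    printf '%s\n' 'account required pam_nologin.so' \
        'account required pam_login_access.so' > "$d/pam.d/sshd"
    printf '%s\n' '#account required pam_login_access.so' > "$d/pam.d/ftpd"
    login_access_verdict "$d/login.access" "$d/pam.d"
    rm -rf "$d"
}

# On a FreeBSD host: login_access_verdict /etc/login.access /etc/pam.d
demo
```

A "relies-on-login.access" verdict with a non-zero deny count marks a host whose login policy depends on the fix.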

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:04.jail_remove
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210224060611.E33021B97D@freefall.freebsd.org>
Date: Wed, 24 Feb 2021 06:06:11 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:04.jail_remove                                Security Advisory
                                                          The FreeBSD Project

Topic:          jail_remove(2) fails to kill all jailed processes

Category:       core
Module:         jail
Announced:      2021-02-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-19 01:22:08 UTC (stable/13, 13.0-STABLE)
                2021-02-19 21:53:07 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-19 21:46:31 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:43:39 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-19 21:50:26 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:41 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2020-25581

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The jail_remove(2) system call, which was introduced in FreeBSD 8.0,
allows a non-jailed process to remove a jail, which includes terminating
all the processes running in that jail.

II.  Problem Description

Due to a race condition in the jail_remove(2) implementation, it may fail
to kill some of the processes.

III. Impact

A process running inside a jail can avoid being killed during jail
termination.  If a jail is subsequently started with the same root path, a
lingering jailed process may be able to exploit the window during which a
devfs filesystem is mounted but the jail's devfs ruleset has not been
applied, to access device nodes which are ordinarily inaccessible.  If the
process is privileged, it may be able to escape the jail and gain full
access to the system.

IV.  Workaround

The problem is limited to scenarios where a jail containing an untrusted,
privileged process is stopped, and a jail is subsequently started with the
same root path.  Users not running jails are not affected, and the problem
can be avoided by not starting a jail with the same path as a previously
stopped jail.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch.asc
# gpg --verify jail_remove.13.patch.asc

[FreeBSD 11.x, FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch.asc
# gpg --verify jail_remove.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/13/                       894360bacd42f021551f76518edd445f6d299f2e
releng/13.0/                     9f00cb5fa8a438e7b9efb2158f2e2edc730badd1
stable/12/                                                        r369312
releng/12.2/                                                      r369353
stable/11/                                                        r369313
releng/11.4/                                                      r369347
-------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the
following command in a checked out git repository, replacing NNNNNN with
the revision hash:

# git show --stat NNNNNN

Or visit the following URL, replacing NNNNNN with the revision hash:

[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:06.xen
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210224060628.9D6D41BAE8@freefall.freebsd.org>
Date: Wed, 24 Feb 2021 06:06:28 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:06.xen                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Xen grant mapping error handling issues

Category:       contrib
Module:         xen
Announced:      2021-02-24
Credits:        See Xen XSA-361 for details
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-23 00:55:14 UTC (stable/13, 13.0-STABLE)
                2021-02-24 01:42:35 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-23 00:58:03 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:43:59 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-23 00:59:23 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:51 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2021-26932

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host
domain).

II.  Problem Description

Grant mapping operations often occur in batch hypercalls, where a number of
operations are done in a single hypercall, the success or failure of each
one reported to the backend driver, and the backend driver then loops over
the results, performing follow-up actions based on the success or failure
of each operation.

Unfortunately, when running in HVM/PVH mode, the FreeBSD backend drivers
mishandle this: Some errors are ignored, effectively implying their success
from the success of related batch elements.  In other cases, errors
resulting from one batch element lead to further batch elements not being
inspected, and hence successful ones to not be possible to properly unmap
upon error recovery.

III. Impact

A malicious or buggy frontend driver may be able to cause resource leaks
in the domain running the corresponding backend driver.

IV.  Workaround

No workaround is available.  FreeBSD systems not using Xen are not
affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:06/xen.patch
# fetch https://security.FreeBSD.org/patches/SA-21:06/xen.patch.asc
# gpg --verify xen.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/13/                       ab3e1bd3c22a222520c23c2793cc39e3a23c9b46
releng/13.0/                     ce9af53d0897a1cb926bd244f499fc09b1626b27
stable/12/                                                        r369341
releng/12.2/                                                      r369358
stable/11/                                                        r369342
releng/11.4/                                                      r369350
-------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the
following command in a checked out git repository, replacing NNNNNN with
the revision hash:

# git show --stat NNNNNN

Or visit the following URL, replacing NNNNNN with the revision hash:

[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:05.jail_chdir
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210224060621.A81CD1BC9D@freefall.freebsd.org>
Date: Wed, 24 Feb 2021 06:06:21 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:05.jail_chdir                                 Security Advisory
                                                          The FreeBSD Project

Topic:          jail_attach(2) relies on the caller to change the cwd

Category:       core
Module:         jail
Announced:      2021-02-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-22 05:49:40 UTC (stable/13, 13.0-STABLE)
                2021-02-22 18:25:23 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-22 19:03:43 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:43:47 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-22 19:08:27 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:46 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2020-25582

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The jail_attach(2) system call, which was introduced in FreeBSD 5 before
5.1-RELEASE, allows a non-jailed process to permanently move into an
existing jail.

The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control another
(the traced process).

II.  Problem Description

When a process, such as jexec(8) or killall(1), calls jail_attach(2) to
enter a jail, the jailed root can attach to it using ptrace(2) before the
current working directory is changed.

III. Impact

A process with superuser privileges running inside a jail could change the
root directory outside of the jail, thereby gaining full read and writing
access to all files and directories in the system.

IV.  Workaround

No workaround is available, but systems that are not running jails with
untrusted root users are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch.asc
# gpg --verify jail_chdir.13.patch.asc

[FreeBSD 11.x, FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch.asc
# gpg --verify jail_chdir.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/13/                       5dbb407145c8128753fa30b695bc266dc671e433
releng/13.0/                     f3f042d850baaeda1bed19e00c2b3b578644b7e9
stable/12/                                                        r369334
releng/12.2/                                                      r369354
stable/11/                                                        r369335
releng/11.4/                                                      r369348
-------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the
following command in a checked out git repository, replacing NNNNNN with
the revision hash:

# git show --stat NNNNNN

Or visit the following URL, replacing NNNNNN with the revision hash:

[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
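An added example, not part of the advisories: a POSIX sh check of a host's reported versions against the release patch levels in the "Corrected:" fields of FreeBSD-SA-21:03, 21:04, 21:05 and 21:06, which are the same in all four. It assumes version strings in the form printed by freebsd-version(1) and uname -r (for example "12.2-RELEASE-p4"); the function names and the sample values are constructed, and any branch the advisories do not list by patch level (such as -STABLE) is reported as unknown and left to a comparison with the correction dates.

```shell
#!/bin/sh
# Added example, not part of the advisories.

# Minimum patch level per release branch, taken from the "Corrected:"
# fields of SA-21:03, SA-21:04, SA-21:05 and SA-21:06.
fixed_patchlevel() {
    case "$1" in
        13.0-BETA3)   echo 1 ;;
        12.2-RELEASE) echo 4 ;;
        11.4-RELEASE) echo 8 ;;
        *)            return 1 ;;
    esac
}

# Classify one version string such as "12.2-RELEASE-p3".
# Prints: patched | vulnerable | unknown
classify_version() {
    ver=$1
    case "$ver" in
        *-p[0-9]*) branch=${ver%-p*}; plevel=${ver##*-p} ;;
        *)         branch=$ver;       plevel=0 ;;
    esac
    # Reject anything that is not a plain number after "-p".
    case "$plevel" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if ! need=$(fixed_patchlevel "$branch"); then
        echo unknown    # -STABLE or a branch the advisories do not list
        return 0
    fi
    if [ "$plevel" -ge "$need" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Combine the three versions a host reports:
#   $1 installed userland, $2 installed kernel, $3 running kernel.
# SA-21:03 is a userland fix (pam_login_access); SA-21:04, SA-21:05 and
# SA-21:06 are kernel fixes, which is why their Solution sections add a
# reboot: an installed but not yet booted kernel leaves the host exposed.
host_status() {
    u=$(classify_version "$1")
    k=$(classify_version "$2")
    r=$(classify_version "$3")
    if [ "$k" = patched ] && [ "$r" = vulnerable ]; then
        kernel=reboot-pending
    else
        kernel=$r
    fi
    echo "userland=$u kernel=$kernel"
}

# On a FreeBSD host:
#   host_status "$(freebsd-version -u)" "$(freebsd-version -k)" "$(uname -r)"
# Constructed sample: update installed, old kernel still running.
host_status 12.2-RELEASE-p4 12.2-RELEASE-p4 12.2-RELEASE-p3
```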
From: grarpamp
Date: Wed, 24 Feb 2021 23:38:36 -0500
Subject: CA's TLS Certificate Bundle in base = BAD
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org

FYI...

Third party CA's are an untrusted automagical nightmare of global and
local MITM risk...

- CA's issuer gone wrong... Govt, Corp, Bribe, Rogue, Court, War,
Force Majeure, Crime, Hack, Spies, Lulz, etc.
- CA's store bundler gone wrong... Mozilla, Microsoft, Apple, BSD, etc
in same ways above.
- Undetected stolen unrevoked unchecked CA's, intermediates, server keys, etc.
- Total/targeted IP/DNS traffic user interception by agents, vpn's,
proxies, tor, mitmproxy, sslstrip, etc.
- Base asserting trust over all that, when reality none is due.

There should be no non-FreeBSD.Org/Foundation CA's shipped in base.
Its shipped pubkey fingerprint sets can bootstrap TLS infra pubkeys/prints
off bsd keyserver, to then pubkey pin TLS fetch(1) / pkg(8) / git(1) to reach
pkg ca_root_cert, git src ports repos, update, iso, etc.
See curl(1) --pinned-pubkey, GPG, etc.

https://www.zdnet.com/article/surveillance-firm-asks-mozilla-to-be-included-in-firefoxs-certificate-whitelist/
https://en.wikipedia.org/wiki/Edward_Snowden
https://duckduckgo.com/?q=rogue+CA+root+certificate
https://www.win.tue.nl/hashclash/rogue-ca/

Users should delete all those ~139 garbage CA's,
only add in the ones they find they need during use,
easily scripted and tooled, start with say the...
- LetsEncrypt chain

And force TLS pubkey fingerprint pin check on critical services.

Search web for howtos.

At minimum require user / install to ack before use...
mv /etc/ssl/certs.shipped_disabled /etc/ssl/certs

From owner-freebsd-security@freebsd.org Fri Feb 26 01:07:59 2021
Date: Thu, 25 Feb 2021 17:07:50 -0800
From: John-Mark Gurney
To: grarpamp
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: CA's TLS Certificate Bundle in base = BAD

grarpamp wrote this message on Wed, Feb 24, 2021 at 23:38 -0500:
> FYI...
>
> Third party CA's are an untrusted automagical nightmare of global and
> local MITM risk...

Do you delete all the CA's from your browsers then?

Having tried to verify the certificate for a bank when verisign f'd up their cert really doesn't work, trust me I've tried it, the support has zero clue what you're talking about, and they have no process to handle such a question...

> - CA's issuer gone wrong... Govt, Corp, Bribe, Rogue, Court, War,
> Force Majeure, Crime, Hack, Spies, Lulz, etc.
> - CA's store bundler gone wrong... Mozilla, Microsoft, Apple, BSD, etc
> in same ways above.
> - Undetected stolen unrevoked unchecked CA's, intermediates, server keys, etc.
> - Total/targeted IP/DNS traffic user interception by agents, vpn's,
> proxies, tor, mitmproxy, sslstrip, etc.
> - Base asserting trust over all that, when reality none is due.

It's even worse if you disable ALL cert checking, and force people to use --no-verify-peer, as then anyone can MitM the connection instead of a reduced set of people..

Considering that pkg used to, by default, d/l packages in clear text, it was very easy to know if a FreeBSD box has CA installed or not, making someone who wants to MitM FreeBSD hosts have an idea of what machines they could likely MitM w/o getting caught making this even MORE dangerous...

> There should be no non-FreeBSD.Org/Foundation CA's shipped in base.

Except that FreeBSD.org doesn't have its own CA. This means that either there isn't ANY certificate, and people couldn't securely d/l from www.freebsd.org out of the box, OR, we use let's encrypt cert, which means that 240 million+ websites would be supported out of the box...

And as you say below, you really have an axe to grind w/ Let's Encrypt, despite them being more secure because of the short expiration of certs... Because CRL's are pretty much universally ignored... so, even if a CA (or a user) revokes a certificate, it's still likely mostly valid...

> Its shipped pubkey fingerprint sets can bootstrap TLS infra pubkeys/prints
> off bsd keyserver, to then pubkey pin TLS fetch(1) / pkg(8) / git(1) to reach
> pkg ca_root_cert, git src ports repos, update, iso, etc.
> See curl(1) --pinned-pubkey, GPG, etc.

pkg install ca_root_cert was already able to be securely installed before this using a similar method..

> Users should delete all those ~139 garbage CA's,
> only add in the ones they find they need during use,
> easily scripted and tooled, start with say the...
> - LetsEncrypt chain

That's what the certctl tool is for, to let users easily do this..

certctl list | tail -n +2 | awk '{ print $1 }' | xargs -n 1 certctl blacklist

> And force TLS pubkey fingerprint pin check on critical services.
>
> Search web for howtos.
>
> At minimum require user / install to ack before use...
> mv /etc/ssl/certs.shipped_disabled /etc/ssl/certs

Last I checked no browser requires users to ack to install those CA's have you attempted to pressure them to?

I'm personally much happier to have them installed by default than before where people were using --no-verify-peer to d/l stuff.

--
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
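
The pin that curl(1) --pinned-pubkey, mentioned in the thread, compares is the base64 SHA-256 of the server certificate's DER SubjectPublicKeyInfo, so a pin keeps matching across certificate renewals as long as the key is unchanged. The following is an added example, not code from any poster or from FreeBSD; the helper names and the unsigned sample certificate skeleton built inline are constructed for illustration.

```python
"""SPKI pin as compared by curl --pinned-pubkey, using only the stdlib."""
import base64
import hashlib


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, start = first, pos + 2
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length


def extract_spki(cert_der):
    """Return the complete SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, tbs_end = read_tlv(cert_der, start)    # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    # Optional [0] EXPLICIT version; v1 certificates omit it.
    if pos < tbs_end and cert_der[pos] == 0xA0:
        pos = read_tlv(cert_der, pos)[2]
    # Skip serialNumber, signature, issuer, validity, subject.
    for _ in range(5):
        pos = read_tlv(cert_der, pos)[2]
    tag, _, spki_end = read_tlv(cert_der, pos)
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:spki_end]


def spki_pin(cert_der):
    """Pin string in the 'sha256//<base64>' form curl accepts."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256//" + base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der, pinned):
    """pinned may hold several ';'-separated pins (current key plus backup key)."""
    wanted = {p.strip() for p in pinned.split(";") if p.strip()}
    return spki_pin(cert_der) in wanted


def der(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample below."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body


def make_sample_cert(pubkey_bytes, with_version=True):
    """Constructed, unsigned certificate skeleton: real layout, dummy contents."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")),
                                   der(0x0C, b"pkg.example.invalid"))))
    validity = der(0x30, der(0x17, b"210224000000Z"), der(0x17, b"220224000000Z"))
    spki = der(0x30,
               der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05)),
               der(0x03, b"\x00" + pubkey_bytes))
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    tbs = der(0x30, version, der(0x02, b"\x01"), alg, name, validity, name, spki)
    cert = der(0x30, tbs, alg, der(0x03, b"\x00" + b"\x00" * 64))
    return cert, spki


if __name__ == "__main__":
    current, _ = make_sample_cert(bytes(range(256)) + b"\x01" * 14)
    other, _ = make_sample_cert(bytes(reversed(range(256))) + b"\x02" * 14)
    pin = spki_pin(current)
    print("pin:", pin)
    print("same key accepted:", pin_matches(current, pin))
    print("different key accepted:", pin_matches(other, pin))
```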

From owner-freebsd-security@freebsd.org Fri Feb 26 07:41:34 2021
Subject: Re: CA's TLS Certificate Bundle in base = BAD
To: freebsd-security
From: Dan Lukes
Date: Fri, 26 Feb 2021 08:41:21 +0100

On 26.2.2021 2:07, John-Mark Gurney wrote:
>> Third party CA's are an untrusted automagical nightmare of global and
>> local MITM risk...
>
> Do you delete all the CA's from your browsers then?

Yes, I'm cleaning them from browser, then I'm adding few CA as needed.

Despite of it, I'm not on grarpamp's side.

People are installing FreeBSD system on it's computer - it require a lot
of trust. Most of users can trust even CA list that's part of FreeBSD
system.

And those paranoid users like me ? We will check pre-installed CA list
all the times. We do it now and we will do it even in the future.
Because we trust no one. So we don't care what's content of file in
stock install.

So I don't vote for grarpamp's proposal. It will decrease effective
security of "standard user" and it will not help to the paranoid ones.

But it would be nice to know how it works. What CA are included into
distributed bundle ? Who is making the final decision ? What rules he is
obliged to follow ?

It should be documented somewhere.

> Having tried to verify the certificate for a bank when verisign f'd
> up their cert really doesn't work, trust me I've tried it, the
> support has zero clue what you're talking about, and they have no
> process to handle such a question...

My bank have defined process you are speaking of here. I has been IT
security officer of such bank and I defined process in question. For
about ten years, there has been one (!) call asking verification of the
certificate. And it has been call from my friend that has been curious
to verify if it works ...

Despite of it, it's not the argument related to the topic we are
speaking of about. Certificates are just tool. It can be used properly
or improperly. The proper use of tool depends on goal, so the goal needs
to be discussed first.

Dan

From owner-freebsd-security@freebsd.org Fri Feb 26 23:49:37 2021
Date: Fri, 26 Feb 2021 15:49:32 -0800
From: John-Mark Gurney
To: Dan Lukes
Cc: freebsd-security
Subject: Re: CA's TLS Certificate Bundle in base = BAD

Dan Lukes wrote this message on Fri, Feb 26, 2021 at 08:41 +0100:
> On 26.2.2021 2:07, John-Mark Gurney wrote:
> >> Third party CA's are an untrusted automagical nightmare of global and
> >> local MITM risk...
> >
> > Do you delete all the CA's from your browsers then?
>
> Yes, I'm cleaning them from browser, then I'm adding few CA as needed.
>
> Despite of it, I'm not on grarpamp's side.
>
> People are installing FreeBSD system on it's computer - it require a lot
> of trust. Most of users can trust even CA list that's part of FreeBSD
> system.
>
> And those paranoid users like me ? We will check pre-installed CA list
> all the times. We do it now and we will do it even in the future.
> Because we trust no one. So we don't care what's content of file in
> stock install.
>
> So I don't vote for grarpamp's proposal. It will decrease effective
> security of "standard user" and it will not help to the paranoid ones.
>
> But it would be nice to know how it works. What CA are included into
> distributed bundle ? Who is making the final decision ? What rules he is
> obliged to follow ?
>
> It should be documented somewhere.

I do agree that it should be documented better. There is this file that helps answers most of them:
https://cgit.freebsd.org/src/tree/secure/caroot/README

The short answer is that it's managed by secteam/security-officer, and follows the Mozilla store... This is likely the best option, as Mozilla is quite public about various CA issues over the years, and how they are managed..

> > Having tried to verify the certificate for a bank when verisign f'd
> > up their cert really doesn't work, trust me I've tried it, the
> > support has zero clue what you're talking about, and they have no
> > process to handle such a question...
>
> My bank have defined process you are speaking of here. I has been IT
> security officer of such bank and I defined process in question. For
> about ten years, there has been one (!) call asking verification of the
> certificate. And it has been call from my friend that has been curious
> to verify if it works ...

I think I tried this 15+ years ago. :)

> Despite of it, it's not the argument related to the topic we are
> speaking of about. Certificates are just tool. It can be used properly
> or improperly. The proper use of tool depends on goal, so the goal needs
> to be discussed first.

The certctl command was written specifically to address the issue of making it easy for users, like yourself, to blacklist various CA's...

Yes, there are lots of packages that are installed by users, but at the same time, FreeBSD has prided itself on being a "complete" operating system out of the box, and IMO, the lack of certs made the security out of the box not good.

Also, the number of users who didn't KNOW to install ca_root_nss to resolve the issue was another problem as well...

--
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Sat Feb 27 21:23:04 2021
Date: Sat, 27 Feb 2021 23:22:52 +0200
From: Gareth de Vaux
To: freebsd-security@freebsd.org
Subject: user account disappeared

Hi all, one of my users in a jail has mysteriously half disappeared.
I've renamed the user to 'lostuser', the password hash, and the process it's running to protect privacy below:

I suddenly can't log in over ssh:

sshd[22485]: Invalid user lostuser from XYZ

# su - lostuser
su: unknown login: lostuser

# ls -ld /home/lostuser
drwx------ 8 1012 users 18 Jan 23 11:19 /home/lostuser

$HOME still exists but only showing the userid.

# egrep "1012|lostuser" /etc/passwd
lostuser:*:1012:1000:User &:/home/lostuser:/usr/local/bin/bash
# egrep "1012|lostuser" /etc/master.passwd
lostuser:$6$9xxxxx/:1012:1000::0:0:User &:/home/lostuser:/usr/local/bin/bash

Entries are still in /etc/*passwd ?

# ls -l /etc/*passwd /etc/group
-rw-r--r-- 1 root wheel 605 Nov 6 16:52 /etc/group
-rw------- 1 root wheel 4092 Jan 23 12:22 /etc/master.passwd
-rw-r--r-- 1 root wheel 2621 Jan 23 12:22 /etc/passwd

This process is still running, which is a network server which is still functioning:

# ps aux | grep lostuser
1012 56261 0.0 0.1 44952 21288 7 S+J 3Dec20 9:52.21 /usr/local/bin/python3.6 /home/lostuser/xyz

also obviously showing the userid and not the username.

# grep lostuser /var/log/auth.log
...
Dec 31 10:56:34 ns1 sshd[43798]: Accepted publickey for lostuser from xyz
Dec 31 10:56:57 ns1 sshd[44133]: Disconnected from user lostuser
Jan 10 09:37:05 ns1 sshd[9679]: Accepted publickey for lostuser from xyz
Jan 10 09:37:09 ns1 sshd[10241]: Disconnected from user lostuser
Jan 23 11:19:11 ns1 sshd[45905]: Accepted publickey for lostuser from xyz
Jan 23 11:19:14 ns1 sshd[46228]: Disconnected from user lostuser
Feb 27 18:06:49 ns1 sshd[93323]: Invalid user lostuser from xyz
Feb 27 18:06:49 ns1 sshd[93323]: Connection closed by invalid user lostuser xyz

23 Jan 2021 was the last successful login, and later that day /etc/*passwd was touched due to me changing the password of a different user, confirmed as the only change from diff'ing against backups.

Last buildworld upgrade on 3 Nov 2020 (host and jail):

$ uname -a
FreeBSD ns1.lordcow.org 11.4-STABLE FreeBSD 11.4-STABLE #0 r367290: Tue Nov 3 12:11:29 SAST 2020 root@lordcow.org:/usr/obj/usr/src/sys/GENERIC amd64

The last ports upgrade was 13 Feb 2021, before that I'm not sure.

The last entry in /var/log/userlog was 23 Jul 2020, and:

# ls -l /var/log/userlog
-rw------- 1 root wheel 4202 Jul 23 2020 /var/log/userlog

ie. timeline:

23 Jul 2020 Last userlog change
3 Nov 2020 buildkernel/buildworld and reboot
3 Dec 2020 lostuser network server process spawned and still functioning
23 Jan 2021 Last successful login to lostuser
23 Jan 2021 Unrelated user's password intentionally changed with passwd
13 Feb 2021 ports upgrade
27 Feb 2021 Discover user doesn't exist anymore but still has entries in /etc/*passwd and a process running

Any ideas?