List-Archive: https://lists.freebsd.org/archives/freebsd-security

From: grarpamp
To: freebsd-security@freebsd.org
Date: Thu, 27 Jul 2023 18:03:00 -0400
Subject: Re: Zenbleed
In-Reply-To: <1958561.iAkVjBisvr@ravel>

On 7/27/23, Olivier Certner wrote:
> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=0bc3126c9cfa0b8c761483215c25382f831a7c6f

That commit is labeled for 17h (z1/z1+/z2).
The one below was made less than one day prior for 19h (z3/z3+/z4),
so it likely contains some mitigation. Try loading it to those
platforms and testing the exploit against them to see.

b250b32ab1d044953af2dc5e790819a7703b7ee6

https://en.wikipedia.org/wiki/List_of_AMD_CPU_microarchitectures

Microcode firmware is literally TOP-SECRET//SCI weaponized magic packet
voodoo silo black team stuff, thus updates usually don't get consistent
glossy docs publication coordination, let alone exactly what all is
being applied to which chips by which releases.

More interesting solutions are out there for you to start and join...

#OpenFabs , #OpenHW , #OpenAudit , #FormalVerification ,
#CryptoCrowdFunding , #OpenTrust , #GuerrillaNets , #P2PFiber ,
#GNURadioRF , #PrivacyCoins , #DropGangs , ...
From: Thomas Hurst
To: freebsd-security@freebsd.org
Date: Sun, 30 Jul 2023 16:45:56 +0000
Subject: Re: Zenbleed
Organization: Not much.

* Konstantin Belousov (kostikbel@gmail.com) wrote:
> On Wed, Jul 26, 2023 at 08:34:56PM +0000, 0x1eef wrote:
> > Hello,
> >
> > I was curious if there are plans to apply the "chicken bit"
> > workaround for the Ryzen line of processors. A firmware
> > update is not scheduled to be released until Nov or Dec
> > at the earliest. Thanks.
>
> The chicken bit workaround is
> # for x in /dev/cpuctl*; do cpucontrol -m '0xc0011029|=0x200' $x; done
> there is nothing to wait for. It is silly to push this into kernel when
> recommended solution is ucode update.

I created an rc script for this, including a check that the system is
actually running a Zen 2 CPU:

https://gist.github.com/Freaky/2560975d3c94246b86f464b8be75c967

--
Thomas 'Freaky' Hurst
https://hur.st/
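A sh sketch of the check Thomas describes, added here as an example (it is not his gist and not FreeBSD code): it decodes the CPUID signature that FreeBSD logs as "Id=0x..." in /var/run/dmesg.boot, runs Konstantin's cpucontrol one-liner only when the part is Zen 2, and does nothing unless invoked with "apply". The Zen 2 model ranges, the dmesg field it reads, and the sample signatures are assumptions, not from the thread.

```shell
#!/bin/sh
# Zenbleed "chicken bit" (DE_CFG bit 9, MSR 0xc0011029) gated on a Zen 2 check.
# Assumed: Zen 2 == family 0x17 with model 0x30-0x3f, 0x60-0x7f or 0xa0-0xaf;
# cpuctl(4) loaded so /dev/cpuctl* exist. MSR and bit come from the thread.

ZENBLEED_MSR='0xc0011029'
ZENBLEED_BIT='0x200'

# Displayed family from CPUID.1:EAX; the extended family (bits 27:20) is
# added only when the base family (bits 11:8) is 0xf, as AMD specifies.
cpuid_family() {
    sig=$(( $1 ))
    base=$(( (sig >> 8) & 0xf ))
    if [ "$base" -eq 15 ]; then
        echo $(( base + ((sig >> 20) & 0xff) ))
    else
        echo "$base"
    fi
}

# Displayed model: extended model (bits 19:16) is prepended to the base
# model (bits 7:4) when the base family is 0x6 or 0xf.
cpuid_model() {
    sig=$(( $1 ))
    base=$(( (sig >> 8) & 0xf ))
    model=$(( (sig >> 4) & 0xf ))
    if [ "$base" -eq 15 ] || [ "$base" -eq 6 ]; then
        echo $(( (((sig >> 16) & 0xf) << 4) | model ))
    else
        echo "$model"
    fi
}

# True (0) when the signature belongs to a Zen 2 core (assumed ranges).
is_zen2() {
    fam=$(cpuid_family "$1")
    mod=$(cpuid_model "$1")
    [ "$fam" -eq 23 ] || return 1                                   # 0x17
    if [ "$mod" -ge 48 ]  && [ "$mod" -le 63 ];  then return 0; fi  # 0x30-0x3f
    if [ "$mod" -ge 96 ]  && [ "$mod" -le 127 ]; then return 0; fi  # 0x60-0x7f
    if [ "$mod" -ge 160 ] && [ "$mod" -le 175 ]; then return 0; fi  # 0xa0-0xaf
    return 1
}

# Signature as FreeBSD prints it at boot, e.g. "Id=0x870f10" (assumed format).
boot_cpuid_sig() {
    sed -n 's/.*Id=\(0x[0-9a-fA-F]*\).*/\1/p' /var/run/dmesg.boot 2>/dev/null |
        head -n 1
}

# Konstantin's one-liner: set the bit on every CPU via cpucontrol(8).
zenbleed_apply() {
    for dev in /dev/cpuctl*; do
        cpucontrol -m "${ZENBLEED_MSR}|=${ZENBLEED_BIT}" "$dev" || return 1
    done
}

main() {
    sig=$(boot_cpuid_sig)
    if [ -z "$sig" ]; then
        echo "zenbleed: could not determine CPUID signature" >&2
        return 1
    fi
    if is_zen2 "$sig"; then
        printf 'zenbleed: Zen 2 (family 0x17, model 0x%x) found, setting DE_CFG bit 9\n' \
            "$(cpuid_model "$sig")"
        zenbleed_apply
    else
        echo "zenbleed: CPUID $sig is not Zen 2, nothing to do"
    fi
}

# Only touch MSRs when explicitly asked; sourcing the file is side-effect free.
case "${1:-}" in
    apply) main ;;
esac
```

The sample signatures used below (0x870f10 for a Zen 2 Matisse part, 0x800f11 for a Zen 1 part, 0x906ea for an Intel family 6 part) are illustrative values, not taken from the thread.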
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Tue, 1 Aug 2023 21:38:04 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-23:06.ipv6
Message-Id: <20230801213804.4AD9019D3D@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-23:06.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote denial of service in IPv6 fragment reassembly

Category:       core
Module:         ipv6
Announced:      2023-08-01
Credits:        Zweig of Kunlun Lab
Affects:        All supported versions of FreeBSD
Corrected:      2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
                2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-3107

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 packets may be fragmented in order to accommodate the maximum
transmission unit (MTU) of the network path between the source and
destination hosts. The FreeBSD kernel keeps track of received packet
fragments and will reassemble the original packet once all fragments
have been received, at which point the packet is processed normally.

II.  Problem Description

Each fragment of an IPv6 packet contains a fragment header which
specifies the offset of the fragment relative to the original packet,
and each fragment specifies its length in the IPv6 header. When
reassembling the packet, the kernel calculates the complete IPv6 payload
length. The payload length must fit into a 16-bit field in the IPv6
header.

Due to a bug in the kernel, a set of carefully crafted packets can
trigger an integer overflow in the calculation of the reassembled
packet's payload length field.

III. Impact

Once an IPv6 packet has been reassembled, the kernel continues
processing its contents. It does so assuming that the fragmentation
layer has validated all fields of the constructed IPv6 header. This bug
violates such assumptions and can be exploited to trigger a remote
kernel panic, resulting in a denial of service.

IV.  Workaround

Users with IPv6 disabled on untrusted network interfaces are not
affected. Such interfaces will have the IFDISABLED nd6 flag set in
ifconfig(8).

The kernel may be configured to drop all IPv6 fragments by setting the
net.inet6.ip6.maxfrags sysctl to 0. Doing so will prevent the bug from
being triggered, with the caveat that legitimate IPv6 fragments will be
dropped.

If the pf(4) firewall is enabled, and scrubbing and fragment reassembly
is enabled on untrusted interfaces, the bug cannot be triggered. This is
the default if pf(4) is enabled.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or
Subversion revision number in the following stable and release
branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              9515f04fe3b1     stable/13-n255919
releng/13.2/                            da38eaca4a22   releng/13.2-n254626
releng/13.1/                            4e548c72914a   releng/13.1-n250191
stable/12/                                                          r373149
releng/12.4/                                                        r373152
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a
particular revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
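An added audit script for the Workaround section of SA-23:06 above (example code, not part of the advisory): it lists the non-loopback interfaces that lack the IFDISABLED nd6 flag, and treats net.inet6.ip6.maxfrags=0 as covering the whole host. The ifconfig(8) output layout it parses and the sample text are assumptions; it does not inspect pf(4) scrub rules, which the advisory names as a further mitigation.

```shell
#!/bin/sh
# Which interfaces on this host would still reassemble IPv6 fragments?
# Assumed ifconfig -a layout: a "name: flags=...<FLAGS>" header line per
# interface, followed by indented lines including "nd6 options=..<FLAGS>".

# Read ifconfig -a text on stdin; print the name of every interface that is
# not LOOPBACK and whose nd6 options do not include IFDISABLED.
ipv6_active_ifaces() {
    awk '
        /^[A-Za-z0-9_.]+: flags=/ {
            emit()
            name = $1; sub(/:$/, "", name)
            if ($0 ~ /LOOPBACK/) loop = 1
            next
        }
        /^[ \t]+nd6 options=/ { if ($0 ~ /IFDISABLED/) disabled = 1; next }
        END { emit() }
        function emit() {
            if (name != "" && !loop && !disabled) print name
            name = ""; loop = 0; disabled = 0
        }
    '
}

# The kernel-wide workaround from the advisory: maxfrags=0 drops all fragments.
frag_reassembly_disabled() {
    [ "${1:-1}" -eq 0 ]
}

# Verdict for a host: ifconfig text on stdin, maxfrags value as $1.
# Prints the exposed interfaces and returns 1 if any; returns 0 when covered.
ipv6_frag_exposure() {
    if frag_reassembly_disabled "$1"; then
        return 0
    fi
    exposed=$(ipv6_active_ifaces)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Constructed sample of ifconfig -a output (not captured from a real host):
# lo0 is loopback, em1 has IPv6 disabled, em0 and tun0 still accept IPv6.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 ::1 prefixlen 128
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:00:00:00:00:01
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 2001:db8::10 prefixlen 64
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:00:00:00:00:02
    inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    inet6 fe80::2%tun0 prefixlen 64 scopeid 0x3
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# Live run on a FreeBSD host: ./ipv6-frag-audit.sh audit
case "${1:-}" in
    audit) ifconfig -a | ipv6_frag_exposure "$(sysctl -n net.inet6.ip6.maxfrags)" ;;
esac
```

On the sample above the script names em0 and tun0 as the interfaces that still need the kernel update (or maxfrags=0 / pf scrub) to be safe.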
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Tue, 1 Aug 2023 21:38:10 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-23:07.bhyve
Message-Id: <20230801213810.1CD3D19DB2@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-23:07.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve privileged guest escape via fwctl

Category:       core
Module:         bhyve
Announced:      2023-08-01
Credits:        Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft
Affects:        FreeBSD 13.1 and 13.2
Corrected:      2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
CVE Name:       CVE-2023-3494

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8)'s fwctl interface provides a mechanism through which guest
firmware can query the hypervisor for information about the virtual
machine. The fwctl interface is available to guests when bhyve is run
with the "-l bootrom" option, used for example when booting guests in
UEFI mode.

bhyve is currently only supported on the amd64 platform.

II.  Problem Description

The fwctl driver implements a state machine which is executed when the
guest accesses certain x86 I/O ports. The interface lets the guest copy
a string into a buffer resident in the bhyve process' memory. A bug in
the state machine implementation can result in a buffer overflowing
when copying this string.

III. Impact

A malicious, privileged software running in a guest VM can exploit the
buffer overflow to achieve code execution on the host in the bhyve
userspace process, which typically runs as root. Note that bhyve runs
in a Capsicum sandbox, so malicious code is constrained by the
capabilities available to the bhyve process.

IV.  Workaround

No workaround is available. bhyve guests that are executed without the
"-l bootrom" option are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all affected virtual machines.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc
# gpg --verify bhyve.13.2.patch.asc

[FreeBSD 13.1]
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc
# gpg --verify bhyve.13.1.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all affected virtual machines.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or
Subversion revision number in the following stable and release
branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              9fe302d78109     stable/13-n255918
releng/13.2/                            2bae613e0da3   releng/13.2-n254625
releng/13.1/                            87702e38a4b4   releng/13.1-n250190
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RFpPq1W9Dz3Npj; Tue, 1 Aug 2023 21:38:23 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1690925903; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=4FyxMhvJhYkw1CS3aiqAAMu1SpXXfB5UAEx5SvteShM=; b=cwW9E7dGx+nX7Qgidx2W60oUNPTiwIGn869RPhPwM2vijSti4xabNcqGAU3olt0LDfuTo3 VryW8U+47cYngFQZAfwog8UKHnD/Jiq1mOZL/WZXphkEDEA3uq5KIAopTscsbLSDxvX78Q CteNFiujafRogqh8oojbZeSkjn/+XXD5ac49vdTzY5lQDerSoVqIZHLyWVJXb4qdN8C7j2 8uUAOhbdjuNcbMPER6oKp4g8tZje0QLnbuDP/E+hx+hya/nd7/xiaR/Lq6/WpW5PZSeOOP lm3+iq7crpRmLRZ6vBS5++uVeHpkwYyjCVCGvatGeogPAzW8PAQvSUQFz9g2eA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1690925903; a=rsa-sha256; cv=none; b=GH/SLc2AXJR3Ab9/unu/34YP3enFZHkzwHCEwrWt/XHWKXdERA/F+4/4+FuI6D5aAWv32O M1hG2tY9ysAlEO8zHZXfunhookdaXxftWvxclPbqT8UmX2nN/7HbdtoHtGYuujCzGIIk2z TWvLWqSM6IjMNaDa6Vw8lwVpoyz+53MApO3BfTvAgKqSJTVzObL+qjGohAph5l8RYVkS/O LxhX/GS3wJxknTvhUvXK21z6iTRcQDPSVaDQWpjl/y8N7sE+XGNLGn+uLOK5w6kzQrQ2f3 w2LCuslcfQtEVrS/q0XeVnXJcdMEXfUt13iITKppESqiY63eh23YcYV43JVfdg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1690925903; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=4FyxMhvJhYkw1CS3aiqAAMu1SpXXfB5UAEx5SvteShM=; b=PW67kghVEc57OJVekdP+bHZzaSGkaxptAjb2YUtpZHwUw22GArJYzsima2pJg7WFMGV/Do f4MWqKqqR6MgMJ8SU91h/0x2x6wlrUmEfPE3CPWhy8OGzT4GUq0NHDJHwFuRP+8TQeIoum 
MOJ+eHjdRuBekuMBbC7y5Y+rAzPEEMJzG0lxXTayjQmX6oWgCc8GrnAcDgOswkYLNRq5qU 46EGqi5rYy8bH9layTA92KFKQWRbMJBAR/n2nxILHYcT81oA8cN7gvN9XYIlQUW8CaXvuN ieACZMc0eiQVwtAjBq+WrDrH/3Nx4uMeY8SHSFt3uBF4qQR6VfF7LcMOPGqVPw== Received: by freefall.freebsd.org (Postfix, from userid 945) id EED9B19D41; Tue, 1 Aug 2023 21:38:22 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-23:09.pam_krb5 Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20230801213822.EED9B19D41@freefall.freebsd.org> Date: Tue, 1 Aug 2023 21:38:22 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-23:09.pam_krb5 Security Advisory The FreeBSD Project Topic: Network authentication attack via pam_krb5 Category: core Module: pam_krb5 Announced: 2023-08-01 Affects: All supported versions of FreeBSD Corrected: 2023-07-08 05:44:29 UTC (stable/13, 13.2-STABLE) 2023-08-01 19:50:30 UTC (releng/13.2, 13.2-RELEASE-p2) 2023-08-01 19:48:09 UTC (releng/13.1, 13.1-RELEASE-p9) 2023-07-08 05:44:51 UTC (stable/12, 12.4-STABLE) 2023-08-01 19:46:53 UTC (releng/12.4, 12.4-RELEASE-p4) CVE Name: CVE-2023-3326 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Kerberos 5 (krb5) is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. 
The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. pam_krb5 is a PAM module that allows using a Kerberos password to authenticate the user. pam_krb5 is disabled in the default FreeBSD installation. pam_krb5 uses passwords for authentication, which is distinct from Kerberos native protocols like GSSAPI, which allows for login without the exchange of passwords. GSSAPI is not affected by this issue. II. Problem Description The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following the patch for that advisory. III. Impact The impact described in FreeBSD-SA-23:04.pam_krb5 persists. IV. Workaround If you are not using Kerberos at all, ensure /etc/krb5.conf is missing from your system. Additionally, ensure pam_krb5 is commented out of your PAM configuration located as documented in pam.conf(5), generally /etc/pam.d. Note, the default FreeBSD PAM configuration has pam_krb5 commented out. If you are using Kerberos, but not using pam_krb5, ensure pam_krb5 is commented out of your PAM configuration located as documented in pam.conf(5), generally /etc/pam.d. Note, the default FreeBSD PAM configuration has pam_krb5 commented out. If you are using pam_krb5, ensure you have a keytab on your system as provided by your Kerberos administrator. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. 
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch
# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch.asc
# gpg --verify pam_krb5.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the PAM module, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              d295e418ae7e        stable/13-n255792
releng/13.2/                            9b45d8eddfac      releng/13.2-n254622
releng/13.1/                            140f65a20533      releng/13.1-n250188
stable/12/                                                          r373127
releng/12.4/                                                        r373150
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a
particular revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
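The Workaround section of SA-23:09 amounts to three checks on a host: is pam_krb5 really commented out of every file under /etc/pam.d, does /etc/krb5.conf exist, and, if pam_krb5 is in use, is a keytab present. The script below is an added example, not part of the advisory, that automates those checks. It treats a pam_krb5 line as active only when the first non-blank character is not '#' and the module name appears before any trailing comment. The keytab location /etc/krb5.keytab is an assumption (the Heimdal/MIT default); pass a different path if your Kerberos administrator placed it elsewhere.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a host against the
# FreeBSD-SA-23:09.pam_krb5 workaround.

# pam_krb5_active [PAMDIR]
# Print "file:line" for every pam_krb5 entry that is still active (first
# non-blank character is not '#', module name before any trailing comment).
# Exit 0 when nothing is active, 1 otherwise.
pam_krb5_active() {
  dir=${1:-/etc/pam.d}
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # grep -n prefixes each hit with its line number; cut keeps only that
    hits=$(grep -nE '^[[:space:]]*[^#[:space:]][^#]*pam_krb5' "$f" | cut -d: -f1)
    for num in $hits; do
      printf '%s:%s\n' "$f" "$num"
      rc=1
    done
  done
  return $rc
}

# krb5_workaround_status [PAMDIR] [KRB5CONF] [KEYTAB]
# Map the host onto the advisory's three cases and print one token:
#   no-krb5                   no krb5.conf, pam_krb5 disabled: nothing to do
#   krb5-no-pam               Kerberos configured, pam_krb5 disabled: ok
#   pam_krb5-active-keytab    pam_krb5 in use and a keytab is present:
#                             workaround satisfied, patch still required
#   pam_krb5-active-no-keytab pam_krb5 in use and no keytab: exposed until a
#                             keytab is installed or the patch is applied
# /etc/krb5.keytab as the keytab location is an assumption of this example.
krb5_workaround_status() {
  pamdir=${1:-/etc/pam.d}
  conf=${2:-/etc/krb5.conf}
  keytab=${3:-/etc/krb5.keytab}
  if pam_krb5_active "$pamdir" >/dev/null; then
    # nothing active: distinguish "no Kerberos" from "Kerberos without PAM"
    if [ -e "$conf" ]; then echo krb5-no-pam; else echo no-krb5; fi
  elif [ -s "$keytab" ]; then
    echo pam_krb5-active-keytab
  else
    echo pam_krb5-active-no-keytab
  fi
}
```

Source the file and run `pam_krb5_active; krb5_workaround_status` as root on the host; a non-zero exit from the first function means the advisory's workaround does not apply and the patch is the only remedy short of disabling the module.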
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:08.ssh
Reply-To: freebsd-security@freebsd.org
Date: Tue, 1 Aug 2023 21:38:14 +0000 (UTC)
Message-Id: <20230801213815.43A9019D40@freefall.freebsd.org>
=============================================================================
FreeBSD-SA-23:08.ssh                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Potential remote code execution via ssh-agent forwarding

Category:       contrib
Module:         OpenSSH
Announced:      2023-08-01
Credits:        Qualys
Affects:        All supported versions of FreeBSD.
Corrected:      2023-07-21 14:41:41 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-07-21 16:25:51 UTC (stable/12, 12.4-STABLE)
                2023-08-01 19:47:00 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-38408

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

ssh-agent is a program to hold private keys used for OpenSSH public key
authentication.  Connections to ssh-agent may be forwarded from further
remote hosts using the -A option to ssh.  The server to which the ssh-agent
connection is forwarded may cause the ssh-agent process to load (and
unload) operating system-provided shared libraries to support the addition
and deletion of PKCS#11 keys.

II.  Problem Description

The server may cause ssh-agent to load shared libraries other than those
required for PKCS#11 support.  These shared libraries may have side effects
that occur on load and unload (dlopen and dlclose).

III. Impact

An attacker with access to a server that accepts a forwarded ssh-agent
connection may be able to execute code on the machine running ssh-agent.

Note that the attack relies on properties of operating system-provided
libraries.  This has been demonstrated on other operating systems; it is
unknown whether this attack is possible using the libraries provided by a
FreeBSD installation.

IV.  Workaround

Avoid using ssh-agent forwarding, or start ssh-agent with an empty
PKCS#11/FIDO allowlist (ssh-agent -P ''), or configure an allowlist that
contains only specific provider libraries.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
restart any ssh sessions using ssh-agent forwarding.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch.asc
# gpg --verify ssh.13.2.patch.asc

[FreeBSD 13.1]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch.asc
# gpg --verify ssh.13.1.patch.asc

[FreeBSD 12.4]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch.asc
# gpg --verify ssh.12.4.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all ssh sessions that use ssh-agent forwarding, or reboot.
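The first workaround above, not forwarding the agent at all, is only as good as the client configuration: forwarding is enabled either by `ssh -A` on the command line or by a `ForwardAgent yes` in ~/.ssh/config or /etc/ssh/ssh_config, and because ssh_config(5) takes the first value obtained for each option, a `ForwardAgent yes` in an early `Host *` block silently applies to every host below it. The function below is an added example, not part of the advisory or of OpenSSH, that lists every active `ForwardAgent yes` in a config file together with the Host/Match block it belongs to. It parses only the `Keyword value` form, not `Keyword=value`, which is a limitation of this example rather than of ssh_config.

```shell
#!/bin/sh
# Added example (not from the advisory): find every ssh_config(5) line that
# turns on agent forwarding, with the Host/Match block it lives in.
#
# forward_agent_hits FILE
# Prints "file:line:scope" per hit; exit 1 if any hit, 0 if none.
# Keywords are matched case-insensitively, as ssh does; comments are
# stripped first so a commented-out "# ForwardAgent yes" does not count.
forward_agent_hits() {
  awk '
    { sub(/#.*/, "") }                       # drop comments, re-split fields
    NF == 0 { next }
    tolower($1) == "host" || tolower($1) == "match" {
      # remember the enclosing block, normalised to single spaces
      scope = $1; for (i = 2; i <= NF; i++) scope = scope " " $i
      next
    }
    tolower($1) == "forwardagent" && tolower($2) == "yes" {
      printf "%s:%d:%s\n", FILENAME, FNR, (scope == "" ? "(global)" : scope)
      hit = 1
    }
    END { exit (hit ? 1 : 0) }
  ' "$1"
}
```

Run it against both ~/.ssh/config and /etc/ssh/ssh_config; anything it reports should become `ForwardAgent no` (or be confined to a specific Host block you trust), and where forwarding must stay on, the advisory's second workaround applies: start the agent as `ssh-agent -P ''` so it will not dlopen any provider library on a remote peer's request.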
VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              d578a19e2cd3        stable/13-n255848
releng/13.2/                            20bcfc33d3f2      releng/13.2-n254624
releng/13.1/                            3d3a1cbfd7a2      releng/13.1-n250189
stable/12/                                                          r373142
releng/12.4/                                                        r373151
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a
particular revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
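Both advisories on this page, SA-23:08.ssh and SA-23:09.pam_krb5, are corrected at the same release patch levels (13.2-RELEASE-p2, 13.1-RELEASE-p9, 12.4-RELEASE-p4). The function below is an added example, not part of either advisory, that turns those "Corrected:" fields into a check against the output of freebsd-version(1), so a fleet can be triaged before deciding between freebsd-update and a source rebuild. Both fixes are in userland (pam_krb5 and ssh-agent), so `freebsd-version -u` is the output that matters; stable and current builds carry no patch level and must be compared against the correction dates instead, which the function signals with exit status 2.

```shell
#!/bin/sh
# Added example (not from the advisories): decide from freebsd-version(1)
# output whether a RELEASE host already carries the SA-23:08.ssh and
# SA-23:09.pam_krb5 fixes. Patch levels come from the "Corrected:" fields
# of both advisories, which are identical for the two issues.

# sa23_min_patchlevel RELEASE -> first patched -pN for that releng branch,
# empty for a branch the advisories do not list
sa23_min_patchlevel() {
  case "$1" in
    13.2) echo 2 ;;
    13.1) echo 9 ;;
    12.4) echo 4 ;;
    *)    echo "" ;;
  esac
}

# sa23_fixed VERSION
# VERSION is freebsd-version output such as "13.2-RELEASE-p1".
# Exit 0: patched; 1: vulnerable; 2: cannot tell from the version string
# (STABLE/CURRENT builds must be compared against the correction dates).
sa23_fixed() {
  ver=$1
  rel=${ver%%-*}          # "13.2"
  rest=${ver#*-}          # "RELEASE-p1", "RELEASE", "STABLE", ...
  case "$rest" in
    RELEASE)     p=0 ;;                    # unpatched GA release
    RELEASE-p*)  p=${rest#RELEASE-p} ;;    # patch level after "-p"
    *)           return 2 ;;
  esac
  case "$p" in *[!0-9]*|"") return 2 ;; esac   # guard against odd strings
  need=$(sa23_min_patchlevel "$rel")
  [ -n "$need" ] || return 2
  [ "$p" -ge "$need" ]
}

# On a live host (assumes freebsd-version(1) is present):
#   sa23_fixed "$(freebsd-version -u)" && echo "userland carries both fixes"
```

A host that was rebuilt from a releng branch after the correction date also reports the new patch level, since the patch bumps the version string; a host that shows the right level from `-u` but not from `-k` merely has an older kernel booted, which does not matter for these two userland fixes.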