From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:04.openssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240701085840.0EA17B51@freefall.freebsd.org>
Date: Mon, 01 Jul 2024 08:58:40 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:04.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH pre-authentication remote code execution

Category:       contrib
Module:         openssh
Announced:      2024-07-01
Credits:        Qualys Threat Research Unit (TRU)
Affects:        All supported versions of FreeBSD.
Corrected:      2024-07-01 08:22:13 UTC (stable/14, 14.1-STABLE)
                2024-07-01 08:24:48 UTC (releng/14.1, 14.1-RELEASE-p2)
                2024-07-01 08:26:05 UTC (releng/14.0, 14.0-RELEASE-p8)
                2024-07-01 08:23:16 UTC (stable/13, 13.3-STABLE)
                2024-07-01 08:27:10 UTC (releng/13.3, 13.3-RELEASE-p4)
                2024-07-01 08:27:53 UTC (releng/13.2, 13.2-RELEASE-p12)
CVE Name:       CVE-2024-6387

Note: Due to the fact this advisory is being released the day after
13.2-RELEASE is going out of support, the Security Team has decided to
include 13.2-RELEASE in the response for this issue.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services, including
remote shell access.

II.  Problem Description

A signal handler in sshd(8) calls a function that is not async-signal-safe.
The signal handler is invoked when a client does not authenticate within the
LoginGraceTime seconds (120 by default).  This signal handler executes in the
context of the sshd(8)'s privileged code, which is not sandboxed and runs
with full root privileges.

This issue is a regression of CVE-2006-5051 originally reported by Mark Dowd
and accidentally reintroduced in OpenSSH 8.5p1.

III. Impact

As a result of calling functions that are not async-signal-safe in the
privileged sshd(8) context, a race condition exists that a determined
attacker may be able to exploit to allow an unauthenticated remote code
execution as root.

IV.  Workaround

If sshd(8) cannot be updated, this signal handler race condition can be
mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
restarting sshd(8).  This makes sshd(8) vulnerable to a denial of service
(the exhaustion of all MaxStartups connections), but makes it safe from the
remote code execution presented in this advisory.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# service sshd restart

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-14.1.patch
# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-14.1.patch.asc
# gpg --verify openssh-14.1.patch.asc

[FreeBSD 14.0]
# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-14.0.patch
# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-14.0.patch.asc
# gpg --verify openssh-14.0.patch.asc

[FreeBSD 13.3]
# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-13.3.patch
# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-13.3.patch.asc
# gpg --verify openssh-13.3.patch.asc

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-24:04/openssh-13.2.patch.asc
# gpg --verify openssh-13.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              620a6a54bb7b    stable/14-n268045
releng/14.1/                            8f80def8aa08  releng/14.1-n267683
releng/14.0/                            70eb00f17b31  releng/14.0-n265420
stable/13/                              25cf430cd551    stable/13-n258037
releng/13.3/                            e3e0912f2977  releng/13.3-n257437
releng/13.2/                            99ad94894edf  releng/13.2-n254666
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
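
A triage check built from this advisory's "Corrected:" field and the section IV workaround, as an added example that is not part of the advisory or of FreeBSD's tooling. The function names are hypothetical; it assumes the version string has the form printed by `freebsd-version -u` and that the sshd_config being read uses no Include directives.

```sh
#!/bin/sh
# Added example: classify a host against FreeBSD-SA-24:04.openssh.
# Patch levels below are copied from the advisory's "Corrected:" field.

# fixed_patchlevel RELEASE -> lowest -pN that carries the fix, or empty.
fixed_patchlevel() {
    case "$1" in
        14.1) echo 2 ;;
        14.0) echo 8 ;;
        13.3) echo 4 ;;
        13.2) echo 12 ;;
        *)    echo "" ;;
    esac
}

# release_status VERSION -> patched | vulnerable | unknown
# VERSION looks like 13.3-RELEASE-p3 (userland version, as sshd is userland).
# STABLE branches return "unknown": compare the commit count from
# "git rev-list --count --first-parent HEAD" with the advisory table instead.
release_status() {
    ver=$1
    case "$ver" in
        *-RELEASE*) ;;
        *) echo unknown; return 0 ;;
    esac
    rel=${ver%%-*}
    case "$ver" in
        *-RELEASE-p*) pl=${ver##*-p} ;;
        *)            pl=0 ;;            # plain RELEASE has no patches applied
    esac
    case "$pl" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    need=$(fixed_patchlevel "$rel")
    if [ -z "$need" ]; then
        echo unknown
    elif [ "$pl" -ge "$need" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# login_grace_time FILE -> value sshd would take from FILE.
# Keywords are case-insensitive, the first value obtained wins, and the
# default is 120 seconds. Comments are stripped; keyword and value may be
# separated by whitespace or "=".
login_grace_time() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }
        tolower($1) == "logingracetime" { print $2; found = 1; exit }
        END { if (!found) print 120 }
    ' "$1"
}

# triage VERSION SSHD_CONFIG -> patched | mitigated | vulnerable | unknown
# "mitigated" means the workaround is configured; it only takes effect once
# sshd has been restarted, and it leaves the MaxStartups denial of service
# described in section IV.
triage() {
    st=$(release_status "$1")
    if [ "$st" = patched ]; then
        echo patched
        return 0
    fi
    case "$(login_grace_time "$2")" in
        0|0[sSmMhHdDwW]) echo mitigated ;;
        *)               echo "$st" ;;
    esac
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
logingracetime 0      # workaround applied
LoginGraceTime 2m     # ignored, the first value wins
EOF
echo "13.3-RELEASE-p3 with workaround: $(triage 13.3-RELEASE-p3 "$sample")"
echo "13.3-RELEASE-p4 with workaround: $(triage 13.3-RELEASE-p4 "$sample")"
rm -f "$sample"
```

On a live host the arguments would be `"$(freebsd-version -u)"` and `/etc/ssh/sshd_config`.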

From: "Bjoern A. Zeeb"
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:04.openssh
Date: Mon, 1 Jul 2024 10:34:00 +0000 (UTC)
In-Reply-To: <20240701085840.0EA17B51@freefall.freebsd.org>

On Mon, 1 Jul 2024, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-24:04.openssh                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSH pre-authentication remote code execution
>
> Category:       contrib
> Module:         openssh
> Announced:      2024-07-01
> Credits:        Qualys Threat Research Unit (TRU)
> Affects:        All supported versions of FreeBSD.
[..]
> II.  Problem Description
>
> A signal handler in sshd(8) calls a function that is not async-signal-safe.
> The signal handler is invoked when a client does not authenticate within the
> LoginGraceTime seconds (120 by default).  This signal handler executes in the
> context of the sshd(8)'s privileged code, which is not sandboxed and runs
> with full root privileges.
>
> This issue is a regression of CVE-2006-5051 originally reported by Mark Dowd
> and accidentally reintroduced in OpenSSH 8.5p1.
>
> III. Impact
>
> As a result of calling functions that are not async-signal-safe in the
> privileged sshd(8) context, a race condition exists that a determined
> attacker may be able to exploit to allow an unauthenticated remote code
> execution as root.
>
> IV.  Workaround
>
> If sshd(8) cannot be updated, this signal handler race condition can be
> mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
> restarting sshd(8).  This makes sshd(8) vulnerable to a denial of service
> (the exhaustion of all MaxStartups connections), but makes it safe from the
> remote code execution presented in this advisory.

Can this code path still be exploited in FreeBSD if libwrap/hosts_access
is used denying connections (at least from untrusted sources)?

A quick look seems to show that LIBWRAP checking happens before the signal
handler is setup and the bug needs connections to be accepted?

-- 
Bjoern A. Zeeb                                                     r15:7

From: "J. Hellenthal"
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:04.openssh
Date: Mon, 1 Jul 2024 10:16:42 -0500
In-Reply-To: <44522737-qr68-q1n2-rs8o-7o75329982o0@yvfgf.mnoonqbm.arg>

I don't have access to an example rule right now but this could be handled with a pf rule with timeouts and max src conns as an interim fix possibly. Seems more feasible than libwrap.

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Jul 1, 2024, at 05:34, Bjoern A. Zeeb wrote:
>
> On Mon, 1 Jul 2024, FreeBSD Security Advisories wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> =============================================================================
>> FreeBSD-SA-24:04.openssh                                    Security Advisory
>>                                                           The FreeBSD Project
>>
>> Topic:          OpenSSH pre-authentication remote code execution
>>
>> Category:       contrib
>> Module:         openssh
>> Announced:      2024-07-01
>> Credits:        Qualys Threat Research Unit (TRU)
>> Affects:        All supported versions of FreeBSD.
> [..]
>> II.  Problem Description
>>
>> A signal handler in sshd(8) calls a function that is not async-signal-safe.
>> The signal handler is invoked when a client does not authenticate within the
>> LoginGraceTime seconds (120 by default).  This signal handler executes in the
>> context of the sshd(8)'s privileged code, which is not sandboxed and runs
>> with full root privileges.
>>
>> This issue is a regression of CVE-2006-5051 originally reported by Mark Dowd
>> and accidentally reintroduced in OpenSSH 8.5p1.
>>
>> III. Impact
>>
>> As a result of calling functions that are not async-signal-safe in the
>> privileged sshd(8) context, a race condition exists that a determined
>> attacker may be able to exploit to allow an unauthenticated remote code
>> execution as root.
>>
>> IV.  Workaround
>>
>> If sshd(8) cannot be updated, this signal handler race condition can be
>> mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
>> restarting sshd(8).  This makes sshd(8) vulnerable to a denial of service
>> (the exhaustion of all MaxStartups connections), but makes it safe from the
>> remote code execution presented in this advisory.
>
> Can this code path still be exploited in FreeBSD if libwrap/hosts_access
> is used denying connections (at least from untrusted sources)?
>
> A quick look seems to show that LIBWRAP checking happens before the signal
> handler is setup and the bug needs connections to be accepted?
>
> --
> Bjoern A. Zeeb                                                     r15:7
>

From: Andrea Venturoli
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:04.openssh
Date: Mon, 1 Jul 2024 18:54:09 +0200
In-Reply-To: <20240701085840.0EA17B51@freefall.freebsd.org>

On 7/1/24 10:58, FreeBSD Security Advisories wrote:

> =============================================================================
> FreeBSD-SA-24:04.openssh                                    Security Advisory
>                                                           The FreeBSD Project

Hello.

Assuming:
a) a machine is on the previous patch level (e.g. 13.3p3 or 14.0p7);
b) source has been updated and "make buildworld" completed.

Would the following be enough to close this vulnerability?

> cd /usr/src/secure/usr.sbin/ssh
> make install
> service sshd restart

Or is something similar available?

 bye & Thanks
	av.

From: Tatsuki Makino
To: Andrea Venturoli
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:04.openssh
Date: Tue, 2 Jul 2024 07:15:14 +0900
In-Reply-To: <83513e2f-89c2-46bc-9729-110af95878d2@netfence.it>

Hello.

Andrea Venturoli wrote on 2024/07/02 01:54:
> Would the following be enough to close this vulnerability?
>
>> cd /usr/src/secure/usr.sbin/ssh
>> make install
>> service sshd restart
>

I think the directory is here.
cd /usr/src/secure/lib/libssh
However, although I have applied it to 12.4-STABLE :)
It seems that it will update the libprivatessh.so, restart sshd, and it will be done.

Regards.

From: "Wall, Stephen"
To: "freebsd-security@freebsd.org"
Subject: RE: CVE 2024 1931 - unbound
Date: Wed, 3 Jul 2024 13:00:41 +0000

> From: Dag-Erling Smørgrav
> The base system unbound is meant to be used with a configuration generated by
> `local-unbound-setup`, which never enables the `ede` option which is a
> prerequisite for the DoS attack described in CVE-2024-1931.

Thanks for your reply.

Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound.  Files in this directory are not altered by local_unbound_setup.  This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

- Steve Wall

From: Cy Schubert
To: "Wall, Stephen"
Cc: "freebsd-security@freebsd.org"
Subject: Re: CVE 2024 1931 - unbound
Date: Wed, 3 Jul 2024 16:29:38 -0700

On Wed, 3 Jul 2024 13:00:41 +0000
"Wall, Stephen" wrote:

> > From: Dag-Erling Smørgrav
> > The base system unbound is meant to be used with a configuration generated by
> > `local-unbound-setup`, which never enables the `ede` option which is a
> > prerequisite for the DoS attack described in CVE-2024-1931.

Did you actually mean CVE-2024-33655 instead?

>
> Thanks for your reply.
>
> Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound.  Files in this directory are not altered by local_unbound_setup.  This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

That would be an MFS of 335c7cda12138f2aefa41fb739707612cc12a9be from
stable/14 to releng/14.0 (releng/14.1 already has it) and a
corresponding MFS from stable/13 to releng/13.{2,3}.

>
> - Steve Wall

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0

From: Cy Schubert
To: "Wall, Stephen"
Cc: "freebsd-security@freebsd.org"
Subject: Re: CVE 2024 1931 - unbound
Date: Wed, 3 Jul 2024 16:40:32 -0700

On Wed, 3 Jul 2024 16:29:38 -0700
Cy Schubert wrote:

> On Wed, 3 Jul 2024 13:00:41 +0000
> "Wall, Stephen" wrote:
>
> > > From: Dag-Erling Smørgrav
> > > The base system unbound is meant to be used with a configuration generated by
> > > `local-unbound-setup`, which never enables the `ede` option which is a
> > > prerequisite for the DoS attack described in CVE-2024-1931.
>
> Did you actually mean CVE-2024-33655 instead?

Looks like CVE-2024-1931 was also addressed in 1.20.0.

>
> >
> > Thanks for your reply.
> >
> > Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound.  Files in this directory are not altered by local_unbound_setup.  This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
> > It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.
>
> That would be an MFS of 335c7cda12138f2aefa41fb739707612cc12a9be from
> stable/14 to releng/14.0 (releng/14.1 already has it) and a
> corresponding MFS from stable/13 to releng/13.{2,3}.
>
> >
> > - Steve Wall
>

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0

From: Gordon Tetlow
To: "Wall, Stephen"
Cc: "freebsd-security@freebsd.org"
Subject: Re: CVE 2024 1931 - unbound
Date: Mon, 8 Jul 2024 06:48:36 +0800

> On Jul 3, 2024, at 9:00 PM, Wall, Stephen wrote:
>
>> From: Dag-Erling Smørgrav
>> The base system unbound is meant to be used with a configuration generated by
>> `local-unbound-setup`, which never enables the `ede` option which is a
>> prerequisite for the DoS attack described in CVE-2024-1931.
>
> Thanks for your reply.
>
> Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound.  Files in this directory are not altered by local_unbound_setup.  This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

Local DoS’s do not get security advisories (logic here is a local user has a million ways to DoS a system). If the user has messed with the configuration of the local_unbound resolver to open it up to the network and get DoS’d from the remote network, I don’t feel this is something secteam is responsible for responding to.

Unbound exists as a port/pkg for the purposes of someone setting up a non-local resolver.

Best regards,
Gordon
Hat: security-officer
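
The thread turns on whether a drop-in under /var/unbound/conf.d has switched on `ede`. The following is an added example, not part of the thread and not FreeBSD or unbound code: a POSIX sh audit that reports every active `ede: yes` in that directory or in any paths given. The function names, the `--demo` flag and the sample files are constructed for illustration, and it assumes unbound.conf is read as whitespace-separated tokens with `#` comments.

```shell
#!/bin/sh
# Added example: locate active `ede: yes` settings in unbound configuration.
# Usage: sh audit_ede.sh [PATH...]   (default: the conf.d directory below)
#        sh audit_ede.sh --demo      (run against constructed sample files)

CONF_DIR_DEFAULT=/var/unbound/conf.d   # directory named in the thread

# scan_file FILE
# Print "FILE:LINE:VALUE" for every active `ede:` option in FILE.
# Assumption: options are whitespace-separated tokens, so `server: ede: yes`
# on one line counts, and `ede-serve-expired:` is a different keyword.
# Only double quotes around the value are stripped.
scan_file() {
    awk -v f="$1" '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop trailing comment
            n = split(line, tok, /[ \t\r]+/)
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "") continue
                if (pending) {                   # token after ede: is the value
                    gsub(/"/, "", t)
                    print f ":" where ":" t
                    pending = 0
                } else if (t == "ede:") {
                    pending = 1
                    where = NR                   # line holding the keyword
                }
            }
        }
    ' < "$1"
}

# audit_ede PATH...
# For each file, and each *.conf in each directory, list the locations that
# set ede to yes. Returns 1 if any location was found, 0 if none.
audit_ede() {
    hits=$(
        for p in "$@"; do
            if [ -d "$p" ]; then
                for f in "$p"/*.conf; do
                    if [ -f "$f" ]; then scan_file "$f"; fi
                done
            elif [ -f "$p" ]; then
                scan_file "$p"
            fi
        done | awk -F: '$NF == "yes"'
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample DIR
# Write constructed drop-ins (not taken from any real system) into DIR.
make_sample() {
    mkdir -p "$1" || return 1
    # commented-out setting plus a similarly named option: must not match
    printf '%s\n' 'server:' '    # ede: yes' '    ede-serve-expired: yes' \
        > "$1/10-commented.conf"
    # one-line form with a quoted value: must match
    printf '%s\n' 'server: ede: "yes"   # one-line form' > "$1/20-inline.conf"
    # explicitly disabled: must not match
    printf '%s\n' 'server:' '    ede: no' > "$1/30-off.conf"
}

case "${1:-}" in
    --demo)
        demo_dir=$(mktemp -d) && make_sample "$demo_dir"
        audit_ede "$demo_dir" || echo "ede is enabled at the locations above"
        rm -rf "$demo_dir"
        ;;
    *)
        [ "$#" -gt 0 ] || set -- "$CONF_DIR_DEFAULT"
        audit_ede "$@" && echo "no active 'ede: yes' found in: $*"
        ;;
esac
```

Configuration files that live outside the given paths have to be passed explicitly; the script does not follow `include:` lines.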