From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:05.pf
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150000.AF8D15ACF@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:00 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume]
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

=============================================================================
FreeBSD-SA-24:05.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          pf incorrectly matches different ICMPv6 states in the state table

Category:       core
Module:         pf
Announced:      2024-08-07
Credits:        Enrico Bassetti e.bassetti@tudelft.nl
                (Cybersecurity @ TU Delft, SPRITZ Group @ UniPD)
Affects:        All supported versions of FreeBSD.
Corrected:      2024-07-31 07:41:11 UTC (stable/14, 14.0-STABLE)
                2024-08-07 13:44:25 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:46 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-07-31 07:41:12 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:57 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-6640

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

pf is an Internet Protocol packet filter originally written for OpenBSD.
pf uses a state table to determine whether to allow a packet that is from a
known/already open transmission.  It identifies ICMPv6 states based on the
address family, protocol, addresses, and the ID.

Normally, states are created by outgoing packets, or by incoming packets
matching 'pass' rules.  A packet that does not match any rule will be
blocked or allowed depending on the default rule.

ICMPv6 Neighbor Discovery has to be allowed in the firewall for IPv6 to work
properly in broadcast networks, such as Ethernet.

II.  Problem Description

In ICMPv6 Neighbor Discovery (ND), the ID is always 0.  When pf is
configured to allow ND and block incoming Echo Requests, a crafted Echo
Request packet after a Neighbor Solicitation (NS) can trigger an Echo Reply.
The packet has to come from the same host as the NS and have a zero as
identifier to match the state created by the Neighbor Discovery and allow
replies to be generated.

III. Impact

ICMPv6 packets with identifier value of zero bypass firewall rules written
on the assumption that the incoming packets are going to create a state in
the state table.

IV.  Workaround

No workaround is available but systems not using the pf firewall are not
affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.3]
# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch
# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-13.patch.asc
# gpg --verify pf-13.patch.asc

[FreeBSD 14.0 & FreeBSD 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch
# fetch https://security.FreeBSD.org/patches/SA-24:05/pf-14.patch.asc
# gpg --verify pf-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              3382c691dc6a    stable/14-n268277
releng/14.1/                            a66d33fcf334  releng/14.1-n267690
releng/14.0/                            ca9580967e74  releng/14.0-n265428
stable/13/                              05f91f8dd5ce    stable/13-n258160
releng/13.3/                            5eb30c313cb0  releng/13.3-n257443
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

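The state-key collision described in section II of FreeBSD-SA-24:05.pf, as an added model that is not part of the advisory and is not pf source code. The structures, the helper names, the 2001:db8:: addresses and the stricter key that also compares the message class are assumptions made for illustration; the stricter key is not taken from the FreeBSD patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMPv6 message types used below (values from RFC 4443 and RFC 4861). */
enum { T_ECHO_REQUEST = 128, T_ECHO_REPLY = 129,
       T_NEIGHBOR_SOLICIT = 135, T_NEIGHBOR_ADVERT = 136 };

enum msg_class { CLASS_ECHO, CLASS_ND, CLASS_OTHER };

struct pkt {
    uint8_t  src[16], dst[16];
    uint8_t  type;
    uint16_t id;            /* echo identifier; ND carries none, so it is 0 */
};

struct state {
    uint8_t  a[16], b[16];  /* endpoints of the packet that created the state */
    uint16_t id;
    enum msg_class cls;     /* consulted only by the stricter lookup */
};

/* Constructed documentation-prefix addresses: firewall host and on-link peer. */
static const uint8_t HOST[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x01 };
static const uint8_t PEER[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 0x02 };

static enum msg_class classify(uint8_t type)
{
    switch (type) {
    case T_ECHO_REQUEST: case T_ECHO_REPLY:          return CLASS_ECHO;
    case T_NEIGHBOR_SOLICIT: case T_NEIGHBOR_ADVERT: return CLASS_ND;
    default:                                         return CLASS_OTHER;
    }
}

static struct pkt make_pkt(const uint8_t *src, const uint8_t *dst,
                           uint8_t type, uint16_t id)
{
    struct pkt p;
    memcpy(p.src, src, 16);
    memcpy(p.dst, dst, 16);
    p.type = type;
    p.id = id;
    return p;
}

static struct state state_from(const struct pkt *p)
{
    struct state s;
    memcpy(s.a, p->src, 16);
    memcpy(s.b, p->dst, 16);
    s.id = p->id;
    s.cls = classify(p->type);
    return s;
}

static bool same_endpoints(const struct state *s, const struct pkt *p)
{
    bool fwd = !memcmp(s->a, p->src, 16) && !memcmp(s->b, p->dst, 16);
    bool rev = !memcmp(s->a, p->dst, 16) && !memcmp(s->b, p->src, 16);
    return fwd || rev;
}

/* Key as the advisory describes it. Address family and protocol are fixed
 * to IPv6/ICMPv6 in this model, which leaves the addresses and the ID. */
bool match_by_id(const struct state *s, const struct pkt *p)
{
    return same_endpoints(s, p) && s->id == p->id;
}

/* Assumed stricter key: the message class has to agree as well. */
bool match_by_id_and_class(const struct state *s, const struct pkt *p)
{
    return match_by_id(s, p) && s->cls == classify(p->type);
}

/* Does an inbound Echo Request hit the state left by an NS from the same
 * peer? The NS is modelled as unicast to keep the example short. */
bool echo_hits_nd_state(bool strict, uint16_t echo_id)
{
    struct pkt ns = make_pkt(PEER, HOST, T_NEIGHBOR_SOLICIT, 0);
    struct state st = state_from(&ns);
    struct pkt echo = make_pkt(PEER, HOST, T_ECHO_REQUEST, echo_id);
    return strict ? match_by_id_and_class(&st, &echo) : match_by_id(&st, &echo);
}

/* The Neighbor Advertisement answering that NS must keep matching. */
bool na_hits_nd_state(bool strict)
{
    struct pkt ns = make_pkt(PEER, HOST, T_NEIGHBOR_SOLICIT, 0);
    struct state st = state_from(&ns);
    struct pkt na = make_pkt(HOST, PEER, T_NEIGHBOR_ADVERT, 0);
    return strict ? match_by_id_and_class(&st, &na) : match_by_id(&st, &na);
}

int main(void)
{
    printf("ID-only key, echo id 0      : %d\n", echo_hits_nd_state(false, 0));
    printf("ID-only key, echo id 0x1234 : %d\n", echo_hits_nd_state(false, 0x1234));
    printf("ID+class key, echo id 0     : %d\n", echo_hits_nd_state(true, 0));
    printf("ID+class key, NA reply      : %d\n", na_hits_nd_state(true));
    return 0;
}
```
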
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:06.ktrace
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150006.1CEC15AD1@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:06 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:06.ktrace                                     Security Advisory
                                                          The FreeBSD Project

Topic:          ktrace(2) fails to detach when executing a setuid binary

Category:       core
Module:         ktrace
Announced:      2024-08-07
Affects:        All supported versions of FreeBSD
Corrected:      2024-08-07 13:41:53 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:29 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:47 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-08-07 13:42:10 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:59 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-6760

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ktrace utility enables kernel trace logging for the specified processes,
commonly used for diagnostic or debugging purposes.
The kernel operations that are traced include system calls, namei
translations, signal processing, and I/O as well as data associated with
these operations.

II.  Problem Description

A logic bug in the code which disables kernel tracing for setuid programs
meant that tracing was not disabled when it should have been, allowing
unprivileged users to trace and inspect the behavior of setuid programs.

III. Impact

The bug may be used by an unprivileged user to read the contents of files to
which they would not otherwise have access, such as the local password
database.

IV.  Workaround

No workaround is available.  I/O tracing can be disabled by setting the
kern.ktrace.genio_size sysctl to 0, but other information recorded by
ktrace, such as system call arguments, can still be leaked.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch
# fetch https://security.FreeBSD.org/patches/SA-24:06/ktrace.patch.asc
# gpg --verify ktrace.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              8b400c8488f0    stable/14-n268423
releng/14.1/                            22d04990cee5  releng/14.1-n267693
releng/14.0/                            c39fb98e4740  releng/14.0-n265429
stable/13/                              f702110bc4bc    stable/13-n258224
releng/13.3/                            769536bcb5c3  releng/13.3-n257445
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:07.nfsclient
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150012.B494859E0@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:12 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:07.nfsclient                                  Security Advisory
                                                          The FreeBSD Project

Topic:          NFS client accepts file names containing path separators

Category:       core
Module:         NFS client
Announced:      2024-08-07
Credits:        Apple Security Engineering and Architecture (SEAR)
Affects:        All supported versions of FreeBSD
Corrected:      2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-6759

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Network File System (NFS) is a distributed file system that allows
remote systems to access files and directories over a network as if they
were local.  FreeBSD includes both server and client implementations of NFS.

II.  Problem Description

When mounting a remote filesystem using NFS, the kernel did not sanitize
remotely provided filenames for the path separator character, "/".  This
allows readdir(3) and related functions to return filesystem entries with
names containing additional path components.

III. Impact

The lack of validation described above gives rise to a confused deputy
problem.  For example, a program copying files from an NFS mount could be
tricked into copying from outside the intended source directory, and/or to a
location outside the intended destination directory.

IV.  Workaround

No workaround is available.  Note that for the problem to occur, the NFS
server would have to deliberately inject altered paths into RPC replies, or
a MITM would have to be altering NFS traffic.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.3]
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-13.patch.asc
# gpg --verify nfsclient-13.patch.asc

[FreeBSD 14.0 & FreeBSD 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfclient-14.patch.asc
# gpg --verify nfsclient-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              9328ded386d5    stable/14-n268239
releng/14.1/                            8533e927afc1  releng/14.1-n267686
releng/14.0/                            4e7bf17e9db8  releng/14.0-n265422
stable/13/                              0172b5145ad9    stable/13-n258140
releng/13.3/                            3d5cb2b9a97c  releng/13.3-n257439
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:08.openssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240807150017.5DF8E5BAD@freefall.freebsd.org>
Date: Wed, 07 Aug 2024 15:00:17 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:08.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH pre-authentication async signal safety issue

Category:       contrib
Module:         openssh
Announced:      2024-08-07
Affects:        All supported versions of FreeBSD.
Corrected:      2024-08-06 19:43:54 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:26 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:40 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-08-06 19:46:19 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:58 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-7589

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services, including
remote shell access.

II.  Problem Description

A signal handler in sshd(8) may call a logging function that is not
async-signal-safe.  The signal handler is invoked when a client does not
authenticate within the LoginGraceTime seconds (120 by default).  This signal
handler executes in the context of the sshd(8)'s privileged code, which is
not sandboxed and runs with full root privileges.

This issue is another instance of the problem in CVE-2024-6387 addressed by
FreeBSD-SA-24:04.openssh.  The faulty code in this case is from the
integration of blacklistd in OpenSSH in FreeBSD.

III. Impact

As a result of calling functions that are not async-signal-safe in the
privileged sshd(8) context, a race condition exists that a determined
attacker may be able to exploit to allow an unauthenticated remote code
execution as root.

IV.  Workaround

If sshd(8) cannot be updated, this signal handler race condition can be
mitigated by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and
restarting sshd(8).  This makes sshd(8) vulnerable to a denial of service
(the exhaustion of all MaxStartups connections), but makes it safe from the
remote code execution presented in this advisory.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
restart sshd.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-24:08/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              73466449a9bf    stable/14-n268414
releng/14.1/                            450425089212  releng/14.1-n267691
releng/14.0/                            c4ade13d5498  releng/14.0-n265423
stable/13/                              d5f16ef6463d    stable/13-n258221
releng/13.3/                            f41c11d7f209  releng/13.3-n257444
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

09 Aug 2024 23:38:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WggN614DYz4skN; Fri, 9 Aug 2024 23:38:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723246726; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=pqpskrFUdVhUKofs6f+lfUjZ55J2P4P2GczFfPuXd8c=; b=ZXzh/UhurhGb5NzPCCGbyx0UPMXyb20QCHfQs9ucKl+zYqCGhi+rOitMdcUuZP7Ea++vTQ GHAwsSqjnoS8/oqVX56bY+moL+l9UMWeFbykWR6W9+cGfrPr9EMYpaFaaFBJXxdANi4yVj mwzOqf5e95zQcQPKMwLPli4YKGX3xjeoUPCfyd7fDShgWDKgzzZOwW9WiUS4JcdTy+XIrn s4E1vVuT0tOJyJfFRXOvq6+9W5PQBzAseSMejVO2OcdoEAV5Wtfz8qVFtnapNxVtb05zI5 fHNpTL+xW4S2Srh/F3glIy3OIqJtNmPQL5FPEEnk9WE1BOmZCRFMTSDEgI2Uvw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1723246726; a=rsa-sha256; cv=none; b=alD4iO4xa7ezI2aMUZrBao6c9vEDykIIuAZgMZh9GLlC2QQLdJXkLcW48jqqfdo1yGEfRU hglpfkaasQZ/+cDWkIahwWulvL1MAbYjpnNYe5w1fmFmS9HBiAhdgr92P/kmaLF4NDjgCC OOKBTaLENBT0r6cOAKQfy8bfdD1OQr4GQjwrQ4zuCZlybBD+H2ng/3kQDogxPJpbMdSswp fL3DkwH/kb7A48SoM6iHVAiqZEijLrYU7sbi1PH7x2Mn6ruRo5/Np2sPqO/FuCkHa3GpFM kbCzh3B22+MpVzNINp5pBnUgTR9AJLvB3YfK86y4hO0CHylqU9QYG6lemCVM2Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1723246726; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=pqpskrFUdVhUKofs6f+lfUjZ55J2P4P2GczFfPuXd8c=; b=G5NUJZvTU1hOpb2vMHAeYzYJ4os66aj9vuAPfUrdjPsAaEZYCdKtysAhY4r274yDX3Qhvn 
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:07.nfsclient [REVISED]
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240809233845.E4239B188@freefall.freebsd.org>
Date: Fri, 09 Aug 2024 23:38:45 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume]
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:07.nfsclient                                  Security Advisory
                                                          The FreeBSD Project

Topic:          NFS client accepts file names containing path separators

Category:       core
Module:         NFS client
Announced:      2024-08-07
Credits:        Apple Security Engineering and Architecture (SEAR)
Affects:        All supported versions of FreeBSD
Corrected:      2024-07-27 03:54:45 UTC (stable/14, 14.1-STABLE)
                2024-08-07 13:44:21 UTC (releng/14.1, 14.1-RELEASE-p3)
                2024-08-07 13:44:39 UTC (releng/14.0, 14.0-RELEASE-p9)
                2024-07-28 04:14:54 UTC (stable/13, 13.3-STABLE)
                2024-08-07 13:44:52 UTC (releng/13.3, 13.3-RELEASE-p5)
CVE Name:       CVE-2024-6759

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2024-08-07 -- Initial release
v1.1  2024-08-09 -- Corrected patch path typo

I.   Background

The Network File System (NFS) is a distributed file system that allows
remote systems to access files and directories over a network as if they
were local. FreeBSD includes both server and client implementations of NFS.

II.  Problem Description

When mounting a remote filesystem using NFS, the kernel did not sanitize
remotely provided filenames for the path separator character, "/". This
allows readdir(3) and related functions to return filesystem entries with
names containing additional path components.

III. Impact

The lack of validation described above gives rise to a confused deputy
problem. For example, a program copying files from an NFS mount could be
tricked into copying from outside the intended source directory, and/or to
a location outside the intended destination directory.

IV.  Workaround

No workaround is available. Note that for the problem to occur, the NFS
server would have to deliberately inject altered paths into RPC replies, or
a MITM would have to be altering NFS traffic.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.3]
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-13.patch.asc
# gpg --verify nfsclient-13.patch.asc

[FreeBSD 14.0 & FreeBSD 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch
# fetch https://security.FreeBSD.org/patches/SA-24:07/nfsclient-14.patch.asc
# gpg --verify nfsclient-14.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path        Hash            Revision
- -------------------------------------------------------------------------
stable/14/         9328ded386d5    stable/14-n268239
releng/14.1/       8533e927afc1    releng/14.1-n267686
releng/14.0/       4e7bf17e9db8    releng/14.0-n265422
stable/13/         0172b5145ad9    stable/13-n258140
releng/13.3/       3d5cb2b9a97c    releng/13.3-n257439
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
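
The confused deputy described in sections II and III of FreeBSD-SA-24:07.nfsclient can also be contained in the program that consumes readdir(3) results. The following C code is an added example, not part of the advisory and not the FreeBSD kernel fix: it accepts a directory entry name only if it is a single path component before joining it to a directory, as a copy tool would for its source and destination paths. The function names (name_is_single_component, join_child, scan_dir) and the 1024-byte path buffer are assumptions made for this example.

```c
#include <dirent.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True only for a plain child name: non-empty, not "." or "..", no '/'. */
bool
name_is_single_component(const char *name)
{
	if (name == NULL || name[0] == '\0')
		return (false);
	if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return (false);
	return (strchr(name, '/') == NULL);
}

/* Build "dir/name" only for validated names; -1 on refusal or truncation. */
int
join_child(char *out, size_t outsz, const char *dir, const char *name)
{
	int n;
	if (!name_is_single_component(name))
		return (-1);
	n = snprintf(out, outsz, "%s/%s", dir, name);
	return ((n < 0 || (size_t)n >= outsz) ? -1 : 0);
}

/* Walk dir as a copy loop would; return names accepted, *bad = names refused. */
int
scan_dir(const char *dir, int *bad)
{
	char path[1024];
	struct dirent *e;
	DIR *d = opendir(dir);
	int ok = 0;
	*bad = 0;
	if (d == NULL)
		return (-1);
	while ((e = readdir(d)) != NULL) {
		if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
			continue;	/* normal entries, never copied */
		if (join_child(path, sizeof(path), dir, e->d_name) == 0)
			ok++;		/* a real tool would copy "path" here */
		else
			(*bad)++;	/* multi-component or oversized name */
	}
	closedir(d);
	return (ok);
}
```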