Subject: FreeBSD Security Advisory FreeBSD-SA-24:09.libnv
Date: Wed, 04 Sep 2024 23:37:09 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:09.libnv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in libnv

Category:       core
Module:         libnv
Announced:      2024-09-04
Credits:        Taylor R Campbell (NetBSD, CVE-2024-45287)
                Synacktiv (CVE-2024-45287, CVE-2024-45288)
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-04 12:24:56 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:27 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:12 UTC (releng/14.0, 14.0-RELEASE-p10)
                2024-09-04 12:24:12 UTC (stable/13, 13.4-STABLE)
                2024-09-04 19:13:10 UTC (releng/13.4, 13.4-RC2-p1)
                2024-09-04 20:29:40 UTC (releng/13.3, 13.3-RELEASE-p6)
CVE Name:       CVE-2024-45287, CVE-2024-45288

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

libnv (also called nvlist) is a general-purpose library designed for
storing name-value pairs. This library can serve as an Inter-Process
Communication (IPC) framework, enabling processes to exchange data. For
example, it is used in libcasper to communicate between privileged and
unprivileged processes. Additionally, libnv can function as an interface
for communication between userland and kernel.

Originally, libnv was inspired by OpenZFS nvlist. However, the
implementations are separate. This advisory concerns only the base system
implementation of libnv, not the OpenZFS one.

II.  Problem Description

CVE-2024-45287 is a vulnerability that affects both the kernel and
userland. A malicious size value in a packed libnv structure can cause an
integer overflow, leading to the allocation of a smaller buffer than
required for the parsed data.

CVE-2024-45288 is a vulnerability that affects both the kernel and
userland. A missing null-termination character in the last element of an
nvlist string array can lead to writing outside the allocated buffer.

III. Impact

It is possible for an attacker to overwrite portions of memory (in
userland or the kernel) as the allocated buffer might be smaller than the
data received from a malicious process. This vulnerability could result
in privilege escalation or cause a system panic.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch
# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch.asc
# gpg --verify libnv.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

d) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              9c2ef102166e   stable/14-n268655
releng/14.1/                            d87f821959fb releng/14.1-n267696
releng/14.0/                            b219ce1c5a93 releng/14.0-n265433
stable/13/                              03bef9971d73   stable/13-n258309
releng/13.4/                            3aa9be7e3334 releng/13.4-n258240
releng/13.3/                            33b4e2361c82 releng/13.3-n257449
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
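The two libnv bug classes in the advisory above (an attacker-chosen size that wraps the allocation arithmetic, and a string element that arrives without its terminating NUL) are illustrated by the following added C example, which is not FreeBSD's or libnv's code. The packed-element layout (8-byte little-endian size, then payload), the function names and the sample inputs are all constructed for this illustration; the hardened parser bounds the declared size by the bytes actually received before any arithmetic or indexing, and rejects a string element whose payload lacks its NUL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed packed-element layout for this example (NOT libnv's real wire
 * format): an 8-byte little-endian size field, then `size` payload bytes.
 * A string element's payload must include its terminating NUL. */
#define ELEM_HDR_LEN 8

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED = 1,  /* declared size exceeds bytes received */
    PARSE_ERR_NO_NUL = 2,     /* string payload lacks its terminator */
    PARSE_ERR_NOMEM = 3
};

static uint64_t
read_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return (v);
}

/* The unsafe computation: header overhead added to an untrusted size with
 * no overflow check. For UINT64_MAX the sum wraps to 7, so a caller would
 * allocate 7 bytes and copy far more into them. Only the arithmetic is shown. */
size_t
unchecked_alloc_len(uint64_t declared_size)
{
    return ((size_t)(declared_size + ELEM_HDR_LEN));
}

/* Hardened parse of one string element from `buflen` received bytes. On
 * success *out is a malloc'd NUL-terminated copy (caller frees) and
 * *consumed is the number of input bytes used. */
enum parse_status
parse_string_elem(const unsigned char *buf, size_t buflen, char **out,
    size_t *consumed)
{
    uint64_t size;
    char *copy;

    *out = NULL;
    *consumed = 0;
    /* The fixed header itself must be present. */
    if (buflen < ELEM_HDR_LEN)
        return (PARSE_ERR_TRUNCATED);
    size = read_le64(buf);
    /* Bound the untrusted size by what was actually received before it is
     * used in any arithmetic or indexing. With size <= buflen, the later
     * size + ELEM_HDR_LEN cannot wrap either. */
    if (size > buflen - ELEM_HDR_LEN)
        return (PARSE_ERR_TRUNCATED);
    /* A string element must carry its own terminating NUL; otherwise a later
     * strlen() or strcpy() on the copy would run past the allocation. */
    if (size == 0 || buf[ELEM_HDR_LEN + size - 1] != '\0')
        return (PARSE_ERR_NO_NUL);
    copy = malloc((size_t)size);
    if (copy == NULL)
        return (PARSE_ERR_NOMEM);
    memcpy(copy, buf + ELEM_HDR_LEN, (size_t)size);
    *out = copy;
    *consumed = (size_t)size + ELEM_HDR_LEN;
    return (PARSE_OK);
}

/* Constructed sample inputs: a valid element; one whose declared size
 * (UINT64_MAX) far exceeds the 3 bytes that follow; a string with no NUL. */
const unsigned char GOOD[] =
    { 6, 0, 0, 0, 0, 0, 0, 0, 'h', 'e', 'l', 'l', 'o', '\0' };
const unsigned char HUGE_SIZE[] =
    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 'h', 'i', '\0' };
const unsigned char NO_NUL[] =
    { 5, 0, 0, 0, 0, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };

/* Parses one sample and returns its status, or -1 if a successful parse
 * produced the wrong string or consumed the wrong number of bytes. */
int
run_case(const unsigned char *buf, size_t len, const char *want)
{
    char *s;
    size_t used;
    enum parse_status st = parse_string_elem(buf, len, &s, &used);
    if (st != PARSE_OK)
        return ((int)st);
    int ok = (strcmp(s, want) == 0 && used == len);
    free(s);
    return (ok ? 0 : -1);
}
```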
Subject: FreeBSD Security Advisory FreeBSD-SA-24:10.bhyve
Date: Wed, 04 Sep 2024 23:37:14 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:10.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve(8) privileged guest escape via TPM device passthrough

Category:       core
Module:         bhyve
Announced:      2024-09-04
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        FreeBSD 14.x
Corrected:      2024-09-04 15:42:29 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:28 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:13 UTC (releng/14.0, 14.0-RELEASE-p10)
CVE Name:       CVE-2024-41928

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8) is a hypervisor that runs guest operating systems inside a
virtual machine.

II.  Problem Description

bhyve can be configured to provide access to the host's TPM device, where
it passes the communication through an emulated device provided to the
guest. This may be performed on the command-line by starting bhyve with
the `-l tpm,passthru,/dev/tpmX` parameters.

The MMIO handler for the emulated device did not validate the offset and
size of the memory access correctly, allowing guests to read and write
memory contents outside of the memory area effectively allocated.

III. Impact

Malicious software running in a guest VM can exploit the buffer overflow
to achieve code execution on the host in the bhyve userspace process,
which typically runs as root.

Note that bhyve runs in a Capsicum sandbox, so malicious code is
constrained by the capabilities available to the bhyve process.

IV.  Workaround

No workaround is available, but guests that do not use TPM passthrough
are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Guest operating systems exposing the TPM device need to be restarted for
the correction to be applied (i.e., their corresponding bhyve process
needs to be terminated and started again).

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the corresponding bhyve processes, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              6ce4821f0859   stable/14-n268656
releng/14.1/                            eab723be7542 releng/14.1-n267697
releng/14.0/                            429f200688ca releng/14.0-n265434
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The corresponding part of the security audit report as provided by
Synacktiv will be published in due course.

The latest revision of this advisory is available at
Subject: FreeBSD Security Advisory FreeBSD-SA-24:11.ctl
Date: Wed, 04 Sep 2024 23:37:17 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:11.ctl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple issues in ctl(4) CAM Target Layer

Category:       core
Module:         ctl
Announced:      2024-09-04
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-04 15:51:07 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:33 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:18 UTC (releng/14.0, 14.0-RELEASE-p10)
                2024-09-04 15:53:53 UTC (stable/13, 13.4-STABLE)
                2024-09-04 19:58:25 UTC (releng/13.4, 13.4-RC2-p1)
                2024-09-04 20:29:45 UTC (releng/13.3, 13.3-RELEASE-p6)
CVE Name:       CVE-2024-8178, CVE-2024-42416, CVE-2024-43110,
                CVE-2024-45063

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ctl subsystem provides SCSI target devices emulation. The bhyve(8)
hypervisor and ctld(8) iSCSI target daemon make use of ctl.

II.  Problem Description

Several vulnerabilities were found in the ctl subsystem.

The function ctl_write_buffer incorrectly set a flag which resulted in a
kernel Use-After-Free when a command finished processing
(CVE-2024-45063).

The ctl_write_buffer and ctl_read_buffer functions allocated memory to be
returned to userspace, without initializing it (CVE-2024-8178).

The ctl_report_supported_opcodes function did not sufficiently validate a
field provided by userspace, allowing an arbitrary write to a limited
amount of kernel heap memory (CVE-2024-42416).

The ctl_request_sense function could expose up to three bytes of the
kernel heap to userspace (CVE-2024-43110).

Guest virtual machines in the bhyve hypervisor can send SCSI commands to
the corresponding kernel driver via the virtio_scsi interface. This
provides guests with direct access to the vulnerabilities covered by this
advisory.

The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming iSCSI
connections, performs authentication and passes connections to the
kernel ctl(4) target layer.

III. Impact

Malicious software running in a guest VM that exposes virtio_scsi can
exploit the vulnerabilities to achieve code execution on the host in the
bhyve userspace process, which typically runs as root.

Note that bhyve runs in a Capsicum sandbox, so malicious code is
constrained by the capabilities available to the bhyve process.

A malicious iSCSI initiator could achieve remote code execution on the
iSCSI target host.

IV.  Workaround

No workaround is available. bhyve VMs that do not make use of virtio_scsi
(for instance, via `bhyve -s NN,virtio-scsi,...`), and hosts that do not
export iSCSI targets, are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date. The system
should be rebooted to mitigate the issue with certainty.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.3, 14.0, 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch
# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch.asc
# gpg --verify ctl.patch.asc

[FreeBSD 13.4]
# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch
# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch.asc
# gpg --verify ctl-13.4.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              803e0c2ab29b   stable/14-n268660
releng/14.1/                            d30ffde0806e releng/14.1-n267701
releng/14.0/                            4c60b8289d0e releng/14.0-n265438
stable/13/                              c8afc072690f   stable/13-n258314
releng/13.4/                            004298792002 releng/13.4-n258243
releng/13.3/                            639494a3c1e6 releng/13.3-n257453
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The corresponding part of the security audit report as provided by
Synacktiv will be published in due course.

The latest revision of this advisory is available at
b=i/YFGPaVnNL0A7huRM7VL8R6MigfvxI1nLV/wyGC1BafbOkhR9lKRqEg+4+KS4aOop6V+U jeqWto2BK44NePlw4tSZNqNFdfBn9eNHRR8ueeqAPQM9fUFuW1KP6BOHo0jDdrxiyBelLR rFHZedhbhSL2uiX0kP3lpIlgVWEL7bdvSwaKtb6QaPb1daDqjAgDRioZZlZhylKh8UGHBp yvvaMO05tSivCoA+ifw1r8ODLHtiK0lRLEX8a/uDwli1epMGQ/s9hFEykpv6avNiEGjB1Y yK5I/7t/ISYeF0ZI16k65r3+2vKOT2/hDbmi/wWDsP/P2oD1mLcbTEDMfN9oug== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725493041; a=rsa-sha256; cv=none; b=eboMo8cV/IGB7N6/n8HMhMgKC+JvCEdKrxYlQ67fgDqQZIf7MBeZKZCLmABJAAQEM9jGUo E7Lu3JCnE0LkmgD4sa+QQPrA+HPvGurSLQ9L1sdpB8OfOaIMIy0qqiF7HFeAR9hMp69uWn fbuti33BsmU49Kep9+4CmDxsiXqLlXGHNK3luRJmyvpZbPFbiiU3M6bcvz3ZAAJsQaTYJp yGzijjf0rWnlPwan0V3BdPw/dG/q6171yn6dlQOPOz3vMkk8uxv5jWVhxlVYe1EP/m5RpL 1lzlmm0lCHct1cgXvRcDDXJSWFFccHcgO9BBpDQkeudiR4yOxuZ1AC+e/VRCsA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493041; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=WVhedY1QcnK9jX3fE7k0D6aYtPhVxZCdJRVfQhAZcLU=; b=VL7HaE2H9+t7yDb3lBWG39rTZfRmM9BKdo61UKHibukbNw+ulgxh9Jq8vhLQSWAMAhCVaf IXm+XjcTBs96CoiHxc2bTbGdDZxF4D1UnXaBMWb8q24n/X8Gaii3MQsugmGGZQd46yz4xd 4NBV9xI8PVff8Bi9ikDZIqzxba/WHf/UdWebyyHHvCQlXnEDgs0B1JX51FxwdyRV/9j8SQ FyBs3z7uozxbd8oqS1bhis3FXfllQHHbfLzwc3JRVO57sjKmpuZa3H+iFiMRLY/yesJD8x Dw3nKdqJhTnpI4UuZF9G+DGSpZv/vmZWHzVMt9xVNuBuObtqYSGjnKgg8cKa6A== Received: by freefall.freebsd.org (Postfix, from userid 945) id E982B2733B; Wed, 04 Sep 2024 23:37:20 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:12.bhyve Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240904233720.E982B2733B@freefall.freebsd.org> Date: Wed, 04 Sep 2024 23:37:20 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: 
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:12.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve(8) privileged guest escape via USB controller

Category:       core
Module:         bhyve
Announced:      2024-09-04
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-04 15:42:30 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:34 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:19 UTC (releng/14.0, 14.0-RELEASE-p10)
                2024-09-04 15:45:38 UTC (stable/13, 13.4-STABLE)
                2024-09-04 19:58:26 UTC (releng/13.4, 13.4-RC2-p1)
                2024-09-04 20:29:46 UTC (releng/13.3, 13.3-RELEASE-p6)
CVE Name:       CVE-2024-32668

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8) is a hypervisor that runs guest operating systems inside a
virtual machine.

II.  Problem Description

bhyve can be configured to emulate devices on a virtual USB controller
(XHCI), such as USB tablet devices.  Insufficient boundary validation in
the USB code could lead to an out-of-bounds write on the heap, with data
controlled by the caller.

III. Impact

Malicious, privileged software running in a guest VM can exploit the
vulnerability to achieve code execution on the host in the bhyve
userspace process, which typically runs as root.

Note that bhyve runs in a Capsicum sandbox, so malicious code is
constrained by the capabilities available to the bhyve process.

IV.  Workaround

No workaround is available, but VMs that do not make the XHCI device
available to the guest (via `bhyve -s xhci,...`) are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Guest operating systems emulating USB devices with XHCI need to be
restarted for the correction to be applied (i.e., their corresponding
bhyve process needs to be terminated and started again).

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the corresponding bhyve processes, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              90af1336ed5e    stable/14-n268657
releng/14.1/                            bb245c142075  releng/14.1-n267702
releng/14.0/                            1d01a6c11210  releng/14.0-n265439
stable/13/                              5920b7e6eea1    stable/13-n258311
releng/13.4/                            b3f0e555781c  releng/13.4-n258244
releng/13.3/                            5d6576f4f000  releng/13.3-n257454
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The corresponding part of the security audit report as provided by
Synacktiv will be published in due course.
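The workaround and solution sections of this advisory turn on one fact: only guests started with an xhci slot are exposed, and only their bhyve processes have to be stopped and started again after the fix is installed. The script below is an added example, not code from the advisory or from the bhyve project. It takes bhyve(8) command lines, one per line (for instance the ones your rc or VM-manager scripts launch guests with; bhyve's own syntax puts the guest name last), and reports which guests attach an XHCI controller through `-s`, in both the `-s 30,xhci,tablet` and the joined `-s30,xhci,tablet` spelling. The sample command lines are constructed, and guests configured only through bhyve_config(5) files (`-k`/`-o`) are not inspected, so treat those as affected unless their configuration shows otherwise; both points are assumptions of the example.

```sh
#!/bin/sh
# Added example for FreeBSD-SA-24:12 (not code from the advisory or from bhyve).
# Reads bhyve(8) command lines, one per line, and reports the guests that attach
# an emulated XHCI controller via "-s <slot>[:<function>],xhci[,<conf>]".
# Those are the guests whose bhyve process must be stopped and started again
# once the fix is installed; guests without an xhci slot are not affected.
# Assumptions: the guest name is the last argument (bhyve's own syntax), and
# guests configured purely through bhyve_config(5) files (-k / -o) are not
# inspected here.

# bhyve_emul_is_xhci "slot[:function],emulation[,conf]": 0 if the emulation
# field is xhci, 1 otherwise. Only the field after the first comma counts, so
# "-s 5,virtio-net,xhci" does not match.
bhyve_emul_is_xhci() {
    emul=${1#*,}
    emul=${emul%%,*}
    [ "$emul" = xhci ]
}

# bhyve_cmdline_has_xhci "bhyve ... vmname": 0 if any -s slot is xhci.
# Accepts both "-s 30,xhci,tablet" and the joined form "-s30,xhci,tablet".
bhyve_cmdline_has_xhci() {
    set -- $1                      # split on whitespace into arguments
    while [ $# -gt 0 ]; do
        case "$1" in
            -s)  bhyve_emul_is_xhci "${2:-}" && return 0
                 [ $# -gt 1 ] && shift ;;
            -s*) bhyve_emul_is_xhci "${1#-s}" && return 0 ;;
        esac
        shift
    done
    return 1
}

# bhyve_xhci_guests: read command lines on stdin, print each affected guest's
# name. Returns 0 if at least one affected guest was found, 1 otherwise.
bhyve_xhci_guests() {
    found=1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if bhyve_cmdline_has_xhci "$line"; then
            printf '%s\n' "${line##* }"     # guest name is the last argument
            found=0
        fi
    done
    return $found
}

# Constructed sample command lines; not taken from any real host.
sample_bhyve_cmdlines() {
    cat <<'EOF'
bhyve -c 2 -m 2G -A -H -P -s 0,hostbridge -s 3,ahci-hd,/vm/web01.img -s 4,virtio-net,tap0 -s 29,fbuf,tcp=0.0.0.0:5900 -s 30,xhci,tablet -s 31,lpc -l com1,stdio web01
bhyve -c 4 -m 4G -A -H -P -s0,hostbridge -s3,ahci-hd,/vm/db01.img -s4,virtio-net,tap1 -s29:0,xhci,tablet -s31,lpc db01
bhyve -c 1 -m 1G -A -H -P -s 0,hostbridge -s 3,virtio-blk,/vm/build01.img -s 4,virtio-net,tap2 -s 31,lpc -l com1,stdio build01
EOF
}

# Usage: sh xhci-guests.sh --demo                  (prints web01 and db01)
#        bhyve_xhci_guests < my-bhyve-cmdlines.txt  after sourcing this file
if [ "${1:-}" = "--demo" ]; then
    sample_bhyve_cmdlines | bhyve_xhci_guests
fi
```

The emulation name is taken strictly from the field after the slot, so a conf string that happens to contain "xhci" does not produce a false positive; when in doubt about how a guest was launched, restarting every bhyve process after the update is the safe choice.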
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY544ACgkQbljekB8A
Gu+rCw/9FKPcF1L1kRh6J9Y6TLEmMIQx95YwodI4O11KMjgEL3wnz36p/Mrkrj8Z
g8h2+OBmqdr8NegyKHIuOHo8j9M892dnZpGWjyCgtbpnc57rXZhm83DDzRQ2r9OP
7yOWftWjgje1cyTphlFAr2p6IWg6z+6UicGwmeV17FSaG5rPjWuYoOOt63kzk3NA
0viDPIgLpoyGRCaiXa/sdoM2YQH9FxzKEC2yeURF/mLSPEFhaMO6SS8nrxmRC9Wc
f8DP5G00I3RPjAQ5ehXc5n0z88SHGKJc/dstI4jSzguyBNO8HQtCD6HC6uEo0ACV
EEJ80FJ+TOfZ9fhHkyEpGfMxwsAjpzud0zZWKV8+4jeY3kIp94g8MCKrHkLr6hXL
0+DMBsdqNS3T7lPzIimhJ7cwk/fXVQvUWu3rGBO33l3IUK0BWz/o3cTARTPEl/Zi
MMBETwn+ga6JioRBTmmOMazufAyA3Nlf/eRzIc9RGTUBjoqnY0jHzdwfPI8hDKXR
1bi1Rii8IcAmaHvMkGww6PJOkRTV8uyuW6JZ2te8V8PC5ojdUniYq5JN6mbrkpOR
RIYt3f16o6ANZ9qgMqmq2gdBBnJ80LDkQa71FV1bDf9g/LEd5aDynloaZb5D3EMp
0J0ZIPKKy/qprhVzEjxROzhLzNH0bJy6yaQhoxPY3QLzU78qrE4=
=nYwM
-----END PGP SIGNATURE-----

From nobody Wed Sep 4 23:37:24 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:13.openssl
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20240904233724.BA2A7271F9@freefall.freebsd.org>
Date: Wed, 04 Sep 2024 23:37:24 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume]
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:13.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Possible DoS in X.509 name checks in OpenSSL

Category:       contrib
Module:         openssl
Announced:      2024-09-03
Credits:        David Benjamin (Google)
Affects:        FreeBSD 14.x
Corrected:      2024-09-03 17:09:21 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:35 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:20 UTC (releng/14.0, 14.0-RELEASE-p10)
CVE Name:       CVE-2024-6119

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit for the Transport Layer Security (TLS)
protocol.  It is also a general-purpose cryptography library.

II.  Problem Description

Applications performing certificate name checks (e.g., TLS clients
checking server certificates) may attempt to read an invalid memory
address when comparing the expected name with an otherName subject
alternative name of an X.509 certificate.

Basic certificate chain validation is not affected.  The issue only
occurs when an application also specifies an expected DNS name, Email
address or IP address.

III. Impact

Affected applications may terminate abnormally, leading to a denial of
service.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
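Both update procedures below end with restarting every daemon that uses the library: a process that still has the old libssl/libcrypto mapped keeps running the vulnerable name-check code until it is restarted, however current the files on disk are. The following is an added example, not code from the advisory or from OpenSSL: a POSIX sh filter over the output of `procstat -va` (run as root so that every process's mappings are visible) that lists, per PID, the OpenSSL shared objects mapped. It assumes only that the PID is the first column and the path the last; the sample output is constructed. Copies under /lib and /usr/lib are the base-system library this advisory updates; anything under /usr/local is a port's OpenSSL, updated with pkg(8), and is listed separately so it is not mistaken for the base copy.

```sh
#!/bin/sh
# Added example for FreeBSD-SA-24:13 (not code from the advisory or from OpenSSL).
# Lists which running processes have libssl/libcrypto mapped, from the output of
#     procstat -va
# run as root so that every process's mappings are visible. Only two columns
# are used and assumed: PID first, PATH last. Anything under /usr/local is a
# port's OpenSSL, updated via pkg(8), not by this base-system advisory.

# openssl_mappings: read procstat -va lines on stdin; print "PID PATH" once per
# distinct OpenSSL shared object mapped. Returns 0 if any were found, 1 if none.
openssl_mappings() {
    while read -r pid rest; do
        case "$pid" in
            PID|'') continue ;;                    # column header or blank line
        esac
        path=${rest##* }                           # PATH is the last column
        case "$path" in
            */libssl.so*|*/libcrypto.so*) printf '%s %s\n' "$pid" "$path" ;;
        esac
    done | LC_ALL=C sort -k1,1n -k2,2 -u | grep .
}

# openssl_pids: the distinct PIDs from openssl_mappings, one per line; feed them
# to "ps -o pid,comm -p" to see which daemons need a restart.
openssl_pids() {
    openssl_mappings | cut -d ' ' -f1 | uniq
}

# openssl_base_mappings: only the base-system copies (/lib, /usr/lib), which
# are what SA-24:13 updates.
openssl_base_mappings() {
    openssl_mappings | grep -E '^[0-9]+ /(usr/)?lib/'
}

# Constructed sample of procstat -va output; not captured from a real host.
sample_procstat_output() {
    cat <<'EOF'
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
  812           0x1021000          0x1040000 r--    8    0   2   1 CN--- vn /usr/sbin/syslogd
  812         0x8009a0000        0x800a40000 r--   40    0  60   1 CN--- vn /lib/libc.so.7
 1250           0x1021000          0x10e0000 r--   40    0   2   1 CN--- vn /usr/sbin/sshd
 1250         0x800a3c000        0x800a9d000 r--   27    0   3   1 CN--- vn /usr/lib/libssl.so.30
 1250         0x800b00000        0x800e40000 r--  300    0   3   1 CN--- vn /lib/libcrypto.so.30
 1250         0x800e40000        0x800e60000 rw-   20   20   1   0 ----- vn /lib/libcrypto.so.30
 1250         0x801000000        0x801100000 rw-   12   12   1   0 ----- sw -
 2200           0x1021000          0x1120000 r--   60    0   4   1 CN--- vn /usr/local/sbin/nginx
 2200         0x800c00000        0x800c40000 r--   30    0   4   1 CN--- vn /usr/local/lib/libssl.so.3
 2200         0x800d00000        0x801000000 r--  400    0   4   1 CN--- vn /usr/local/lib/libcrypto.so.3
EOF
}

# Usage: sh openssl-users.sh --host    (on the FreeBSD host, as root)
#        sh openssl-users.sh --demo    (runs over the constructed sample)
case "${1:-}" in
    --demo) sample_procstat_output | openssl_base_mappings ;;
    --host) procstat -va | openssl_mappings ;;
esac
```

A library mapped several times (text and data segments) collapses to one line per PID and path, so the output is directly a restart list; `openssl_pids` reduces it further to the PIDs to hand to `ps -p`. A long-running process that shows up here after the update has been installed is exactly one the advisory's "restart all daemons that use the library" step is about.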
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              5946b0c6cbc7    stable/14-n268645
releng/14.1/                            9a5a7c90d5e5  releng/14.1-n267703
releng/14.0/                            abd3a7939117  releng/14.0-n265440
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY55AACgkQbljekB8A
Gu/qxQ/9H4Iaao+a5X4aXiV1iU+fT2KSli8fMZKeRw/OOIAztSOHZp7go0noAX65
SVwsb0fShwqAfDpeZhSjzMjpMmfkwQUkRbMK1SD+zLznSmC1McKF/EIAWrMwr78z
zDLv497wh26tY+3CUZJQPwkodTvkHnwU0jeUSTjHqC+lOQeOcQ9HwL0T4FsHw4HF
BJEX/k6uabpXsQe4H9U8C3MbUlOxiKfwFZAxDBhei2zZN/kfAY63iQhVH6/Ls5BG
ei7TcEF2e6ylhdaLcCxpArRrdql1VQ4SanAGVW4MQ/2s3YpxQYweKGMg4VSZvqXt
07mBlNHcLepsHK1/qXhDqO/UMO5QsSsH1trwiohmZRQZJp4wXFsGhc102dezDbun
TEJutKpNsojvWQ01IFcykCkvH2AAGXHJTB8H3jVXhBIU6DuqcmjVc8WXbrdN0vX8
KcZgI7S5PyQ0WF+ESqR5MHGXx7Qr9uZPKSMvPq0/g2d+6G52/Yw4oZ3rZtqU34iO
uLq+FApa0Ema3jzxhq89c9oybfADpBDmYsAfqfMqexS+nIuPjeUpcv9gCukr2Of3
rJDxx2hF/1c/hd83Pp7MKBT/x/4E3vombPjeNeP/sBLhXFSKiVxUDYGYgm6yw3GA
E7rv33ZJ09RaDGp9jbYaV5rOuEWAZpy42X/LsHjI9W3v0sGCJvU=
=JDHd
-----END PGP SIGNATURE-----

From nobody Wed Sep 4 23:37:29 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:14.umtx
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20240904233729.EAF61271FB@freefall.freebsd.org>
Date: Wed, 04 Sep 2024 23:37:29 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume]
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:14.umtx                                       Security Advisory
                                                          The FreeBSD Project

Topic:          umtx Kernel panic or Use-After-Free

Category:       core
Module:         kern
Announced:      2024-09-04
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-04 16:00:58 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:40 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:24 UTC (releng/14.0, 14.0-RELEASE-p10)
                2024-09-04 16:05:17 UTC (stable/13, 13.4-STABLE)
                2024-09-04 19:58:30 UTC (releng/13.4, 13.4-RC2-p1)
                2024-09-04 20:29:50 UTC (releng/13.3, 13.3-RELEASE-p6)
CVE Name:       CVE-2024-43102

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The _umtx_op(2) system call provides support for the implementation of
synchronization primitives between threads, and is used by the 1:1
Threading Library (libthr, -lthr) to implement IEEE Std 1003.1-2001
(“POSIX.1”) pthread locks, like mutexes, condition variables and so on.
In particular, its UMTX_OP_SHM operation provides support for anonymous
shared memory associated with a particular physical address, which is
used to implement process-shared mutexes (PTHREAD_PROCESS_SHARED).

II.  Problem Description

Concurrent removals of such a mapping by using the UMTX_SHM_DESTROY
sub-request of UMTX_OP_SHM can lead to decreasing the reference count of
the object representing the mapping too many times, causing it to be
freed too early.

III. Impact

Malicious code exercising the UMTX_SHM_DESTROY sub-request in parallel
can panic the kernel or enable further Use-After-Free attacks,
potentially including code execution or Capsicum sandbox escape.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:14/umtx.patch
# fetch https://security.FreeBSD.org/patches/SA-24:14/umtx.patch.asc
# gpg --verify umtx.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in  and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              4938f554469b    stable/14-n268665
releng/14.1/                            f4a2dbb81603  releng/14.1-n267707
releng/14.0/                            37823ca38148  releng/14.0-n265444
stable/13/                              a73a70472c47    stable/13-n258319
releng/13.4/                            7739dab97433  releng/13.4-n258248
releng/13.3/                            8fd0fa88b5a6  releng/13.3-n257458
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY55IACgkQbljekB8A
Gu9grQ/+J7wLENdAwj/vclXgEwiqMtVBud/oWWXL6/h8YzSCOGRW88NsGrhkS+I4
ykWVdCcTvOqP8FvArarQVTfmMD/dQvAZZciHMkYDrQhjd7BwBuWVkLe1YdA1VR0o
TT5gVclbJFJP3kvC+ivusN+hVn8Iacb0bvLn47/7pBKL96cCx1aTcP9XtHJqPZAr
W80C5+4Z6qE0bUcCZ5lT8/6XvBtQNiD7otA7h5vBGMoIlBHgrxvYIz+QxAoOJ9Ke
DvwNKjAm1nYrgiAzAF7lgPWLe6TxYxfYVcyEdm2UJnVpZqldnZevjIFD4DgaijKF
dPT99EJdgkDQMqaiRM4VqlkcQvzZC/MatV9ypcStoRvQhQZczemLZdEVcf2luEdo
r6RLvCGQPiSbeANc2DV/J35oX/Zwr9KN29ttkOqisVfadIba2LXANUiAF/x3SReo
B/Gyilla4SU42obSaDuOe7fuDxj1HS4vAcJ03BQP0VfMNFkUaqb6ZoXioWhgtHAO
E1zRIJcht1Ad2mEJtMid51co40g1Gd0lcxgEF0UOaIm5gTbYGKD+9tiOBaxvXlxC
eDiKChtB31XWmfnuK4fSKh28dfyu+ltRUVsmQbakpQyufWx/RhSk3neZs44SNrwq
SEX5SZ9Rt+E8uBZYU/rDzP2N6cd9ayMANCanuh2GPjorf15Em3g=
=/sml
-----END PGP SIGNATURE-----
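The three advisories in this batch land at the same releng patch levels (14.1-RELEASE-p4, 14.0-RELEASE-p10, 13.4-RC2-p1 and 13.3-RELEASE-p6; SA-24:13 affects 14.x only) and each gives a first-parent commit count for the stable branches. The script below is an added example, not code from the advisories or from the FreeBSD project: it encodes those tables in POSIX sh and answers whether a freebsd-version(1) string, or a `git rev-list --count --first-parent HEAD` count taken in the source tree a stable system was built from, has reached them. It keeps kernel and userland apart because SA-24:14 is a kernel fix (what `freebsd-version -k` reports) while SA-24:12 and SA-24:13 are userland fixes (`freebsd-version -u`), and a freebsd-update(8) run that installs only userland patches leaves the kernel string where it was. Versions the tables do not name (a -STABLE or -CURRENT tree, or releases published after these advisories) are reported as unknown rather than guessed; extending the two tables is the reader's job.

```sh
#!/bin/sh
# Added example, not part of the advisories above: decide whether a host has
# reached the patch levels that contain the fixes for FreeBSD-SA-24:12 (bhyve),
# SA-24:13 (openssl) and SA-24:14 (umtx), using the strings freebsd-version(1)
# prints and the commit counts from the Correction details tables.
# SA-24:14 is a kernel fix, so the kernel version (freebsd-version -k) matters
# for it; SA-24:12 and SA-24:13 are userland fixes (freebsd-version -u).

# Lowest releng patch level at which all three fixes are present, taken from
# the Corrected: fields (SA-24:13 affects 14.x only, so the 13.x levels come
# from SA-24:12 and SA-24:14). Anything else is unknown to this table.
required_patch_level() {
    case "$1" in
        14.1-RELEASE) echo 4 ;;
        14.0-RELEASE) echo 10 ;;
        13.4-RC2)     echo 1 ;;
        13.3-RELEASE) echo 6 ;;
        *)            return 1 ;;
    esac
}

# Highest first-parent commit count listed for the stable branches
# (stable/14-n268665 and stable/13-n258319, both from SA-24:14).
required_commit_count() {
    case "$1" in
        stable/14) echo 268665 ;;
        stable/13) echo 258319 ;;
        *)         return 1 ;;
    esac
}

# release_is_fixed VERSION: VERSION as printed by freebsd-version, e.g.
# "14.1-RELEASE-p3". Returns 0 if fixed, 1 if not, 2 if VERSION is not a
# release this table knows (a -STABLE or -CURRENT tree, or a newer release).
release_is_fixed() {
    case "$1" in
        *-p*) base=${1%-p*}; level=${1##*-p} ;;
        *)    base=$1;       level=0 ;;
    esac
    case "$level" in *[!0-9]*|'') return 2 ;; esac
    need=$(required_patch_level "$base") || return 2
    [ "$level" -ge "$need" ]
}

# stable_is_fixed BRANCH COUNT: BRANCH is "stable/14" or "stable/13"; COUNT is
# the output of "git rev-list --count --first-parent HEAD" in the source tree
# the running system was built from. Same return values as release_is_fixed.
stable_is_fixed() {
    case "$2" in *[!0-9]*|'') return 2 ;; esac
    need=$(required_commit_count "$1") || return 2
    [ "$2" -ge "$need" ]
}

# check_host: report kernel and userland status of the machine this runs on.
check_host() {
    for what in kernel userland; do
        case $what in
            kernel)   ver=$(freebsd-version -k); sa="SA-24:14" ;;
            userland) ver=$(freebsd-version -u); sa="SA-24:12, SA-24:13" ;;
        esac
        release_is_fixed "$ver" && rc=0 || rc=$?
        case $rc in
            0) echo "$what $ver: fixed ($sa)" ;;
            1) echo "$what $ver: NOT fixed ($sa)" ;;
            *) echo "$what $ver: not a release this table knows; on a stable" \
                    "branch compare 'git rev-list --count --first-parent HEAD'" \
                    "against stable_is_fixed" ;;
        esac
    done
}

# Usage: sh patchlevel.sh --host                      (on the FreeBSD host)
#        . ./patchlevel.sh; release_is_fixed 14.1-RELEASE-p3; echo $?
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

The patch-level comparison is numeric on the `-pN` suffix only after the base release string matched a table row exactly, so a 13.4-RC2 string is never compared against the 13.3-RELEASE row and a bare `14.1-RELEASE` counts as p0. On a stable branch the n-count is the only reliable indicator, and it is only comparable when it was produced with `--first-parent` on the same branch the table row names.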