From owner-freebsd-security@FreeBSD.ORG Tue Apr 7 20:54:06 2015
Date: Tue, 7 Apr 2015 20:54:05 GMT
Message-Id: <201504072054.t37Ks5Wh015114@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp [REVISED]
Reply-To: freebsd-security@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:04.igmp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Integer overflow in IGMP protocol

Category:       core
Module:         igmp
Announced:      2015-02-25; Last revised on 2015-04-07
Credits:        Mateusz Kocielski, Logicaltrust, Marek Kroemeke, and
                22733db72ab3ed94b5f8a1ffcde850251fe6f466
Affects:        All supported versions of FreeBSD.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name:       CVE-2015-1414

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

0.   Revision history

v1.0  2015-02-25  Initial release.
v1.1  2015-04-07  Revised patch to address a potential overflow issue.

I.   Background

IGMP is a control plane protocol used by IPv4 hosts and routers to propagate
multicast group membership information.  IGMP version 3 is implemented on
FreeBSD.

II.  Problem Description

An integer overflow in computing the size of the IGMPv3 data buffer can
result in a buffer which is too small for the requested operation.

III. Impact

An attacker who can send specifically crafted IGMP packets could cause a
denial of service situation by causing the kernel to crash.

IV.  Workaround

Block incoming IGMP packets by protecting your host/networks with a firewall.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
# gpg --verify igmp.patch.asc

# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch.asc
# gpg --verify igmp-errata.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r281231
releng/8.4/                                                       r281233
stable/9/                                                         r281231
releng/9.3/                                                       r281233
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:
VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVJD39AAoJEO1n7NZdz2rnewwQAN9xI01nzOO71Q7qP7xDq+wu
RW2C+2A4viIZIId1od6GiDY7Qpigy1CMwHsae6qJ62R+D5F2x9vANV4U6AS44oNy
2jDwbrByM7QQ3qeCh8NzCUvOwPuXyKsAGKV73t3QPk0leKdbqUyjTooWJtZAv0dN
VgQ4VCQh+2ZlxjMT0igUScmCVqOncRUm33xKBLeTif5LZHi/afkR6CToMlACOvl3
syJNhEeM+zYU9XLzb90hAjvqn1xLDkoS4qJNbrekj0/dI0jkgZdk18QAualwWgeZ
i39Da6IQ4wCn8Sx9o8pc8NdtzHn37rmOcdzBIodzxa1vALmNhDWuBpIIysffsZvf
ewVdI83pabRdZZxO1YAPjJi34CTXmvwf8Hit/hh0n1AO21lhr0NhwQzEn7gmLqSh
JZYg46k6tNGy6qUa1NU/ywja0kLCG0KdR1FO9IKaN6TCgB30bpndGq1Y0esX1Mo8
5xq/P/KoNPE9BzifyhbDBt77eEmfpiKIuQXQVP3B1n3KEDDUlSSeiz3x0h9ZOjfm
vLb1hinfp1RPC4S72a0Zts6r60aee9dMWd/DvC8RqWQqEE0PUamipL2ClzBmOpTK
F9b2y9776hfPV/mvGUwS7H63mAMJkMOTDGZn3WWIT3Dmr6Eru0/t1XXqCPB4cNUl
uf5sxNtEDjXadkeM20lu
=y2yR
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Apr 7 20:54:06 2015
Date: Tue, 7 Apr 2015 20:54:05 GMT
Message-Id: <201504072054.t37Ks5Iq015120@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:09.ipv6
Reply-To: freebsd-security@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:09.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Denial of Service with IPv6 Router Advertisements

Category:       core
Module:         ipv6
Announced:      2015-04-07
Credits:        Dennis Ljungmark
Affects:        All supported versions of FreeBSD.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name:       CVE-2015-2923

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability information.
Routers advertise their presence together with various link and Internet
parameters either periodically, or in response to a Router Solicitation
message, using Router Advertisement (ICMPv6 type 134).
II.  Problem Description

The Neighbor Discovery Protocol allows a local router to advertise a
suggested Current Hop Limit value for a link, which replaces the Current Hop
Limit on the interface connected to that link on the FreeBSD system.

III. Impact

When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets may
get dropped before they reach their destinations.  By sending specifically
crafted Router Advertisement packets, an attacker on the local network can
cause the FreeBSD system to lose the ability to communicate with another IPv6
node on a different network.

IV.  Workaround

Only systems that are manually configured to use the "accept_rtadv"
ifconfig(8) flag on an interface are affected.  The system administrator may
decide to disable acceptance of Router Advertisements from untrusted networks
on a per-interface basis, by removing the accept_rtadv flag at run time using
ifconfig(8):

	ifconfig em0 inet6 -accept_rtadv

Note that an interface does not accept Router Advertisement messages by
default even if an IPv6 address is configured.  One can tell whether an
interface is accepting Router Advertisement messages from the presence of
ACCEPT_RTADV in the "nd6 options" line of ifconfig(8) output:

	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r281231
releng/8.4/                                                       r281233
stable/9/                                                         r281231
releng/9.3/                                                       r281233
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:
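The advisory's problem description and workaround turn on one field of the Router Advertisement: a nonzero Cur Hop Limit replaces the interface's setting on a host that accepts RAs. The following is an added example, not code from the advisory or from FreeBSD: it decodes the fixed part of an ICMPv6 RA (RFC 4861 section 4.2), models how an RA-accepting interface updates its hop limit (zero means "unspecified" and is ignored), and reports RAs whose hop limit falls below a locally chosen threshold. The packets, the interface state and the threshold of 32 are all constructed for the demonstration; FreeBSD's default hop limit of 64 is the net.inet6.ip6.hlim sysctl.

```python
"""Parse ICMPv6 Router Advertisements and flag ones that would install a
small Cur Hop Limit on a host that accepts RAs (added example; the packets
below are constructed, not captures)."""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
# RFC 4861 section 4.2 fixed part: type, code, checksum, cur hop limit,
# M/O flag byte, router lifetime, reachable time, retrans timer
RA_HEADER = struct.Struct("!BBHBBHII")


def parse_router_advertisement(icmpv6: bytes) -> dict:
    """Decode the fixed part of a Router Advertisement; options are ignored."""
    if len(icmpv6) < RA_HEADER.size:
        raise ValueError("truncated ICMPv6 message")
    (msg_type, code, _checksum, hop_limit, flags,
     router_lifetime, reachable_time, retrans_timer) = RA_HEADER.unpack_from(icmpv6)
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {
        "cur_hop_limit": hop_limit,
        "managed": bool(flags & 0x80),
        "other_config": bool(flags & 0x40),
        "router_lifetime": router_lifetime,
        "reachable_time": reachable_time,
        "retrans_timer": retrans_timer,
    }


def apply_ra_hop_limit(iface: dict, ra: dict) -> dict:
    """Model what an RA-accepting interface does with Cur Hop Limit: a
    nonzero value replaces the interface setting; zero means 'unspecified
    by this router' and leaves it alone (RFC 4861)."""
    updated = dict(iface)
    if ra["cur_hop_limit"] != 0:
        updated["cur_hop_limit"] = ra["cur_hop_limit"]
    return updated


def hop_limit_alerts(packets, min_hop_limit: int = 32):
    """Return (index, hop_limit) for every RA whose nonzero Cur Hop Limit is
    below min_hop_limit. The threshold is a local policy choice (assumed
    here); FreeBSD's default hop limit is 64 (net.inet6.ip6.hlim)."""
    alerts = []
    for i, pkt in enumerate(packets):
        try:
            ra = parse_router_advertisement(pkt)
        except ValueError:
            continue  # not an RA (or truncated): nothing to judge
        if 0 < ra["cur_hop_limit"] < min_hop_limit:
            alerts.append((i, ra["cur_hop_limit"]))
    return alerts


def make_ra(hop_limit: int, lifetime: int = 1800) -> bytes:
    """Build a minimal RA with a zero checksum (constructed test input)."""
    return RA_HEADER.pack(ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, hop_limit, 0,
                          lifetime, 0, 0)


# Constructed sample: a normal RA, one that leaves the hop limit alone,
# and one that would drive the hop limit down to 1.
SAMPLE_PACKETS = [make_ra(64), make_ra(0), make_ra(1)]

if __name__ == "__main__":
    iface = {"name": "em0", "cur_hop_limit": 64}
    for pkt in SAMPLE_PACKETS:
        iface = apply_ra_hop_limit(iface, parse_router_advertisement(pkt))
        print(iface)
    print("alerts:", hop_limit_alerts(SAMPLE_PACKETS))
```

The alert function is the detection side of the advisory's workaround: on an interface where accept_rtadv stays enabled, an RA advertising a tiny hop limit is exactly the packet to log before it silently shortens every outbound path.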
VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn13cQANJCk2LXSX8GDHGzWnD+D5gN
rNC4Q8n9CnN80ZO/0Pk0Xx2VAtr3CKxflBTXBKISKuY+dWOzNvuUuUUkrB9SlyTj
MYpqAljnBT0JkosGGBKJwt39DjW34HWlaj9wEPr1SdIq5vQO0cXS2glVPI/CQuy3
NwnpaAmftAG4eMSYojOeodXniha/ZasFap5Zj+1dgofFHEP87zxefP2IamG1Cq72
d8YJSCD8yy51mZ7dVFM29R3FAFdMpponci31dXGb5p8pj0yzVfvI/HF1MRK+x8Nz
R0/jFOHY4TR26BfKsc4Nc6Ze7jdZHUP1qWoL2O6HiLVqws0nQp3jma7FkMrUMuui
H9kAQaIc27tJOkSK4Gdc/dwzHgb3xr2fNfOjvbUv3VNjzijTzbzKfRlVH77EAxAi
sQfUcql/toGdC/QaOlhC8+v5jHdwkLdpfRc4QdsV1rKDAA8mj068sJQS/yAig8E8
QUNmB3UK1QsX3tmy0JuDJk7tr/jjnhl2Jt9Skvm70xUiA7G05Z1qouErkIAjwikY
zQSPpSQebi3am9TtK/GViOjEVpWLYzLFYo6laR8wMw9eJsj0xlF8Qqz+0HudqfSt
lMOfpVfUmBSIxlFdiIzMBfbpLdD1gSo4oBLIYA/xw7UtDMiWi2Iji/mBY1Jg/i5V
ZCTwZmnmaVuPcsGOzv5W
=A2Am
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Apr 7 20:54:05 2015
Date: Tue, 7 Apr 2015 20:54:05 GMT
Message-Id: <201504072054.t37Ks5i3015112@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:08.bsdinstall
Reply-To: freebsd-security@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:08.bsdinstall                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Insecure default GELI keyfile permissions

Category:       core
Module:         bsdinstall
Announced:      2015-04-07
Credits:        Pierre Kim
Affects:        FreeBSD 10.1.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
CVE Name:       CVE-2015-1415

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The GEOM ELI class, or geli(8), implements encryption on GEOM providers and
supports various cryptographic encryption and authentication methods as well
as hardware acceleration.  Each geli(8) provider has two key slots, and each
slot holds a copy of its master key encrypted by a keyfile and/or a
passphrase chosen by the system administrator.

The bsdinstall(8) installer is the default system installer of FreeBSD since
FreeBSD 10.0-RELEASE.

II.  Problem Description

The default permission set by the bsdinstall(8) installer when configuring
full disk encrypted ZFS is too open.

III. Impact

A local attacker may be able to get a copy of the geli(8) provider's keyfile,
which is located at a fixed location.
IV.  Solution

Note well: due to the nature of this issue, there is no way to fix this
issue for already installed systems without human intervention.  System
administrators are advised to assume that the keyfile has already been
leaked and a new keyfile is necessary.

The system administrator can create a new keyfile with the correct
permissions, and change the key slot that holds the master key encrypted
with the old keyfile.  For example, if the GELI provider is /dev/ada0, the
system administrator can do the following:

# umask 077
# dd if=/dev/random of=/boot/encryption.key.new bs=4096 count=1
# umask 022
# geli setkey -K /boot/encryption.key.new /dev/ada0p3
Enter new passphrase:
Reenter new passphrase:
(Repeat the geli setkey command if multiple providers are used)
# mv /boot/encryption.key.new /boot/encryption.key
# ls -l /boot/encryption.key

Make sure that the new /boot/encryption.key can only be read by root.

The FreeBSD stable and security branches (releng) have been updated; the
changes are mainly intended for system integrators who build their own
installation image for new installations.

V.   Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:
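The keyfile procedure above depends on two things: the new file is created with mode 0600 regardless of the caller's umask, and the result is verified ("can only be read by root") before the old key is retired. The following added example, which is not part of the advisory or of FreeBSD, does both in Python: it creates a 4096-byte random keyfile through open(2) with an explicit mode and O_EXCL, and reports why a keyfile fails the root-only-readable check. It writes only to a temporary directory, never to /boot/encryption.key, and the ownership check is switched off in the demonstration because the demo need not run as root.

```python
"""Create a geli(8) keyfile that only its owner can read and verify it,
independent of the caller's umask (added example; files are created in a
temporary directory, not under /boot)."""
import os
import stat
import tempfile

KEYFILE_SIZE = 4096  # same amount of key material as the advisory's dd command


def create_keyfile(path: str, size: int = KEYFILE_SIZE) -> None:
    """Write `size` random bytes to a new file created with mode 0600.
    O_EXCL refuses to overwrite an existing file, and passing the mode to
    open(2) means the umask can only tighten it, never loosen it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))


def keyfile_problems(path: str, require_root_owner: bool = True) -> list:
    """Return the reasons a keyfile fails the 'only root can read it' check;
    an empty list means it passes."""
    st = os.lstat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink or device?)")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("group/other bits set: mode %o" % mode)
    if require_root_owner and st.st_uid != 0:
        problems.append("owner uid %d is not root" % st.st_uid)
    if st.st_size == 0:
        problems.append("empty keyfile")
    return problems


def run_demo() -> tuple:
    """Create a correct keyfile and an over-permissive copy (the state the
    advisory fixes) in a scratch directory; return both problem lists."""
    with tempfile.TemporaryDirectory() as tmpdir:
        good = os.path.join(tmpdir, "encryption.key.new")
        create_keyfile(good)
        leaky = os.path.join(tmpdir, "encryption.key.leaky")
        create_keyfile(leaky)
        os.chmod(leaky, 0o644)  # world-readable: what the installer left behind
        return (keyfile_problems(good, require_root_owner=False),
                keyfile_problems(leaky, require_root_owner=False))


if __name__ == "__main__":
    ok, bad = run_demo()
    print("correct keyfile problems:", ok)
    print("leaky keyfile problems:  ", bad)
```

On a real system the check runs with require_root_owner left at its default, against /boot/encryption.key after the geli setkey and mv steps; a non-empty list means the rotation is not finished.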
VI.  References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rntF0P/0vVZ6W5xpIAm5K7eS184GaJ
TuQ0E5XdqH1i6smYxAwUHtINFmAJ11cv+KwAbwFwazdB9jy4def6kwBZ/PE1y1M9
OGi/JD3RghL0RrrrIzADVz5Z4Hi401BmLN7aOW9REX75/o82XqGXTRlDmow5z22D
/B4NRNQ0p6cwmwh179HHuJPgQsDmL3mBkgn4oMv1036q9VjP5V/b+i2Ja/I6oCa/
ZJhdEg17P9ek6GBna/fV7yo1Cr+A7v9aSUFcN9E8VqoWGn06jO0sLjWCC9Lrc6sZ
KAgFbxNuPW/eZOE447DIu9jrgE8xxBFn6skeW81jsPsT4FsF/7KWG+dxBOa9XxOH
XQTzc9sx3tsRVUzEBUGHRpPh/ZbkqtqQ5MYrAYk66NJ1NFqbrhY08mqzOd4+Sr7a
CUMV/1vD0pCRME8bgIVupKciIw9y6QYWo2Gm+BJIqAw7L8EaEhaN7nnBxDbRehlj
PdRYxHO4aQLIxdaV4dtDx3SX+njRxyVP/0OOSVQz1laiKadsRO2YQe+IhVoFhU5v
fLSoBI+8mX8Sc65UasqsuNXC3G2c6XXKkLBCYzmL90R2pwPtxbQRTDVGMmG9fyyc
b4w+yindLcwKXxKJryQWswAbv6hBQunAoCaVsqiIdF2N9Psrlr3FhkU//JbvrxA1
COcciZEksTS0JwEpOGi5
=wg1b
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Apr 7 20:54:06 2015
Date: Tue, 7 Apr 2015 20:54:05 GMT
Message-Id:
 <201504072054.t37Ks5BU015118@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:07.ntp
Reply-To: freebsd-security@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:07.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2015-04-07
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name:       CVE-2014-9297, CVE-2015-1798, CVE-2015-1799

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time source.

II.  Problem Description

The vallen packet value is not validated in several code paths in
ntp_crypto.c.
[CVE-2014-9297]

When ntpd(8) is configured to use a symmetric key to authenticate a remote
NTP server/peer, it checks if the NTP message authentication code (MAC) in
received packets is valid, but not that there actually is any MAC included,
and packets without a MAC are accepted as if they had a valid MAC.
[CVE-2015-1798]

NTP state variables are updated prior to validating the received packets.
[CVE-2015-1799]

III. Impact

A remote attacker who can send specifically crafted packets may be able to
reveal memory contents of ntpd(8) or cause it to crash, when ntpd(8) is
configured to use autokey. [CVE-2014-9297]

A man-in-the-middle (MITM) attacker can send specially forged packets that
would be accepted by the client/peer without having to know the symmetric
key. [CVE-2015-1798]

An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can periodically send a specially crafted or replayed
packet which will break the synchronization between the two peers due to
transmit timestamp mismatch, preventing the two nodes from synchronizing
with each other, even when authentication is enabled. [CVE-2015-1799]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r281231
releng/8.4/                                                       r281233
stable/9/                                                         r281231
releng/9.3/                                                       r281233
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:
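The CVE-2015-1798 description is a precise statement of a check ordering bug: the MAC is validated when present, but presence itself is never required. The following added example (not ntpd's code, and not from the advisory) shows the two receive-side policies side by side over constructed NTPv4 packets: the legacy symmetric-key MAC is a 4-byte key id followed by MD5 over key || message, and the only difference between the two acceptors is whether a 48-byte packet with no MAC trailer counts as authenticated. The keys and packets are constructed; extension fields are not handled, and the digest comparison is constant-time.

```python
"""Symmetric-key MAC validation for NTP packets, showing the presence
check the advisory says was missing (added example; keys and packets are
constructed, and NTP extension fields are not modelled)."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # LI/VN/mode through transmit timestamp
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16
MAC_LEN = KEY_ID_LEN + MD5_DIGEST_LEN

# Constructed symmetric keys indexed by NTP key id (demo values only).
KEYS = {1: b"constructed-demo-key-1"}


def ntp_md5_mac(key: bytes, message: bytes) -> bytes:
    """Classic NTP symmetric-key MAC: MD5 over key || message (not HMAC)."""
    return hashlib.md5(key + message).digest()


def ntp_client_header(transmit_ts: int = 0) -> bytes:
    """48-byte NTPv4 client header: LI=0, VN=4, mode=3; other fields zero
    except the transmit timestamp."""
    return struct.pack("!B", 0x23) + bytes(39) + struct.pack("!Q", transmit_ts)


def ntp_packet(key_id=None, key=None, transmit_ts: int = 0) -> bytes:
    """Header alone (unauthenticated) or header + key id + MD5 digest."""
    header = ntp_client_header(transmit_ts)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def _mac_matches(packet: bytes, keys: dict) -> bool:
    """Check the trailing key id + digest against the configured keys."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    body = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    key = keys.get(key_id)
    if key is None:
        return False  # unknown key id: cannot have been produced by a peer
    expected = ntp_md5_mac(key, body)
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + KEY_ID_LEN:])


def accept_vulnerable(packet: bytes, keys: dict) -> bool:
    """The pattern the advisory describes: the MAC is checked only when one
    is present, so a packet carrying no MAC at all is treated as authentic."""
    if len(packet) == NTP_HEADER_LEN:
        return True
    return _mac_matches(packet, keys)


def accept_fixed(packet: bytes, keys: dict) -> bool:
    """With a key configured, a MAC is mandatory: its absence is a failure,
    and a MAC that does not verify is a failure."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False
    return _mac_matches(packet, keys)


# Constructed inputs: authentic, unauthenticated, and signed with a wrong key.
GOOD = ntp_packet(1, KEYS[1], transmit_ts=0xE000000000000000)
NO_MAC = ntp_packet()
WRONG_KEY = ntp_packet(1, b"some-other-key", transmit_ts=0xE000000000000000)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("no_mac", NO_MAC), ("wrong_key", WRONG_KEY)):
        print(name, "vulnerable:", accept_vulnerable(pkt, KEYS),
              "fixed:", accept_fixed(pkt, KEYS))
```

The "no_mac" row is the whole advisory in one line: the same packet passes the vulnerable acceptor and fails the fixed one, while authentic and wrong-key packets are judged identically by both.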
VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn4doQAKwA67MgX6jiCS4dm1roREi+
G1moTCtqO8LXzH3nOOOk6R/MqFGOs6Jq8D+K/YmdD+4l3c/qCNR0qtv0YcVL0kE+
+xfaIYoGxTzlPjEfpWtceCM0wcAThaF8085hi0IAzG7ozhKPt+Inv33ISgos5c7h
zYcbTqBYgQqcJGWdftnYpZ1Nxvoa3wiOlxsOMa4qnNeUakeXcGLZ+1XB5pLjXMZF
dHfKhMS6KxcUdHoPgOj468D3bQE05puLk13Kjy+Ti38GhcgMROAsMZVOzgno3J7g
D7Hk4dR1dms+6xcSJ0BV4ej0ZfypGv0xiFmUiTk/p7AVbnqrChyjvGca+8reu+Gc
Ks/67oZjP5rc0glvRFgjJBmQV/xK2rUK805e4eAm8qBecRjDv6M3mUmPdw5BlgcA
7fcj4VdGkOzLB0Vj7uJFjf3p9cyT+x8yvMtknxehiYmrYnFDsM5d7lcv0+KnRzb2
3bt6maO40wqWIcLErFthcT/nLP+wi35aykNIbGh7PXvqL92gWX+h/xB6YY9Ouo4N
hb32W/F5O50MjL6BeY+k5J6usoFrk0EHWK+2Fxm2/AA/5K/JnryWN44F8PVPNzxE
f+Vb6CzxBvmflpa/29tF/wSD0oU78AhuShtVrnEVT5ZWJj+/PHBZtcLk2Z+s5hgd
hKFvV5Xqix0/U//+yGhj
=1fHm
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Apr 7 21:48:00 2015
Date: Tue, 7 Apr 2015 17:47:53 -0400
Subject: openssl certificates
From: el kalin
To: freebsd-security@freebsd.org, freebsd-users@freebsd.org

hello...

are there any issues with openssl certificates being verified with CA files
provided by a third party?

anytime i try:

openssl verify -CAfile company-root-ca.crt company_signed.crt

the thing just hangs forever without anything being returned at the prompt.

i have tried this with both company_signed.crt being just the signed
certificate and also a pfx in pem format - with the key in it.

also how to add a CA cert to the ca_root_nss file?
thanks…

From owner-freebsd-security@FreeBSD.ORG Tue Apr 7 22:13:16 2015
In-Reply-To: <5524525D.50500@obluda.cz>
References: <5524525D.50500@obluda.cz>
Date: Tue, 7 Apr 2015 18:13:09 -0400
Subject: Re: openssl certificates
From: el kalin
To: Dan Lukes, freebsd-security@freebsd.org, freebsd-users@freebsd.org
>> also how to add a CA cert to ca_root_nss file?
>
> If in PEM format then just append it. In DER format it is not possible.

ok. it's in pem. but for each cert my ca-root-nss.crt has a bunch of other
sections - like date, signature algorithm, etc - whereas the
company-root-ca.crt has only what's in-between the begin and end lines. does
that matter?

thanks…

From owner-freebsd-security@FreeBSD.ORG Wed Apr 8 00:12:55 2015
From: el kalin
To: Dan Lukes, freebsd-security@freebsd.org, freebsd-users@freebsd.org
Date: Tue, 7 Apr 2015 20:12:47 -0400
Subject: Re: openssl certificates
In-Reply-To: <55245C8B.3020303@obluda.cz>
References: <5524525D.50500@obluda.cz> <55245C8B.3020303@obluda.cz>

On Tue, Apr 7, 2015 at 6:39 PM, Dan Lukes wrote:
> el kalin wrote:
> >>> also how to add a CA cert to ca_root_nss file?
>
> > OK, it's in PEM. But for each cert my ca-root-nss.crt has a bunch of other
> > sections - like date, signature algorithm, etc. - whereas the company-root-ca.crt
> > has only what's in between the BEGIN and END lines. Does that matter?
>
> The certificate is located between the BEGIN and END markers only. The rest
> is comment. In most cases the text dump of the certificate is used as the
> comment, but it's up to you.

Thanks Dan… I have added the certs to the ca-root-nss.crt. It still doesn't help much in my case.

The problem really is that I can not get any HTTPS requests from a FreeBSD 10 box using a third-party signed certificate with my private key and their CA certs to work. Mostly testing with wget on the command line (it's a remote machine) like:

wget --verbose --no-cookies --certificate=local.pem --ca-certificate=/usr/local/share/ca-root-nss.crt "https://domain.org/soapservice.asmx?WSDL"

This is for a SOAP call, and the local.pem is a conversion from a PKCS12 file. Every time I do that I get:

HTTP request sent, awaiting response... 405 Method Not Allowed

Does that mean that the web server actually verified the certificate and the problem is coming from the SOAP server application?

I am able to make successful requests to retrieve the WSDL using Firefox after importing the signed certificate…

Also, when I test the certificates against the server with:

openssl s_client -cert local.pem -connect domain.org:443 -CAfile /usr/local/share/ca-root-nss.crt -debug

I get to:

Timeout : 300 (sec)
Verify return code: 0 (ok)
---

and then it just hangs, nothing happens - there is no prompt back…

Any help at this point will be appreciated… thanks...
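Dan's answer, quoted in the message above, is that only the BEGIN/END block is the certificate and the text dump that ca-root-nss.crt keeps in front of each block is just a comment, so a bare block such as company-root-ca.crt can be appended as-is. The script below is an added example, not code from the thread or from the ca_root_nss port: it extracts only the certificate blocks from a bundle, refuses to append a block that is already present (compared by its base64 body, so line wrapping does not matter), and converts a DER file first, since that cannot be appended directly. File names are the thread's placeholders; openssl is only needed by the two helpers that call it.

```shell
#!/bin/sh
# Added example, not from the thread or from the ca_root_nss port.
# Only the -----BEGIN/END CERTIFICATE----- block is the certificate; the
# text dump that precedes each block in ca-root-nss.crt is a comment.

# Print only the certificate blocks of a PEM bundle, dropping the comments.
pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }' "$1"
}

# Print each certificate's base64 body on one line with whitespace removed,
# so two files compare block by block regardless of how the lines are wrapped.
# (Equal base64 means equal DER, which is what a fingerprint would compare.)
pem_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1; b = ""; next }
         /^-----END CERTIFICATE-----$/   { p = 0; print b; next }
         p { gsub(/[ \t\r]/, ""); b = b $0 }' "$1"
}

# Number of certificates in a bundle.
pem_count() {
    pem_bodies "$1" | wc -l | tr -d ' '
}

# Optional sanity check: does the file parse as an X.509 certificate at all?
pem_ok() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# A DER file cannot be appended as-is; convert it to PEM first.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM
}

# Append the single certificate in $1 to the bundle $2 unless an identical
# block is already there. Exit status: 0 appended, 1 already present,
# 2 the input does not contain exactly one PEM certificate.
append_ca_if_missing() {
    cert=$1 bundle=$2
    [ "$(pem_count "$cert")" -eq 1 ] || {
        echo "$cert: expected exactly one PEM certificate" >&2
        return 2
    }
    body=$(pem_bodies "$cert")
    if pem_bodies "$bundle" | grep -qxF -- "$body"; then
        echo "already present in $bundle"
        return 1
    fi
    # A bare BEGIN/END block is all the bundle needs; the surrounding text
    # dump in ca-root-nss.crt is optional commentary.
    {
        printf '\n'
        pem_certs "$cert"
    } >> "$bundle"
    echo "appended $cert to $bundle"
}
```

Run as `append_ca_if_missing company-root-ca.crt /usr/local/share/ca-root-nss.crt`; the exit status tells appended (0) from already present (1). One caveat worth knowing: ca-root-nss.crt is owned by the ca_root_nss package, so a block appended by hand is lost when the package is upgraded and has to be re-added.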
From owner-freebsd-security@FreeBSD.ORG Wed Apr 8 00:53:52 2015
From: el kalin
To: Dan Lukes, freebsd-security@freebsd.org, freebsd-users@freebsd.org
Date: Tue, 7 Apr 2015 20:53:44 -0400
Subject: Re: openssl certificates
In-Reply-To: <552479C4.4030108@obluda.cz>
References: <5524525D.50500@obluda.cz> <55245C8B.3020303@obluda.cz> <552479C4.4030108@obluda.cz>

On Tue, Apr 7, 2015 at 8:43 PM, Dan Lukes wrote:
> el kalin wrote:
> > Thanks Dan… I have added the certs to the ca-root-nss.crt. It still
> > doesn't help much in my case.
>
> You didn't describe your issue in the original post.
>
> > The problem really is that I can not get any HTTPS requests from a FreeBSD
> > 10 box using a third-party signed certificate with my private key and their
> > CA certs to work. Mostly testing with wget on the command line (it's a
> > remote machine) like:
> >
> > wget --verbose --no-cookies --certificate=local.pem
> > --ca-certificate=/usr/local/share/ca-root-nss.crt "https://domain.org/soapservice.asmx?WSDL"
>
> Well ...
>
> 1. wget is a third-party utility, not a native FreeBSD one, so if it is
> wget's issue, you should ask wget's authors/support team. But don't
> forget local.pem should contain the private key as well as the certificate.

They are both together - the signed certificate and the key...

> > This is for a SOAP call, and the local.pem is a conversion from a PKCS12
> > file. Every time I do that I get:
> > HTTP request sent, awaiting response... 405 Method Not Allowed
> >
> > Does that mean that the web server actually verified the certificate and
> > the problem is coming from the SOAP server application?
>
> 2. We don't know the true reason for the "405 Method Not Allowed" response.
> It has nothing to do with FreeBSD. It's a matter of either the configuration
> of the HTTP server software (another third-party application) or the SOAP
> application. It may or may not be related to a certificate. The
> administrator of the www server/SOAP application in question should help
> you. We are unable to disclose the reason for a particular behavior of an
> unknown SOAP application.
>
> For example, you may be using the wrong HTTP method to access the application
> (just an idea derived from the error message).

I think it's just GET, like Firefox does.

> > I am able to make successful requests to retrieve the WSDL using Firefox
> > after importing the signed certificate…
>
> Maybe it is using the correct method? Just guessing ...
>
> > Also, when I test the certificates against the server with:
> >
> > openssl s_client -cert local.pem -connect domain.org:443 -CAfile
> > /usr/local/share/ca-root-nss.crt -debug
> >
> > I get to:
> >
> > Timeout : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> > and then it just hangs, nothing happens - there is no prompt back…
>
> What kind of prompt are you wishing for? You ordered a connection to the
> HTTPS server. You got it. Now you need to write an HTTP/SOAP request.
> Then you can wish for a response.
>
> I can't tell you the SOAP request format. There's nothing like a generic
> SOAP request. It's a matter of the application in question. Consult its
> documentation or ask the author.

Thank you. I think I have an idea of where to look for the answers next. Appreciate your replies...
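Dan's point about the s_client session above is that after "Verify return code: 0 (ok)" the connection is open and waiting for a request to be typed, and that 405 is an HTTP-layer reply, so by the time it arrived the TLS handshake, client certificate included, had already succeeded. The script below is an added example, not code from the thread, from wget or from OpenSSL: it builds the request s_client was waiting for, a SOAP POST for comparison (a SOAP 1.1 call is a POST carrying a SOAPAction header, whereas the WSDL is fetched with GET), and a check of the response status line. domain.org, local.pem and the CA bundle path are the thread's placeholders; the SOAPAction value and envelope passed to http_soap_post are assumptions, since the thread names no operation.

```shell
#!/bin/sh
# Added example, not from the thread. domain.org, local.pem and the WSDL
# path are the placeholders used in the thread; the SOAP operation name and
# envelope given to http_soap_post are assumptions.

# A minimal HTTP/1.1 GET with CRLF line endings. "Connection: close" makes
# the server hang up after its reply, so s_client returns instead of waiting.
http_get() {
    host=$1 path=$2
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# A SOAP 1.1 call is a POST of an XML envelope with a SOAPAction header;
# fetching the WSDL (GET) and invoking an operation (POST) are different
# requests, and a server may allow only one of them on a given path.
http_soap_post() {
    host=$1 path=$2 action=$3 bodyfile=$4
    len=$(wc -c < "$bodyfile" | tr -d ' ')
    printf 'POST %s HTTP/1.1\r\nHost: %s\r\n' "$path" "$host"
    printf 'Content-Type: text/xml; charset=utf-8\r\nSOAPAction: "%s"\r\n' "$action"
    printf 'Content-Length: %s\r\nConnection: close\r\n\r\n' "$len"
    cat "$bodyfile"
}

# Three-digit status code from the first line of an HTTP response on stdin.
http_status() {
    sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Send stdin over TLS with the client certificate and key in $cert, verifying
# the server against $cafile. -verify_return_error turns a failed chain check
# into a handshake failure instead of a non-zero "Verify return code" line
# that is easy to overlook; -quiet drops the session dump and implies
# -ign_eof, so s_client keeps reading until the server closes; -servername
# sends SNI for virtual-hosted servers.
tls_send() {
    host=$1 port=$2 cert=$3 cafile=$4
    openssl s_client -quiet -verify_return_error -servername "$host" \
        -connect "$host:$port" -cert "$cert" -CAfile "$cafile" 2>/dev/null
}

# What the thread's s_client session was waiting for: an actual request.
fetch_wsdl_status() {
    http_get domain.org '/soapservice.asmx?WSDL' \
        | tls_send domain.org 443 local.pem /usr/local/share/ca-root-nss.crt \
        | http_status
}
```

fetch_wsdl_status prints only the status code; drop the final `| http_status` to read the whole reply, including any Allow header a 405 carries. Keep -verify_return_error in tests like this: without it s_client completes the handshake even when the chain does not verify and only mentions the failure in the Verify return code line.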