From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:06.ipv6
Reply-To: freebsd-security@freebsd.org
Message-Id: <20230801213804.55F9719E99@freefall.freebsd.org>
Date: Tue, 1 Aug 2023 21:38:04 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume]
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

=============================================================================
FreeBSD-SA-23:06.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote denial of service in IPv6 fragment reassembly

Category:       core
Module:         ipv6
Announced:      2023-08-01
Credits:        Zweig of Kunlun Lab
Affects:        All supported versions of FreeBSD
Corrected:      2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
                2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-3107

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 packets may be fragmented in order to accommodate the maximum
transmission unit (MTU) of the network path between the source and
destination hosts.  The FreeBSD kernel keeps track of received packet
fragments and will reassemble the original packet once all fragments have
been received, at which point the packet is processed normally.

II.  Problem Description

Each fragment of an IPv6 packet contains a fragment header which specifies
the offset of the fragment relative to the original packet, and each
fragment specifies its length in the IPv6 header.  When reassembling the
packet, the kernel calculates the complete IPv6 payload length.  The
payload length must fit into a 16-bit field in the IPv6 header.

Due to a bug in the kernel, a set of carefully crafted packets can trigger
an integer overflow in the calculation of the reassembled packet's payload
length field.

III. Impact

Once an IPv6 packet has been reassembled, the kernel continues processing
its contents.  It does so assuming that the fragmentation layer has
validated all fields of the constructed IPv6 header.  This bug violates
such assumptions and can be exploited to trigger a remote kernel panic,
resulting in a denial of service.

IV.  Workaround

Users with IPv6 disabled on untrusted network interfaces are not affected.
Such interfaces will have the IFDISABLED nd6 flag set in ifconfig(8).

The kernel may be configured to drop all IPv6 fragments by setting the
net.inet6.ip6.maxfrags sysctl to 0.  Doing so will prevent the bug from
being triggered, with the caveat that legitimate IPv6 fragments will be
dropped.

If the pf(4) firewall is enabled, and scrubbing and fragment reassembly is
enabled on untrusted interfaces, the bug cannot be triggered.  This is the
default if pf(4) is enabled.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              9515f04fe3b1    stable/13-n255919
releng/13.2/                            da38eaca4a22  releng/13.2-n254626
releng/13.1/                            4e548c72914a  releng/13.1-n250191
stable/12/                                                        r373149
releng/12.4/                                                      r373152
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:07.bhyve
Reply-To: freebsd-security@freebsd.org
Message-Id: <20230801213810.235D219CC3@freefall.freebsd.org>
Date: Tue, 1 Aug 2023 21:38:10 +0000 (UTC)

=============================================================================
FreeBSD-SA-23:07.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve privileged guest escape via fwctl

Category:       core
Module:         bhyve
Announced:      2023-08-01
Credits:        Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft
Affects:        FreeBSD 13.1 and 13.2
Corrected:      2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
CVE Name:       CVE-2023-3494

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8)'s fwctl interface provides a mechanism through which guest
firmware can query the hypervisor for information about the virtual
machine.  The fwctl interface is available to guests when bhyve is run
with the "-l bootrom" option, used for example when booting guests in
UEFI mode.

bhyve is currently only supported on the amd64 platform.

II.  Problem Description

The fwctl driver implements a state machine which is executed when the
guest accesses certain x86 I/O ports.  The interface lets the guest copy
a string into a buffer resident in the bhyve process' memory.  A bug in
the state machine implementation can result in a buffer overflowing when
copying this string.

III. Impact

Malicious, privileged software running in a guest VM can exploit the
buffer overflow to achieve code execution on the host in the bhyve
userspace process, which typically runs as root.  Note that bhyve runs in
a Capsicum sandbox, so malicious code is constrained by the capabilities
available to the bhyve process.

IV.  Workaround

No workaround is available.  bhyve guests that are executed without the
"-l bootrom" option are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all affected virtual machines.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc
# gpg --verify bhyve.13.2.patch.asc

[FreeBSD 13.1]
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc
# gpg --verify bhyve.13.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all affected virtual machines.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              9fe302d78109    stable/13-n255918
releng/13.2/                            2bae613e0da3  releng/13.2-n254625
releng/13.1/                            87702e38a4b4  releng/13.1-n250190
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:08.ssh
Reply-To: freebsd-security@freebsd.org
Message-Id: <20230801213815.C579219E32@freefall.freebsd.org>
Date: Tue, 1 Aug 2023 21:38:15 +0000 (UTC)

=============================================================================
FreeBSD-SA-23:08.ssh                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Potential remote code execution via ssh-agent forwarding

Category:       contrib
Module:         OpenSSH
Announced:      2023-08-01
Credits:        Qualys
Affects:        All supported versions of FreeBSD.
Corrected:      2023-07-21 14:41:41 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-07-21 16:25:51 UTC (stable/12, 12.4-STABLE)
                2023-08-01 19:47:00 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-38408

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

ssh-agent is a program to hold private keys used for OpenSSH public key
authentication.  Connections to ssh-agent may be forwarded from further
remote hosts using the -A option to ssh.

The server to which the ssh-agent connection is forwarded may cause the
ssh-agent process to load (and unload) operating system-provided shared
libraries to support the addition and deletion of PKCS#11 keys.

II.  Problem Description

The server may cause ssh-agent to load shared libraries other than those
required for PKCS#11 support.  These shared libraries may have side
effects that occur on load and unload (dlopen and dlclose).

III. Impact

An attacker with access to a server that accepts a forwarded ssh-agent
connection may be able to execute code on the machine running ssh-agent.
Note that the attack relies on properties of operating system-provided
libraries.  This has been demonstrated on other operating systems; it is
unknown whether this attack is possible using the libraries provided by
a FreeBSD installation.

IV.  Workaround

Avoid using ssh-agent forwarding, or start ssh-agent with an empty
PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist
that contains only specific provider libraries.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and restart any ssh sessions using ssh-agent forwarding.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.2.patch.asc
# gpg --verify ssh.13.2.patch.asc

[FreeBSD 13.1]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.13.1.patch.asc
# gpg --verify ssh.13.1.patch.asc

[FreeBSD 12.4]
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch
# fetch https://security.FreeBSD.org/patches/SA-23:08/ssh.12.4.patch.asc
# gpg --verify ssh.12.4.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all ssh sessions that use ssh-agent forwarding, or reboot.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              d578a19e2cd3    stable/13-n255848
releng/13.2/                            20bcfc33d3f2  releng/13.2-n254624
releng/13.1/                            3d3a1cbfd7a2  releng/13.1-n250189
stable/12/                                                        r373142
releng/12.4/                                                      r373151
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:09.pam_krb5
Reply-To: freebsd-security@freebsd.org
Message-Id: <20230801213823.0B04719D42@freefall.freebsd.org>
Date: Tue, 1 Aug 2023 21:38:23 +0000 (UTC)

=============================================================================
FreeBSD-SA-23:09.pam_krb5                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Network authentication attack via pam_krb5

Category:       core
Module:         pam_krb5
Announced:      2023-08-01
Affects:        All supported versions of FreeBSD
Corrected:      2023-07-08 05:44:29 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:30 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:09 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-07-08 05:44:51 UTC (stable/12, 12.4-STABLE)
                2023-08-01 19:46:53 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-3326

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Kerberos 5 (krb5) is a computer-network authentication protocol that
works on the basis of tickets to allow nodes communicating over a
non-secure network to prove their identity to one another in a secure
manner.

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.

pam_krb5 is a PAM module that allows using a Kerberos password to
authenticate the user.  pam_krb5 is disabled in the default FreeBSD
installation.

pam_krb5 uses passwords for authentication, which is distinct from
Kerberos native protocols like GSSAPI, which allows for login without the
exchange of passwords.  GSSAPI is not affected by this issue.

II.  Problem Description

The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following the
patch for that advisory.

III. Impact

The impact described in FreeBSD-SA-23:04.pam_krb5 persists.

IV.  Workaround

If you are not using Kerberos at all, ensure /etc/krb5.conf is missing
from your system.  Additionally, ensure pam_krb5 is commented out of your
PAM configuration located as documented in pam.conf(5), generally
/etc/pam.d.  Note, the default FreeBSD PAM configuration has pam_krb5
commented out.

If you are using Kerberos, but not using pam_krb5, ensure pam_krb5 is
commented out of your PAM configuration located as documented in
pam.conf(5), generally /etc/pam.d.  Note, the default FreeBSD PAM
configuration has pam_krb5 commented out.

If you are using pam_krb5, ensure you have a keytab on your system as
provided by your Kerberos administrator.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch
# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch.asc
# gpg --verify pam_krb5.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the PAM module, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              d295e418ae7e    stable/13-n255792
releng/13.2/                            9b45d8eddfac  releng/13.2-n254622
releng/13.1/                            140f65a20533  releng/13.1-n250188
stable/12/                                                        r373127
releng/12.4/                                                      r373150
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
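
The "Corrected:" fields of the four advisories above reduce to one patch-level check per release branch. The shell script below is an added example, not part of the advisories or of FreeBSD: it classifies the strings printed by freebsd-version -r, -k and -u, and reports FreeBSD-SA-23:06 separately because that fix is in the kernel and only takes effect after the reboot the advisory calls for. The function names and status words are assumptions of this example.

```sh
#!/bin/sh
# Added example: triage a host against FreeBSD-SA-23:06 through 23:09.
# Patch levels come from the "Corrected:" fields of the advisories:
#   13.2-RELEASE-p2, 13.1-RELEASE-p9, 12.4-RELEASE-p4.
# Function names and status words are this example's own.

# Print the first patch level that carries the fixes for a release branch.
fixed_patchlevel() {
    case "$1" in
        13.2) echo 2 ;;
        13.1) echo 9 ;;
        12.4) echo 4 ;;
        *)    return 1 ;;
    esac
}

# version_state VERSION -> patched | unpatched | unknown
# VERSION is a freebsd-version string such as 13.2-RELEASE-p1.
version_state() {
    vs_ver=$1
    case "$vs_ver" in
        *-RELEASE|*-RELEASE-p*) ;;
        *) echo unknown; return 0 ;;   # e.g. -STABLE: compare commit dates
    esac
    vs_branch=${vs_ver%%-*}
    case "$vs_ver" in
        *-RELEASE-p*) vs_pl=${vs_ver##*-p} ;;
        *)            vs_pl=0 ;;
    esac
    case "$vs_pl" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    vs_need=$(fixed_patchlevel "$vs_branch") || { echo unknown; return 0; }
    if [ "$vs_pl" -ge "$vs_need" ]; then echo patched; else echo unpatched; fi
}

# triage RUNNING_KERNEL INSTALLED_KERNEL USERLAND
# Arguments are the outputs of freebsd-version -r, -k and -u.
triage() {
    t_run=$(version_state "$1")
    t_inst=$(version_state "$2")
    t_user=$(version_state "$3")

    # SA-23:06 is fixed in the kernel, so the running kernel decides.
    if [ "$t_run" = unpatched ] && [ "$t_inst" = patched ]; then
        t_sa06=reboot-required
    else
        t_sa06=$t_run
    fi

    # SA-23:07 lists only 13.1 and 13.2 under "Affects:".
    case "${3%%-*}" in
        13.1|13.2) t_sa07=$t_user ;;
        12.4)      t_sa07=not-listed ;;
        *)         t_sa07=unknown ;;
    esac

    echo "FreeBSD-SA-23:06.ipv6 $t_sa06"
    echo "FreeBSD-SA-23:07.bhyve $t_sa07"
    echo "FreeBSD-SA-23:08.ssh $t_user"
    echo "FreeBSD-SA-23:09.pam_krb5 $t_user"
}

if command -v freebsd-version >/dev/null 2>&1; then
    triage "$(freebsd-version -r)" "$(freebsd-version -k)" \
        "$(freebsd-version -u)"
else
    # Constructed sample: patched kernel installed, host not yet rebooted.
    triage 13.2-RELEASE-p1 13.2-RELEASE-p2 13.2-RELEASE-p2
fi
```

A "patched" userland status covers the files on disk only; per the advisories, bhyve guests, ssh sessions using ssh-agent forwarding and daemons using the PAM module still need a restart.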