From owner-freebsd-security@FreeBSD.ORG Wed May 1 10:17:07 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id DAD5E1F9 for ; Wed, 1 May 2013 10:17:07 +0000 (UTC) (envelope-from peo@intersonic.se) Received: from neonpark.inter-sonic.com (neonpark.inter-sonic.com [212.247.8.98]) by mx1.freebsd.org (Postfix) with ESMTP id 81D1C15EA for ; Wed, 1 May 2013 10:17:07 +0000 (UTC) X-Virus-Scanned: amavisd-new at BSDLabs AB Message-ID: <5180E940.80107@intersonic.se> Date: Wed, 01 May 2013 12:06:56 +0200 From: Per olof Ljungmark Organization: Intersonic AB User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130310 Thunderbird/17.0.4 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver References: <201304292055.r3TKtcrk039951@freefall.freebsd.org> In-Reply-To: <201304292055.r3TKtcrk039951@freefall.freebsd.org> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 01 May 2013 11:21:07 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 May 2013 10:17:07 -0000 Path to patch seems wrong? On 2013-04-29 22:55, FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-13:05.nfsserver Security Advisory > The FreeBSD Project > > Topic: Insufficient input validation in the NFS server > > Category: core > Module: nfsserver > Announced: 2013-04-29 > Credits: Adam Nowacki > Affects: All supported versions of FreeBSD. > Corrected: 2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE) > 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8) > 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1) > 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1) > 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE) > 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3) > CVE Name: CVE-2013-3266 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > The Network File System (NFS) allows a host to export some or all of its > file systems so that other hosts can access them over the network and mount > them as if they were on local disks. FreeBSD includes server and client > implementations of NFS. > > FreeBSD 8.0 and onward has two NFS implementations: the original CSRG > NFSv2 and NFSv3 implementation and a new implementation which also > supports NFSv4. > > FreeBSD 9.0 and onward uses the new NFS implementation by default. > > II. Problem Description > > When processing READDIR requests, the NFS server does not check that > it is in fact operating on a directory node. An attacker can use a > specially modified NFS client to submit a READDIR request on a file, > causing the underlying filesystem to interpret that file as a > directory. > > III. Impact > > The exact consequences of an attack depend on the amount of input > validation in the underlying filesystem: > > - If the file resides on a UFS filesystem on a little-endian server, > an attacker can cause random heap corruption with completely > unpredictable consequences. > > - If the file resides on a ZFS filesystem, an attacker can write > arbitrary data on the stack. It is believed, but has not been > confirmed, that this can be exploited to run arbitrary code in > kernel context. > > Other filesystems may also be vulnerable. > > IV. Workaround > > Systems that do not provide NFS service are not vulnerable. Neither > are systems that do but use the old NFS implementation, which is the > default in FreeBSD 8.x. > > To determine which implementation an NFS server is running, run the > following command: > > # kldstat -v | grep -cw nfsd > > This will print 1 if the system is running the new NFS implementation, > and 0 otherwise. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch > # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc > # gpg --verify nfsserver.patch.asc > > b) Apply the patch. > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > 3) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Branch/path Revision > ------------------------------------------------------------------------- > stable/8/ r250058 > releng/8.3/ r250059 > releng/8.4/ r250062 > stable/9/ r250060 > releng/9.1/ r250061 > ------------------------------------------------------------------------- > > VII. References > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266 > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" > -- Intersonic AB Registered in Solna, Sweden SE556539368201