Date: Wed, 01 May 2013 17:23:16 +0200 From: Johann Kois <jkois@FreeBSD.org> To: Per olof Ljungmark <peo@intersonic.se> Cc: freebsd-security@FreeBSD.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver Message-ID: <51813364.2040502@FreeBSD.org> In-Reply-To: <5180E940.80107@intersonic.se> References: <201304292055.r3TKtcrk039951@freefall.freebsd.org> <5180E940.80107@intersonic.se>
next in thread | previous in thread | raw e-mail | index | archive | help
You are using an old version of the Security Advisory. The path mentioned was fixed and the Security Advisory was re-released, also via email: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=30985+0+current/freebsd-security Or use the link on the FreeBSD homepage to get directly to fixed version. jkois -- Johann Kois jkois(at)FreeBSD.org FreeBSD Documentation Project FreeBSD German Documentation Project - https://doc.bsdgroup.de On 05/01/2013 12:06, Per olof Ljungmark wrote: > Path to patch seems wrong? > > On 2013-04-29 22:55, FreeBSD Security Advisories wrote: >> ============================================================================= >> FreeBSD-SA-13:05.nfsserver Security Advisory >> The FreeBSD Project >> >> Topic: Insufficient input validation in the NFS server >> >> Category: core >> Module: nfsserver >> Announced: 2013-04-29 >> Credits: Adam Nowacki >> Affects: All supported versions of FreeBSD. >> Corrected: 2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE) >> 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8) >> 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1) >> 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1) >> 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE) >> 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3) >> CVE Name: CVE-2013-3266 >> >> For general information regarding FreeBSD Security Advisories, >> including descriptions of the fields above, security branches, and the >> following sections, please visit <URL:http://security.FreeBSD.org/>. >> >> I. Background >> >> The Network File System (NFS) allows a host to export some or all of its >> file systems so that other hosts can access them over the network and mount >> them as if they were on local disks. FreeBSD includes server and client >> implementations of NFS. >> >> FreeBSD 8.0 and onward has two NFS implementations: the original CSRG >> NFSv2 and NFSv3 implementation and a new implementation which also >> supports NFSv4. >> >> FreeBSD 9.0 and onward uses the new NFS implementation by default. >> >> II. Problem Description >> >> When processing READDIR requests, the NFS server does not check that >> it is in fact operating on a directory node. An attacker can use a >> specially modified NFS client to submit a READDIR request on a file, >> causing the underlying filesystem to interpret that file as a >> directory. >> >> III. Impact >> >> The exact consequences of an attack depend on the amount of input >> validation in the underlying filesystem: >> >> - If the file resides on a UFS filesystem on a little-endian server, >> an attacker can cause random heap corruption with completely >> unpredictable consequences. >> >> - If the file resides on a ZFS filesystem, an attacker can write >> arbitrary data on the stack. It is believed, but has not been >> confirmed, that this can be exploited to run arbitrary code in >> kernel context. >> >> Other filesystems may also be vulnerable. >> >> IV. Workaround >> >> Systems that do not provide NFS service are not vulnerable. Neither >> are systems that do but use the old NFS implementation, which is the >> default in FreeBSD 8.x. >> >> To determine which implementation an NFS server is running, run the >> following command: >> >> # kldstat -v | grep -cw nfsd >> >> This will print 1 if the system is running the new NFS implementation, >> and 0 otherwise. >> >> V. Solution >> >> Perform one of the following: >> >> 1) Upgrade your vulnerable system to a supported FreeBSD stable or >> release / security branch (releng) dated after the correction date. >> >> 2) To update your vulnerable system via a source code patch: >> >> The following patches have been verified to apply to the applicable >> FreeBSD release branches. >> >> a) Download the relevant patch from the location below, and verify the >> detached PGP signature using your PGP utility. >> >> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch >> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc >> # gpg --verify nfsserver.patch.asc >> >> b) Apply the patch. >> >> # cd /usr/src >> # patch < /path/to/patch >> >> c) Recompile your kernel as described in >> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the >> system. >> >> 3) To update your vulnerable system via a binary patch: >> >> Systems running a RELEASE version of FreeBSD on the i386 or amd64 >> platforms can be updated via the freebsd-update(8) utility: >> >> # freebsd-update fetch >> # freebsd-update install >> >> VI. Correction details >> >> The following list contains the revision numbers of each file that was >> corrected in FreeBSD. >> >> Branch/path Revision >> ------------------------------------------------------------------------- >> stable/8/ r250058 >> releng/8.3/ r250059 >> releng/8.4/ r250062 >> stable/9/ r250060 >> releng/9.1/ r250061 >> ------------------------------------------------------------------------- >> >> VII. References >> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266 >> >> The latest revision of this advisory is available at >> http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc >> _______________________________________________ >> freebsd-announce@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-announce >> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" >> >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51813364.2040502>