From nobody Thu Aug 31 06:03:32 2023 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RbrFJ55BWz4rmPc; Thu, 31 Aug 2023 06:03:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RbrFJ4nhnz4Kgp; Thu, 31 Aug 2023 06:03:32 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1693461812; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=uS0CKh4+HoUowcSl9xb4W5Tv7/sOUIZQ/NwWCeM6xyE=; b=RR06Q/NDoAB0AM6BbOAyFBBPeL95tO8tCgWBg2++Fv7SHS34Twowqis3ucYfuboDnzH9TG LJgSXW6z8+U5xrqRZYUo1FyI4CRTm35/FhSrQsAt4xqcpf92nBlcf7RW8F5x3bCON93RXr V8x4IpuoVbdkccdOvW5gbfCnN2EudKzL+65B6MpEm+oRMZqtHqKAJIolYcohAYe4j49dsW x2mAUhiC2p152HkREN1shHlUzBT+DM744YXdnvCytqPwoqxntcuborFBhr5B2ML9gkeg1z MalAFbI/D1im62EktwWrng7Z1xUdbUc/kpWRCpFewakRGzt5C/0KJZDS5SoW9g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1693461812; a=rsa-sha256; cv=none; b=Soa2O8NtRv7dTbG795g9OTAwk+QNXqEcpA4TlQ4cfmw07zF60HtJqBTxTdnZH0Qs7Oa22K j8BKsMBgQ+KXWyR8B7z6kbdPpjPiVqH8m/ezrtNAnLhc+6ti6FJZfzQSnxgbzvMxipnPpF qW+cdbbXPiQ+12LsEGgXYwZYzpSpTIpAUzkHUVSWtCboO31lbcvBKUbEmUWIJ2Iiiw9s44 Qt+71jfOSRqLWd9ktyfm03MDfx4MGE6iRESr8NLDm7mUcaZBnEWQEpX3RMEruEU9PL6MF4 EQ6oCg0VB/JUoP3r+6zRUpvdUaybk2Ht5haOhjQLMoGgcbi5OCjW4BnBMr0q9Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; 
a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1693461812; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=uS0CKh4+HoUowcSl9xb4W5Tv7/sOUIZQ/NwWCeM6xyE=; b=Jem2APtXGCFMlYH/sEkoYIpM/9iCE8eIK2h5eDvGW08IYAX+uQs0ohH4IbLfEJPCEDvd9q 9jP03vtod5VtQpTCFe8DXkxMvzCNM799x7OTDFnMKc9SOlzGPA7OKummLvjZd2fm4Fu4ZW 9qcRCqbUM5ye8vYqMtYi5j01pytiHRWgNi2TonJ4/Hb7b40OIhzQ6Hgpgf21ab4MH3c7NE Ef7PsgKH8laswKXPkpOr+OYzfIOeJ8Cg6NYeFIng5axURUR8MCqc4EBaGb36keGkZQRy/V oIWWITQVdQeQLvToRYKkX4Nk5JMZs1FKZEq8H5vDxdhbRWEb/bjNKJ4ba47KtQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RbrFJ3rXnz15mg; Thu, 31 Aug 2023 06:03:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 37V63Wqn001104; Thu, 31 Aug 2023 06:03:32 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 37V63WGV001101; Thu, 31 Aug 2023 06:03:32 GMT (envelope-from git) Date: Thu, 31 Aug 2023 06:03:32 GMT Message-Id: <202308310603.37V63WGV001101@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org 
From: Philip Paeps
Subject: git: d6f580f7470f - main - security/vuxml: catch up with recent FreeBSD SAs
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: philip
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d6f580f7470f1b7714bb26ea743ccc83344add2b
Auto-Submitted: auto-generated

The branch main has been updated by philip:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d6f580f7470f1b7714bb26ea743ccc83344add2b

commit d6f580f7470f1b7714bb26ea743ccc83344add2b
Author: Philip Paeps
AuthorDate: 2023-08-31 06:01:56 +0000
Commit: Philip Paeps
CommitDate: 2023-08-31 06:01:56 +0000

    security/vuxml: catch up with recent FreeBSD SAs

    Add FreeBSD SAs issued since FreeBSD-SA-22:13.zlib in August 2022.

    2022-11-15 FreeBSD-SA-22:14.heimdal
    2022-11-29 FreeBSD-SA-22:15.ping
    2023-02-08 FreeBSD-SA-23:01.geli
    2023-02-16 FreeBSD-SA-23:02.openssh
    2023-02-16 FreeBSD-SA-23:03.openssl
    2023-06-21 FreeBSD-SA-23:04.pam_krb5
    2023-06-21 FreeBSD-SA-23:05.openssh
    2023-08-01 FreeBSD-SA-23:06.ipv6
    2023-08-01 FreeBSD-SA-23:07.bhyve
    2023-08-01 FreeBSD-SA-23:08.ssh
    2023-08-01 FreeBSD-SA-23:09.pam_krb5
---
 security/vuxml/vuln/2023.xml | 451 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 451 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 2a5ec150d30c..004ff289d908 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,454 @@ + + FreeBSD -- Network authentication attack via pam_krb5 + + + FreeBSD + 13.213.2_2 + 13.113.1_9 + 12.412.4_4 + + + + +

Problem Description:

+

The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following + the patch for that advisory.

+

Impact:

+

The impact described in FreeBSD-SA-23:04.pam_krb5 persists.

+ +
+ + 2023-3326 + SA-23:09.pam_krb5 + + + 2023-08-01 + 2023-08-31 + +
+ + + FreeBSD -- Potential remote code execution via ssh-agent forwarding + + + FreeBSD + 13.213.2_2 + 13.113.1_9 + 12.412.4_4 + + + + +

Problem Description:

+

The server may cause ssh-agent to load shared libraries other than + those required for PKCS#11 support. These shared libraries may have + side effects that occur on load and unload (dlopen and dlclose).

+

Impact:

+

An attacker with access to a server that accepts a forwarded + ssh-agent connection may be able to execute code on the machine running + ssh-agent. Note that the attack relies on properties of operating + system-provided libraries. This has been demonstrated on other + operating systems; it is unknown whether this attack is possible using + the libraries provided by a FreeBSD installation.

+ +
+ + 2023-38408 + SA-23:08.ssh + + + 2023-08-01 + 2023-08-31 + +
+ + + FreeBSD -- bhyve privileged guest escape via fwctl + + + FreeBSD + 13.213.2_2 + 13.113.1_9 + + + + +

Problem Description:

+

The fwctl driver implements a state machine which is executed when + the guest accesses certain x86 I/O ports. The interface lets the guest + copy a string into a buffer resident in the bhyve process' memory. A + bug in the state machine implementation can result in a buffer + overflowing when copying this string.

+

Impact:

+

A malicious, privileged software running in a guest VM can exploit + the buffer overflow to achieve code execution on the host in the bhyve + userspace process, which typically runs as root. Note that bhyve runs + in a Capsicum sandbox, so malicious code is constrained by the + capabilities available to the bhyve process.

+ +
+ + 2023-3494 + SA-23:07.bhyve + + + 2023-08-01 + 2023-08-31 + +
+ + + FreeBSD -- Remote denial of service in IPv6 fragment reassembly + + + FreeBSD-kernel + 13.213.2_2 + 13.113.1_9 + 12.412.4_4 + + + + +

Problem Description:

+

Each fragment of an IPv6 packet contains a fragment header which + specifies the offset of the fragment relative to the original packet, + and each fragment specifies its length in the IPv6 header. When + reassembling the packet, the kernel calculates the complete IPv6 payload + length. The payload length must fit into a 16-bit field in the IPv6 + header.

+

Due to a bug in the kernel, a set of carefully crafted packets can + trigger an integer overflow in the calculation of the reassembled + packet's payload length field.

+

Impact:

+

Once an IPv6 packet has been reassembled, the kernel continues + processing its contents. It does so assuming that the fragmentation + layer has validated all fields of the constructed IPv6 header. This bug + violates such assumptions and can be exploited to trigger a remote + kernel panic, resulting in a denial of service.

+ +
+ + 2023-3107 + SA-23:06.ipv6 + + + 2023-08-01 + 2023-08-31 + +
+ + + FreeBSD -- ssh-add does not honor per-hop destination constraints + + + FreeBSD + 12.412.4_3 + + + + +

Problem Description:

+

When using ssh-add(1) to add smartcard keys to ssh-agent(1) with + per-hop destination constraints, a logic error prevented the constraints + from being sent to the agent resulting in keys being added to the agent + without constraints.

+

Impact:

+

A malicious server could leverage the keys provided by a forwarded + agent that would normally not be allowed due to the logic error.

+ +
+ + 2023-28531 + SA-23:05.openssh + + + 2023-06-21 + 2023-08-31 + +
+ + + FreeBSD -- Network authentication attack via pam_krb5 + + + FreeBSD + 13.213.2_1 + 13.113.1_8 + 12.412.4_3 + + + + +

Problem Description:

+

pam_krb5 authenticates the user by essentially running kinit(1) with + the password, getting a `ticket-granting ticket' (tgt) from the Kerberos + KDC (Key Distribution Center) over the network, as a way to verify the + password.

+

Normally, the system running the pam_krb5 module will also have a + keytab, a key provisioned by the KDC. The pam_krb5 module will use the + tgt to get a service ticket and validate it against the keytab, ensuring + the tgt is valid and therefore, the password is valid.

+

However, if a keytab is not provisioned on the system, pam_krb5 has + no way to validate the response from the KDC, and essentially trusts the + tgt provided over the network as being valid.

+

Impact:

+

In a non-default FreeBSD installation that leverages pam_krb5 for + authentication and does not have a keytab provisioned, an attacker that + is able to control both the password and the KDC responses can return a + valid tgt, allowing authentication to occur for any user on the + system.

+ +
+ + 2023-3326 + SA-23:04.pam_krb5 + + + 2023-06-21 + 2023-08-31 + +
+ + + FreeBSD -- Multiple vulnerabilities in OpenSSL + + + FreeBSD + 13.113.1_7 + 12.412.4_2 + 12.312.3_12 + + + + +

Problem Description:

+

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

+

There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but + the public structure definition for GENERAL_NAME incorrectly specified the type + of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by + the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an + ASN1_STRING.

+

Timing Oracle in RSA Decryption (CVE-2022-4304)

+

A timing based side channel exists in the OpenSSL RSA Decryption + implementation.

+

Use-after-free following BIO_new_NDEF (CVE-2023-0215)

+

The public API function BIO_new_NDEF is a helper function used for streaming + ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support + the SMIME, CMS and PKCS7 streaming capabilities, but may also be called + directly by end user applications.

+

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter + BIO onto the front of it to form a BIO chain, and then returns the new head + of the BIO chain to the caller. Under certain conditions, for example if a + CMS recipient public key is invalid, the new filter BIO is freed and the + function returns a NULL result indicating a failure. However, in this case, + the BIO chain is not properly cleaned up and the BIO passed by the caller + still retains internal pointers to the previously freed filter BIO.

+

Double free after calling PEM_read_bio_ex (CVE-2022-4450)

+

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. In + this case PEM_read_bio_ex() will return a failure code but will populate the + header argument with a pointer to a buffer that has already been freed.

+

Impact:

+

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

+

When CRL checking is enabled (i.e. the application sets the + X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass + arbitrary pointers to a memcmp call, enabling them to read memory contents or + enact a denial of service. In most cases, the attack requires the attacker to + provide both the certificate chain and CRL, neither of which need to have a + valid signature. If the attacker only controls one of these inputs, the other + input must already contain an X.400 address as a CRL distribution point, which + is uncommon. As such, this vulnerability is most likely to only affect + applications which have implemented their own functionality for retrieving CRLs + over a network.

+

Timing Oracle in RSA Decryption (CVE-2022-4304)

+

A timing based side channel exists in the OpenSSL RSA Decryption implementation + which could be sufficient to recover a plaintext across a network in a + Bleichenbacher style attack. To achieve a successful decryption an attacker + would have to be able to send a very large number of trial messages for + decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, + RSA-OEAP and RSASVE.

+

Use-after-free following BIO_new_NDEF (CVE-2023-0215)

+

A use-after-free will occur under certain conditions. This will most likely + result in a crash.

+

Double free after calling PEM_read_bio_ex (CVE-2022-4450)

+

A double free may occur. This will most likely lead to a crash. This could be + exploited by an attacker who has the ability to supply malicious PEM files + for parsing to achieve a denial of service attack.

+ +
+ + 2023-0286 + 2023-0215 + 2022-4450 + 2022-4304 + SA-23:03.openssl + + + 2023-02-16 + 2023-08-31 + +
+ + + FreeBSD -- OpenSSH pre-authentication double free + + + FreeBSD + 12.412.4_2 + + + + +

Problem Description:

+

A flaw in the backwards-compatibility key exchange route allows a + pointer to be freed twice.

+

Impact:

+

A remote, unauthenticated attacker may be able to cause a denial of + service, or possibly remote code execution.

+

Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions of + OpenSSH, and are not affected. FreeBSD 13.2-BETA1 and later include the + fix.

+ +
+ + 2023-25136 + SA-23:02.openssh + + + 2023-02-16 + 2023-08-31 + +
+ + + FreeBSD -- GELI silently omits the keyfile if read from stdin + + + FreeBSD-kernel + 13.113.1_6 + 12.412.4_1 + 12.312.3_11 + + + + +

Problem Description:

+

When GELI reads a key file from a standard input, it doesn't store it + anywhere. If the user tries to initialize multiple providers at once, + for the second and subsequent devices the standard input stream will be + already empty. In this case, GELI silently uses a NULL key as the user + key file. If the user used only a key file without a user passphrase, + the master key was encrypted with an empty key file. This might not be + noticed if the devices were also decrypted in a batch operation.

+

Impact:

+

Some GELI providers might be silently encrypted with a NULL key + file.

+ +
+ + 2023-0751 + SA-23:01.geli + + + 2023-02-08 + 2023-08-31 + +
+ + + FreeBSD -- Stack overflow in ping(8) + + + FreeBSD + 13.113.1_5 + 12.312.3_10 + + + + +

Problem Description:

+

ping reads raw IP packets from the network to process responses in + the pr_pack() function. As part of processing a response ping has to + reconstruct the IP header, the ICMP header and if present a "quoted + packet," which represents the packet that generated an ICMP error. + The quoted packet again has an IP header and an ICMP header.

+

The pr_pack() copies received IP and ICMP headers into stack buffers + for further processing. In so doing, it fails to take into account the + possible presence of IP option headers following the IP header in either + the response or the quoted packet. When IP options are present, + pr_pack() overflows the destination buffer by up to 40 bytes.

+

Impact:

+

The memory safety bugs described above can be triggered by a remote + host, causing the ping program to crash.

+

The ping process runs in a capability mode sandbox on all affected + versions of FreeBSD and is thus very constrained in how it can interact + with the rest of the system at the point where the bug can occur.

+ +
+ + 2022-23093 + SA-22:15.ping + + + 2022-11-29 + 2023-08-31 + +
+ + + FreeBSD -- Multiple vulnerabilities in Heimdal + + + FreeBSD + 13.113.1_4 + 12.312.3_9 + + + + +

Problem Description:

+

Multiple security vulnerabilities have been discovered in the Heimdal + implementation of the Kerberos 5 network authentication + protocols and KDC.

+
    +
  • CVE-2022-42898 PAC parse integer overflows
  • +
  • CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
  • +
  • CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
  • +
  • CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
  • +
  • CVE-2019-14870 Validate client attributes in protocol-transition
  • +
  • CVE-2019-14870 Apply forwardable policy in protocol-transition
  • +
  • CVE-2019-14870 Always lookup impersonate client in DB
  • +
+

Impact:

+

A malicious actor with control of the network between a client and a + service using Kerberos for authentication can impersonate either the + client or the service, enabling a man-in-the-middle (MITM) attack + circumventing mutual authentication.

+

Note that, while CVE-2022-44640 is a severe vulnerability, possibly + enabling remote code execution on other platforms, the version of + Heimdal included with the FreeBSD base system cannot be exploited in + this way on FreeBSD.

+ +
+ + 2019-14870 + 2021-44758 + 2022-3437 + 2022-42898 + 2022-44640 + SA-22:14.heimdal + + + 2022-11-15 + 2023-08-31 + +
+ chromium -- use after free in MediaStream
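Review bot: The new SA-23:09.pam_krb5 entry reuses the exact topic of the SA-23:04.pam_krb5 entry further down ("FreeBSD -- Network authentication attack via pam_krb5"), so a `pkg audit` report that lists both will not tell the reader which one is the follow-up for the incomplete fix; since the SA-23:09 description already states that the problem "persisted following the patch for that advisory", consider qualifying its topic, e.g. "FreeBSD -- Network authentication attack via pam_krb5 (incomplete fix)". Minor: in the CVE-2022-4304 impact paragraph of the SA-23:03.openssl entry, "RSA-OEAP" looks like a transposition of "RSA-OAEP"; if that paragraph is quoted verbatim from the advisory it can stay as-is, otherwise correct the spelling.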