Date:      Wed, 4 Sep 2024 23:18:38 GMT
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject:   git: 82c36e5403 - main - Add EN-24:15 and SA-24:09 through SA-24:14.
Message-ID:  <202409042318.484NIcYO075213@gitrepo.freebsd.org>

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=82c36e540374ebb3c0822626f0b7f43086d249fe

commit 82c36e540374ebb3c0822626f0b7f43086d249fe
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2024-09-04 23:18:00 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-09-04 23:18:00 +0000

    Add EN-24:15 and SA-24:09 through SA-24:14.
    
    Approved by:    so
---
 .../advisories/FreeBSD-EN-24:15.calendar.asc       | 137 ++++++++++++
 .../security/advisories/FreeBSD-SA-24:09.libnv.asc | 158 ++++++++++++++
 .../security/advisories/FreeBSD-SA-24:10.bhyve.asc | 146 +++++++++++++
 .../security/advisories/FreeBSD-SA-24:11.ctl.asc   | 178 ++++++++++++++++
 .../security/advisories/FreeBSD-SA-24:12.bhyve.asc | 148 +++++++++++++
 .../advisories/FreeBSD-SA-24:13.openssl.asc        | 136 ++++++++++++
 .../security/advisories/FreeBSD-SA-24:14.umtx.asc  | 143 +++++++++++++
 .../security/patches/EN-24:15/calendar.patch       |  11 +
 .../security/patches/EN-24:15/calendar.patch.asc   |  16 ++
 .../static/security/patches/SA-24:09/libnv.patch   | 115 ++++++++++
 .../security/patches/SA-24:09/libnv.patch.asc      |  16 ++
 .../static/security/patches/SA-24:10/bhyve.patch   |  20 ++
 .../security/patches/SA-24:10/bhyve.patch.asc      |  16 ++
 .../security/patches/SA-24:11/ctl-13.4.patch       |  90 ++++++++
 .../security/patches/SA-24:11/ctl-13.4.patch.asc   |  16 ++
 website/static/security/patches/SA-24:11/ctl.patch | 107 ++++++++++
 .../static/security/patches/SA-24:11/ctl.patch.asc |  16 ++
 .../static/security/patches/SA-24:12/bhyve.patch   |  20 ++
 .../security/patches/SA-24:12/bhyve.patch.asc      |  16 ++
 .../static/security/patches/SA-24:13/openssl.patch |  92 ++++++++
 .../security/patches/SA-24:13/openssl.patch.asc    |  16 ++
 .../static/security/patches/SA-24:14/umtx.patch    | 232 +++++++++++++++++++++
 .../security/patches/SA-24:14/umtx.patch.asc       |  16 ++
 23 files changed, 1861 insertions(+)

diff --git a/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc b/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc
new file mode 100644
index 0000000000..2b4ff86788
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:15.calendar.asc
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:15.calendar                                       Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          cron(8) / periodic(8) session login
+
+Category:       core
+Module:         periodic
+Announced:      2024-09-04
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-08-08 20:07:04 UTC (stable/14, 14.1-STABLE)
+                2024-09-04 21:34:23 UTC (releng/14.1, 14.1-RELEASE-p4)
+                2024-09-04 20:54:10 UTC (releng/14.0, 14.0-RELEASE-p10)
+                2024-08-08 20:07:07 UTC (stable/13, 13.4-STABLE)
+                2024-08-14 03:37:16 UTC (releng/13.4, 13.4-BETA3)
+                2024-09-04 20:29:38 UTC (releng/13.3, 13.3-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+periodic(8) is run via cron(8) as root to perform periodic system functions to
+be executed on a daily, weekly, or monthly basis.
+
+II.  Problem Description
+
+periodic(8) jobs are typically run in a context as the `root` user, but an
+erratum in calendar(1) may clobber the login session of both cron(8) and
+periodic(8) to a non-`root` user if the daily calendar job is enabled with
+`daily_calendar_enable=YES`.
+
+III. Impact
+
+Mail sent after calendar(1) has run in the daily periodic run will have a
+non-root sender on the envelope.  This includes security jobs as well as other
+cron jobs that may be run after the daily job has concluded.
+
+IV.  Workaround
+
+No workaround is available.  Systems that have not explicitly enabled the daily
+calendar job are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:15/calendar.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:15/calendar.patch.asc
+# gpg --verify calendar.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              33708452aaab    stable/14-n268432
+releng/14.1/                            86d01789bf41  releng/14.1-n267709
+releng/14.0/                            d94dbaa516e0  releng/14.0-n265431
+stable/13/                              3a9010c98b3d    stable/13-n258228
+releng/13.4/                            7088bf662d46  releng/13.4-n258220
+releng/13.3/                            eab94c0fbb78  releng/13.3-n257447
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280418>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:15.calendar.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=Z1hr
+-----END PGP SIGNATURE-----
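
Review bot: Section IV says "No workaround is available" and then adds that systems which have not enabled the daily calendar job are not affected, while section II ties the problem to `daily_calendar_enable=YES`. If turning that setting off until the update is installed avoids the problem, state it as the workaround; if it does not, one sentence on why would remove the apparent contradiction. Separately, the Module field reads "periodic" while section II places the erratum in calendar(1) and the file is named for calendar; consider aligning the two.
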
diff --git a/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc
new file mode 100644
index 0000000000..8fa9aa9e43
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:09.libnv.asc
@@ -0,0 +1,158 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:09.libnv                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities in libnv
+
+Category:       core
+Module:         libnv
+Announced:      2024-09-04
+Credits:        Taylor R Campbell (NetBSD, CVE-2024-45287)
+                Synacktiv (CVE-2024-45287, CVE-2024-45288)
+Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-09-04 12:24:56 UTC (stable/14, 14.1-STABLE)
+                2024-09-04 21:07:27 UTC (releng/14.1, 14.1-RELEASE-p4)
+                2024-09-04 20:54:12 UTC (releng/14.0, 14.0-RELEASE-p10)
+                2024-09-04 12:24:12 UTC (stable/13, 13.4-STABLE)
+                2024-09-04 19:13:10 UTC (releng/13.4, 13.4-RC2-p1)
+                2024-09-04 20:29:40 UTC (releng/13.3, 13.3-RELEASE-p6)
+CVE Name:       CVE-2024-45287, CVE-2024-45288
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+libnv (also called nvlist) is a general-purpose library designed for storing
+name-value pairs.  This library can serve as an Inter-Process Communication
+(IPC) framework, enabling processes to exchange data.  For example, it is
+used in libcasper to communicate between privileged and unprivileged
+processes. Additionally, libnv can function as an interface for communication
+between userland and kernel.
+
+Originally, libnv was inspired by OpenZFS nvlist. However, the
+implementations are separate. This advisory is only about base system
+implementation of libnv, not a OpenZFS one.
+
+II.  Problem Description
+
+CVE-2024-45287 is a vulnerability that affects both the kernel and userland.
+A malicious value of size in a structure of packed libnv can cause an integer
+overflow, leading to the allocation of a smaller buffer than required for the
+parsed data.
+
+CVE-2024-45288 is a vulnerability that affects both the kernel and userland.
+A missing null-termination character in the last element of an nvlist array
+string can lead to writing outside the allocated buffer.
+
+III. Impact
+
+It is possible for an attacker to overwrite portions of memory (in userland
+or the kernel) as the allocated buffer might be smaller than the data
+received from a malicious process. This vulnerability could result in
+privilege escalation or cause a system panic.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch.asc
+# gpg --verify libnv.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+d) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              9c2ef102166e    stable/14-n268655
+releng/14.1/                            d87f821959fb  releng/14.1-n267696
+releng/14.0/                            b219ce1c5a93  releng/14.0-n265433
+stable/13/                              03bef9971d73    stable/13-n258309
+releng/13.4/                            3aa9be7e3334  releng/13.4-n258240
+releng/13.3/                            33b4e2361c82  releng/13.3-n257449
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45287>;
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45288>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:09.libnv.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=yX5r
+-----END PGP SIGNATURE-----
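
Review bot: Section III explains the memory overwrite only through "the allocated buffer might be smaller than the data received", which matches the integer overflow described for CVE-2024-45287; the missing null-termination case described for CVE-2024-45288 also writes outside the buffer but is not reflected in the Impact wording, which then refers to "This vulnerability" in the singular. Suggest rewording so both CVEs are covered. Minor wording in section I: "not a OpenZFS one" should read "not the OpenZFS one", and "about base system implementation" is missing "the".
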
diff --git a/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc
new file mode 100644
index 0000000000..3c14fec494
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:10.bhyve.asc
@@ -0,0 +1,146 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:10.bhyve                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bhyve(8) privileged guest escape via TPM device passthrough
+
+Category:       core
+Module:         bhyve
+Announced:      2024-09-04
+Credits:        Synacktiv
+Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
+Affects:        FreeBSD 14.x
+Corrected:      2024-09-04 15:42:29 UTC (stable/14, 14.1-STABLE)
+                2024-09-04 21:07:28 UTC (releng/14.1, 14.1-RELEASE-p4)
+                2024-09-04 20:54:13 UTC (releng/14.0, 14.0-RELEASE-p10)
+CVE Name:       CVE-2024-41928
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that runs guest operating systems inside a virtual
+machine.
+
+II.  Problem Description
+
+bhyve can be configured to provide access to the host's TPM device, where it
+passes the communication through an emulated device provided to the guest. This
+may be performed on the command-line by starting bhyve with the
+`-l tpm,passthru,/dev/tpmX` parameters.
+
+The MMIO handler for the emulated device did not validate the offset and size
+of the memory access correctly, allowing guests to read and write memory
+contents outside of the memory area effectively allocated.
+
+III. Impact
+
+Malicious software running in a guest VM can exploit the buffer overflow to
+achieve code execution on the host in the bhyve userspace process, which
+typically runs as root. Note that bhyve runs in a Capsicum sandbox, so
+malicious code is constrained by the capabilities available to the bhyve
+process.
+
+IV.  Workaround
+
+No workaround is available, but guests that do not use TPM passthrough are
+not impacted.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Guest operating systems exposing the TPM device need to be restarted for the
+correction to be applied. (i.e., their corresponding bhyve process needs to be
+terminated and started again)
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the corresponding bhyve processes, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              6ce4821f0859    stable/14-n268656
+releng/14.1/                            eab723be7542  releng/14.1-n267697
+releng/14.0/                            429f200688ca  releng/14.0-n265434
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The corresponding part of the security audit report as provided by Synacktiv
+will be published in due course.
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41928>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:10.bhyve.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=VI0d
+-----END PGP SIGNATURE-----
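
Review bot: The header says "Affects: FreeBSD 14.x", but the binary-update paragraph in section V still carries "or the i386 platform on FreeBSD 13", which does not apply to this advisory and could be dropped here. Section III also calls the issue "the buffer overflow" although section II describes out-of-bounds reads and writes from an unvalidated MMIO offset and size, and the Topic line says "privileged guest escape" while section III says only "Malicious software running in a guest VM"; suggest using the same terms in all three places so readers can tell what privilege level in the guest is required.
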
diff --git a/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc b/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc
new file mode 100644
index 0000000000..019935a17e
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:11.ctl.asc
@@ -0,0 +1,178 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:11.ctl                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple issues in ctl(4) CAM Target Layer
+
+Category:       core
+Module:         ctl
+Announced:      2024-09-04
+Credits:        Synacktiv
+Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-09-04 15:51:07 UTC (stable/14, 14.1-STABLE)
+                2024-09-04 21:07:33 UTC (releng/14.1, 14.1-RELEASE-p4)
+                2024-09-04 20:54:18 UTC (releng/14.0, 14.0-RELEASE-p10)
+                2024-09-04 15:53:53 UTC (stable/13, 13.4-STABLE)
+                2024-09-04 19:58:25 UTC (releng/13.4, 13.4-RC2-p1)
+                2024-09-04 20:29:45 UTC (releng/13.3, 13.3-RELEASE-p6)
+CVE Name:       CVE-2024-8178, CVE-2024-42416, CVE-2024-43110,
+                CVE-2024-45063
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ctl subsystem provides SCSI target devices emulation.  The bhyve(8)
+hypervisor and ctld(8) iSCSI target daemon make use of ctl.
+
+II.  Problem Description
+
+Several vulnerabilities were found in the ctl subsystem.
+
+The function ctl_write_buffer incorrectly set a flag which resulted in a
+kernel Use-After-Free when a command finished processing (CVE-2024-45063).
+The ctl_write_buffer and ctl_read_buffer functions allocated memory to be
+returned to userspace, without initializing it (CVE-2024-8178).
+The ctl_report_supported_opcodes function did not sufficiently validate a
+field provided by userspace, allowing an arbitrary write to a limited amount
+of kernel help memory (CVE-2024-42416).
+The ctl_request_sense function could expose up to three bytes of the kernel
+heap to userspace (CVE-2024-43110).
+
+Guest virtual machines in the bhyve hypervisor can send SCSI commands to the
+corresponding kernel driver via the virtio_scsi interface.  This provides
+guests with direct access to the vulnerabilities covered by this advisory.
+
+The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming iSCSI
+connections, performs authentication and passes connections to the kernel
+ctl(4) target layer.
+
+III. Impact
+
+Malicious software running in a guest VM that exposes virtio_scsi can exploit
+the vulnerabilities to achieve code execution on the host in the bhyve
+userspace process, which typically runs as root.  Note that bhyve runs in a
+Capsicum sandbox, so malicious code is constrained by the capabilities
+available to the bhyve process.
+
+A malicious iSCSI initiator could achieve remote code execution on the iSCSI
+target host.
+
+IV.  Workaround
+
+No workaround is available.
+
+bhyve VMs that do not make use of virtio_scsi (for instance, via
+`bhyve -s NN,virtio-scsi,...`), and hosts that do not export iSCSI targets,
+are not affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The system should be rebooted in order to effectively mitigate the issue with
+certainty.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.3, 14.0, 14.1]
+# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch.asc
+# gpg --verify ctl.patch.asc
+
+[FreeBSD 13.4]
+# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch.asc
+# gpg --verify ctl-13.4.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              803e0c2ab29b    stable/14-n268660
+releng/14.1/                            d30ffde0806e  releng/14.1-n267701
+releng/14.0/                            4c60b8289d0e  releng/14.0-n265438
+stable/13/                              c8afc072690f    stable/13-n258314
+releng/13.4/                            004298792002  releng/13.4-n258243
+releng/13.3/                            639494a3c1e6  releng/13.3-n257453
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The corresponding part of the security audit report as provided by Synacktiv
+will be published in due course.
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8178>;
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42416>;
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43110>;
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45063>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:11.ctl.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=eocJ
+-----END PGP SIGNATURE-----
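
Review bot: In section II, "kernel help memory" in the CVE-2024-42416 sentence looks like a typo for "kernel heap memory", the term used two lines later for CVE-2024-43110. Section III states the result as code execution "on the host in the bhyve userspace process" constrained by Capsicum, but section II places all four bugs in the kernel ctl driver (including a "kernel Use-After-Free"); please confirm whether the Impact text should describe kernel-level consequences rather than reuse the wording from the bhyve advisories. The four CVE descriptions would also read more easily as separate paragraphs or list items.
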
diff --git a/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc
new file mode 100644
index 0000000000..8306450694
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:12.bhyve.asc
@@ -0,0 +1,148 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:12.bhyve                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bhyve(8) privileged guest escape via USB controller
+
+Category:       core
+Module:         bhyve
+Announced:      2024-09-04
+Credits:        Synacktiv
+Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
+Affects:        All supported versions of FreeBSD.
+Corrected:      2024-09-04 15:42:30 UTC (stable/14, 14.1-STABLE)
+                2024-09-04 21:07:34 UTC (releng/14.1, 14.1-RELEASE-p4)
+                2024-09-04 20:54:19 UTC (releng/14.0, 14.0-RELEASE-p10)
+                2024-09-04 15:45:38 UTC (stable/13, 13.4-STABLE)
+                2024-09-04 19:58:26 UTC (releng/13.4, 13.4-RC2-p1)
+                2024-09-04 20:29:46 UTC (releng/13.3, 13.3-RELEASE-p6)
+CVE Name:       CVE-2024-32668
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that runs guest operating systems inside a virtual
+machine.
+
+II.  Problem Description
+
+bhyve can be configured to emulate devices on a virtual USB controller (XHCI),
+such as USB tablet devices. An insufficient boundary validation in the USB code
+could lead to an out-of-bounds write on the heap, with data controlled by the
+caller.
+
+III. Impact
+
+A malicious, privileged software running in a guest VM can exploit the
+vulnerability to achieve code execution on the host in the bhyve userspace
+process, which typically runs as root. Note that bhyve runs in a Capsicum
+sandbox, so malicious code is constrained by the capabilities available to the
+bhyve process.
+
+IV.  Workaround
+
+No workaround is available, but VMs that do not make the XHCI device
+available to the guest (via `bhyve -s xhci,...`) are not impacted.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Guest operating systems emulating USB devices with XHCI need to be restarted for
+the correction to be applied. (i.e., their corresponding bhyve process needs to
+be terminated and started again)
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch.asc
+# gpg --verify bhyve.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the corresponding bhyve processes, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              90af1336ed5e    stable/14-n268657
+releng/14.1/                            bb245c142075  releng/14.1-n267702
+releng/14.0/                            1d01a6c11210  releng/14.0-n265439
+stable/13/                              5920b7e6eea1    stable/13-n258311
+releng/13.4/                            b3f0e555781c  releng/13.4-n258244
+releng/13.3/                            5d6576f4f000  releng/13.3-n257454
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The corresponding part of the security audit report as provided by Synacktiv
+will be published in due course.
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32668>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:12.bhyve.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=nYwM
+-----END PGP SIGNATURE-----
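
Review bot: The workaround example in section IV, `bhyve -s xhci,...`, omits the slot number, whereas SA-24:11 in this same commit writes the equivalent option as `bhyve -s NN,virtio-scsi,...`; suggest `bhyve -s NN,xhci,...` for consistency. In section III, "A malicious, privileged software" should drop the article ("Malicious, privileged software"), and the parenthetical in section V would read better as part of the preceding sentence instead of following its full stop.
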
diff --git a/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc b/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc
new file mode 100644
index 0000000000..7b3a152879
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:13.openssl.asc
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-24:13.openssl                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Possible DoS in X.509 name checks in OpenSSL
+
+Category:       contrib
+Module:         openssl
+Announced:      2024-09-03
+Credits:        David Benjamin (Google)
+Affects:        FreeBSD 14.x
+Corrected:      2024-09-03 17:09:21 UTC (stable/14, 14.1-STABLE)
+                2024-09-04 21:07:35 UTC (releng/14.1, 14.1-RELEASE-p4)
+                2024-09-04 20:54:20 UTC (releng/14.0, 14.0-RELEASE-p10)
+CVE Name:       CVE-2024-6119
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit for the Transport Layer Security (TLS) protocol.  It is
+also a general-purpose cryptography library.
+
+II.  Problem Description
+
+Applications performing certificate name checks (e.g., TLS clients checking
+server certificates) may attempt to read an invalid memory address when
+comparing the expected name with an otherName subject alternative name of an
+X.509 certificate.
+
+Basic certificate chain validation is not affected. The issue only occurs
+when an application also specifies an expected DNS name, Email address or IP
+address.
+
+III. Impact
+
+Applications affected by the problem may result in a termination, leading to
+a denial of service.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch
+# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              5946b0c6cbc7    stable/14-n268645
+releng/14.1/                            9a5a7c90d5e5  releng/14.1-n267703
+releng/14.0/                            abd3a7939117  releng/14.0-n265440
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2024-6119>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:13.openssl.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=JDHd
+-----END PGP SIGNATURE-----
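Review bot: Section V.1 keeps the template clause "or the i386 platform on FreeBSD 13", but the header reads "Affects: FreeBSD 14.x" and the correction table lists only stable/14, releng/14.1 and releng/14.0, so that clause has no bearing on this advisory and could be dropped. In step 2a, "gpg --verify openssl.patch.asc" relies on gpg finding the data file by stripping the suffix; naming both files, "gpg --verify openssl.patch.asc openssl.patch", makes explicit which file the detached signature is checked against. In section III, "may result in a termination" would read more clearly as "may terminate abnormally".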
diff --git a/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc b/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc
new file mode 100644
index 0000000000..7f5c4ee555
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-24:14.umtx.asc
@@ -0,0 +1,143 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
*** 1052 LINES SKIPPED ***


