From owner-freebsd-questions@freebsd.org Tue Aug 20 21:54:15 2019 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B9C8BE1FBB for ; Tue, 20 Aug 2019 21:54:15 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene.sentex.ca (unknown [IPv6:2607:f3e0:0:3::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pyroxene.sentex.ca", Issuer "Let's Encrypt Authority X3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 46Cl1f5vC8z47rd for ; Tue, 20 Aug 2019 21:54:14 +0000 (UTC) (envelope-from mike@sentex.net) Received: from [IPv6:2607:f3e0:0:4:191:9a13:82fe:5708] ([IPv6:2607:f3e0:0:4:191:9a13:82fe:5708]) by pyroxene.sentex.ca (8.15.2/8.15.2) with ESMTPS id x7KLsBGb072829 (version=TLSv1.2 cipher=AES128-SHA bits=128 verify=NO) for ; Tue, 20 Aug 2019 17:54:13 -0400 (EDT) (envelope-from mike@sentex.net) Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:22.mbuf To: freebsd-questions@freebsd.org References: <20190820201253.1EF2E1F87A@freefall.freebsd.org> From: mike tancsa Message-ID: Date: Tue, 20 Aug 2019 17:54:12 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: <20190820201253.1EF2E1F87A@freefall.freebsd.org> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US X-Rspamd-Queue-Id: 46Cl1f5vC8z47rd X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:3::18 as permitted sender) smtp.mailfrom=mike@sentex.net X-Spamd-Result: default: False [-1.50 / 15.00]; ARC_NA(0.00)[]; RDNS_NONE(1.00)[]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; DMARC_NA(0.00)[sentex.net]; NEURAL_HAM_SHORT(-0.98)[-0.985,0]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; IP_SCORE(-1.72)[ipnet: 2607:f3e0::/32(-4.94), asn: 11647(-3.57), country: CA(-0.09)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; HFILTER_HOSTNAME_UNKNOWN(2.50)[]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2019 21:54:15 -0000 Anyone know if this impacts strictly endpoints and firewalls that would do re-assembly ? I am guessing not just forwarding ipv6, can it trigger the DoS? Also, when it says, "On systems with IPv6 active, IPv6 fragmentation may be disabled"... How does one disable / check if IPv6 is enabled / disabled ? Is this via sysctl net.inet6.ip6.maxfrags=0 ?     ---Mike On 8/20/2019 4:12 PM, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-19:22.mbuf Security Advisory > The FreeBSD Project > > Topic: IPv6 remote Denial-of-Service > > Category: kernel > Module: net > Announced: 2019-08-20 > Credits: Clement Lecigne > Affects: All supported versions of FreeBSD. > Corrected: 2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE) > 2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10) > 2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE) > 2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3) > 2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14) > CVE Name: CVE-2019-5611 > > For general information regarding FreeBSD Security Advisories, including > descriptions of the fields above, security branches, and the following > sections, please visit . > > I. Background > > mbufs are a unit of memory management mostly used in the kernel for network > packets and socket buffers. m_pulldown(9) is a function to arrange the data > in a chain of mbufs. > > II. Problem Description > > Due do a missing check in the code of m_pulldown(9) data returned may not be > contiguous as requested by the caller. > > III. Impact > > Extra checks in the IPv6 code catch the error condition and trigger a kernel > panic leading to a remote DoS (denial-of-service) attack with certain > Ethernet interfaces. At this point it is unknown if any other than the IPv6 > code paths can trigger a similar condition. > > IV. Workaround > > For the currently known attack vector systems with IPv6 not enabled are not > vulnerable. > > On systems with IPv6 active, IPv6 fragmentation may be disabled, or > a firewall can be used to filter out packets with certain or excessive > amounts of extension headers in a first fragment. These rules may be > dependent on the operational needs of each site. > > V. Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date, > and reboot. > > 1) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for security update" > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch > # fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc > # gpg --verify mbuf.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/12/ r350828 > releng/12.0/ r351259 > stable/11/ r350829 > releng/11.3/ r351259 > releng/11.2/ r351259 > - ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgFfFIAAAAAALgAo > aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD > MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n > 5cK+4w/7BCGyLpeSCIaHMpKdZvSqKc6RptLyxPq1q6XO/5fUxQiBXuwxfZIUO45o > VyQCsuVf0QDeT/HaMJAdTr450RlSs1ozyzEmd2iLfwqmpc8JRemihrzHkNMfny1U > Y4ffN6zyrOLyFeyQcdbgHUKHwuAvGZFhR/PtPJfWDmULi0vW5PHBGjxOQmxKbbUr > 6zcR+gKrm5E3vLW4vD2gvsB1RGyOzUBOaEeQU36LE1/W6hhgwtXAkZacEP+W4BiB > jPbG7u23C3a2KcRImCWM2vJ5dZFoa0Mz5+vHzaSMwPT49KRRRRkcd7+azqUfbGg0 > k9Py6KuwGhclNmehpUth0NlvR89JV58Fbkh7TaCWHV51hAWoH/1EQdJNY9yb0eAZ > AgsvAiotWU1VNDcF2xWaf5m3VE87jl0/Bz9BgpVFI0kHuof4OwiG9PkdFI1q0Yl2 > TdkksZj1iRETN8/Qt5HGzY1pGQFRc7b+nE9GIfIUcEH1B7d7Gb58DVElZ95Og+EF > bGwR6/e7r39mBsqs0qloYgk/2c6B4vuFyt8b9Yhuw4ns0SpO4cP9XYXawUff7+p3 > oLo7dqPKn8fMRLhT0/QZfPRyluUshVvJW1Yg9HWdYMYm7wFAilemnMWMxJKIUOmt > pkQx3e6Tvk3VNkls4yv7GbApO5iMNXaBvC2JYMP0GUiQ1FOkB9M= > =ip7/ > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" >