Date: Thu, 27 Apr 2017 06:57:53 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r50208 - in head/share: security/advisories security/patches/SA-17:04 xml Message-ID: <201704270657.v3R6vr4N014809@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Thu Apr 27 06:57:53 2017 New Revision: 50208 URL: https://svnweb.freebsd.org/changeset/doc/50208 Log: Add SA-17:04. Added: head/share/security/advisories/FreeBSD-SA-17:04.ipfilter.asc (contents, props changed) head/share/security/patches/SA-17:04/ head/share/security/patches/SA-17:04/ipfilter.patch (contents, props changed) head/share/security/patches/SA-17:04/ipfilter.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-17:04.ipfilter.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-17:04.ipfilter.asc Thu Apr 27 06:57:53 2017 (r50208) @@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-17:04.ipfilter Security Advisory + The FreeBSD Project + +Topic: ipfilter(4) fragment handling panic + +Category: contrib +Module: ipfilter +Announced: 2017-04-27 +Credits: Cy Schubert +Affects: All supported versions of FreeBSD. +Corrected: 2017-04-21 01:51:49 UTC (stable/11, 11.0-STABLE) + 2017-04-27 06:52:30 UTC (releng/11.0, 11.0-RELEASE-p10) + 2017-04-21 01:51:49 UTC (stable/10, 10.3-STABLE) + 2017-04-27 06:52:30 UTC (releng/10.3, 10.3-RELEASE-p19) +CVE Name: CVE-2017-1081 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +IP Filter, also known as ipfilter(4), is a cross-platform, open source packet +filter (firewall) originally written for BSD operating systems, including +FreeBSD, NetBSD, and OpenBSD, and for Solaris. ipfilter(4) is one of three +firewalls included in FreeBSD (the others being ipfw(4) and pf(4)). It +performs firewall and NAT functions using the pfil(9) framework as do the +other firewalls in FreeBSD in the kernel. + +II. Problem Description + +ipfilter(4), capable of stateful packet inspection, using the "keep state" +or "keep frags" rule options, will not only maintain the state of +connections, such as TCP streams or UDP communication, it also maintains +the state of fragmented packets. When a packet fragments are received they +are cached in a hash table (and linked list). When a fragment is received it +is compared with fragments already cached in the hash table for a match. If +it does not match the new entry is used to create a new entry in the hash +table. If on the other hand it does match, unfortunately the wrong entry is +freed, the entry in the hash table. This results in use after free panic +(and for a brief moment prior to the panic a memory leak due to the wrong +entry being freed). + +III. Impact + +Carefully feeding fragments that are allowed to pass by an ipfilter(4) +firewall can be used to cause a panic followed by reboot loop denial of +service attack. + +IV. Workaround + +No workaround is available, but systems not using ipfilter(4) are not +vulnerable. A default installation doesn't enable ipfilter(4). +ipfilter(4) configurations not using "keep state" pr "keep frags" are not +vulnerable. Users may be able to temporarily replace stateful inspection +with stateless rules however this is not as secure as stateful inspection. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Reload the ipl.ko kernel module or reboot the system. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reload the ipl.ko kernel module or reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch +# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch.asc +# gpg --verify ipfilter.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system or reload the ipl.ko kernel module. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r317241 +releng/10.3/ r317487 +stable/11/ r317241 +releng/11.0/ r317487 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1081>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:04.ipfilter.asc>; +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.20 (FreeBSD) + +iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlkBlbAACgkQ7Wfs1l3P +auejpBAAtsITE8qn04H5gT8EGq/ntkN8DQydmVHn0OpmwDGg/XD4Wrwye8jqHhFb +XdOj5aMb0QbEK3WjDZwbvHNqTkyzl5QXc3PPs7V5mHdYGHsMRWvSyXutRmopgmsp +ee59qLeKxvWGss0gqkUWZQQcbdIVN8hTXnumBZ8ncrpjluaYZuO8DvyZQ1Cy4f+f +sd6PCZHemjs4MtSriV4AKOtM1QPuBQEkrQ6clA5j55Txk6fkcy1CUoyP0KmW20Iu +VFY/UyrfvbVDgbsFMMFsSn/F9DlKVLLtgjpXqztuOu1QhLbAs7spMnUjRnilfOE6 +rsyOh26sjEIlQ3sNf7IrFsXdoqLWgn7CDToZEk5xfyv7MyEuEd5INfAkcLz9Mcp+ +AymVRmC29CDt8dIJlEaXPyYXDLx5PGPB+SUR2VghzPQkHM9X9EOnJcVEbAn3QnQ1 +sFkh4mlsh3cQ9iw2+RYzIybgBzv0OjxIasU3QtnbRNXgdNVnoV/yTeEUFSyVzvC2 +6JcjJCq7WZ3U9EBKbPoVzRBsHAal/3EWMnXMprcdNPuxjd+9357K5OnMXiP9ab9G +KthAVRN1y+bZ/SNEtqE/T1vrxH9JV/BEqQjtx+DMp7v7TzGgK8rqSJT8H/bIu2h3 +IecRnQRkDipqITFQKSoPiqJZeuoVcXaYw8Cp5gUpL618m4DwZ3w= +=C7OI +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-17:04/ipfilter.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:04/ipfilter.patch Thu Apr 27 06:57:53 2017 (r50208) @@ -0,0 +1,11 @@ +--- sys/contrib/ipfilter/netinet/ip_frag.c.orig ++++ sys/contrib/ipfilter/netinet/ip_frag.c +@@ -474,7 +474,7 @@ + IPFR_CMPSZ)) { + RWLOCK_EXIT(lock); + FBUMPD(ifs_exists); +- KFREE(fra); ++ KFREE(fran); + return NULL; + } + Added: head/share/security/patches/SA-17:04/ipfilter.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:04/ipfilter.patch.asc Thu Apr 27 06:57:53 2017 (r50208) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.20 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlkBlcIACgkQ7Wfs1l3P +audqyBAAgRyBZtlZ8/VZ/nF+JG/aIutr2sQrgIrKT7/3Tnc3fU/+gN35T44A2pjD +04mtVe1LsBxNnyeqjb5sxu/ppFgmT6JxhVpARAey7m8fJS0VPbk6K57RtbQUAOTZ +B54VE15y+Eh8MAveJvnxd5gqjxZW69j3jpZ5aIKYOWoIWNs+OeOu8x4HAyVGPksA +L93+AqbRRN56t++ief6SCTErukWjj6HYF1KSf+9CDncouMgKY2e4+Dr6I1fmNOUg +tCZDtnyOM6dcxVI+dz4I88xl3RpGSPZFaXgVpkbeLw8NO+w6g8OV7wPqTPZ+WvdC +pQ/A2MDUJgNWrLFHYUwdra/RENi6pYjixiTK4Qv7bN8QBGQcFdDU53HAco/yT3pe +6G1nz+SVYtJRjUGPOeej1YtFxTFSI/I0ACo3S7ohDTy4BbAeTHb3s2OXaNUQGxE2 +KwvwCatsqX74FDkSXlk4bYaCFJNI/8mL3W+lkSxOkJX4d+lsxI/iBcBNmphzBM5A +WGPtvBnXVNhLRe2o0KNFL7KGp/2es8EZjhf23G9bU3faUCoSgLEQADSz2UVfw7+O +EjjtNHR0ZDKi7FTJhwLfokE3151mMjD04D8V0Tw68TeoUFJE1//AzElxEH/gxufi +bjhA1kK7+Z6ML5uZke+nYpUvyolmYJitmmGFd+HObFDfUEn4Nks= +=wUgH +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Thu Apr 27 02:16:13 2017 (r50207) +++ head/share/xml/advisories.xml Thu Apr 27 06:57:53 2017 (r50208) @@ -11,6 +11,14 @@ <name>4</name> <day> + <name>27</name> + + <advisory> + <name>FreeBSD-SA-17:04.ipfilter</name> + </advisory> + </day> + + <day> <name>12</name> <advisory>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201704270657.v3R6vr4N014809>