Date: Tue, 12 Dec 2023 21:51:42 +0200 From: Andrey Blochintsev <bag@zurbagan.org> To: freebsd-security@freebsd.org, FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-23:18.nfsclient Message-ID: <2f99ee85-a5ad-432f-9f48-8062a461afcb@zurbagan.org> In-Reply-To: <20231212194629.B040A17550@freefall.freebsd.org> References: <20231212194629.B040A17550@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Меняется в том числе kernel Мы nfs не используем, так что fetch install сделаю, а reboot-ить не буду 12.12.2023 21:46, FreeBSD Security Advisories пишет: > ============================================================================= > FreeBSD-SA-23:18.nfsclient Security Advisory > The FreeBSD > Project > > Topic: NFS client data corruption and kernel memory disclosure > > Category: core > Module: nfsclient > Announced: 2023-12-12 > Credits: Hostpoint AG > Affects: FreeBSD 13.2 and 14.0 > Corrected: 2023-12-12 19:13:50 UTC (stable/14, 14.0-STABLE) > 2023-12-12 19:17:36 UTC (releng/14.0, 14.0-RELEASE-p3) > 2023-12-12 19:14:16 UTC (stable/13, 13.2-STABLE) > 2023-12-12 19:18:17 UTC (releng/13.2, 13.2-RELEASE-p8) > CVE Name: CVE-2023-6660 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:https://security.FreeBSD.org/>. > > I. Background > > The Network File System (NFS) is a distributed file system that allows > remote > systems to access files and directories over a network as if they were > local. > FreeBSD includes both server and client implementations of NFS. > > II. Problem Description > > In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the > performance of IO_APPEND writes, that is, writes which add data to the > end of > a file and so extend its size. This uncovered an old bug in some routines > which copy userspace data into the kernel. The bug also affects the NFS > client's implementation of direct I/O; however, this implementation is > disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only > used to handle synchronous writes. > > III. Impact > > When a program running on an affected system appends data to a file via an > NFS client mount, the bug can cause the NFS client to fail to copy in the > data to be written but proceed as though the copy operation had succeeded. > This means that the data to be written is instead replaced with > whatever data > had been in the packet buffer previously. Thus, an unprivileged user with > access to an affected system may abuse the bug to trigger disclosure of > sensitive information. In particular, the leak is limited to data > previously > stored in mbufs, which are used for network transmission and > reception, and > for certain types of inter-process communication. > > The bug can also be triggered unintentionally by system applications, in > which case the data written by the application to an NFS mount may be > corrupted. Corrupted data is written over the network to the NFS > server, and > thus also susceptible to being snooped by other hosts on the network. > > Note that the bug exists only in the NFS client; the version and > implementation of the server has no effect on whether a given system is > affected by the problem. > > IV. Workaround > > No workaround is available. > > V. Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date > and reboot. > > Perform one of the following: > > 1) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the amd64 or arm64 > platforms, > or the i386 platfrom on FreeBSD 13 and earlier, can be updated via > the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch > # fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch.asc > # gpg --verify nfsclient.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the > system. > > VI. Correction details > > This issue is corrected as of the corresponding Git commit hash or > Subversion > revision number in the following stable and release branches: > > Branch/path Hash Revision > ------------------------------------------------------------------------- > stable/14/ 8d42f85d9d7b stable/14-n265954 > releng/14.0/ ab60666a00c9 releng/14.0-n265397 > stable/13/ f1d1d50e1d08 stable/13-n256860 > releng/13.2/ 3f079b3f2f33 releng/13.2-n254649 > ------------------------------------------------------------------------- > > Run the following command to see which files were modified by a > particular commit: > > # git show --stat <commit hash> > > Or visit the following URL, replacing NNNNNN with the hash: > > <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> > > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: > > # git rev-list --count --first-parent HEAD > > VII. References > > <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6660> > > The latest revision of this advisory is available at > <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:18.nfsclient.asc>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2f99ee85-a5ad-432f-9f48-8062a461afcb>