From: Eugene Grosbein
Date: Tue, 10 Mar 2020 00:15:54 +0700
To: Cy Schubert, freebsd-security@freebsd.org, Miroslav Lachman <000.fbsd@quip.cz>
Subject: Re: Critical PPP Daemon Flaw

09.03.2020 20:49, Cy Schubert wrote:

> On March 9, 2020 4:23:10 AM PDT, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>> I don't know if FreeBSD is vulnerable or not. There are main Linux
>> distros and NetBSD listed in the article.
>>
>> https://thehackernews.com/2020/03/ppp-daemon-vulnerability.html
>>
>> The vulnerability, tracked as CVE-2020-8597 [1] with CVSS Score 9.8, can
>> be exploited by unauthenticated attackers to remotely execute arbitrary
>> code on affected systems and take full control over them.
>>
>> [1] https://www.kb.cert.org/vuls/id/782301/
>>
>> Kind regards
>> Miroslav Lachman
>
> Probably not. Ours is a different codebase from NetBSD.
> I haven't looked at what Red Hat has, no comment about theirs.
> However it would be prudent to verify our pppd isn't also vulnerable.

We do not have pppd at all, in any supported branch.

We had pppd(8) and the ppp(4) kernel driver used by pppd up to FreeBSD 7, and they did panic the kernel if used with the MPSAFE knob enabled, because ppp(4) was not mp-safe. For that reason (and because nobody updated the driver), both ppp(4) and pppd(8) were removed before 8.0-RELEASE.

We have the net/mpd5 daemon that can be used instead of pppd, and mpd5 is not vulnerable due to its completely different code base, including the part parsing EAP messages.

And, of course, we have the ppp(8) "user-ppp" utility.