Date:      Thu, 22 Jun 2017 13:14:33 +0200
From:      Michelle Sullivan <michelle@sorbs.net>
To:        Remko Lodder <remko@FreeBSD.org>
Cc:        Ed Maste <emaste@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: The Stack Clash vulnerability
Message-ID:  <187b2241-510e-20f8-50c6-16b318e22e89@sorbs.net>
In-Reply-To: <0F042A4B-CB52-47EB-A191-D7617E51789A@FreeBSD.org>
References:  <F9B7242B-ED83-45C5-9196-6FD095AD9497@gvcgroup.com> <CAPyFy2CicxYBZpyy-pHS%2BQ=wTvwhpqi0fOKahEBDqiVe5h084A@mail.gmail.com> <CAPyFy2C4-hKG=hh0=th%2BRDwBzmMUqMqdg4YYZ76WxGS-JLnLBA@mail.gmail.com> <a1c45d20-78f9-e7d7-2f3e-d18c1723c5d5@sorbs.net> <0F042A4B-CB52-47EB-A191-D7617E51789A@FreeBSD.org>

Remko Lodder wrote:
>
>> On 22 Jun 2017, at 03:10, Michelle Sullivan <michelle@sorbs.net> wrote:
>>
>> Ed Maste wrote:
>>> On 20 June 2017 at 16:22, Ed Maste <emaste@freebsd.org> wrote:
>>>> On 20 June 2017 at 04:13, Vladimir Terziev <vterziev@gvcgroup.com> wrote:
>>>>> Hi,
>>>>>
>>>>> I assume the FreeBSD security team is already aware of the Stack 
>>>>> Clash vulnerability, which is stated to affect FreeBSD amongst 
>>>>> other Unix-like OSes.
>>>> Yes, the security team is aware of this. Improvements in stack
>>>> handling are in progress (currently in review).
>>> I would like to provide some additional background on this issue.
>>> First I'd like to thank Qualys for their detailed and thorough
>>> investigation, which is contributing directly to improving FreeBSD.
>>>
>>> The FreeBSD security team is aware of and is monitoring this issue,
>>> but is not directly developing the changes that are in progress.
>>> The issue under discussion is a limitation in a vulnerability
>>> mitigation technique. Changes to improve the way FreeBSD manages stack
>>> growth, and mitigate the issue demonstrated by Qualys'
>>> proof-of-concept code, are in progress by FreeBSD developers
>>> knowledgeable in the VM subsystem. These changes are expected to be
>>> committed to FreeBSD soon, and from there they will be merged to
>>> stable branches and into updates for supported releases.
>>
>> One would hope, considering the nature and potential threat, this would 
>> be one of those fixes backported to previous -STABLE trees as well.
>>
>
> Hi Michelle,
>
> On a general note:
>
> When we fix issues, they go to the supported branches / releases. 7.x 
> for example is no longer supported and is not likely to receive this 
> care and attention unless someone is willing to support such a change 
> to that branch. For supported branches, such a change is likely to be 
> merged to those branches and also to supported releases depending on 
> the determination. E.g. a Security Advisory (SA) or Errata Notice (EN) 
> will be merged to affected -RELEASEs as well. If an issue does not get 
> one of those two markers, the issue will not be merged to -RELEASES 
> but can be merged to -STABLE branches.
>
> The above is a general note and not specifically pointed towards “The 
> Stack Clash” documents, so this can support potential future questions 
> in the same area as well :-)
>
>

I know, but with potentially serious issues even M$ issue patches for 
older releases... I think given the time the code has been broken this is 
a serious issue (and my employer has set this to a 'high risk'... should 
a remote PoC be released it will be upgraded to the next and top level, 
'critical'). This issue has been around in the source for some time 
(years) and is potentially remote rootable... there are many machines 
out there that are not running 'supported releases' that you would want 
patched. Some are not running supported releases because it is not 
possible to put the supported releases on the hardware (one recent (this 
week) case on the ports list had a user asking how they could go from 
9.x -> 11.x directly because all the 10.x are unbootable on their 
hardware.... I have 9.x servers that 10.x/11.x and even 12.x are 
unbootable on (and given the nature of the hardware I expect people to say 
'too old, you should replace the hardware' - not my call, and currently 
not possible.)

Not asking for new versions or new releases.. just patches applied for 
previous -STABLE trees....

For example I have 9.3 on half my servers, 9.2 on 2 servers that 9.3 
doesn't run on, and 4 servers running 6.x - because until I physically 
get my hands on the blades they can't be upgraded - the other 16 blades 
were upgraded when the drives were changed to new SSDs 6 months ago ... 
we ran out of time in the location for the last 4 being that they are 
production servers and reloading the OS and applications is not 
something trivial.... won't be back in Australia until October so can't 
upgrade the remainder until then.

Regards,

-- 
Michelle Sullivan
http://www.mhix.org/