ESB-2018.1131 - [NetBSD] kernel: Denial of service - Remote/unauthenticated 2018-04-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1131
               Several vulnerabilities in the network stack
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		NetBSD Security Advisory 2018-006
		=================================

Topic:		Several vulnerabilities in the network stack

Version:	NetBSD-current:		source prior to Fri, Feb 9th 2018
		NetBSD 7.1.2:		not affected
		NetBSD 7.1 - 7.1.1:	affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Remote DoS, Remote Memory Corruption

Fixed:		NetBSD-current:		Fri, Feb 9th 2018
		NetBSD-7-1 branch:	Sat, Feb 24th 2018
		NetBSD-7-0 branch:	Sat, Feb 24th 2018
		NetBSD-7 branch:	Sat, Feb 24th 2018
		NetBSD-6-1 branch:	Tue, Mar 13th 2018
		NetBSD-6-0 branch:	Tue, Mar 13th 2018
		NetBSD-6 branch:	Tue, Mar 13th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Several vulnerabilities were discovered in the network stack:

 1) Several bugs in MPLS.
 2) Memory leak in IPv6-NBR.
 3) Double free in Pim6.
 4) IPv4 source-routed packets allowed by default.
 5) Signedness bug in PF.


Technical Details
=================

 1) Several possible use-after-frees existed in the MPLS code. This could
    cause the system to panic.

 2) A memory leak existed in the IPv6-NBR entry point. An attacker could
    cause the kernel to run out of memory.

 3) A double-free bug existed in the Pim6 (IPv6 multicast) entry point. This
    could cause the kernel to panic.

 4) Two sysctls wrongfully allowed IPv4 source-routed packets to be accepted
    by the kernel. Source-routed packets are known to have several security
    implications.

 5) A signedness bug existed in NetBSD's implementation of the PF firewall.
    A length check was unintentionally made unsigned, while it was expected
    to be signed. This could cause a read overflow (leading to a page fault)
    if a specially-crafted TCP-SYN packet was received while PF had a
    configuration of the type "pass in [...] tcp [...] modulate state".
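
The bug class in item 5, as an added example (not code from the advisory and not NetBSD's pf.c): a TCP option walker whose remaining-length counter differs only in signedness. The names DEFINE_WALKER, walk_unsigned and walk_signed and both inputs are hypothetical; a guard returns -1 at the point where a real walker would read past the option area.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define MIN_OPTLEN 2    /* kind byte + length byte */

/*
 * Generate an option walker whose remaining-length counter has type T.
 * Returns the number of options skipped, or -1 when the loop would carry
 * on past the option area (where a kernel would fault on the read).
 */
#define DEFINE_WALKER(name, T)                                         \
static int name(const uint8_t *opt, size_t optlen)                     \
{                                                                      \
    size_t off = 0;                                                    \
    int seen = 0;                                                      \
    T hlen = (T)optlen;                                                \
    while (hlen >= MIN_OPTLEN) {                                       \
        if (off + MIN_OPTLEN > optlen)                                 \
            return -1;  /* demo guard: stop instead of over-reading */ \
        if (opt[off] == TCPOPT_EOL)                                    \
            break;                                                     \
        if (opt[off] == TCPOPT_NOP) { off++; hlen--; continue; }       \
        int olen = opt[off + 1];                                       \
        if (olen < MIN_OPTLEN)                                         \
            olen = MIN_OPTLEN;                                         \
        off += olen;                                                   \
        hlen -= olen;   /* unsigned T wraps, signed T goes negative */ \
        seen++;                                                        \
    }                                                                  \
    return seen;                                                       \
}

DEFINE_WALKER(walk_unsigned, unsigned int)  /* counter made unsigned */
DEFINE_WALKER(walk_signed, int)             /* counter kept signed */

/* Constructed inputs, not captured traffic. */
static const uint8_t good_opts[8]  = { 2, 4, 0x05, 0xb4, 1, 1, 1, 0 };
static const uint8_t trunc_opts[4] = { 1, 1, 2, 8 };  /* claims 8, has 2 */

int main(void)
{
    printf("good:  %d %d\n", walk_unsigned(good_opts, 8), walk_signed(good_opts, 8));
    printf("trunc: %d %d\n", walk_unsigned(trunc_opts, 4), walk_signed(trunc_opts, 4));
    return 0;
}
```

With the signed counter the subtraction goes negative and the loop ends; with the unsigned counter it wraps to a large value and the loop condition stays true.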


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

 FILE     HEAD     netbsd-7     netbsd-7-0     netbsd-7-1
 ----     ----     --------     ----------     ----------
 src/sys/net/if_mpls.c
          1.33     1.16.2.1     1.16.6.1       1.16.10.1
 src/sys/netmpls/mpls_ttl.c
          1.9      1.4.4.1      1.4.8.1        1.4.12.1
 src/sys/netinet6/nd6_nbr.c
          1.145    1.100.2.3    1.100.2.2.2.1  1.100.2.2.6.1
 src/sys/netinet6/ip6_mroute.c
          1.120    1.107.2.1    1.107.6.1      1.107.10.1
 src/sys/netinet/ip_input.c
          1.366    1.319.2.1    1.319.6.1      1.319.10.1
 src/sys/dist/pf/net/pf.c
          1.78     1.72.2.1     1.72.6.1       1.72.10.1


 FILE              netbsd-6     netbsd-6-0     netbsd-6-1
 ----              --------     ----------     ----------
 src/sys/net/if_mpls.c
                   1.8.8.2      1.8.14.2       1.8.22.2
 src/sys/netmpls/mpls_ttl.c
                   1.3.18.1     1.3.24.1       1.3.32.1
 src/sys/netinet6/nd6_nbr.c
                   1.95.2.1     1.95.6.1       1.95.8.1
 src/sys/netinet6/ip6_mroute.c
                   1.103.2.1    1.103.8.1      1.103.16.1
 src/sys/netinet/ip_input.c
                   1.298.2.1    1.298.6.1      1.298.8.1
 src/sys/dist/pf/net/pf.c
                   1.68.2.1     1.68.6.1       1.68.8.1


To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r VERSION sys/net/if_mpls.c
	# cvs update -d -P -r VERSION sys/netmpls/mpls_ttl.c
	# cvs update -d -P -r VERSION sys/netinet6/nd6_nbr.c
	# cvs update -d -P -r VERSION sys/netinet6/ip6_mroute.c
	# cvs update -d -P -r VERSION sys/netinet/ip_input.c
	# cvs update -d -P -r VERSION sys/dist/pf/net/pf.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Maxime Villard for finding and fixing issues 1) 2) 3) 4), Lucio Albornoz
for reporting a problem that was discovered to be 5).


Revision History
================

	2018-04-09	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
