ESB-2018.1404 - [NetBSD] ipsec: Denial of service - Remote/unauthenticated 2018-05-08

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1404
                     Several vulnerabilities in IPsec
                                8 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ipsec
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-007.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		NetBSD Security Advisory 2018-007
		=================================

Topic:		Several vulnerabilities in IPsec

Version:	NetBSD-current:		source prior to Tue, May 1st 2018
		NetBSD 7.1 - 7.1.2:	affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Remote DoS, Remote Memory Corruption

Fixed:		NetBSD-current:		Tue, May 1st 2018
		NetBSD-7-1 branch:	Thu, May 3rd 2018
		NetBSD-7-0 branch:	Thu, May 3rd 2018
		NetBSD-7 branch:	Thu, May 3rd 2018
		NetBSD-6-1 branch:	Thu, May 3rd 2018
		NetBSD-6-0 branch:	Thu, May 3rd 2018
		NetBSD-6 branch:	Thu, May 3rd 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract and Technical Details
==============================

Several bugs and vulnerabilities were discovered in the IPsec code. They
can be triggered before, or after, authentication or decryption.

Before authentication/decryption:

 1) In the AH entry point, a length check was missing, and it was possible
    for a remote attacker to crash the system by sending a very small AH
    packet. Also, a use-after-free was present in this same entry point.

 2) An inverted logic in the common IPsec entry point allowed an attacker to
    remotely crash the system when both IPsec and forwarding were enabled.

 3) A miscomputation in an IPsec function in charge of handling mbufs
    resulted in the wrong length being stored in the mbuf header. This
    allowed an attacker to panic the system when at least ESP was active.

 4) A sanity check in the IPsec output path was not strong enough and
    allowed an attacker to remotely panic the system when both IPsec and
    IPv6 forwarding were enabled.

After authentication/decryption:

 5) A use-after-free existed in the common Tunnel code. Also, a mistake in
    pointer initialization allowed an IPv6 packet to bypass the "local
    address spoofing" check.

 6) A missing length check in the common IPsec entry point could allow an
    attacker to crash the system.

 7) A memory leak and a use-after-free bug could allow an attacker to
    crash the system when both IPv6 and forwarding were enabled.


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

 FILE     HEAD     netbsd-7     netbsd-7-0     netbsd-7-1
 ----     ----     --------     ----------     ----------
 src/sys/netipsec/xform_ah.c
          1.80     1.42.4.2     1.42.8.2       1.42.12.2
 src/sys/netipsec/ipsec.c
          1.130    1.63.2.1     1.63.4.1       1.63.8.1
 src/sys/netipsec/ipsec_mbuf.c
          1.24     1.12.30.1    1.12.34.1      1.12.42.1
 src/sys/netipsec/ipsec_output.c
          1.75     1.40.4.1     1.40.8.1       1.40.12.1
 src/sys/netipsec/xform_ipip.c
          1.56     1.31.2.2     1.31.6.2       1.31.10.2
 src/sys/netipsec/ipsec_input.c
          1.58     1.32.4.1     1.32.8.1       1.32.12.1
 src/sys/netinet6/ip6_forward.c
          1.91     1.73.2.3     1.73.2.1.2.2   1.73.2.1.6.2

 FILE              netbsd-6     netbsd-6-0     netbsd-6-1
 ----              --------     ----------     ----------
 src/sys/netipsec/xform_ah.c
                   1.37.2.2     1.37.6.2       1.37.8.2
 src/sys/netipsec/ipsec.c
                   1.55.8.1     1.55.12.1      1.55.14.1
 src/sys/netipsec/ipsec_mbuf.c
                   1.12.10.1    1.12.16.1      1.12.24.1
 src/sys/netipsec/ipsec_output.c
                   1.38.2.1     1.38.8.1       1.38.16.1
 src/sys/netipsec/xform_ipip.c
                   1.28.8.2     1.28.14.2      1.28.22.2
 src/sys/netipsec/ipsec_input.c
                   1.29.2.1     1.29.8.1       1.29.16.1
 src/sys/netinet6/ip6_forward.c
                   1.69.2.2     1.69.6.2       1.69.8.2


To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r VERSION sys/netipsec/xform_ah.c
	# cvs update -d -P -r VERSION sys/netipsec/ipsec.c
	# cvs update -d -P -r VERSION sys/netipsec/ipsec_mbuf.c
	# cvs update -d -P -r VERSION sys/netipsec/ipsec_output.c
	# cvs update -d -P -r VERSION sys/netipsec/xform_ipip.c
	# cvs update -d -P -r VERSION sys/netipsec/ipsec_input.c
	# cvs update -d -P -r VERSION sys/netinet6/ip6_forward.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Maxime Villard for finding and fixing these issues.


Revision History
================

	2018-05-07	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-007.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
- -----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJa8GKzAAoJEAZJc6xMSnBuHEMP/jkbNaVYUnC9ALUXctbeFm8S
6V4Jgda2Vv48P6HOLLc+m/IWJC/1IIlUJ/a1fb1oZW4MDg8ELudXAqP5GfwD0fKT
gF6qKdhGp4ISLPZVnOAZVaQe3pTRhJQnhXaoupxUcsl1jjgRWU5/UxJA4mByo+F0
tyfAxR0+JWgreBOUlekEIxs2ZGRWsDAmj0B7Me8OO6Jpb7SmHuqokgRb9Q1ExpB/
oGW3b3VX/9EWtVfaDGhUAHCj8ZARmyrK9ultD8+Ql8eacjeVgdr5CNvp4gy/OcSk
8DzG0v5E7pdpJc7WI4YA4qC3NuWjAuS/1gZ6fu1nTAK2Mp0PEvrEFvIi4cQePpne
28yK5oCc4dV3Y4amFKcqqPvWakJhTmNldv6nxRdhthdb9Uf6v2sCEgSark4UwLjv
gDbpZF9MOvzQjXSMdmhjmfj5Yi+lytmyDXyT/WFxhE8xS6+l4l8DTutsvFh26D5m
OZ1hWTa4Z90zxPrS5GX3hizn44Tq72HVSne9zE0JLgBgHb+YbF7aZO5rwAMh47gB
UFpiEbPFBNLMGPr57vxIhOwrsvIH8XLUKP/g4x7NeVPdSvJ5LoJCSk+iueOt06vd
HGjF29nivsnJ9uGTWIQiGo9EYOyR/IQH3EevafUvAz+10Hj62JnHmWvoxK0XGGVe
bTGEsDCmMFjmd7YoeKB+
=hIq7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWvEnfox+lLeg9Ub1AQgEYw//ckDUNiWWU4T9Fs6DxAbOjle2TZR0U0SG
9vFOVH8vz4CSd8X4sDkFNes+KSvYzjoBOd8tXnJw/bPtrxM1i+8tSckv+q1a7Don
uJ89Pb3qZipDbDT1CnsRu3DH1H/a3FA6MO5UQRnZ+27g6lICIHfpRtzNukUyqx/M
gO9IDPGdswxjoksVAQ3TsopvlJZIT53pTwSlkLli0EonvubQAPoMG1XEbJ4vMy01
LhiYwTylU29Thz2M8UQEn67uU8P+mZHg7P6Lb5eJHuCuDGBQRPOPNLt8P0s8oGpJ
9KY7uumGifgapLg6b8il47LYcTto0uB5MIp3fkBc1L9WCN8OcxbbsCQAIgjF0lmC
S81k5mFmdFDRqHAl4zD/nh88r1EKUsYDpYEWPi4iqSck0Qi+nf2iPMfFpDVDyRQK
/d6WyLLphsZ3R1sppLfXuKq+Ud2ysoG5VupyPBouQ9ybZB0oPUuV5KJxwOEbvWoX
gIYf6A+yl1MJzC1HwktjKchbP5rUt8hzunLQsGg/xU93cRjNWC7S8f0SU8Os8yoZ
uhmT+nO5Vqz54Fm6iwyQuNIx1zkvF7LPvAAnfKeMtBVqjv0WIV/5qtzYFJYs2glu
wF4i/aQhotpJYANNMULVgzOxq3vpfAXnQcioDIzaksal3b7ZDgpgTCCSYCzjkQxZ
f+tTZfr3734=
=Ke4/
-----END PGP SIGNATURE-----

« Back to bulletins