Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.1258 Insufficient credential checks in network ioctl(2) 11 September 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ifioctl Publisher: FreeBSD Operating System: FreeBSD Impact/Access: Root Compromise -- Existing Account Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2013-5691 Original Bulletin: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-13:12.ifioctl.asc - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:12.ifioctl Security Advisory The FreeBSD Project Topic: Insufficient credential checks in network ioctl(2) Category: core Module: sys_netinet6 sys_netatm Announced: 2013-09-10 Credits: Loganaden Velvindron Gleb Smirnoff Affects: All supported versions of FreeBSD. Corrected: 2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC3-p1) 2013-09-10 10:15:33 UTC (releng/9.1, 9.1-RELEASE-p7) 2013-09-10 10:12:09 UTC (stable/8, 8.4-STABLE) 2013-09-10 10:14:19 UTC (releng/8.4, 8.4-RELEASE-p4) 2013-09-10 10:13:14 UTC (releng/8.3, 8.3-RELEASE-p11) CVE Name: CVE-2013-5691 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background The ioctl(2) system call allows an application to perform device- or protocol-specific operations through a file or socket descriptor associated with a specific device or protocol. The SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK ioctl requests are used to associate a network address, broadcast address, destination address (for point-to-point interfaces) or netmask with an interface. They operate on the assumption that each interface only has one address per protocol, and are therefore of limited use for IPv4, where interfaces may have more than one address. They were never implemented for IPv6, where interfaces nearly always have at least two, and in many cases three, addresses; nor were they ever implemented for ATM. II. Problem Description As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code. Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware. III. Impact An unprivileged user with the ability to run arbitrary code can cause any network interface in the system to perform the link layer actions associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a specially crafted address structure which causes a network interface driver to dereference an invalid pointer. Although this has not been confirmed, the possibility that an attacker may be able to execute arbitrary code in kernel context can not be ruled out. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch # fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch.asc # gpg --verify ifioctl.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - - ------------------------------------------------------------------------- stable/8/ r255445 releng/8.3/ r255446 releng/8.4/ r255447 stable/9/ r255443 releng/9.1/ r255448 releng/9.2/ r255444 - - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5691> The latest revision of this advisory is available at <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:12.ifioctl.asc> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (FreeBSD) iEYEARECAAYFAlIu8rUACgkQFdaIBMps37ImRQCdGUcSBvK6+kAN69aGChHT6fVb YI4AoJNveN9PSowTG0NnUkPJR9oJimZT =xb3g - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUi/FfBLndAQH1ShLAQJROA//f+sBXYxIOs/3CHEYDbJGbL5YHEAiyi2F rhrnjy27NlB7qKJi2Lz9R8SH0E4C2ZDGUge6Nj1MdZqMGR8oNq8lGOGZkmnlatR5 bMsp7/iXkk3gggsbPrWQTtMF/TpcQPs4hOzNSY4l+OJf5FnKZFrhFsMS/4u0Hj37 po+elze4V1VGyGRSo5Ko3gk806aJlK1frjR0WIiNJa5QePOGuXdLYABXIYUhJWwN JfOS8CwXG0T2fxfeDJFyzGcg8kKkvYb+Pv3L90bJGD84yy6H62i8mmw4O6/QSFKe zMrXW7ZNuajEIqmMDi2rM8EH5bFrcR1HXo3J0F+1mfYAl/BGpfi8GzL8YrgfpQv4 gvpG0r/AmDtYNTeMy5RpjO5jLw3GtPXcM8aiRvuPmjyYn08uwyxA1IwItHOQzYGl ZZ7K3pS1ENXvPZmCD4NCZYzreZwY/AOKdzHZPh3gxXkDBK+GmhVbdswOYswqRRPk iWjCy00TT8dFdXn0WyARaeyllz5t3uQe18ZIC8wS+d1GXgjqYkkwmWjGPCtTRXKT hiqlP9dySrQ9YXXsolZ4fbTOoksB4c29PXGtoxK0r5RB1u2N3SiUFMHY2nJyYA/B mXrWoyaJBstB7epxaacOTpk/4DAMUxeKahFxT52wsdizaqmYALHJdmaaR43kebuP Q46J+4EK2cU= =TYfN -----END PGP SIGNATURE-----