-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4709
      Denial of service and possible privilege escallation in filemon
                             18 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           filemon
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Create Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2019-006.txt.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2019-006
		=================================

Topic:		Denial of service and possible privilege escallation in filemon

Version:	NetBSD-current:		affected up to 9.99.17
		NetBSD 8.1:		affected
		NetBSD 7.x:		unaffected

Severity:	Local users can crash the machine

Fixed:		NetBSD-current:		October 28, 2019
		NetBSD-9 branch:	October 28, 2019
		NetBSD-8 branch:	October 28, 2019

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An unprivileged user can write filemon output to arbitrary files,
or crash the system.

Technical Details
=================

The filemon module is experimental and not suitable for general
use. Unfortunately it can be inadvertently auto-loaded when
/dev/filemon is opened, and /dev/filemon is accessible to any user.

There was a missing write check in the filemon module thus permitting
any user to overwrite any file in the system. While we are not
currently aware of an exploit, it is conceivable that one can
overwrite a configuration file parsed by a privileged daemon that
does not abort on syntax errors.

Additionally the way filemon does filesystem interception is racy
and can lead to random crashes if the system calls are in use
while the module is unloaded.

Solutions and Workarounds
=========================

Unloading and removing the filemon module, either manually:

# modunload filemon
# rm -rf /stand/*/*/modules/filemon/

Or by updating the machine to a newer build and running
postinstall fix obsolete

Thanks To
=========

Ilja Van Sprundel for reporting this vulnerability.

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-006.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/

Copyright 2019, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-006.txt.asc,v 1.1 2019/12/17 00:55:08 christos Exp $
- -----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJd+CdCAAoJEIkmHhf170n/sRwP/iepxkQCzWM7NUSZWDmbJ6A2
pJzJVlmwOwqqvRFlPWhfiLAryeWIaM6mO4mCdqQUodvZGE8+9q9/1Qyga41YQji5
mYCiFCAM1ezUzhr9FXHsJZf8rvEp6qt9E7DjqNpzJy9ut9bSEMLVq3M4GLqcQZn3
t2067Cl0OIkOrenxU5aM5cYuQe62DotQR254HmGKGzG5SbNOM9Q1fLJECNECRFt2
7N72RsOcDMnEKepVoFcH200oMKM5/tgweRKTxcrq3NsrFORSwgpobSN1Q2g5Uzc3
+PvB7wsy2xb1XbHT7VYn+vspbrzlSDm+vrQCTNPUm26iOnyvl4XdFPOXwlUuHSXk
GU2m5uqX3KvWkU4DDVhZ5DRmQHi8tY0sri53qvI0sazOlKtHau+qt0TI6pbizhPV
o7CBsTytvw1ztL0q4g4pweRHiIT+jILTfeAaojNLAqDnLgzm4lBcUzg5WX552lCx
vNb+2B6WHmIbAx/Jtr60ei97PWQVJ8ECckyrh+vvo2dD/izJg8JkB1rJa1ihydtu
bvv3+MHO24wwBjlfcnoPvOETcakMRRH3Fkp9CNRx894eTn8bwrz3xPtyAhAwqzuc
z2s/9foAs53wneKlnT6BCtUMx9v6FVT+9oOUmYGnQ7OneqZMKTSDHj2WsJEQNHXP
5Zkm7k2HHV6xcFF7tAo6
=uQGc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfmgqWaOgq3Tt24GAQh8Mw//emrnoAsOWMmiwgrND/3aNi2Cbalo0ndT
9aH43P16vMu2kNmXz8eJfv04ewsB8ta4SDDJ8WJwOXjQ1b2i7GKaI5Ceva9ub3To
DA2u/RqroUT9DlFTJ0lXhj4fu67X9PQTiFo0wf6Ga5kTNPlSc/NWdrwkNCyrvMvB
LUuO63erX9RXY/G4p7g/ED2rmjvb7+H1XJNm7f85ESY9Wbql5yK382JbSDr8F5+9
KjxcQQpDTJR1737dTpHZ9cpmSmgCxJGpt94xjzp/FHwZNXploaOzOl4SbLWs7cd4
FQhz2Tkro2J0Fo6JRCQFJvTTGLmx56tRBugQfBJMCAI5d7sa/bD2PksZ0E+cmBrv
jKGnebIL6T4GaHWmEuLn7F2yhiOWcI8RzRtHXTA5N39QPeLxwabQHhLBa7fMAwDW
dTPuiIeN7Q9mX9H3Fwml03K8mkTWVCULO+1yZYIk35DXDbaJwvWZ6D9H4ZBpyydT
4NkYrxAxVZMMz7JQ52iaj+vvO7PysoWgG+tCofK6i1FEz7f5ABbi5391zJGTg0fG
ah6hoCt9/kATXnSE0rg1UuwUGle9S7fg48msa2g5qGT56HjKkHJuvuQbhFzPv5F5
buBY2EOUhfKxdxynmUfgMRcT7q0NpBb8qb8mvpYe+TrTKNTi+ar5WzjlUlf2Ycpw
6elDNb+UwuY=
=HgZt
-----END PGP SIGNATURE-----