===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4709
      Denial of service and possible privilege escalation in filemon
                             18 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           filemon
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Create Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2019-006.txt.asc

--------------------------BEGIN INCLUDED TEXT--------------------

NetBSD Security Advisory 2019-006
=================================

Topic:     Denial of service and possible privilege escalation in filemon

Version:   NetBSD-current:   affected up to 9.99.17
           NetBSD 8.1:       affected
           NetBSD 7.x:       unaffected

Severity:  Local users can crash the machine

Fixed:     NetBSD-current:   October 28, 2019
           NetBSD-9 branch:  October 28, 2019
           NetBSD-8 branch:  October 28, 2019

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An unprivileged user can write filemon output to arbitrary files, or
crash the system.

Technical Details
=================

The filemon module is experimental and not suitable for general use.
Unfortunately it can be inadvertently auto-loaded when /dev/filemon is
opened, and /dev/filemon is accessible to any user.

There was a missing write check in the filemon module thus permitting
any user to overwrite any file in the system. While we are not currently
aware of an exploit, it is conceivable that one can overwrite a
configuration file parsed by a privileged daemon that does not abort on
syntax errors.

Additionally the way filemon does filesystem interception is racy and
can lead to random crashes if the system calls are in use while the
module is unloaded.

Solutions and Workarounds
=========================

Unloading and removing the filemon module, either manually:

    # modunload filemon
    # rm -rf /stand/*/*/modules/filemon/

Or by updating the machine to a newer build and running

    postinstall fix obsolete

Thanks To
=========

Ilja Van Sprundel for reporting this vulnerability.

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2019-006.txt.asc

Information about NetBSD and NetBSD security can be found at
  https://www.NetBSD.org/
  https://www.NetBSD.org/Security/

Copyright 2019, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2019-006.txt.asc,v 1.1 2019/12/17 00:55:08 christos Exp $

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
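
Added example, not part of the NetBSD advisory or the AusCERT bulletin: a POSIX shell check for the three conditions the advisory describes (filemon loaded, module files still under /stand, /dev/filemon open to all users). The function names and the optional root-directory argument are assumptions of this example; it reads modstat output on stdin.

```shell
#!/bin/sh
# Added example: audit for the filemon exposure described in NetBSD-SA2019-006.
# Function names and the optional ROOT argument are assumptions of this example.
# Usage on a NetBSD host:  modstat | filemon_audit

# Succeeds if modstat output on stdin lists a module named "filemon".
filemon_loaded() {
    awk '$1 == "filemon" { found = 1 } END { exit !found }'
}

# Prints every filemon module directory still present under ROOT/stand,
# using the same glob as the advisory's rm -rf workaround.
filemon_module_dirs() {
    for d in "${1:-}"/stand/*/*/modules/filemon; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Succeeds if ROOT/dev/filemon exists and "other" may read or write it.
filemon_dev_open_to_all() {
    dev="${1:-}/dev/filemon"
    [ -e "$dev" ] || return 1
    other=$(ls -ld "$dev" | cut -c8-9)   # r/w bits for "other" in the mode string
    [ "$other" != "--" ]
}

# Prints one finding per line; returns 1 if anything was found, else 0.
filemon_audit() {
    root="${1:-}"
    findings=0
    if filemon_loaded; then
        echo "filemon module is loaded (modunload filemon)"
        findings=1
    fi
    dirs=$(filemon_module_dirs "$root")
    if [ -n "$dirs" ]; then
        printf '%s\n' "$dirs" | sed 's/^/module files still installed: /'
        findings=1
    fi
    if filemon_dev_open_to_all "$root"; then
        echo "$root/dev/filemon is accessible to any user"
        findings=1
    fi
    return "$findings"
}
```

A zero exit status with no output means none of the three conditions was found; it does not replace updating to a build dated after the fix.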