Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1671
FreeBSD Security Advisories for cryptodev
13 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: cryptodev
Publisher: FreeBSD
Operating System: FreeBSD
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Overwrite Arbitrary Files -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-15880 CVE-2019-15879
Original Bulletin:
https://security.freebsd.org/advisories/FreeBSD-SA-20:15.cryptodev.asc
https://security.freebsd.org/advisories/FreeBSD-SA-20:16.cryptodev.asc
Comment: This bulletin contains two (2) FreeBSD security advisories.
This advisory references vulnerabilities in products which run on
platforms other than FreeBSD. It is recommended that administrators
running cryptodev check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:15.cryptodev Security Advisory
The FreeBSD Project
Topic: Use after free in cryptodev module
Category: core
Module: cryptodev
Announced: 2020-05-12
Credits: Yuval Kanarenstein
Affects: All supported versions of FreeBSD.
Corrected: 2020-01-20 11:19:55 UTC (stable/12, 12.1-STABLE)
2020-05-12 16:57:47 UTC (releng/12.1, 12.1-RELEASE-p5)
2020-01-20 11:19:55 UTC (stable/11, 11.3-STABLE)
2020-05-12 16:57:47 UTC (releng/11.3, 11.3-RELEASE-p9)
CVE Name: CVE-2019-15879
Note: The upcoming release of FreeBSD 11.4 was branched after the original
commit to the stable branch and already includes the fix for this advisory.
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The cryptodev module permits userland applications to offload
cryptographic requests to device drivers in the kernel. Applications
create sessions via file descriptors opened from /dev/crypto.
II. Problem Description
A race condition permitted a data structure in the kernel to be used
after it was freed by the cryptodev module.
III. Impact
An unprivileged process can overwrite arbitrary kernel memory.
IV. Workaround
Unload the cryptodev kernel module if it is loaded:
# kldunload cryptodev
Note that the cryptodev module is not loaded by default and is not
used by most applications. Specificially, use of accelerated software
cryptography, such as AES-NI, in userland applications via libraries such
as OpenSSL do not make use of the cryptodev module.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.12.patch.asc
# gpg --verify cryptodev.12.patch.asc
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:15/cryptodev.11.patch.asc
# gpg --verify cryptodev.11.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- - -------------------------------------------------------------------------
stable/12/ r356908
releng/12.1/ r360976
stable/11/ r356908
releng/11.3/ r360976
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15879>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:15.cryptodev.asc>
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLW2A//VW8iJqNaBHhMnCrpl+oDTadzGM3gYVxnM+EEQYzru2Ze0z0tShiAkXrQ
NryjwBpMA3r1nyWDYaWMgbHjcG+jQdsIvoiA+fSU9hXEUbpxwX9ZKlaSZUBDX48X
YScJMewgHCXNpgkTnIckaIyIadOXX+zWhi5T0LN2tS5M5oejTLndAKo9mQm1Ni50
PYiHFkLzO7v4H6K0cKuJRuHF8+kU1IhvOinZuXwZXoGqmPGTVsA0+T27dWhosaWv
Yqh3Pbp5oS1y3NbbOadLPhY146pT2Qrb2mQOEiHvsXMFRgjIEQzH1MYXx5gvpa4K
CkMwCV/MuNotscVZ00qhVQEGEVlrhgi2IXinzxde5HYCc3mD/KdcYnYz9zOCeIfb
9RfdvKk8uzUITLyz8ZinZBqIHghnSG3M9/cNj2o/97yRfFJazXF/SI41YoV3hcyE
Gb1ncYfaAJ4rL9U6xHMw7V+1LSlMrVsIcWxCM2PS4NTwWcZ8K7mEX51ARjx4k7lx
IBEsJ+ExSfZHNkS6/DLZiuLEQKFxIOKlRyZQTALnzNaNTp763idW7zA+9k8ceBRH
VO7x3EGNqNPhIss+JHOxDUaXTFfJTcd7XGv291unkZwBJuFhJBfH3S+ZCcF38xVK
aweHOoJW5V+D9GKygb9oLjOxOupRkFuRrHFQcvj57FYqs9/GDVc=
=8E1l
- -----END PGP SIGNATURE-----
- -----------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:16.cryptodev Security Advisory
The FreeBSD Project
Topic: Insufficient cryptodev MAC key length check
Category: core
Module: cryptodev
Announced: 2020-05-12
Credits: Yuval Kanarenstein
Affects: FreeBSD 12.1
Corrected: 2020-01-20 11:54:00 UTC (stable/12, 12.1-STABLE)
2020-05-12 16:59:09 UTC (releng/12.1, 12.1-RELEASE-p5)
CVE Name: CVE-2019-15880
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The cryptodev module permits userland applications to offload cryptographic
requests to device drivers in the kernel. Applications create sessions via
file descriptors opened from /dev/crypto.
II. Problem Description
Requests to create cryptography sessions using a MAC did not validate the
user-supplied MAC key length. The cryptodev module allocates a buffer whose
size is this user-suppled length.
III. Impact
An unprivileged process can trigger a kernel panic.
IV. Workaround
Unload the cryptodev kernel module if it is loaded:
# kldunload cryptodev
Note that the cryptodev module is not loaded by default and is not
used by most applications. Specificially, use of accelerated software
cryptography (e.g. AES-NI) in userland applications via libraries such
as OpenSSL does not make use of the cryptodev module.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:16/cryptodev.patch
# fetch https://security.FreeBSD.org/patches/SA-20:16/cryptodev.patch.asc
# gpg --verify cryptodev.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- - -------------------------------------------------------------------------
stable/12/ r356911
releng/12.1/ r360977
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15880>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:16.cryptodev.asc>
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKFbg/+Ou239S9yDp+FTyDlqq4w8p08kh8nHqB6FO6Q6aIxkEgSu/yO9IZsKSnM
o05O8iOVOTRR5xSIBN/aW5d4adH81AV6X66NKUZ0bJwAp16v7YIyivY3ySLOB093
oOTy/wlv0jxAYVzOlqMTuVm4dr9dh+9I9kwF94SDY7/maY0pCuUmVCRi2Y5gvCqu
LYkDdG0Mq0pka1sGY8aFvG63oMyZ98gkbBNk666SzJnBDq/QDSL0FASCgYDjG1fE
R/BciJpucIFi3JPZgSaKi4j56HiN/LaX63A1rdjza3aRh/sLMr7+GHFI3sn474tu
xrkRjwnxr7/dghjspHAvsv+8U1oRIGVxeyaQB+Hd4WvNcVzp2McNBJ9c/z7Ugt1r
affyXl0JBBkdVa45xDf/weGwwxcmCWxXxv7gDPelf07p3MNjl5G3pPUCUoRA3XE5
Am1v5E0Eui5s/H4ncodY/ECIAHuOfenzdcpK5xCQUMHkgikfiLftNfLWSVOrqEJn
Wxl8/ttKWLYYwYDSYrN0kNvQWc6LHsuA1I7Zt7wpRW09wB2OlZ7Hn2nZebTrXjKG
P/AeGa+JVCJ2HZzj1+8qxcFHgq8IRINICvq743e2vIQak0KsgqmtvnLavAlv/p3d
zPxFJOPAw0bhJj14qLT+cXGC9u3/qrZWWR0b4S7qeMlLG3Cw4fk=
=j3X1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXrt6lmaOgq3Tt24GAQjC0xAAr+HD/akPwdTHfcv146YUhgln2VrpKcnM
Jos3jPZ97/4XIAi9hHsw6L8kfhYzS0CG4b85eD49FVeN8pSN5m2yjgH+KSuDhG/g
7M+HqTm7T23pUH6DaGs63+/WdtCTta/FOl7yhGZPuSXnuifsExEmbz6VL+YuETmE
BTP188BbY/xrhaGcWC6CUXDSTk7ryKUX/CBbxHvuUuRWScK2GkQS3earlef10Hoh
V0o64nO8Qw/fEShMKvdrctr2QzOsQJSissx9J9fBQ5jO/GKbNKDDosms5pSvFAdF
T7nbdWnEzVIJb2ezGcE0BojG2CWE1/hnGemeBCEyPk8qZh/IPzsAoqyL4V4i3AVL
kuebHR71db23DmTQfO9i25qaiLwveAF+pQQZip8RPpAhnHmmECRtvVF8OGc1KJ24
w6mNy0XbH+EjdD3vO7pq+oVmD9/w8eUMFoNDfsiBrLVCeuqMEJNLa8r/N0sX6T71
HkbuKYYsfju9oSDOH031joApruEb9WT4+aNo+zeQM+5Wj9lV5bRHnhtjUOHEiOOu
DZK9Iu5XlLm39QPsEcdAPkDYW5f6Tl6JHb1411jqCgz2QXS7YVVQlarIGl4/knK+
6qRsGK3LZtDcwpqlptV0J5u1U5SxYckLTs6ZUTZgKiznsmk9O+cbYSVY9CLxnFX4
n55Zf3FDYgA=
=8CrE
-----END PGP SIGNATURE-----