ESB-2014.1112 - [FreeBSD] kmem: Access confidential data - Existing account

Date: 09 July 2014
References: ESB-2014.2095  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1112
    Kernel memory disclosure in control messages and SCTP notifications
                                9 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kmem
Publisher:         FreeBSD
Operating System:  FreeBSD
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3953 CVE-2014-3952 

Original Bulletin: 
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-14:17.kmem.asc

--------------------------BEGIN INCLUDED TEXT--------------------


=============================================================================
FreeBSD-SA-14:17.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in control messages and SCTP
                notifications

Category:       core
Module:         kern, sctp
Announced:      2014-07-08
Credits:        Michael Tuexen
Affects:        All supported versions of FreeBSD.
Corrected:      2014-07-08 21:54:50 UTC (stable/10, 10.0-STABLE)
                2014-07-08 21:55:27 UTC (releng/10.0, 10.0-RELEASE-p7)
                2014-07-08 21:54:50 UTC (stable/9, 9.3-PRERELEASE)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC3-p1)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC2-p1)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC1-p2)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-BETA3-p2)
                2014-07-08 21:55:27 UTC (releng/9.2, 9.2-RELEASE-p10)
                2014-07-08 21:55:27 UTC (releng/9.1, 9.1-RELEASE-p17)
                2014-07-08 21:54:50 UTC (stable/8, 8.4-STABLE)
                2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
CVE Name:       CVE-2014-3952, CVE-2014-3953

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The control message API is used to construct ancillary data objects for
use in control messages sent and received across sockets and passed via
the recvmsg(2) and sendmsg(2) system calls.

II.  Problem Description

The buffer between the control message header and the data may not be
completely initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit
padding that may not be completely initialized before being copied to
userland.  In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE,
SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the
returning data structure that may not be completely initialized before
being copied to userland.  [CVE-2014-3953]

III. Impact

An unprivileged local process may be able to retrieve a portion of kernel
memory.

For the generic control message, the process may be able to retrieve a
maximum of 4 bytes of kernel memory.

For SCTP, the process may be able to retrieve 2 bytes of kernel memory
for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76
bytes for SCTP_EXTRCV.  If the local process is permitted to receive
SCTP notification, a maximum of 112 bytes of kernel memory may be
returned to userland.

This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way.  For example, a terminal buffer
might include a user-entered password.
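The generic control-message case from sections II and III, as an added C illustration that is not part of the advisory or of FreeBSD's code: it models the 12-byte header followed by 8-byte-aligned data, pre-fills a buffer with a constructed stale-byte marker standing in for leftover kernel memory, and counts how many marker bytes survive in the header gap without and with zeroing the whole space first. The struct and macro names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout modeled on the advisory: a 12-byte header followed by data aligned
 * to 8 bytes leaves a 4-byte gap that must be zeroed before copyout.
 * All names here are this example's own, not FreeBSD's. */
#define DEMO_ALIGN(n)    (((n) + (size_t)7) & ~(size_t)7)
struct demo_cmsghdr { uint32_t cmsg_len; int32_t cmsg_level; int32_t cmsg_type; };
#define DEMO_HDRLEN      sizeof(struct demo_cmsghdr)   /* 12 */
#define DEMO_DATAOFF     DEMO_ALIGN(DEMO_HDRLEN)       /* 16 */
#define DEMO_SPACE(dlen) (DEMO_DATAOFF + DEMO_ALIGN(dlen))
#define STALE_MARKER     0xA5   /* constructed stand-in for leftover kernel bytes */

/* Buggy pattern: header and payload are written, the gap between them is not. */
static void build_cmsg_unsafe(uint8_t *buf, const void *data, size_t dlen)
{
    struct demo_cmsghdr h = { (uint32_t)(DEMO_DATAOFF + dlen), 0, 0 };
    memcpy(buf, &h, sizeof h);              /* bytes 0..11 */
    memcpy(buf + DEMO_DATAOFF, data, dlen); /* bytes 16.. ; 12..15 untouched */
}

/* Fixed pattern: zero the whole control-message space before filling it, so
 * neither the header gap nor any tail padding carries stale bytes. */
static void build_cmsg_safe(uint8_t *buf, const void *data, size_t dlen)
{
    memset(buf, 0, DEMO_SPACE(dlen));
    build_cmsg_unsafe(buf, data, dlen);
}

/* Count bytes outside header and payload that still hold the stale marker. */
static size_t stale_bytes_exposed(const uint8_t *buf, size_t dlen)
{
    size_t n = 0, i;
    for (i = DEMO_HDRLEN; i < DEMO_DATAOFF; i++)             /* header gap */
        n += (buf[i] == STALE_MARKER);
    for (i = DEMO_DATAOFF + dlen; i < DEMO_SPACE(dlen); i++) /* tail padding */
        n += (buf[i] == STALE_MARKER);
    return n;
}

/* Simulate a reused kernel buffer: pre-fill with the marker, build, measure. */
static size_t demo_leak(int use_safe)
{
    uint8_t buf[DEMO_SPACE(sizeof(uint64_t))];        /* 24 bytes, no tail pad */
    const uint64_t payload = 0x1122334455667788ULL;   /* constructed payload */
    memset(buf, STALE_MARKER, sizeof buf);
    if (use_safe) build_cmsg_safe(buf, &payload, sizeof payload);
    else          build_cmsg_unsafe(buf, &payload, sizeof payload);
    return stale_bytes_exposed(buf, sizeof payload);  /* unsafe: 4, safe: 0 */
}
```

The four surviving marker bytes in the unsafe case are exactly the "maximum of 4 bytes" the advisory gives for the generic control message; the same zero-before-fill discipline applies to the SCTP structures with implicit padding.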

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch.asc
# gpg --verify kmem.patch.asc

[FreeBSD 8.4, 9.2 and 9.3-RC]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch.asc
# gpg --verify kmem-89.patch.asc

[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch.asc
# gpg --verify kmem-9.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r268432
releng/8.4/                                                       r268435
stable/9/                                                         r268432
releng/9.1/                                                       r268434
releng/9.2/                                                       r268434
releng/9.3/                                                       r268433
stable/10/                                                        r268432
releng/10.0/                                                      r268434
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3952>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3953>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:17.kmem.asc>

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================