From security-advisories at freebsd.org Tue Apr 7 20:54:06 2015
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Tue, 7 Apr 2015 20:54:05 GMT
Subject: [FreeBSD-Announce] FreeBSD Security Advisory
FreeBSD-SA-15:08.bsdinstall
Message-ID: <201504072054.t37Ks5qR015088@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:08.bsdinstall Security Advisory
The FreeBSD Project
Topic: Insecure default GELI keyfile permissions
Category: core
Module: bsdinstall
Announced: 2015-04-07
Credits: Pierre Kim
Affects: FreeBSD 10.1.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
CVE Name: CVE-2015-1415
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The GEOM ELI class, or geli(8) implements encryption on GEOM providers which
supports various cryptographic encryption and authentication methods as
well as hardware acceleration. Each geli(8) provider has two key slots,
and each slot holds a copy of its master key encrypted by a keyfile and/or
a passphrase chosen by the system administrator.
The bsdinstall(8) installer is the default system installer of FreeBSD since
FreeBSD 10.0-RELEASE.
II. Problem Description
The default permission set by bsdinstall(8) installer when configuring full
disk encrypted ZFS is too open.
III. Impact
A local attacker may be able to get a copy of the geli(8) provider's
keyfile which is located at a fixed location.
IV. Solution
Note well: due to the nature of this issue, there is no way to fix this
issue for already installed systems without human intervention. System
administrators are advised to assume that the keyfile have already been
leaked and a new keyfile is necessary.
The system administrator can create a new keyfile with the correct
permissions, and change the key slot that holds the master key encrypted
with the old keyfile.
For example, if the GELI provider is /dev/ada0, the system administrator
can do the following:
# umask 077
# dd if=/dev/random of=/boot/encryption.key.new bs=4096 count=1
# umask 022
# geli setkey -K /boot/encryption.key.new /dev/ada0p3
Enter new passphrase:
Reenter new passphrase:
(Repeat the geli setkey command if multiple providers are used)
# mv /boot/encryption.key.new /boot/encryption.key
# ls -l /boot/encryption.key
Make sure that the new /boot/encryption.key can only be read by root.
The FreeBSD stable and security branch (releng) and the changes are mainly
intended for system integrators who build their own installation image for
new installations.
V. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VI. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rntF0P/0vVZ6W5xpIAm5K7eS184GaJ
TuQ0E5XdqH1i6smYxAwUHtINFmAJ11cv+KwAbwFwazdB9jy4def6kwBZ/PE1y1M9
OGi/JD3RghL0RrrrIzADVz5Z4Hi401BmLN7aOW9REX75/o82XqGXTRlDmow5z22D
/B4NRNQ0p6cwmwh179HHuJPgQsDmL3mBkgn4oMv1036q9VjP5V/b+i2Ja/I6oCa/
ZJhdEg17P9ek6GBna/fV7yo1Cr+A7v9aSUFcN9E8VqoWGn06jO0sLjWCC9Lrc6sZ
KAgFbxNuPW/eZOE447DIu9jrgE8xxBFn6skeW81jsPsT4FsF/7KWG+dxBOa9XxOH
XQTzc9sx3tsRVUzEBUGHRpPh/ZbkqtqQ5MYrAYk66NJ1NFqbrhY08mqzOd4+Sr7a
CUMV/1vD0pCRME8bgIVupKciIw9y6QYWo2Gm+BJIqAw7L8EaEhaN7nnBxDbRehlj
PdRYxHO4aQLIxdaV4dtDx3SX+njRxyVP/0OOSVQz1laiKadsRO2YQe+IhVoFhU5v
fLSoBI+8mX8Sc65UasqsuNXC3G2c6XXKkLBCYzmL90R2pwPtxbQRTDVGMmG9fyyc
b4w+yindLcwKXxKJryQWswAbv6hBQunAoCaVsqiIdF2N9Psrlr3FhkU//JbvrxA1
COcciZEksTS0JwEpOGi5
=wg1b
-----END PGP SIGNATURE-----
From security-advisories at freebsd.org Tue Apr 7 20:54:05 2015
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Tue, 7 Apr 2015 20:54:05 GMT
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:04.igmp
[REVISED]
Message-ID: <201504072054.t37Ks5Zf015092@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:04.igmp Security Advisory
The FreeBSD Project
Topic: Integer overflow in IGMP protocol
Category: core
Module: igmp
Announced: 2015-02-25; Last revised on 2015-04-07
Credits: Mateusz Kocielski, Logicaltrust,
Marek Kroemeke, and 22733db72ab3ed94b5f8a1ffcde850251fe6f466
Affects: All supported versions of FreeBSD.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name: CVE-2015-1414
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
0. Revision history
v1.0 2015-02-25 Initial release.
v1.1 2015-04-07 Revised patch to address a potential overflow issue.
I. Background
IGMP is a control plane protocol used by IPv4 hosts and routers to propagate
multicast group membership information. IGMP version 3 is implemented on
FreeBSD.
II. Problem Description
An integer overflow in computing the size of IGMPv3 data buffer can result
in a buffer which is too small for the requested operation.
III. Impact
An attacker who can send specifically crafted IGMP packets could cause a
denial of service situation by causing the kernel to crash.
IV. Workaround
Block incoming IGMP packets by protecting your host/networks with a firewall.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
# gpg --verify igmp.patch.asc
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch.asc
# gpg --verify igmp-errata.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r281231
releng/8.4/ r281233
stable/9/ r281231
releng/9.3/ r281233
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVJD39AAoJEO1n7NZdz2rnewwQAN9xI01nzOO71Q7qP7xDq+wu
RW2C+2A4viIZIId1od6GiDY7Qpigy1CMwHsae6qJ62R+D5F2x9vANV4U6AS44oNy
2jDwbrByM7QQ3qeCh8NzCUvOwPuXyKsAGKV73t3QPk0leKdbqUyjTooWJtZAv0dN
VgQ4VCQh+2ZlxjMT0igUScmCVqOncRUm33xKBLeTif5LZHi/afkR6CToMlACOvl3
syJNhEeM+zYU9XLzb90hAjvqn1xLDkoS4qJNbrekj0/dI0jkgZdk18QAualwWgeZ
i39Da6IQ4wCn8Sx9o8pc8NdtzHn37rmOcdzBIodzxa1vALmNhDWuBpIIysffsZvf
ewVdI83pabRdZZxO1YAPjJi34CTXmvwf8Hit/hh0n1AO21lhr0NhwQzEn7gmLqSh
JZYg46k6tNGy6qUa1NU/ywja0kLCG0KdR1FO9IKaN6TCgB30bpndGq1Y0esX1Mo8
5xq/P/KoNPE9BzifyhbDBt77eEmfpiKIuQXQVP3B1n3KEDDUlSSeiz3x0h9ZOjfm
vLb1hinfp1RPC4S72a0Zts6r60aee9dMWd/DvC8RqWQqEE0PUamipL2ClzBmOpTK
F9b2y9776hfPV/mvGUwS7H63mAMJkMOTDGZn3WWIT3Dmr6Eru0/t1XXqCPB4cNUl
uf5sxNtEDjXadkeM20lu
=y2yR
-----END PGP SIGNATURE-----
From security-advisories at freebsd.org Tue Apr 7 20:54:06 2015
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Tue, 7 Apr 2015 20:54:05 GMT
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:07.ntp
Message-ID: <201504072054.t37Ks5L7015083@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:07.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Category: contrib
Module: ntp
Announced: 2015-04-07
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name: CVE-2014-9297, CVE-2015-1798, CVE-2015-1799
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
II. Problem Description
The vallen packet value is not validated in several code paths in
ntp_crypto.c. [CVE-2014-9297]
When ntpd(8) is configured to use a symmetric key to authenticate a remote
NTP server/peer, it checks if the NTP message authentication code (MAC)
in received packets is valid, but not that there actually is any MAC
included, and packets without a MAC are accepted as if they had a valid
MAC. [CVE-2015-1798]
NTP state variables are updated prior to validating the received packets.
[CVE-2015-1799]
III. Impact
A remote attacker who can send specifically crafted packets may be able
to reveal memory contents of ntpd(8) or cause it to crash, when ntpd(8)
is configured to use autokey. [CVE-2014-9297]
A man-in-the-middle (MITM) attacker can send specially forged packets
that would be accepted by the client/peer without having to know the
symmetric key. [CVE-2015-1798]
An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can periodically send a specially crafted or
replayed packet which will break the synchronization between the two
peers due to transmit timestamp mismatch, preventing the two nodes from
synchronizing with each other, even when authentication is enabled.
[CVE-2015-1799]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r281231
releng/8.4/ r281233
stable/9/ r281231
releng/9.3/ r281233
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn4doQAKwA67MgX6jiCS4dm1roREi+
G1moTCtqO8LXzH3nOOOk6R/MqFGOs6Jq8D+K/YmdD+4l3c/qCNR0qtv0YcVL0kE+
+xfaIYoGxTzlPjEfpWtceCM0wcAThaF8085hi0IAzG7ozhKPt+Inv33ISgos5c7h
zYcbTqBYgQqcJGWdftnYpZ1Nxvoa3wiOlxsOMa4qnNeUakeXcGLZ+1XB5pLjXMZF
dHfKhMS6KxcUdHoPgOj468D3bQE05puLk13Kjy+Ti38GhcgMROAsMZVOzgno3J7g
D7Hk4dR1dms+6xcSJ0BV4ej0ZfypGv0xiFmUiTk/p7AVbnqrChyjvGca+8reu+Gc
Ks/67oZjP5rc0glvRFgjJBmQV/xK2rUK805e4eAm8qBecRjDv6M3mUmPdw5BlgcA
7fcj4VdGkOzLB0Vj7uJFjf3p9cyT+x8yvMtknxehiYmrYnFDsM5d7lcv0+KnRzb2
3bt6maO40wqWIcLErFthcT/nLP+wi35aykNIbGh7PXvqL92gWX+h/xB6YY9Ouo4N
hb32W/F5O50MjL6BeY+k5J6usoFrk0EHWK+2Fxm2/AA/5K/JnryWN44F8PVPNzxE
f+Vb6CzxBvmflpa/29tF/wSD0oU78AhuShtVrnEVT5ZWJj+/PHBZtcLk2Z+s5hgd
hKFvV5Xqix0/U//+yGhj
=1fHm
-----END PGP SIGNATURE-----
From security-advisories at freebsd.org Tue Apr 7 20:54:05 2015
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Tue, 7 Apr 2015 20:54:05 GMT
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:09.ipv6
Message-ID: <201504072054.t37Ks5WQ015091@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:09.ipv6 Security Advisory
The FreeBSD Project
Topic: Denial of Service with IPv6 Router Advertisements
Category: core
Module: ipv6
Announced: 2015-04-07
Credits: Dennis Ljungmark
Affects: All supported versions of FreeBSD.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name: CVE-2015-2923
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability information.
Routers advertise their presence together with various link and Internet
parameters either periodically, or in response to a Router Solicitation
message, using Router Advertisement (ICMPv6 type 134).
II. Problem Description
The Neighbor Discover Protocol allows a local router to advertise a
suggested Current Hop Limit value of a link, which will replace
Current Hop Limit on an interface connected to the link on the FreeBSD
system.
III. Impact
When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets
may get dropped before they reached their destinations.
By sending specifically crafted Router Advertisement packets, an attacker
on the local network can cause the FreeBSD system to lose the ability to
communicate with another IPv6 node on a different network.
IV. Workaround
Only systems that are manually configured to use "accept_rtadv"
ifconfig(8) flag on an interface are affected.
The system administrator may decide to disable acceptance of Router
Advertisements from untrusted network in a per-interface basis, by
removing accept_rtadv flag at run time using ifconfig(8):
ifconfig em0 inet6 -accept_rtadv
Note that an interface does not accept Router Advertisement messages
by default even if an IPv6 address is configured. One can know
whether an interface is accepting Router Advertisement message or not
from existence of ACCEPT_RTADV in "nd6 options" line in an output of
ifconfig(8):
nd6 options=23
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch.asc
# gpg --verify ipv6.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r281231
releng/8.4/ r281233
stable/9/ r281231
releng/9.3/ r281233
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn13cQANJCk2LXSX8GDHGzWnD+D5gN
rNC4Q8n9CnN80ZO/0Pk0Xx2VAtr3CKxflBTXBKISKuY+dWOzNvuUuUUkrB9SlyTj
MYpqAljnBT0JkosGGBKJwt39DjW34HWlaj9wEPr1SdIq5vQO0cXS2glVPI/CQuy3
NwnpaAmftAG4eMSYojOeodXniha/ZasFap5Zj+1dgofFHEP87zxefP2IamG1Cq72
d8YJSCD8yy51mZ7dVFM29R3FAFdMpponci31dXGb5p8pj0yzVfvI/HF1MRK+x8Nz
R0/jFOHY4TR26BfKsc4Nc6Ze7jdZHUP1qWoL2O6HiLVqws0nQp3jma7FkMrUMuui
H9kAQaIc27tJOkSK4Gdc/dwzHgb3xr2fNfOjvbUv3VNjzijTzbzKfRlVH77EAxAi
sQfUcql/toGdC/QaOlhC8+v5jHdwkLdpfRc4QdsV1rKDAA8mj068sJQS/yAig8E8
QUNmB3UK1QsX3tmy0JuDJk7tr/jjnhl2Jt9Skvm70xUiA7G05Z1qouErkIAjwikY
zQSPpSQebi3am9TtK/GViOjEVpWLYzLFYo6laR8wMw9eJsj0xlF8Qqz+0HudqfSt
lMOfpVfUmBSIxlFdiIzMBfbpLdD1gSo4oBLIYA/xw7UtDMiWi2Iji/mBY1Jg/i5V
ZCTwZmnmaVuPcsGOzv5W
=A2Am
-----END PGP SIGNATURE-----