From security-advisories at freebsd.org Wed Sep 3 20:13:05 2008
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Wed Sep 3 20:13:25 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:07.amd64
Message-ID: <200809032013.m83KD537043774@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-08:07.amd64 Security Advisory
The FreeBSD Project
Topic: amd64 swapgs local privilege escalation
Category: core
Module: sys_amd64_amd64
Announced: 2008-09-03
Credits: Nate Eldredge
Affects: All supported FreeBSD/amd64 versions.
Corrected: 2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name: CVE-2008-3890
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel
CPU's. For Intel CPU's this architecture is known as EM64T or Intel
64.
The gs segment CPU register is used by both user processes and the
kernel to convieniently access state data. User processes use it to
manage per-thread data, and the kernel uses it to manage per-processor
data. As the processor enters and leaves the kernel it uses the
'swapgs' instruction to toggle between the kernel and user values for
the gs register.
The kernel stores critical information in its per-processor data
block. This includes the currently executing process and its
credentials.
As the processor switches between user and kernel level, a number of
checks are performed in order to implement the privilege protection
system. If the processor detects a problem while attempting to switch
privilege levels it generates a trap - typically general protection
fault (GPF). In that case, the processor aborts the return to the
user level process and re-enters the kernel. The FreeBSD kernel
allows the user process to be notified of such an event by a signal
(SIGSEGV or SIGBUS).
II. Problem Description
If a General Protection Fault happens on a FreeBSD/amd64 system while
it is returning from an interrupt, trap or system call, the swapgs CPU
instruction may be called one extra time when it should not resulting
in userland and kernel state being mixed.
III. Impact
A local attacker can by causing a General Protection Fault while the
kernel is returning from an interrupt, trap or system call while
manipulating stack frames and, run arbitrary code with kernel
privileges.
The vulnerability can be used to gain kernel / supervisor privilege.
This can for example be used by normal users to gain root privileges,
to break out of jails, or bypass Mandatory Access Control (MAC)
restrictions.
IV. Workaround
No workaround is available, but only systems running the 64 bit
FreeSD/amd64 kernels are vulnerable.
Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/amd64/amd64/exception.S 1.125.2.3
RELENG_6_3
src/UPDATING 1.416.2.37.2.9
src/sys/conf/newvers.sh 1.69.2.15.2.8
src/sys/amd64/amd64/exception.S 1.125.2.2.2.1
RELENG_7
src/sys/amd64/amd64/exception.S 1.129.2.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.8
src/sys/conf/newvers.sh 1.72.2.5.2.8
src/sys/amd64/amd64/exception.S 1.129.2.1.2.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3890
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:07.amd64.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iD8DBQFIvu2TFdaIBMps37IRAqt8AJsGd/2WDuMZYUeOcVKekHEHZWRoMACdGnVs
0JZMykjScj7GbrsOlOW3uQg=
=bs1z
-----END PGP SIGNATURE-----
From security-advisories at freebsd.org Wed Sep 3 20:13:13 2008
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Wed Sep 3 20:13:43 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:08.nmount
Message-ID: <200809032013.m83KDDqP043961@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-08:08.nmount Security Advisory
The FreeBSD Project
Topic: nmount(2) local arbitrary code execution
Category: core
Module: sys_kern
Announced: 2008-09-03
Credits: James Gritton
Affects: FreeBSD 7.0-RELEASE, FreeBSD 7.0-STABLE
Corrected: 2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
CVE Name: CVE-2008-3531
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The mount(2) and nmount(2) system calls are used by various utilities
in the base system to graft a file system object on to the file system
tree to a given mount point. It is possible to allow unprivileged
users to utililize these system calls by setting the vfs.usermount
sysctl(8) variable.
II. Problem Description
Various user defined input such as mount points, devices, and mount
options are prepared and passed as arguments to nmount(2) into the
kernel. Under certain error conditions, user defined data will be
copied into a stack allocated buffer stored in the kernel without
sufficient bounds checking.
III. Impact
If the system is configured to allow unprivileged users to mount file
systems, it is possible for a local adversary to exploit this
vulnerability and execute code in the context of the kernel.
IV. Workaround
It is possible to work around this issue by allowing only privileged
users to mount file systems by running the following sysctl(8)
command:
# sysctl vfs.usermount=0
V. Solution
NOTE WELL: Even with this fix allowing users to mount arbitrary media
should not be considered safe. Most of the file systems in FreeBSD
was not built to protect safeguard against malicious devices. While
such bugs in file systems are fixed when found, a complete audit has
not been perfomed on the file system code.
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 7.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/sys/kern/vfs_mount.c 1.265.2.10
RELENG_7_0
src/UPDATING 1.507.2.3.2.8
src/sys/conf/newvers.sh 1.72.2.5.2.8
src/sys/kern/vfs_mount.c 1.265.2.1.2.2
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iD8DBQFIvu2eFdaIBMps37IRAl9BAJ9Jnp+agN06pBkzPDwEnOT83MNd6QCghOFX
yvNI1gVmhAQ7MXOUvPoLcLk=
=EsCn
-----END PGP SIGNATURE-----
From security-advisories at freebsd.org Wed Sep 3 20:13:21 2008
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Wed Sep 3 20:14:05 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:09.icmp6
Message-ID: <200809032013.m83KDKpa044572@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-08:09.icmp6 Security Advisory
The FreeBSD Project
Topic: Remote kernel panics on IPv6 connections
Category: core
Module: sys_netinet6
Announced: 2008-09-03
Credits: Tom Parker, Bjoern A. Zeeb
Affects: All supported versions of FreeBSD.
Corrected: 2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name: CVE-2008-3530
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
IPv6 nodes use ICMPv6 amongst other things to report errors encountered
while processing packets. The 'Packet Too Big Message' is sent in
case a node cannot forward a packet because the size of the packet is
larger than the MTU of next-hop link.
II. Problem Description
In case of an incoming ICMPv6 'Packet Too Big Message', there is an
insufficient check on the proposed new MTU for a path to the destination.
III. Impact
When the kernel is configured to process IPv6 packets and has active
IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big
Message' could cause the TCP stack of the kernel to panic,
IV. Workaround
Systems without INET6 / IPv6 support are not vulnerable and neither
are systems which do not listen on any IPv6 TCP sockets and have no
active IPv6 connections.
Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this
will at the same time break PMTU support for IPv6 connections.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_6_3 or RELENG_7_0 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3 and
FreeBSD 7.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/netinet6/icmp6.c 1.62.2.11
RELENG_6_3
src/UPDATING 1.416.2.37.2.9
src/sys/conf/newvers.sh 1.69.2.15.2.8
src/sys/netinet6/icmp6.c 1.62.2.9.2.1
RELENG_7
src/sys/netinet6/icmp6.c 1.80.2.7
RELENG_7_0
src/UPDATING 1.507.2.3.2.8
src/sys/conf/newvers.sh 1.72.2.5.2.8
src/sys/netinet6/icmp6.c 1.80.4.1
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3530
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:09.icmp6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iD8DBQFIvu2hFdaIBMps37IRAjxxAJwIIXP+ALAZkvG5m687PC+92BtXTwCfUZdS
AvvrO0r+UAa6bn1H9mFf9So=
=MBB1
-----END PGP SIGNATURE-----