Re: FreeBSD Security Advisory FreeBSD-SA-23:18.nfsclient

From: Andrey Blochintsev <bag_at_zurbagan.org>
Date: Tue, 12 Dec 2023 19:51:42 UTC
Меняется в том числе kernel
Мы nfs не используем, так что fetch install сделаю, а reboot-ить не буду


12.12.2023 21:46, FreeBSD Security Advisories пишет:
> =============================================================================
> FreeBSD-SA-23:18.nfsclient Security Advisory
>                                                           The FreeBSD 
> Project
>
> Topic:          NFS client data corruption and kernel memory disclosure
>
> Category:       core
> Module:         nfsclient
> Announced:      2023-12-12
> Credits:        Hostpoint AG
> Affects:        FreeBSD 13.2 and 14.0
> Corrected:      2023-12-12 19:13:50 UTC (stable/14, 14.0-STABLE)
>                 2023-12-12 19:17:36 UTC (releng/14.0, 14.0-RELEASE-p3)
>                 2023-12-12 19:14:16 UTC (stable/13, 13.2-STABLE)
>                 2023-12-12 19:18:17 UTC (releng/13.2, 13.2-RELEASE-p8)
> CVE Name:       CVE-2023-6660
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> The Network File System (NFS) is a distributed file system that allows 
> remote
> systems to access files and directories over a network as if they were 
> local.
> FreeBSD includes both server and client implementations of NFS.
>
> II.  Problem Description
>
> In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the
> performance of IO_APPEND writes, that is, writes which add data to the 
> end of
> a file and so extend its size.  This uncovered an old bug in some routines
> which copy userspace data into the kernel.  The bug also affects the NFS
> client's implementation of direct I/O; however, this implementation is
> disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only
> used to handle synchronous writes.
>
> III. Impact
>
> When a program running on an affected system appends data to a file via an
> NFS client mount, the bug can cause the NFS client to fail to copy in the
> data to be written but proceed as though the copy operation had succeeded.
> This means that the data to be written is instead replaced with 
> whatever data
> had been in the packet buffer previously.  Thus, an unprivileged user with
> access to an affected system may abuse the bug to trigger disclosure of
> sensitive information.  In particular, the leak is limited to data 
> previously
> stored in mbufs, which are used for network transmission and 
> reception, and
> for certain types of inter-process communication.
>
> The bug can also be triggered unintentionally by system applications, in
> which case the data written by the application to an NFS mount may be
> corrupted.  Corrupted data is written over the network to the NFS 
> server, and
> thus also susceptible to being snooped by other hosts on the network.
>
> Note that the bug exists only in the NFS client; the version and
> implementation of the server has no effect on whether a given system is
> affected by the problem.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date
> and reboot.
>
> Perform one of the following:
>
> 1) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 
> platforms,
> or the i386 platfrom on FreeBSD 13 and earlier, can be updated via
> the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch
> # fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch.asc
> # gpg --verify nfsclient.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI.  Correction details
>
> This issue is corrected as of the corresponding Git commit hash or 
> Subversion
> revision number in the following stable and release branches:
>
> Branch/path                             Hash Revision
> -------------------------------------------------------------------------
> stable/14/                              8d42f85d9d7b stable/14-n265954
> releng/14.0/                            ab60666a00c9 releng/14.0-n265397
> stable/13/                              f1d1d50e1d08 stable/13-n256860
> releng/13.2/                            3f079b3f2f33 releng/13.2-n254649
> -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6660>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:18.nfsclient.asc>