[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:22.mbuf
mike tancsa
mike at sentex.net
Tue Aug 20 21:54:15 UTC 2019
Anyone know if this impacts strictly endpoints and firewalls that would
do re-assembly ? I am guessing not just forwarding ipv6, can it trigger
the DoS?
Also, when it says, "On systems with IPv6 active, IPv6 fragmentation may
be disabled"... How does one disable / check if IPv6 is enabled /
disabled ? Is this via
sysctl net.inet6.ip6.maxfrags=0
?
---Mike
On 8/20/2019 4:12 PM, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-19:22.mbuf Security Advisory
> The FreeBSD Project
>
> Topic: IPv6 remote Denial-of-Service
>
> Category: kernel
> Module: net
> Announced: 2019-08-20
> Credits: Clement Lecigne
> Affects: All supported versions of FreeBSD.
> Corrected: 2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE)
> 2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10)
> 2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE)
> 2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3)
> 2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14)
> CVE Name: CVE-2019-5611
>
> For general information regarding FreeBSD Security Advisories, including
> descriptions of the fields above, security branches, and the following
> sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I. Background
>
> mbufs are a unit of memory management mostly used in the kernel for network
> packets and socket buffers. m_pulldown(9) is a function to arrange the data
> in a chain of mbufs.
>
> II. Problem Description
>
> Due do a missing check in the code of m_pulldown(9) data returned may not be
> contiguous as requested by the caller.
>
> III. Impact
>
> Extra checks in the IPv6 code catch the error condition and trigger a kernel
> panic leading to a remote DoS (denial-of-service) attack with certain
> Ethernet interfaces. At this point it is unknown if any other than the IPv6
> code paths can trigger a similar condition.
>
> IV. Workaround
>
> For the currently known attack vector systems with IPv6 not enabled are not
> vulnerable.
>
> On systems with IPv6 active, IPv6 fragmentation may be disabled, or
> a firewall can be used to filter out packets with certain or excessive
> amounts of extension headers in a first fragment. These rules may be
> dependent on the operational needs of each site.
>
> V. Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date,
> and reboot.
>
> 1) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for security update"
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch
> # fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc
> # gpg --verify mbuf.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI. Correction details
>
> The following list contains the correction revision numbers for each
> affected branch.
>
> Branch/path Revision
> - -------------------------------------------------------------------------
> stable/12/ r350828
> releng/12.0/ r351259
> stable/11/ r350829
> releng/11.3/ r351259
> releng/11.2/ r351259
> - -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> <URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238787>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5611>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:22.mbuf.asc>
> -----BEGIN PGP SIGNATURE-----
>
> iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgFfFIAAAAAALgAo
> aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
> MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
> 5cK+4w/7BCGyLpeSCIaHMpKdZvSqKc6RptLyxPq1q6XO/5fUxQiBXuwxfZIUO45o
> VyQCsuVf0QDeT/HaMJAdTr450RlSs1ozyzEmd2iLfwqmpc8JRemihrzHkNMfny1U
> Y4ffN6zyrOLyFeyQcdbgHUKHwuAvGZFhR/PtPJfWDmULi0vW5PHBGjxOQmxKbbUr
> 6zcR+gKrm5E3vLW4vD2gvsB1RGyOzUBOaEeQU36LE1/W6hhgwtXAkZacEP+W4BiB
> jPbG7u23C3a2KcRImCWM2vJ5dZFoa0Mz5+vHzaSMwPT49KRRRRkcd7+azqUfbGg0
> k9Py6KuwGhclNmehpUth0NlvR89JV58Fbkh7TaCWHV51hAWoH/1EQdJNY9yb0eAZ
> AgsvAiotWU1VNDcF2xWaf5m3VE87jl0/Bz9BgpVFI0kHuof4OwiG9PkdFI1q0Yl2
> TdkksZj1iRETN8/Qt5HGzY1pGQFRc7b+nE9GIfIUcEH1B7d7Gb58DVElZ95Og+EF
> bGwR6/e7r39mBsqs0qloYgk/2c6B4vuFyt8b9Yhuw4ns0SpO4cP9XYXawUff7+p3
> oLo7dqPKn8fMRLhT0/QZfPRyluUshVvJW1Yg9HWdYMYm7wFAilemnMWMxJKIUOmt
> pkQx3e6Tvk3VNkls4yv7GbApO5iMNXaBvC2JYMP0GUiQ1FOkB9M=
> =ip7/
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
>
More information about the freebsd-questions
mailing list