From security-advisories at freebsd.org Thu Mar 19 17:37:37 2020
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Thu, 19 Mar 2020 17:37:34 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-20:04.tcp
Message-ID: <20200319173734.DE9AB14D61@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:04.tcp Security Advisory
The FreeBSD Project
Topic: TCP IPv6 SYN cache kernel information disclosure
Category: core
Module: tcp
Announced: 2020-03-19
Credits: Michael Tuexen (Netflix, contractor)
Affects: All supported versions of FreeBSD.
Corrected: 2020-03-08 14:48:21 UTC (stable/12, 12.1-STABLE)
           2020-03-19 16:46:01 UTC (releng/12.1, 12.1-RELEASE-p3)
           2020-03-08 14:48:32 UTC (stable/11, 11.3-STABLE)
           2020-03-19 16:46:01 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name: CVE-2020-7451
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The Internet Protocol version 6 (IPv6) header contains a one byte field
called Traffic Class. Two bits of this field are used for Explicit
Congestion Notification (ECN), the other six bits are used as Differentiated
Services Field Codepoints (DSCP).
The Transmission Control Protocol (TCP) is a connection oriented transport
protocol, which can be used as an upper layer of IPv6. A TCP endpoint is
either acting as a client (sending initially a SYN segment) or as a server
(initially waiting to receive a SYN segment and then responding with a
SYN-ACK segment).
To mitigate the impact of some attacks against TCP servers (like
SYN-flooding), FreeBSD uses specific code to handle the TCP connection setup
for servers. This includes the transmission and retransmission of SYN-ACK
segments or responding with a challenge ACK segment to a received RST
segment.
II. Problem Description
When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6,
the Traffic Class field is not initialized. This also applies to challenge ACK
segments, which are sent in response to received RST segments during the TCP
connection setup phase.
III. Impact
For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6, one byte
of kernel memory is transmitted over the network.
IV. Workaround
No workaround is available. Systems not using IPv6 are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch.asc
# gpg --verify tcp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path         Revision
- -------------------------------------------------------------------------
stable/12/          r358739
releng/12.1/        r359138
stable/11/          r358740
releng/11.3/        r359138
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
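
The bug class described in FreeBSD-SA-20:04.tcp, as an added illustration in C (not FreeBSD's SYN cache code and not part of the advisory): a header builder that patches the version and flow label into a recycled buffer leaves the eight Traffic Class bits at whatever the buffer held before, shown next to a builder that assigns the whole first word. All function names, the flow label value and the 0xA5 stale pattern are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDR_LEN 40

/* Fields after the first 32-bit word; both builders set these the same way. */
static void set_common(uint8_t *h, uint16_t plen)
{
    h[4] = (uint8_t)(plen >> 8);
    h[5] = (uint8_t)(plen & 0xff);
    h[6] = 6;                      /* next header: TCP */
    h[7] = 64;                     /* hop limit */
    memset(h + 8, 0, 32);          /* addresses omitted in this illustration */
}

/* Flawed pattern: version and flow label are patched in place, but the eight
 * Traffic Class bits that sit between them are never written. */
static void build_hdr_uninit(uint8_t *h, uint32_t flow, uint16_t plen)
{
    h[0] = (uint8_t)((h[0] & 0x0f) | 0x60);                  /* version 6 */
    h[1] = (uint8_t)((h[1] & 0xf0) | ((flow >> 16) & 0x0f));
    h[2] = (uint8_t)((flow >> 8) & 0xff);
    h[3] = (uint8_t)(flow & 0xff);
    set_common(h, plen);
}

/* Corrected pattern: every bit of the first word is assigned explicitly. */
static void build_hdr_init(uint8_t *h, uint8_t tclass, uint32_t flow,
                           uint16_t plen)
{
    uint32_t w = (6u << 28) | ((uint32_t)tclass << 20) | (flow & 0xfffffu);

    h[0] = (uint8_t)(w >> 24);
    h[1] = (uint8_t)(w >> 16);
    h[2] = (uint8_t)(w >> 8);
    h[3] = (uint8_t)w;
    set_common(h, plen);
}

/* Parsers a defender can point at captured header bytes. */
static uint8_t traffic_class(const uint8_t *h)
{
    return (uint8_t)(((h[0] & 0x0f) << 4) | (h[1] >> 4));
}

static uint32_t flow_label(const uint8_t *h)
{
    return ((uint32_t)(h[1] & 0x0f) << 16) | ((uint32_t)h[2] << 8) | h[3];
}

/* Build a header over a buffer pre-filled with `stale` (standing in for
 * leftover kernel memory) and return the Traffic Class that reaches the wire. */
static uint8_t tclass_on_wire(int fixed, uint8_t stale)
{
    uint8_t h[IP6_HDR_LEN];

    memset(h, stale, sizeof(h));
    if (fixed)
        build_hdr_init(h, 0, 0xBEEF1, 20);
    else
        build_hdr_uninit(h, 0xBEEF1, 20);
    return traffic_class(h);
}

/* Flow label survives both builders, so only the Traffic Class differs. */
static uint32_t flow_on_wire(int fixed, uint8_t stale)
{
    uint8_t h[IP6_HDR_LEN];

    memset(h, stale, sizeof(h));
    if (fixed)
        build_hdr_init(h, 0, 0xBEEF1, 20);
    else
        build_hdr_uninit(h, 0xBEEF1, 20);
    return flow_label(h);
}

int main(void)
{
    uint8_t tc = tclass_on_wire(0, 0xA5);

    printf("uninitialised: tclass=0x%02x dscp=%u ecn=%u\n",
           (unsigned)tc, (unsigned)(tc >> 2), (unsigned)(tc & 3));
    printf("initialised:   tclass=0x%02x\n", (unsigned)tclass_on_wire(1, 0xA5));
    return 0;
}
```

On a capture, SYN-ACK or challenge ACK segments whose DSCP/ECN bits vary without any matching QoS policy are the visible symptom of the flawed pattern.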
From security-advisories at freebsd.org Thu Mar 19 17:37:45 2020
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Thu, 19 Mar 2020 17:37:44 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-20:05.if_oce_ioctl
Message-ID: <20200319173744.1C99A15408@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:05.if_oce_ioctl Security Advisory
The FreeBSD Project
Topic: Insufficient oce(4) ioctl(2) privilege checking
Category: core
Module: oce(4)
Announced: 2020-03-19
Credits: Ilja Van Sprundel
Affects: All supported versions of FreeBSD.
Corrected: 2019-12-26 16:56:42 UTC (stable/12, 12.1-STABLE)
           2020-03-19 16:48:29 UTC (releng/12.1, 12.1-RELEASE-p3)
           2019-12-26 16:58:11 UTC (stable/11, 11.3-STABLE)
           2020-03-19 16:48:29 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name: CVE-2019-15876
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The primary interface used for network driver configuration is ioctl(2).
Several ioctl(2) commands are reserved for driver-specific purposes. For
instance, a driver may use one of these ioctls to implement an interface for
updating device firmware.
II. Problem Description
The driver-specific ioctl(2) command handlers in oce(4) failed to check
whether the caller has sufficient privileges to perform the corresponding
operation.
III. Impact
The oce(4) handler permits unprivileged users to send passthrough commands to
device firmware.
IV. Workaround
No workaround is available. Systems that do not contain devices driven by
oce(4) are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:05/if_oce_ioctl.patch.asc
# gpg --verify if_oce_ioctl.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path         Revision
- -------------------------------------------------------------------------
stable/12/          r356089
releng/12.1/        r359139
stable/11/          r356090
releng/11.3/        r359139
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From security-advisories at freebsd.org Thu Mar 19 17:37:52 2020
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Thu, 19 Mar 2020 17:37:52 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-20:06.if_ixl_ioctl
Message-ID: <20200319173752.0E0CE1560F@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:06.if_ixl_ioctl Security Advisory
The FreeBSD Project
Topic: Insufficient ixl(4) ioctl(2) privilege checking
Category: core
Module: ixl(4)
Announced: 2020-03-19
Credits: Ilja Van Sprundel
Affects: All supported versions of FreeBSD.
Corrected: 2020-01-10 18:31:59 UTC (stable/12, 12.1-STABLE)
           2020-03-19 16:49:32 UTC (releng/12.1, 12.1-RELEASE-p3)
CVE Name: CVE-2019-15877
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The primary interface used for network driver configuration is ioctl(2).
Several ioctl(2) commands are reserved for driver-specific purposes. For
instance, a driver may use one of these ioctls to implement an interface for
updating device firmware.
II. Problem Description
The driver-specific ioctl(2) command handlers in ixl(4) failed to check
whether the caller has sufficient privileges to perform the corresponding
operation.
III. Impact
The ixl(4) handler permits unprivileged users to trigger updates to the
device's non-volatile memory (NVM).
IV. Workaround
No workaround is available. Systems that do not contain devices driven by
ixl(4) are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch.asc
# gpg --verify if_ixl_ioctl.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path         Revision
- -------------------------------------------------------------------------
stable/12/          r356606
releng/12.1/        r359140
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From security-advisories at freebsd.org Thu Mar 19 17:37:58 2020
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Thu, 19 Mar 2020 17:37:57 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-20:07.epair
Message-ID: <20200319173757.E38D015828@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:07.epair Security Advisory
The FreeBSD Project
Topic: Incorrect user-controlled pointer use in epair
Category: core
Module: kernel
Announced: 2020-03-19
Credits: Ilja van Sprundel
Affects: All supported versions of FreeBSD.
Corrected: 2020-02-04 04:29:54 UTC (stable/12, 12.1-STABLE)
           2020-03-19 16:50:36 UTC (releng/12.1, 12.1-RELEASE-p3)
           2020-02-04 04:29:53 UTC (stable/11, 11.3-STABLE)
           2020-03-19 16:50:36 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name: CVE-2020-7452
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The epair(4) interface provides a pair of virtual back-to-back connected
Ethernet interfaces.
II. Problem Description
Incorrect use of a potentially user-controlled pointer in the kernel allowed
vnet jailed users to panic the system and potentially execute arbitrary code
in the kernel.
III. Impact
Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic
the system, or potentially escape the jail or execute arbitrary code with
kernel privileges.
IV. Workaround
No workaround is available. Systems not using epair(4) are not vulnerable.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.12.patch.asc
# gpg --verify epair.12.patch.asc
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:07/epair.11.patch.asc
# gpg --verify epair.11.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path         Revision
- - -------------------------------------------------------------------------
stable/12/          r357490
releng/12.1/        r359141
stable/11/          r357489
releng/11.3/        r359141
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From security-advisories at freebsd.org Thu Mar 19 17:38:03 2020
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Thu, 19 Mar 2020 17:38:01 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-20:08.jail
Message-ID: <20200319173801.F1351157BE@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:08.jail Security Advisory
The FreeBSD Project
Topic: Kernel memory disclosure with nested jails
Category: core
Module: kern
Announced: 2020-03-19
Credits: Hans Christian Woithe
Affects: All supported versions of FreeBSD.
Corrected: 2020-03-16 21:12:46 UTC (stable/12, 12.1-STABLE)
           2020-03-19 16:51:33 UTC (releng/12.1, 12.1-RELEASE-p3)
           2020-03-16 21:12:32 UTC (stable/11, 11.3-STABLE)
           2020-03-19 16:51:33 UTC (releng/11.3, 11.3-RELEASE-p7)
CVE Name: CVE-2020-7453
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The jail_set(2) system call allows a system administrator to lock up a
process and all its descendants inside a closed environment with very
limited ability to affect the system outside that environment, even
for processes with superuser privileges.
The jail_get(2) system call allows a system administrator to read the
configuration of running jails.
II. Problem Description
A missing NUL-termination check for the jail_set(2) configuration option
"osrelease" may return more bytes when reading the jail configuration
back with jail_get(2) than were originally set.
III. Impact
For jails with a non-default setting of children.max > 0 ("nested jails")
a superuser inside a jail can create a jail and may be able to read and
take advantage of exposed kernel memory.
IV. Workaround
No workaround is available. Systems not altering the default settings of
the jail configuration option children.max=0 are not affected as a root on
the base system has access to kernel memory by other means and a super
user inside a jail cannot create further jails.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch
# fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch.asc
# gpg --verify kern_jail.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path         Revision
- -------------------------------------------------------------------------
stable/12/          r359021
releng/12.1/        r359142
stable/11/          r359020
releng/11.3/        r359142
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
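
The failure mode described in FreeBSD-SA-20:08.jail, as an added illustration in C (not the kernel's jail code and not part of the advisory): a fixed-size string option stored without a NUL-termination check and later read back as a C string returns more bytes than were set, shown next to a setter that rejects unterminated input. The 32-byte field size, the adjacent data and all function names are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OSREL_LEN 32   /* assumed field size, for illustration only */
#define ARENA_LEN 64

/* One allocation: the option field followed by unrelated data. */
struct arena {
    char bytes[ARENA_LEN];
};

static void arena_init(struct arena *a)
{
    memset(a->bytes, 0, ARENA_LEN);
    /* Constructed stand-in for whatever lives next to the field. */
    memcpy(a->bytes + OSREL_LEN, "ADJACENT-KERNEL-DATA", 21);
}

/* Flawed setter: bounds the length but never checks for a terminator. */
static int set_osrelease_unchecked(struct arena *a, const char *val, size_t len)
{
    if (len > OSREL_LEN)
        return EINVAL;
    memcpy(a->bytes, val, len);
    return 0;
}

/* Hardened setter: the last supplied byte must be NUL, so the stored value
 * is always a terminated string that fits inside the field. */
static int set_osrelease_checked(struct arena *a, const char *val, size_t len)
{
    if (len == 0 || len > OSREL_LEN || val[len - 1] != '\0')
        return EINVAL;
    memcpy(a->bytes, val, len);
    return 0;
}

/* Getter: treats the field as a C string, as a read-back path would. */
static size_t get_osrelease(const struct arena *a, char *out, size_t outlen)
{
    size_t n = strlen(a->bytes) + 1;   /* walks past the field if unterminated */

    if (n > outlen)
        n = outlen;
    memcpy(out, a->bytes, n);
    return n;
}

/* Set a 32-byte value with no terminator, then read it back.
 * Returns the number of bytes the getter hands out; *err is the setter result. */
static size_t readback_len(int checked, int *err)
{
    struct arena a;
    char in[OSREL_LEN];
    char out[ARENA_LEN];

    arena_init(&a);
    memset(in, 'X', sizeof(in));       /* constructed input, no NUL */
    *err = checked ? set_osrelease_checked(&a, in, sizeof(in))
                   : set_osrelease_unchecked(&a, in, sizeof(in));
    return get_osrelease(&a, out, sizeof(out));
}

/* A well-formed value passes the hardened setter and reads back unchanged. */
static size_t readback_wellformed(int *err)
{
    struct arena a;
    char out[ARENA_LEN];

    arena_init(&a);
    *err = set_osrelease_checked(&a, "12.1-RELEASE", sizeof("12.1-RELEASE"));
    return get_osrelease(&a, out, sizeof(out));
}

int main(void)
{
    int err;
    size_t n = readback_len(0, &err);

    printf("unchecked: set 32 bytes, read back %zu (err=%d)\n", n, err);
    n = readback_len(1, &err);
    printf("checked:   read back %zu (err=%d)\n", n, err);
    return 0;
}
```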
From security-advisories at freebsd.org Thu Mar 19 17:38:08 2020
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Thu, 19 Mar 2020 17:38:07 +0000 (UTC)
Subject: FreeBSD Security Advisory FreeBSD-SA-20:09.ntp
Message-ID: <20200319173807.3B992157F6@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:09.ntp Security Advisory
The FreeBSD Project
Topic: Multiple denial of service in ntpd
Category: contrib
Module: ntp
Announced: 2020-03-19
Credits: Philippe Antoine and Miroslav Lichvar
Affects: All supported versions of FreeBSD.
Corrected: 2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE)
           2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3)
           2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE)
           2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.
II. Problem Description
Three NTP vulnerabilities are addressed by this security advisory.
NTP Bug 3610: Process_control() should exit earlier on short packets.
On systems that override the default and enable ntpdc (mode 7), fuzz testing
detected a short packet will cause ntpd to read uninitialized data.
NTP Bug 3596: Due to highly predictable transmit timestamps, an
unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim
ntpd configured to receive time from an unauthenticated time source is
vulnerable to an off-path attacker with permission to query the victim. The
attacker must send from a spoofed IPv4 address of an upstream NTP server and
the victim must process a large number of packets with that spoofed IPv4
address. After eight or more successful attacks in a row, the attacker can
either modify the victim's clock by a small amount or cause ntpd to
terminate. The attack is especially effective when unusually short poll
intervals have been configured.
NTP Bug 3592: The fix for https://bugs.ntp.org/3445 introduced a bug such
that an ntpd can be prevented from initiating a time volley to its peer
resulting in a DoS.
III. Impact
All three NTP bugs may result in DoS or termination of the ntp daemon.
IV. Workaround
Systems not using ntpd(8) are not vulnerable.
Systems running ntpd should make the following changes:
- - Disable mode 7
- - Use many trustworthy sources of time
- - Use NTP packet authentication
- - Monitor ntpd for error messages indicating attack
- - If only unauthenticated time over IPv4 is available, use the restrict
configuration directive
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch.asc
# gpg --verify ntp.12.patch.asc
[FreeBSD 12.1-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch.asc
# gpg --verify ntp.12.1.patch.asc
[FreeBSD 11.3-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch.asc
# gpg --verify ntp.11.patch.asc
[FreeBSD 11.3-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch.asc
# gpg --verify ntp.11.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path         Revision
- -------------------------------------------------------------------------
stable/12/          r358659
releng/12.1/        r359144
stable/11/          r358660
releng/11.3/        r359144
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----