[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

Michael Schnell s-tlk at s-tlk.org
Mon Apr 29 21:20:53 UTC 2013 

Okay,
found the correct link:
http://www.freebsd.org/security/patches/SA-13:05/nfsserver.patch
http://www.freebsd.org/security/patches/SA-13:05/nfsserver.patch.asc

Just a wrong SA number in the url. ;-)


Greetings
Michael


On Mon, 29 Apr 2013, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-13:05.nfsserver                                  Security Advisory
>                                                          The FreeBSD Project
>
> Topic:          Insufficient input validation in the NFS server
>
> Category:       core
> Module:         nfsserver
> Announced:      2013-04-29
> Credits:        Adam Nowacki
> Affects:        All supported versions of FreeBSD.
> Corrected:      2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
>                2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
>                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
>                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
>                2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
>                2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
> CVE Name:       CVE-2013-3266
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> The Network File System (NFS) allows a host to export some or all of its
> file systems so that other hosts can access them over the network and mount
> them as if they were on local disks.  FreeBSD includes server and client
> implementations of NFS.
>
> FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
> NFSv2 and NFSv3 implementation and a new implementation which also
> supports NFSv4.
>
> FreeBSD 9.0 and onward uses the new NFS implementation by default.
>
> II.  Problem Description
>
> When processing READDIR requests, the NFS server does not check that
> it is in fact operating on a directory node.  An attacker can use a
> specially modified NFS client to submit a READDIR request on a file,
> causing the underlying filesystem to interpret that file as a
> directory.
>
> III. Impact
>
> The exact consequences of an attack depend on the amount of input
> validation in the underlying filesystem:
>
> - If the file resides on a UFS filesystem on a little-endian server,
>   an attacker can cause random heap corruption with completely
>   unpredictable consequences.
>
> - If the file resides on a ZFS filesystem, an attacker can write
>   arbitrary data on the stack.  It is believed, but has not been
>   confirmed, that this can be exploited to run arbitrary code in
>   kernel context.
>
> Other filesystems may also be vulnerable.
>
> IV.  Workaround
>
> Systems that do not provide NFS service are not vulnerable.  Neither
> are systems that do but use the old NFS implementation, which is the
> default in FreeBSD 8.x.
>
> To determine which implementation an NFS server is running, run the
> following command:
>
> # kldstat -v | grep -cw nfsd
>
> This will print 1 if the system is running the new NFS implementation,
> and 0 otherwise.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
> # gpg --verify nfsserver.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/8/                                                         r250058
> releng/8.3/                                                       r250059
> releng/8.4/                                                       r250062
> stable/9/                                                         r250060
> releng/9.1/                                                       r250061
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc
> -----BEGIN PGP SIGNATURE-----
>
> iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q
> 9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ
> =polM
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
>

More information about the freebsd-security mailing list