[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver
Johann Kois
jkois at FreeBSD.org
Wed May 1 15:23:20 UTC 2013
You are using an old version of the Security Advisory. The path
mentioned was fixed and the Security Advisory was re-released, also via
email:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=30985+0+current/freebsd-security
Or use the link on the FreeBSD homepage to get directly to fixed version.
jkois
--
Johann Kois
jkois(at)FreeBSD.org
FreeBSD Documentation Project
FreeBSD German Documentation Project - https://doc.bsdgroup.de
On 05/01/2013 12:06, Per olof Ljungmark wrote:
> Path to patch seems wrong?
>
> On 2013-04-29 22:55, FreeBSD Security Advisories wrote:
>> =============================================================================
>> FreeBSD-SA-13:05.nfsserver Security Advisory
>> The FreeBSD Project
>>
>> Topic: Insufficient input validation in the NFS server
>>
>> Category: core
>> Module: nfsserver
>> Announced: 2013-04-29
>> Credits: Adam Nowacki
>> Affects: All supported versions of FreeBSD.
>> Corrected: 2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
>> 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
>> 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
>> 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
>> 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
>> 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
>> CVE Name: CVE-2013-3266
>>
>> For general information regarding FreeBSD Security Advisories,
>> including descriptions of the fields above, security branches, and the
>> following sections, please visit <URL:http://security.FreeBSD.org/>.
>>
>> I. Background
>>
>> The Network File System (NFS) allows a host to export some or all of its
>> file systems so that other hosts can access them over the network and mount
>> them as if they were on local disks. FreeBSD includes server and client
>> implementations of NFS.
>>
>> FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
>> NFSv2 and NFSv3 implementation and a new implementation which also
>> supports NFSv4.
>>
>> FreeBSD 9.0 and onward uses the new NFS implementation by default.
>>
>> II. Problem Description
>>
>> When processing READDIR requests, the NFS server does not check that
>> it is in fact operating on a directory node. An attacker can use a
>> specially modified NFS client to submit a READDIR request on a file,
>> causing the underlying filesystem to interpret that file as a
>> directory.
>>
>> III. Impact
>>
>> The exact consequences of an attack depend on the amount of input
>> validation in the underlying filesystem:
>>
>> - If the file resides on a UFS filesystem on a little-endian server,
>> an attacker can cause random heap corruption with completely
>> unpredictable consequences.
>>
>> - If the file resides on a ZFS filesystem, an attacker can write
>> arbitrary data on the stack. It is believed, but has not been
>> confirmed, that this can be exploited to run arbitrary code in
>> kernel context.
>>
>> Other filesystems may also be vulnerable.
>>
>> IV. Workaround
>>
>> Systems that do not provide NFS service are not vulnerable. Neither
>> are systems that do but use the old NFS implementation, which is the
>> default in FreeBSD 8.x.
>>
>> To determine which implementation an NFS server is running, run the
>> following command:
>>
>> # kldstat -v | grep -cw nfsd
>>
>> This will print 1 if the system is running the new NFS implementation,
>> and 0 otherwise.
>>
>> V. Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
>> release / security branch (releng) dated after the correction date.
>>
>> 2) To update your vulnerable system via a source code patch:
>>
>> The following patches have been verified to apply to the applicable
>> FreeBSD release branches.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
>> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
>> # gpg --verify nfsserver.patch.asc
>>
>> b) Apply the patch.
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> c) Recompile your kernel as described in
>> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
>> system.
>>
>> 3) To update your vulnerable system via a binary patch:
>>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>>
>> VI. Correction details
>>
>> The following list contains the revision numbers of each file that was
>> corrected in FreeBSD.
>>
>> Branch/path Revision
>> -------------------------------------------------------------------------
>> stable/8/ r250058
>> releng/8.3/ r250059
>> releng/8.4/ r250062
>> stable/9/ r250060
>> releng/9.1/ r250061
>> -------------------------------------------------------------------------
>>
>> VII. References
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266
>>
>> The latest revision of this advisory is available at
>> http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc
>> _______________________________________________
>> freebsd-announce at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
>> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
>>
>
More information about the freebsd-security
mailing list