FreeBSD Security Advisory FreeBSD-SA-20:13.libalias

Mark Johnston markj at freebsd.org
Tue May 12 20:36:41 UTC 2020


On Tue, May 12, 2020 at 07:44:31PM +0000, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> =============================================================================
> FreeBSD-SA-20:13.libalias                                   Security Advisory
>                                                           The FreeBSD Project
> 
> Topic:          Memory disclosure vulnerability in libalias
> 
> Category:       core
> Module:         libalias
> Announced:      2020-05-12
> Credits:        Vishnu Dev TJ working with Trend Micro Zero Day Initiative
> Affects:        All supported versions of FreeBSD
> Corrected:      2020-05-12 16:52:08 UTC (stable/12, 12.1-STABLE)
>                 2020-05-12 16:54:39 UTC (releng/12.1, 12.1-RELEASE-p5)
>                 2020-05-12 16:52:08 UTC (stable/11, 11.4-STABLE)
>                 2020-05-12 16:54:39 UTC (releng/11.4, 11.4-BETA1-p1)
>                 2020-05-12 16:54:39 UTC (releng/11.3, 11.3-RELEASE-p9)
> CVE Name:       CVE-2020-7455
> 
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
> 
> I.   Background
> 
> The ipfw(4) system facility allows IP packet filtering, redirecting, and
> traffic accounting.  The ipfw(4) packet filter also contains two different
> methods of accomplishing network address translation (NAT): in-kernel and
> userspace.  Both implementations use the same functions provided by libalias.
> 
> The libalias(3) library is a collection of functions for aliasing and
> dealiasing of IP packets, intended for masquerading and NAT.  Additionally,
> libalias(3) includes modules to support protocols that require additional
> logic to support address translation.
> 
> Note: libalias(3) is not used by either the pf(4) or ipf(4) firewalls.
> 
> II.  Problem Description
> 
> The FTP packet handler in libalias incorrectly calculates some packet
> lengths.  This may result in disclosing small amounts of memory from the
> kernel (for the in-kernel NAT implementation) or from the process space for
> natd (for the userspace implementation).
> 
> III. Impact
> 
> A malicious attacker could send specially constructed packets that exploit the
> erroneous calculation, allowing the attacker to disclose a small amount of memory
> either from the kernel (for the in-kernel NAT implementation) or from the
> process space for natd (for the userspace implementation).
> 
> IV.  Workaround
> 
> No workaround is available.  Only systems using NAT and ipfw together are
> affected.  Systems using ipfw without NAT, or systems leveraging pf(4) or
> ipf(4) are not affected.

This is not correct.  For kernel NAT to be affected, alias_ftp.ko has to
be loaded.  natd is vulnerable because libalias_ftp.so is loaded by the
default /etc/libalias.conf.  The workaround in both cases is to make
sure that the alias_ftp module is not used.


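An added audit script for the two conditions named in the reply above (example code, not part of the advisory or of Mark Johnston's message): it reports whether alias_ftp.ko shows up in kldstat(8) output and whether an uncommented libalias_ftp.so line is present in libalias.conf. The kldstat output and configuration text below are constructed samples; on a real host pass `"$(kldstat)"` and `"$(cat /etc/libalias.conf)"` instead.

```shell
#!/bin/sh
# Audit helpers for FreeBSD-SA-20:13 (libalias FTP handler). Added example;
# the module, library and config names come from the thread, the sample
# data is constructed.

# kernel_ftp_loaded KLDSTAT_OUTPUT -> 0 if alias_ftp.ko is in the module list
kernel_ftp_loaded() {
    printf '%s\n' "$1" |
        awk '$NF == "alias_ftp.ko" { found = 1 } END { exit found ? 0 : 1 }'
}

# natd_ftp_configured CONF_TEXT -> 0 if a non-comment line names libalias_ftp.so
natd_ftp_configured() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -q 'libalias_ftp\.so'
}

# libalias_ftp_exposure KLDSTAT_OUTPUT CONF_TEXT -> prints findings; returns 0
# when either NAT path still uses the FTP module (affected), 1 when neither does.
libalias_ftp_exposure() {
    rc=1
    if kernel_ftp_loaded "$1"; then
        echo "alias_ftp.ko is loaded: in-kernel ipfw NAT is affected (unload it)"
        rc=0
    fi
    if natd_ftp_configured "$2"; then
        echo "libalias_ftp.so is enabled in libalias.conf: natd is affected (comment it out)"
        rc=0
    fi
    if [ "$rc" -eq 1 ]; then
        echo "alias_ftp is not in use: not affected"
    fi
    return "$rc"
}

# Constructed samples standing in for `kldstat` and /etc/libalias.conf.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   40 0xffffffff80200000  1f3e1d8 kernel
 2    1 0xffffffff82519000     5858 alias_ftp.ko'
SAMPLE_CONF='/lib/libalias_cuseeme.so
/lib/libalias_ftp.so
/lib/libalias_irc.so'
HARDENED_CONF='/lib/libalias_cuseeme.so
# /lib/libalias_ftp.so   disabled per FreeBSD-SA-20:13
/lib/libalias_irc.so'
```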