[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2018-007: Several vulnerabilities in IPsec
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2018-007
Topic: Several vulnerabilities in IPsec
Version: NetBSD-current: source prior to Tue, May 1st 2018
NetBSD 7.1 - 7.1.2: affected
NetBSD 7.0 - 7.0.2: affected
NetBSD 6.1 - 6.1.5: affected
NetBSD 6.0 - 6.0.6: affected
Severity: Remote DoS, Remote Memory Corruption
Fixed: NetBSD-current: Tue, May 1st 2018
NetBSD-7-1 branch: Thu, May 3rd 2018
NetBSD-7-0 branch: Thu, May 3rd 2018
NetBSD-7 branch: Thu, May 3rd 2018
NetBSD-6-1 branch: Thu, May 3rd 2018
NetBSD-6-0 branch: Thu, May 3rd 2018
NetBSD-6 branch: Thu, May 3rd 2018
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract and Technical Details
Several bugs and vulnerabilities were discovered in the IPsec code. They
can be triggered before, or after, authentication or decryption.
1) In the AH entry point, a length check was missing, and it was possible
for a remote attacker to crash the system by sending a very small AH
packet. Also, a use-after-free was present in this same entry point.
2) An inverted logic in the common IPsec entry point allowed an attacker to
remotely crash the system when both IPsec and forwarding were enabled.
3) A miscomputation in an IPsec function in charge of handling mbufs
resulted in the wrong length being stored in the mbuf header. This
allowed an attacker to panic the system when at least ESP was active.
4) A sanity check in the IPsec output path was not strong enough and
allowed an attacker to remotely panic the system when both IPsec and
IPv6 forwarding were enabled.
5) A use-after-free existed in the common Tunnel code. Also, a mistake in
pointer initialization allowed an IPv6 packet to bypass the "local
address spoofing" check.
6) A missing length check in the common IPsec entry point could allow an
attacker to crash the system.
7) A memory leak and a use-after-free bug could allow an attacker to
crash the system when both IPv6 and forwarding were enabled.
Solutions and Workarounds
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-7 netbsd-7-0 netbsd-7-1
---- ---- -------- ---------- ----------
1.80 220.127.116.11 18.104.22.168 22.214.171.124
1.130 126.96.36.199 188.8.131.52 184.108.40.206
1.24 220.127.116.11 18.104.22.168 22.214.171.124
1.75 126.96.36.199 188.8.131.52 184.108.40.206
1.56 220.127.116.11 18.104.22.168 22.214.171.124
1.58 126.96.36.199 188.8.131.52 184.108.40.206
1.91 220.127.116.11 18.104.22.168.2.2 22.214.171.124.6.2
FILE netbsd-6 netbsd-6-0 netbsd-6-1
---- -------- ---------- ----------
126.96.36.199 188.8.131.52 184.108.40.206
220.127.116.11 18.104.22.168 22.214.171.124
126.96.36.199 188.8.131.52 184.108.40.206
220.127.116.11 18.104.22.168 22.214.171.124
126.96.36.199 188.8.131.52 184.108.40.206
220.127.116.11 18.104.22.168 22.214.171.124
126.96.36.199 188.8.131.52 184.108.40.206
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/netipsec/xform_ah.c
# cvs update -d -P -r VERSION sys/netipsec/ipsec.c
# cvs update -d -P -r VERSION sys/netipsec/ipsec_mbuf.c
# cvs update -d -P -r VERSION sys/netipsec/ipsec_output.c
# cvs update -d -P -r VERSION sys/netipsec/xform_ipip.c
# cvs update -d -P -r VERSION sys/netipsec/ipsec_input.c
# cvs update -d -P -r VERSION sys/netinet6/ip6_forward.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
Maxime Villard for finding and fixing these issues.
2018-05-07 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2018, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Main Index |
Thread Index |