NetBSD Security Advisory 2024-001: Inadequate validation of user-supplied hostname in utmp_update(8)

[NetBSD Security-Officer <security-officer%netbsd.org@localhost>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		 NetBSD Security Advisory 2024-001
		 =================================

Topic: Inadequate validation of user-supplied hostname in utmp_update(8)

Version:	NetBSD-current:		affected prior to 2023-09-30
		NetBSD 10.0_RC4:	affected
		NetBSD 9.3:		affected
		NetBSD 9.2:		affected
		NetBSD 9.1:		affected
		NetBSD 9.0:		affected
		NetBSD 8.2:		affected
		NetBSD 8.1:		affected
		NetBSD 8.0:		affected

Severity: Possibility of injecting arbitrary characters to the utmp logs
including terminal escape sequences.

Fixed:		NetBSD-current:		2023-09-30
		NetBSD-10 branch:	2024-02-17
		NetBSD-9 branch:	2024-02-17
		NetBSD-8 branch:	2024-02-17

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

utmp_update(8) is a helper program that allows users to update
theirs utmpx(5) entries. An identified vulnerability reveals
inadequate validation of user-supplied data, enabling malicious
entities to inject arbitrary information.

Technical Details
=================

The issue allows malicious users to inject arbitrary data into
utmpx(5) database due to the absence of proper filters for provided
hostnames. The behaviour can be exploited by the attackers to force
tools which display hostnames from utmpx(5) databases such us w(1)
or who(1), to unexpectedly inject escape sequences into terminal
of the user invoking the program. While this vulnerability does
not pose a direct threat to the system's core operations, it can
be leveraged indirectly to disrupt accurate system logging, compromise
terminal interfaces, and facilitate social engineering attacks by
displaying arbitrary content in the terminals of unsuspecting
victims

The utmp_update(8) utility was fixed by introducing a filter which
accepts only printable characters in the hostnames.

Solutions and Workarounds
=========================

It is suggested to install new version of the utmp_update(8) utility.

To apply a fixed version from a releng build, fetch a fitting base.tgz
from nycdn.NetBSD.org and extract the fixed binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz ./usr/libexec/utmp_update

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. %DATE%* and later will fit
ARCH  = your system's architecture

The following instructions describe how to upgrade your utmp_update(8)
binaries by updating your source tree and rebuilding and
installing a new version of utmp_update(8).

* NetBSD-current:

	Systems running NetBSD-current dated from before 2023-09-30
	should be upgraded to NetBSD-current dated 2023-10-01 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/libexec/utmp_update/utmp_update.c

	To update from CVS, re-build, and re-install utmp_update(8):
		# cd src
		# cvs update -d -P src/libexec/utmp_update/
		# cd src/libexec/utmp_update/
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 9.*:

	Systems running NetBSD 9.* sources dated from before
	2024-02-17 should be upgraded from NetBSD 9.* sources dated
	2024-02-18 or later.

	The following files/directories need to be updated from the
	netbsd-9 branch:
		path/to/files

	To update from CVS, re-build, and re-install utmp_update(8):

		# cd src
		# cvs update -r netbsd-9 -d -P src/libexec/utmp_update/
		# cd src/libexec/utmp_update/
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 8.*:

	Systems running NetBSD 8.* sources dated from before
	2024-02-17 should be upgraded from NetBSD 8.* sources dated
	2024-02-18 or later.

	The following files/directories need to be updated from the
	netbsd-8 branch:
		path/to/files

	To update from CVS, re-build, and re-install utmp_update(8):

		# cd src
		# cvs update -r netbsd-8 -d -P src/libexec/utmp_update/
		# cd src/libexec/utmp_update/
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

Thanks To
=========

Adam Simuntis (https://twitter.com/adamsimuntis) for finding and reporting the
issue. Christos Zoulas (christos@) for fixing the issue.

Revision History
================

	2024-03-10	Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2024-001.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/

Copyright 2024, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----

iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmXt9A4cHHNlY3VyaXR5
LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/2I2D/0fUe8mMn37Yo47Qd0J
QzSHA/NWzoznBPmmvAjhDN43pcKZuXHj1YazdfchZn03ufn4P+PQU0pZDywmkfQ/
cvJiGELxrorFltuz9JQrPo/uUtwu9YrLZEPz8jMLhLn35VL2xIBzjN7Rab8aP8Rv
yB/LT+HjgcgCdWdsKcl3UU6uOiMM2DC0m9HX9fjdi0u9NmUL7aA0Ghqc9SFWQ8Vt
drhYRMLwRAiVWuk7w6mFsHcA7AUqtLbrfBL5pXm7Zo+8P/MYQXXlGnHOZfDMYxhA
TuVvFowJ8oQWANJRXp/onBYq54lkwpBxz3F09Ihim7iEUwiY8sBKDEK0to8LnbC6
nIREt6gViDL3nYeVaXredwaTx3DxFA9DwWfgDzIbC3lT7wbiSBRN/PwntJYbMuOv
pqlo2nm1XrVyXK0ZFHfWd3umwJULGZiRo/IIqxGVXQqltq/u+0M1XzPYFbF8RI2v
K2aZZSIK/eqhTNlTkngUBFDNeguENszKKP6Dt9sU6VJ6og84v6xvckSIAvlNUqFG
ZmPbNXSlDVn4q9rtvByiQThTn9Ro7TQqMd0eGfatZx0mGIlSEPI3ZgVtFD3O+1xd
qWrEuD52EfxuW9ow0NxBFe9WR/kx8KfaDG9rgZmD+pFI7a3dyw0TKfCB+DbKx8Hc
oNcwuD1um1IVX+8ugjJa79R5oQ==
=P9cs
-----END PGP SIGNATURE-----