                NetBSD Security Advisory 2018-006
                =================================

Topic:          Several vulnerabilities in the network stack

Version:        NetBSD-current:         source prior to Fri, Feb 9th 2018
                NetBSD 7.1.2:           not affected
                NetBSD 7.1 - 7.1.1:     affected
                NetBSD 7.0 - 7.0.2:     affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected

Severity:       Remote DoS, Remote Memory Corruption

Fixed:          NetBSD-current:         Fri, Feb 9th 2018
                NetBSD-7-1 branch:      Sat, Feb 24th 2018
                NetBSD-7-0 branch:      Sat, Feb 24th 2018
                NetBSD-7 branch:        Sat, Feb 24th 2018
                NetBSD-6-1 branch:      Tue, Mar 13th 2018
                NetBSD-6-0 branch:      Tue, Mar 13th 2018
                NetBSD-6 branch:        Tue, Mar 13th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Several vulnerabilities were discovered in the network stack:

 1) Several bugs in MPLS.
 2) Memory leak in IPv6-NBR.
 3) Double free in Pim6.
 4) IPv4 source-routed packets allowed by default.
 5) Signedness bug in PF.


Technical Details
=================

 1) Several possible use-after-frees existed in the MPLS code. This could
    cause the system to panic.

 2) A memory leak existed in the IPv6-NBR entry point. An attacker could
    cause the kernel to run out of memory.

 3) A double-free bug existed in the Pim6 (IPv6 multicast) entry point.
    This could cause the kernel to panic.

 4) Two sysctls wrongfully allowed IPv4 source-routed packets to be
    accepted by the kernel. Source-routed packets are known to have
    several security implications.

 5) A signedness bug existed in NetBSD's implementation of the PF
    firewall. A length check was unintentionally made unsigned, while it
    was expected to be signed. This could cause a read overflow (leading
    to a page fault) if a specially-crafted TCP-SYN packet was received
    while PF had a configuration of the type
    "pass in [...] tcp [...] modulate state".

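
The bug class in item 5, as an added illustration (this is not NetBSD's PF code and not part of the advisory): a remaining-length check that is meant to be signed ends the option walk once the length goes negative, while the same check performed unsigned keeps going. The names opt_hdr, walk_result and walk_options and the sample bytes are assumptions constructed for the example, and a guard records the stray read instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical two-byte option header (kind, length); not a PF structure. */
struct opt_hdr { uint8_t kind, len; };
struct walk_result { int options; int out_of_bounds; };

/*
 * Walk a TCP-style option list. hlen is the signed count of bytes left and
 * goes negative when an option claims more bytes than remain. With
 * unsigned_check set, the loop test converts hlen to size_t (what C does
 * implicitly for "hlen >= sizeof(...)"), so a negative hlen looks huge.
 */
static struct walk_result
walk_options(const uint8_t *buf, size_t buflen, int unsigned_check)
{
	struct walk_result r = { 0, 0 };
	int hlen = (int)buflen;
	size_t off = 0;
	for (;;) {
		int more = unsigned_check
		    ? ((size_t)hlen >= sizeof(struct opt_hdr))   /* buggy */
		    : (hlen >= (int)sizeof(struct opt_hdr));     /* intended */
		if (!more)
			break;
		/* Demo guard: record the stray read instead of performing it. */
		if (off + sizeof(struct opt_hdr) > buflen) {
			r.out_of_bounds = 1;
			break;
		}
		int optlen = buf[off + 1];
		if (optlen < (int)sizeof(struct opt_hdr))
			optlen = (int)sizeof(struct opt_hdr); /* always advance */
		r.options++;
		hlen -= optlen;
		off += (size_t)optlen;
	}
	return r;
}

int main(void)
{
	/* Constructed input: second option claims 10 bytes, only 4 remain. */
	static const uint8_t bad[] = { 2, 4, 0x05, 0xb4, 8, 10, 0, 0 };
	printf("signed oob=%d, unsigned oob=%d\n",
	    walk_options(bad, sizeof(bad), 0).out_of_bounds,
	    walk_options(bad, sizeof(bad), 1).out_of_bounds);
	return 0;
}
```

Compiling with -Wsign-compare flags the implicit form of the unsigned comparison, which is a cheap way to catch this class of regression in review.
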

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

 FILE                           HEAD   netbsd-7   netbsd-7-0     netbsd-7-1
 ----                           ----   --------   ----------     ----------
 src/sys/net/if_mpls.c          1.33   1.16.2.1   1.16.6.1       1.16.10.1
 src/sys/netmpls/mpls_ttl.c     1.9    1.4.4.1    1.4.8.1        1.4.12.1
 src/sys/netinet6/nd6_nbr.c     1.145  1.100.2.3  1.100.2.2.2.1  1.100.2.2.6.1
 src/sys/netinet6/ip6_mroute.c  1.120  1.107.2.1  1.107.6.1      1.107.10.1
 src/sys/netinet/ip_input.c     1.366  1.319.2.1  1.319.6.1      1.319.10.1
 src/sys/dist/pf/net/pf.c       1.78   1.72.2.1   1.72.6.1       1.72.10.1

 FILE                           netbsd-6   netbsd-6-0  netbsd-6-1
 ----                           --------   ----------  ----------
 src/sys/net/if_mpls.c          1.8.8.2    1.8.14.2    1.8.22.2
 src/sys/netmpls/mpls_ttl.c     1.3.18.1   1.3.24.1    1.3.32.1
 src/sys/netinet6/nd6_nbr.c     1.95.2.1   1.95.6.1    1.95.8.1
 src/sys/netinet6/ip6_mroute.c  1.103.2.1  1.103.8.1   1.103.16.1
 src/sys/netinet/ip_input.c     1.298.2.1  1.298.6.1   1.298.8.1
 src/sys/dist/pf/net/pf.c       1.68.2.1   1.68.6.1    1.68.8.1

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r VERSION sys/net/if_mpls.c
        # cvs update -d -P -r VERSION sys/netmpls/mpls_ttl.c
        # cvs update -d -P -r VERSION sys/netinet6/nd6_nbr.c
        # cvs update -d -P -r VERSION sys/netinet6/ip6_mroute.c
        # cvs update -d -P -r VERSION sys/netinet/ip_input.c
        # cvs update -d -P -r VERSION sys/dist/pf/net/pf.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Maxime Villard for finding and fixing issues 1) 2) 3) 4),
Lucio Albornoz for reporting a problem that was discovered to be 5).


Revision History
================

        2018-04-09      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.