FreeBSD Security Advisories Archives

FreeBSD Security Advisory: OpenSSH vulnerabilities 1/11/2017

January 13, 2017 By Cao Leave a Comment

A FreeBSD Security Advisory concerning an OpenSSH vulnerability has recently been issued. You can view the full description of the vulnerability and solution on the mailing list page. User Vivek Gite also provides a solution for the problem below.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

OpenSSH supports accessing keys provided by a PKCS#11 token.

II.  Problem Description

The ssh-agent(1) agent supports loading a PKCS#11 module from outside a
trusted whitelist.  An attacker can request loading of a PKCS#11 module
across forwarded agent-socket. [CVE-2016-10009]

When privilege separation is disabled, forwarded Unix domain sockets
would be created by sshd(8) with the privileges of 'root' instead of
the authenticated user. [CVE-2016-10010]

Original announcement: https://lists.freebsd.org/pipermail/freebsd-security-notifications/2017-January/000305.html

OpenSSH is critical for both sysadmin and programmers. It is an implementation of the SSH protocol suite, from OpenBSD project. It provides an encrypted session to your server.

OpenSSH multiple vulnerabilities

OpenSSH has multiple vulnerabilities as of 11th January 2017 running on FreeBSD operating system. From the advisory:

The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across forwarded agent-socket. [CVE-2016-10009]

When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of ‘root’ instead of the authenticated user. [CVE-2016-10010]

Patch your FreeBSD server: https://www.nixcraft.com/patch-your-freebsd-server-for-openssh-vulnerabilities-11jan2017/168/

[Blog] Analysis of SETFKEY FreeBSD kernel, compatibility layers, vulnerabilities by CTurt

June 3, 2016 By Cao Leave a Comment

FreeBSD security researcher CTurt, known for his recent work in the PS4 kernel exploit, outlines a recent FreeBSD kernel vulnerability found in iotcl handlers. In addition, check out his article on vulnerabilities in FreeBSD compatibility layers.

Every FreeBSD keyboard driver exposes its own ioctl interface to allow it to be configured from userland (through the kbdcontrol utility for example). Typically, these ioctl handlers will implement any specific commands for the hardware, such as enabling or disabling LEDs, and will delegate the rest of the commands to a common handler, called genkbd_commonioctl.

I discovered a vulnerability in this common handler, which has been present since the driver’s introduction in 1999.

Due to a poor default sysctl variable, this bug can be triggered by an unprivileged user, so long as at least one keyboard driver is running (by default the atkbd driver is used), making its impact critical.

I decided to report this bug to the FreeBSD Security Team on April 22, 2016, the day after I had discovered it, and was able to exploit it about a week later. It has been assigned CVE-2016-1886 and Security Advisory 16:18.

In this article I will provide an explanation of the bug, and some of the methods which I considered for exploitation, including the one I had success with: using the corrupted len member of a keytab to trigger a powerful two way heap and stack overflow.

Original post: http://cturt.github.io/SETFKEY.html

Analysis of stack disclosure vulnerabilities in FreeBSD compatibility layers

Arguably one of FreeBSD’s most renowned features is its compatibility layers. In particular, FreeBSD provides compatibility layers for 32-bit Linux binaries and for legacy 4.3BSD software. These are usually enabled by building a custom kernel with the COMPAT_LINUX32 and COMPAT_43 configuration options, however the Linux compatibility layer is also implemented as a separate kernel module, which can be loaded at runtime instead (kldload linux).

Original post: http://cturt.github.io/compat-info-leaks.html

FreeBSD Patches Kernel Panic Vulnerability

January 27, 2016 By Cao Leave a Comment

The FreeBSD Team has recently patched a security vulnerability that would enable DoS attacks and compromise user privileges and data. Read the full reported by Theatpost and PTsecurity below.

SCTP ICMPv6 error processing vulnerability (CVE-2016-1879)

SCTP (stream control transmission protocol) is a transport-layer protocol designed to transfer signaling messages in an IP environment. As a rule, mobile operators use this protocol in technological networks.

This vulnerability threatens FreeBSD systems (versions 9.3, 10.1, and 10.2) if they support SCTP and IPv6 (default configuration). To exploit this flaw, a malefactor needs to send a specially crafted ICMPv6 message. And if he succeeds, he can conduct a DoS attack.

See a video demo of the attack:

Links: https://threatpost.com/freebsd-patches-kernel-panic-vulnerability/116001/
http://blog.ptsecurity.com/2016/01/severe-vulnerabilities-detected-in.html

FreeBSD Errata Notice FreeBSD-EN-15:13.vidcontrol

August 22, 2015 By Cao Leave a Comment

FreeBSD has issued an errata notice regarding vidcontrol(1) for syscons(4). Please see below to implement the proper measures.

Original: http://bsdsec.net/articles/freebsd-announce-freebsd-errata-notice-freebsd-en-15-13-vidcontrol

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-15:13.vidcontrol                                     Errata Notice
                                                          The FreeBSD Project

Topic:          Allow size argument to vidcontrol(1) for syscons(4)

Category:       core
Module:         vidcontrol
Announced:      2015-08-18
Credits:        Ed Maste
Affects:        FreeBSD 10.2-RELEASE
Corrected:      2015-08-04 15:15:06 UTC (stable/10, 10.2-STABLE)
                2015-08-18 19:30:17 UTC (releng/10.2, 10.2-RC3-p1)
                2015-08-18 19:30:17 UTC (releng/10.2, 10.2-RELEASE-p1)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.

I.   Background

The vidcontrol(1) utility is used to set various options for the syscons(4) or
vt(4) console driver, such as video mode, colors, cursor shape, screen output
map, font, and screen saver timeout.

The vidcontrol(1) utility allows specifying a font size and font file as
arguments to the '-f' flag.  When no size or file are specified, vidcontrol(1)
the default font will be used.

II.  Problem Description

The vidcontrol(1) does not properly allow specifying the font size when
invoked from the command line.

[Read more…]

shell injection vulnerability in patch(1)

August 12, 2015 By Cao Leave a Comment

FreeBSD has issued a Security Advisory concerning a shell injection vulnerability in patch(1). Please see below on how to apply the patches.

Original: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:18.bsdpatch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          shell injection vulnerability in patch(1)

Category:       contrib
Module:         patch
Announced:      2015-08-05
Credits:        Martin Natano
Affects:        FreeBSD 10.x.
Corrected:      2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
                2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
                2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
CVE Name:       CVE-2015-1418

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The patch(1) utility takes a patch file produced by the diff(1) program and
apply the differences to an original file, producing a patched version.

The patch(1) utility supports patches that uses ed(1) script format, as
required by the POSIX.1-2008 standard.

ed(1) is a line-oriented text editor.

II.  Problem Description

[Read more…]

FreeBSD Security Advisory: routed(8) remote denial of service vulnerability

August 12, 2015 By Cao Leave a Comment

FreeBSD has issued a Security Advisory concerning a remote denial of service vulnerability. Please see below on how to apply the patches.

Original: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:19.routed.asc

Topic:          routed(8) remote denial of service vulnerability

Category:       core
Module:         routed
Announced:      2015-08-05
Credits:        Hiroki Sato
Affects:        All supported versions of FreeBSD.
Corrected:      2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
                2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
                2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
                2015-08-05 22:05:07 UTC (stable/9, 9.3-STABLE)
                2015-08-05 22:05:24 UTC (releng/9.3, 9.3-RELEASE-p22)
CVE Name:       CVE-2015-5674

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The routing information protocol (RIP) is an older routing protocol
which, while not as capable as more recent protocols such as OSPF and
BGP, is sometimes preferred for its simplicity and therefore still
used as an interior gateway protocol on smaller networks.

Routers in a RIP network periodically broadcast their routing table on
all enabled interfaces.  Neighboring routers and hosts receive these
broadcasts and update their routing tables accordingly.

The routed(8) daemon is a RIP implementation for FreeBSD.  The
rtquery(8) utility can be used to send a RIP query to a router and
display the result without updating the routing table.

II.  Problem Description

[Read more…]

FreeBSD Errata Notice FreeBSD-EN-15:04.freebsd-update

May 20, 2015 By Cao Leave a Comment

Allan Jude has issued us with a FreeBSD Errata Notice. Please check the article to take proper corrective measures.

Original post: https://bsdsec.net/articles/freebsd-announce-freebsd-errata-notice-freebsd-en-15-04-freebsd-update

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

=============================================================================
FreeBSD-EN-15:04.freebsd-update Errata Notice
The FreeBSD Project

Topic: freebsd-update(8) does not ensure the previous upgrade was
completed

Category: core
Module: freebsd-update
Announced: 2015-05-13
Credits: Allan Jude
Affects: All supported versions of FreeBSD.
Corrected: 2015-05-13 22:36:00 UTC (stable/10, 10.1-STABLE)
2015-05-13 22:52:35 UTC (releng/10.1, 10.1-RELEASE-p10)
2015-05-13 22:36:52 UTC (stable/9, 9.3-STABLE)
2015-05-13 22:52:51 UTC (releng/9.3, 9.3-RELEASE-p14)
2015-05-13 22:39:29 UTC (stable/8, 8.4-STABLE)
2015-05-13 22:52:51 UTC (releng/8.4, 8.4-RELEASE-p28)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit https://www.freebsd.org/security/

I. Background

The freebsd-update(8) utility is used to apply binary patches to FreeBSD
systems installed from official release images, as an alternative to
rebuilding from source. A freebsd-update(8) build server generates the
signed update packages, consisting of an index of files and directories
with checksums before the update, a set of binary patches, and an
index of files and directories with checksums after the update. The
client downloads the indexes, verifies the signatures and checksums,
then downloads and applies the required patches.
[Read more…]

Mumblehard Malware Infects Thousands of Linux and FreeBSD Servers

May 2, 2015 By Cao Leave a Comment

A recent vulnerability has been found, affecting thousands of Linux and FreeBSD servers around the world. Norse encourages FreeBSD sysadmins to take proper measures to remedy this exploit. Check the whitepaper for more details.

m4lware

Researchers have documented a newly discovered family of malware that infected thousands of Linux and FreeBSD servers, making them part of a massive spam distribution campaign.

The unusually sophisticated malware, dubbed Mumblehard, has two main components which are both written in Perl and leverage the same custom packer which is written in assembly language to produce ELF binaries that work to obfuscate the source code.

“Our analysis and research also shows a strong link between Mumblehard and Yellsoft. Yellsoft sells software, written in Perl, designed to send bulk e-mails. This program is called DirectMailer,” the researchers said.

“The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting yellsoft.net. The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.”

The team discovered Mumblehard after a system administrator reported that a server had been blacklisted for sending spam, and they proceeded to dump the memory of a process that was connecting to different SMTP servers.

“The memory dump clearly showed it to be a Perl interpreter. We investigated and found the executable file in the /tmp directory. We started analyzing this ELF binary and discovered what we now call Mumblehard,” the researchers explained.

“We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat.”

Key findings in the analysis include:

Perl scripts were packed inside ELF binaries written in assembly language, showing a higher level of sophistication than average

A total of 8,867 unique IP addresses were seen in our sinkhole over a 7-month period

The highest number of unique IP addresses seen in a single day is as high as 3,292

Mumblehard has been active since at least 2009

Among the compromised machines, web servers are the most susceptible to being infected

There is a strong link between Mumblehard and Yellsoft, an online company selling software to send bulk e-mail messages

“Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes.” the researchers noted.

“The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.”

A detailed white paper on Mumblehard is available here (PDF).

Original post: http://blog.norsecorp.com/2015/04/30/mumblehard-malware-infects-thousands-of-linux-and-freebsd-servers/

FreeBSD-SA-15:06.openssl – Multiple OpenSSL vulnerabilities

March 26, 2015 By Cao Leave a Comment

Original post: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:06.openssl.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:06.openssl Security Advisory
The FreeBSD Project

Topic: Multiple OpenSSL vulnerabilities

Category: contrib
Module: openssl
Announced: 2015-03-19; Last revised on 2015-03-20.
Affects: All supported versions of FreeBSD.
Corrected: 2015-03-20 07:11:20 UTC (stable/10, 10.1-STABLE)
2015-03-20 07:12:02 UTC (releng/10.1, 10.1-RELEASE-p8)
2015-03-20 07:11:20 UTC (stable/9, 9.3-STABLE)
2015-03-20 07:12:02 UTC (releng/9.3, 9.3-RELEASE-p12)
2015-03-20 07:11:20 UTC (stable/8, 8.4-STABLE)
2015-03-20 07:12:02 UTC (releng/8.4, 8.4-RELEASE-p26)
CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
CVE-2015-0289, CVE-2015-0293

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0. Revision history

v1.0 2015-03-19 Initial release.
v1.1 2015-03-20 Reverted a portion of change that should not belong to the
advisory and did not end up in the final OpenSSL release.
The patch is also revised to include fixes for
CVE-2015-0209 and CVE-2015-0288.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

Abstract Syntax Notation One (ASN.1) is a standard and notation that
describes rules and structures for representing, encoding, transmitting,
and decoding data in telecommunications and computer networking, which
enables representation of objects that are independent of machine-specific
encoding technique.

II. Problem Description
 [Read more...]

Researchers at Core Security Technologies issued an advisory on vulnerabilities affecting FreeBSD

January 31, 2015 By Cao Leave a Comment

Core Security Technologies, a network security company that specializes in attack intelligence and vulnerability management, has recently discovered several vulnerabilities in FreeBSD.

Researchers at Core Security Technologies issued an advisory today on three vulnerabilities in affecting the FreeBSD operating system.

FreeBSD is a Unix-like operating system used to power servers, desktops and embedded platforms. According to the advisory from Core Security, several vulnerabilities were spotted in the FreeBSD kernel code that implements the vt console driver previously known as Newcons as well as the code the implements Stream Control Transmission Protocol [SCTP] sockets. These issues could enable a local, unprivileged attacker to crash the system, disclose kernel memory containing sensitive information and execute arbitrary code with super user privileges.

The FreeBSD Project issued fixes for the issues that are available to users who upgrade to FreeBSD 10.1-RELENG or one of the following reasons: stable/10, 10.1-STABLE releng/10.1, 10.1-RELEASE-p5 releng/10.0, 10.0-RELEASE-p17 stable/9, 9.3-STABLE releng/9.3, 9.3-RELEASE-p9 stable/8, 8.4-STABLE releng/8.4 and 8.4-RELEASE-p23.

Original announcement: http://www.securityweek.com/freebsd-patches-kernel-security-vulnerabilities