FreeBSD-SA-15:06.openssl – Multiple OpenSSL vulnerabilities

Original post: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:06.openssl.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:06.openssl Security Advisory
The FreeBSD Project

Topic: Multiple OpenSSL vulnerabilities

Category: contrib
Module: openssl
Announced: 2015-03-19; Last revised on 2015-03-20.
Affects: All supported versions of FreeBSD.
Corrected: 2015-03-20 07:11:20 UTC (stable/10, 10.1-STABLE)
2015-03-20 07:12:02 UTC (releng/10.1, 10.1-RELEASE-p8)
2015-03-20 07:11:20 UTC (stable/9, 9.3-STABLE)
2015-03-20 07:12:02 UTC (releng/9.3, 9.3-RELEASE-p12)
2015-03-20 07:11:20 UTC (stable/8, 8.4-STABLE)
2015-03-20 07:12:02 UTC (releng/8.4, 8.4-RELEASE-p26)
CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
CVE-2015-0289, CVE-2015-0293

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0. Revision history

v1.0 2015-03-19 Initial release.
v1.1 2015-03-20 Reverted a portion of change that should not belong to the
advisory and did not end up in the final OpenSSL release.
The patch is also revised to include fixes for
CVE-2015-0209 and CVE-2015-0288.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

Abstract Syntax Notation One (ASN.1) is a standard and notation that
describes rules and structures for representing, encoding, transmitting,
and decoding data in telecommunications and computer networking, which
enables representation of objects that are independent of machine-specific
encoding technique.

II. Problem Description
 Continue reading 

Researchers at Core Security Technologies issued an advisory on vulnerabilities affecting FreeBSD

Core Security Technologies, a network security company that specializes in attack intelligence and vulnerability management, has recently discovered several vulnerabilities in FreeBSD.

Researchers at Core Security Technologies issued an advisory today on three vulnerabilities in affecting the FreeBSD operating system.

FreeBSD is a Unix-like operating system used to power servers, desktops and embedded platforms. According to the advisory from Core Security, several vulnerabilities were spotted in the FreeBSD kernel code that implements the vt console driver previously known as Newcons as well as the code the implements Stream Control Transmission Protocol [SCTP] sockets. These issues could enable a local, unprivileged attacker to crash the system, disclose kernel memory containing sensitive information and execute arbitrary code with super user privileges.

The FreeBSD Project issued fixes for the issues that are available to users who upgrade to FreeBSD 10.1-RELENG or one of the following reasons: stable/10, 10.1-STABLE releng/10.1, 10.1-RELEASE-p5 releng/10.0, 10.0-RELEASE-p17 stable/9, 9.3-STABLE releng/9.3, 9.3-RELEASE-p9 stable/8, 8.4-STABLE releng/8.4 and 8.4-RELEASE-p23.

Original announcement: http://www.securityweek.com/freebsd-patches-kernel-security-vulnerabilities

Buffer Overflow Vulnerability in FreeBSD Discovered by Norse

Norse_LNorse announced today that they discovered a buffer overflow vulnerability in FreeBSD which they privately disclosed to the FreeBSD security team, who subsequently issued a security advisory with some details on the flaw and options for remedy (FreeBSD-SA-14:27.stdio).

FreeBSD is an advanced computer operating system employed to power modern servers, desktops and embedded platforms, according to the project’s organizers, who have collaborated with a large community of developers for more than thirty years.

Read the full blog with instructions on how to patch: http://blog.norsecorp.com/2014/12/10/buffer-overflow-vulnerability-in-freebsd-discovered-by-norse/

FreeBSD security advisories

FreeBSD Security AdvisortyThe FreeBSD Security Team notifies the Community of a handful of vulnerabilities that have been discovered. Please check the advisories and take the appropriate actions.

These issues either don’t affect the upcoming FreeBSD 10.0 (building was kicked off on 15 Jan) or have already been fixed.

FreeBSD Security Advisory: OpenSSH

FreeBSD Security AdvisortyThe FreeBSD Security Team has identified a memory corruption vulnerability in OpenSSH and has issued the following security advisory: FreeBSD-SA-13:14.openssh  (19/11/2013).

I. Background

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.

AES-GCM (Galois/Counter Mode) is a mode of operation for AES block cipher that combines the counter mode of encryption with the Galois mode of authentication which can offer throughput rates for state of the art, high speed communication channels.

OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.

II. Problem Description

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during key exchange.

III. Impact

If exploited, this vulnerability might permit code execution with the privileges of the authenticated user, thereby allowing a malicious user with valid credentials to bypass shell or command restrictions placed on their account.

For a workaround and solution, check out the security advisory: FreeBSD-SA-13:14.openssh

FreeBSD Security Advisories (sctp, ip_multicast)

software-bug-signThe FreeBSD Security Team has identified an issue in sctp and ip_multicast  and has issued the following security advisories:

The SCTP protocol provides reliable, flow-controlled, two-way transmission of data. It is a message oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions. The SCTP protocol checks the integrity of messages by validating the state cookie information that is returned from the peer.

IP multicast is a method of sending Internet Protocol (IP) datagrams to a group of interested receivers in a single transmission.

Please read and take the recommended action(s).

FreeBSD Security Advisory: mmap

software-bug-signThe FreeBSD Security Team has identified an issue in mmap and has issued the following security advisory: FreeBSD-SA-13:06.mmap (18/06/2013).

The FreeBSD virtual memory system allows files to be memory-mapped. All or parts of a file can be made available to a process via its address space. The process can then access the file using memory operations rather than filesystem I/O calls.

The ptrace(2) system call provides tracing and debugging facilities by allowing one process (the tracing process) to watch and control another (the traced process).

Due to insufficient permission checks in the virtual memory system, a tracing process (such as a debugger) may be able to modify portions of the traced process’s address space to which the traced process itself does not have write access.

This error can be exploited to allow unauthorized modification of an arbitrary file to which the attacker has read access, but not write access. Depending on the file and the nature of the modifications, this can result in privilege escalation.

For a solution, check out the security advisory: FreeBSD-SA-13:06.mmap

FreeBSD Security Advisory (Bind)

The FreeBSD Security Team has identified an issue in Bind and has issued the following security advisory: FreeBSD-SA-12:06.bind (22/11/2012).

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

The BIND daemon would crash when a query is made on a resource record with RDATA that exceeds 65535 bytes. The BIND daemon would lock up when a query is made on specific combinations of RDATA.

III. Impact

A remote attacker can query a resolving name server to retrieve a record whose RDATA is known to be larger than 65535 bytes, thereby causing the resolving server to crash via an assertion failure in named.

For a workaround and solution, check out the security advisory: FreeBSD-SA-12:06.bind

An attacker who is in a position to add a record with RDATA larger than 65535 bytes to an authoritative name server can cause that server to crash by later querying for that record.

The attacker can also cause the server to lock up with specific combinations of RDATA.