FreeBSD Errata Notice FreeBSD-EN-15:04.freebsd-update

Allan Jude has issued us with a FreeBSD Errata Notice. Please check the article to take proper corrective measures.

Original post: https://bsdsec.net/articles/freebsd-announce-freebsd-errata-notice-freebsd-en-15-04-freebsd-update

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

=============================================================================
FreeBSD-EN-15:04.freebsd-update Errata Notice
The FreeBSD Project

Topic: freebsd-update(8) does not ensure the previous upgrade was
completed

Category: core
Module: freebsd-update
Announced: 2015-05-13
Credits: Allan Jude
Affects: All supported versions of FreeBSD.
Corrected: 2015-05-13 22:36:00 UTC (stable/10, 10.1-STABLE)
2015-05-13 22:52:35 UTC (releng/10.1, 10.1-RELEASE-p10)
2015-05-13 22:36:52 UTC (stable/9, 9.3-STABLE)
2015-05-13 22:52:51 UTC (releng/9.3, 9.3-RELEASE-p14)
2015-05-13 22:39:29 UTC (stable/8, 8.4-STABLE)
2015-05-13 22:52:51 UTC (releng/8.4, 8.4-RELEASE-p28)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit https://www.freebsd.org/security/

I. Background

The freebsd-update(8) utility is used to apply binary patches to FreeBSD
systems installed from official release images, as an alternative to
rebuilding from source. A freebsd-update(8) build server generates the
signed update packages, consisting of an index of files and directories
with checksums before the update, a set of binary patches, and an
index of files and directories with checksums after the update. The
client downloads the indexes, verifies the signatures and checksums,
then downloads and applies the required patches.
[Read more…]

Mumblehard Malware Infects Thousands of Linux and FreeBSD Servers

A recent vulnerability has been found, affecting thousands of Linux and FreeBSD servers around the world. Norse encourages FreeBSD sysadmins to take proper measures to remedy this exploit. Check the whitepaper for more details.

m4lware

Researchers have documented a newly discovered family of malware that infected thousands of Linux and FreeBSD servers, making them part of a massive spam distribution campaign.

The unusually sophisticated malware, dubbed Mumblehard, has two main components which are both written in Perl and leverage the same custom packer which is written in assembly language to produce ELF binaries that work to obfuscate the source code.

“Our analysis and research also shows a strong link between Mumblehard and Yellsoft. Yellsoft sells software, written in Perl, designed to send bulk e-mails. This program is called DirectMailer,” the researchers said.

“The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting yellsoft.net. The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.”

The team discovered Mumblehard after a system administrator reported that a server had been blacklisted for sending spam, and they proceeded to dump the memory of a process that was connecting to different SMTP servers.

“The memory dump clearly showed it to be a Perl interpreter. We investigated and found the executable file in the /tmp directory. We started analyzing this ELF binary and discovered what we now call Mumblehard,” the researchers explained.

“We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat.”

Key findings in the analysis include:

  • Perl scripts were packed inside ELF binaries written in assembly language, showing a higher level of sophistication than average
  • A total of 8,867 unique IP addresses were seen in our sinkhole over a 7-month period
  • The highest number of unique IP addresses seen in a single day is as high as 3,292
  • Mumblehard has been active since at least 2009
  • Among the compromised machines, web servers are the most susceptible to being infected
  • There is a strong link between Mumblehard and Yellsoft, an online company selling software to send bulk e-mail messages

“Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes.” the researchers noted.

“The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.”

A detailed white paper on Mumblehard is available here (PDF).

Original post: http://blog.norsecorp.com/2015/04/30/mumblehard-malware-infects-thousands-of-linux-and-freebsd-servers/

FreeBSD-SA-15:06.openssl – Multiple OpenSSL vulnerabilities

Original post: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:06.openssl.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:06.openssl Security Advisory
The FreeBSD Project

Topic: Multiple OpenSSL vulnerabilities

Category: contrib
Module: openssl
Announced: 2015-03-19; Last revised on 2015-03-20.
Affects: All supported versions of FreeBSD.
Corrected: 2015-03-20 07:11:20 UTC (stable/10, 10.1-STABLE)
2015-03-20 07:12:02 UTC (releng/10.1, 10.1-RELEASE-p8)
2015-03-20 07:11:20 UTC (stable/9, 9.3-STABLE)
2015-03-20 07:12:02 UTC (releng/9.3, 9.3-RELEASE-p12)
2015-03-20 07:11:20 UTC (stable/8, 8.4-STABLE)
2015-03-20 07:12:02 UTC (releng/8.4, 8.4-RELEASE-p26)
CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
CVE-2015-0289, CVE-2015-0293

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0. Revision history

v1.0 2015-03-19 Initial release.
v1.1 2015-03-20 Reverted a portion of change that should not belong to the
advisory and did not end up in the final OpenSSL release.
The patch is also revised to include fixes for
CVE-2015-0209 and CVE-2015-0288.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

Abstract Syntax Notation One (ASN.1) is a standard and notation that
describes rules and structures for representing, encoding, transmitting,
and decoding data in telecommunications and computer networking, which
enables representation of objects that are independent of machine-specific
encoding technique.

II. Problem Description
 [Read more...]

Researchers at Core Security Technologies issued an advisory on vulnerabilities affecting FreeBSD

Core Security Technologies, a network security company that specializes in attack intelligence and vulnerability management, has recently discovered several vulnerabilities in FreeBSD.

Researchers at Core Security Technologies issued an advisory today on three vulnerabilities in affecting the FreeBSD operating system.

FreeBSD is a Unix-like operating system used to power servers, desktops and embedded platforms. According to the advisory from Core Security, several vulnerabilities were spotted in the FreeBSD kernel code that implements the vt console driver previously known as Newcons as well as the code the implements Stream Control Transmission Protocol [SCTP] sockets. These issues could enable a local, unprivileged attacker to crash the system, disclose kernel memory containing sensitive information and execute arbitrary code with super user privileges.

The FreeBSD Project issued fixes for the issues that are available to users who upgrade to FreeBSD 10.1-RELENG or one of the following reasons: stable/10, 10.1-STABLE releng/10.1, 10.1-RELEASE-p5 releng/10.0, 10.0-RELEASE-p17 stable/9, 9.3-STABLE releng/9.3, 9.3-RELEASE-p9 stable/8, 8.4-STABLE releng/8.4 and 8.4-RELEASE-p23.

Original announcement: http://www.securityweek.com/freebsd-patches-kernel-security-vulnerabilities

Buffer Overflow Vulnerability in FreeBSD Discovered by Norse

Norse_LNorse announced today that they discovered a buffer overflow vulnerability in FreeBSD which they privately disclosed to the FreeBSD security team, who subsequently issued a security advisory with some details on the flaw and options for remedy (FreeBSD-SA-14:27.stdio).

FreeBSD is an advanced computer operating system employed to power modern servers, desktops and embedded platforms, according to the project’s organizers, who have collaborated with a large community of developers for more than thirty years.

Read the full blog with instructions on how to patch: http://blog.norsecorp.com/2014/12/10/buffer-overflow-vulnerability-in-freebsd-discovered-by-norse/

FreeBSD security advisories

FreeBSD Security AdvisortyThe FreeBSD Security Team notifies the Community of a handful of vulnerabilities that have been discovered. Please check the advisories and take the appropriate actions.

These issues either don’t affect the upcoming FreeBSD 10.0 (building was kicked off on 15 Jan) or have already been fixed.

FreeBSD Security Advisory: OpenSSH

FreeBSD Security AdvisortyThe FreeBSD Security Team has identified a memory corruption vulnerability in OpenSSH and has issued the following security advisory: FreeBSD-SA-13:14.openssh  (19/11/2013).

I. Background

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.

AES-GCM (Galois/Counter Mode) is a mode of operation for AES block cipher that combines the counter mode of encryption with the Galois mode of authentication which can offer throughput rates for state of the art, high speed communication channels.

OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.

II. Problem Description

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during key exchange.

III. Impact

If exploited, this vulnerability might permit code execution with the privileges of the authenticated user, thereby allowing a malicious user with valid credentials to bypass shell or command restrictions placed on their account.

For a workaround and solution, check out the security advisory: FreeBSD-SA-13:14.openssh

FreeBSD Security Advisories (sctp, ip_multicast)

software-bug-signThe FreeBSD Security Team has identified an issue in sctp and ip_multicast  and has issued the following security advisories:

The SCTP protocol provides reliable, flow-controlled, two-way transmission of data. It is a message oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions. The SCTP protocol checks the integrity of messages by validating the state cookie information that is returned from the peer.

IP multicast is a method of sending Internet Protocol (IP) datagrams to a group of interested receivers in a single transmission.

Please read and take the recommended action(s).

FreeBSD Security Advisory: mmap

software-bug-signThe FreeBSD Security Team has identified an issue in mmap and has issued the following security advisory: FreeBSD-SA-13:06.mmap (18/06/2013).

The FreeBSD virtual memory system allows files to be memory-mapped. All or parts of a file can be made available to a process via its address space. The process can then access the file using memory operations rather than filesystem I/O calls.

The ptrace(2) system call provides tracing and debugging facilities by allowing one process (the tracing process) to watch and control another (the traced process).

Due to insufficient permission checks in the virtual memory system, a tracing process (such as a debugger) may be able to modify portions of the traced process’s address space to which the traced process itself does not have write access.

This error can be exploited to allow unauthorized modification of an arbitrary file to which the attacker has read access, but not write access. Depending on the file and the nature of the modifications, this can result in privilege escalation.

For a solution, check out the security advisory: FreeBSD-SA-13:06.mmap