-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2018-007 ================================= Topic: Several vulnerabilities in IPsec Version: NetBSD-current: source prior to Tue, May 1st 2018 NetBSD 7.1 - 7.1.2: affected NetBSD 7.0 - 7.0.2: affected NetBSD 6.1 - 6.1.5: affected NetBSD 6.0 - 6.0.6: affected Severity: Remote DoS, Remote Memory Corruption Fixed: NetBSD-current: Tue, May 1st 2018 NetBSD-7-1 branch: Thu, May 3rd 2018 NetBSD-7-0 branch: Thu, May 3rd 2018 NetBSD-7 branch: Thu, May 3rd 2018 NetBSD-6-1 branch: Thu, May 3rd 2018 NetBSD-6-0 branch: Thu, May 3rd 2018 NetBSD-6 branch: Thu, May 3rd 2018 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 6.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract and Technical Details ============================== Several bugs and vulnerabilities were discovered in the IPsec code. They can be triggered before, or after, authentication or decryption. Before authentication/decryption: 1) In the AH entry point, a length check was missing, and it was possible for a remote attacker to crash the system by sending a very small AH packet. Also, a use-after-free was present in this same entry point. 2) An inverted logic in the common IPsec entry point allowed an attacker to remotely crash the system when both IPsec and forwarding were enabled. 3) A miscomputation in an IPsec function in charge of handling mbufs resulted in the wrong length being stored in the mbuf header. This allowed an attacker to panic the system when at least ESP was active. 4) A sanity check in the IPsec output path was not strong enough and allowed an attacker to remotely panic the system when both IPsec and IPv6 forwarding were enabled. After authentication/decryption: 5) A use-after-free existed in the common Tunnel code. Also, a mistake in pointer initialization allowed an IPv6 packet to bypass the "local address spoofing" check. 6) A missing length check in the common IPsec entry point could allow an attacker to crash the system. 7) A memory leak and a use-after-free bug could allow an attacker to crash the system when both IPv6 and forwarding were enabled. Solutions and Workarounds ========================= For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarize how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), KERNCONF with the name of your kernel configuration file and VERSION with the file version below File versions containing the fixes: FILE HEAD netbsd-7 netbsd-7-0 netbsd-7-1 ---- ---- -------- ---------- ---------- src/sys/netipsec/xform_ah.c 1.80 1.42.4.2 1.42.8.2 1.42.12.2 src/sys/netipsec/ipsec.c 1.130 1.63.2.1 1.63.4.1 1.63.8.1 src/sys/netipsec/ipsec_mbuf.c 1.24 1.12.30.1 1.12.34.1 1.12.42.1 src/sys/netipsec/ipsec_output.c 1.75 1.40.4.1 1.40.8.1 1.40.12.1 src/sys/netipsec/xform_ipip.c 1.56 1.31.2.2 1.31.6.2 1.31.10.2 src/sys/netipsec/ipsec_input.c 1.58 1.32.4.1 1.32.8.1 1.32.12.1 src/sys/netinet6/ip6_forward.c 1.91 1.73.2.3 1.73.2.1.2.2 1.73.2.1.6.2 FILE netbsd-6 netbsd-6-0 netbsd-6-1 ---- -------- ---------- ---------- src/sys/netipsec/xform_ah.c 1.37.2.2 1.37.6.2 1.37.8.2 src/sys/netipsec/ipsec.c 1.55.8.1 1.55.12.1 1.55.14.1 src/sys/netipsec/ipsec_mbuf.c 1.12.10.1 1.12.16.1 1.12.24.1 src/sys/netipsec/ipsec_output.c 1.38.2.1 1.38.8.1 1.38.16.1 src/sys/netipsec/xform_ipip.c 1.28.8.2 1.28.14.2 1.28.22.2 src/sys/netipsec/ipsec_input.c 1.29.2.1 1.29.8.1 1.29.16.1 src/sys/netinet6/ip6_forward.c 1.69.2.2 1.69.6.2 1.69.8.2 To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P -r VERSION sys/netipsec/xform_ah.c # cvs update -d -P -r VERSION sys/netipsec/ipsec.c # cvs update -d -P -r VERSION sys/netipsec/ipsec_mbuf.c # cvs update -d -P -r VERSION sys/netipsec/ipsec_output.c # cvs update -d -P -r VERSION sys/netipsec/xform_ipip.c # cvs update -d -P -r VERSION sys/netipsec/ipsec_input.c # cvs update -d -P -r VERSION sys/netinet6/ip6_forward.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/guide/en/chap-kernel.html Thanks To ========= Maxime Villard for finding and fixing these issues. Revision History ================ 2018-05-07 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-007.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2018, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJa8GKzAAoJEAZJc6xMSnBuHEMP/jkbNaVYUnC9ALUXctbeFm8S 6V4Jgda2Vv48P6HOLLc+m/IWJC/1IIlUJ/a1fb1oZW4MDg8ELudXAqP5GfwD0fKT gF6qKdhGp4ISLPZVnOAZVaQe3pTRhJQnhXaoupxUcsl1jjgRWU5/UxJA4mByo+F0 tyfAxR0+JWgreBOUlekEIxs2ZGRWsDAmj0B7Me8OO6Jpb7SmHuqokgRb9Q1ExpB/ oGW3b3VX/9EWtVfaDGhUAHCj8ZARmyrK9ultD8+Ql8eacjeVgdr5CNvp4gy/OcSk 8DzG0v5E7pdpJc7WI4YA4qC3NuWjAuS/1gZ6fu1nTAK2Mp0PEvrEFvIi4cQePpne 28yK5oCc4dV3Y4amFKcqqPvWakJhTmNldv6nxRdhthdb9Uf6v2sCEgSark4UwLjv gDbpZF9MOvzQjXSMdmhjmfj5Yi+lytmyDXyT/WFxhE8xS6+l4l8DTutsvFh26D5m OZ1hWTa4Z90zxPrS5GX3hizn44Tq72HVSne9zE0JLgBgHb+YbF7aZO5rwAMh47gB UFpiEbPFBNLMGPr57vxIhOwrsvIH8XLUKP/g4x7NeVPdSvJ5LoJCSk+iueOt06vd HGjF29nivsnJ9uGTWIQiGo9EYOyR/IQH3EevafUvAz+10Hj62JnHmWvoxK0XGGVe bTGEsDCmMFjmd7YoeKB+ =hIq7 -----END PGP SIGNATURE-----