BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Core statement on recent freebsd-update and related vulnerabilities

Dear FreeBSD Community:

The FreeBSD Core team and FreeBSD Security team would like to update the
community on the reports of security vulnerabilities in freebsd-update,
portsnap, libarchive, and bspatch.

We understand the severity of this issue, and are actively working to resolve
the issues and improve the security of FreeBSD.

A recent post[1] to the freebsd-security@ list raised a number of questions[2]
and we would like to address those.

  1. Since there are known vulnerabilities in freebsd-update and
     portsnap, why has there been no notification to the community
     from secteam@?

  As a general rule, the FreeBSD Security Officer does not announce
  vulnerabilities for which there is no released patch. We are
  reviewing this policy for cases where a proof-of-concept or working
  exploit is already public.

  2. Why was there no mention of the fact that running freebsd-update
     to install the fix for the bspatch advisory [SA-16:25] may actually
     expose users to the vulnerability?

  To be exposed, a user would need to be under an active
  Man-In-The-Middle attack when fetching patches. The Security
  Advisory did not contain information on the theoretical implications
  of the vulnerability. A more explicit paragraph in the 'Impact'
  statement may have been warranted. As always, instructions on how to
  compile the patched bspatch manually rather than using
  freebsd-update were provided as part of the advisory.

  3. The patch included in SA-16:25 is incomplete, and may still
     permit heap corruption. The patch included in the document dump
     is more complete. Why only a partial fix?

  After discussion with the author of bspatch (Colin Percival, a
  former FreeBSD Security Officer himself), The FreeBSD Security Team
  found that the proposed patch added restrictions that may break
  (legitimate) functionality in bspatch, possibly preventing some
  valid patch files from being accepted. While a full fix is being
  developed, the shorter patch which resolves the main vulnerability
  was immediately released. This resolves the most critical issue in
  the report. This smaller patch is safe, in that it does not risk
  breaking bspatch while still resolving the attack vector of the
  provided exploit code. The larger patch is still under development
  and will be released once all of the issues have been
  addressed. Automated fuzz testing is underway to search for any
  additional memory corruption bugs.

Great care must be taken when updating the binary upgrade utility, as it
becomes much more difficult to fix after the fact, as the updater is then
broken. There are delicate interactions between the components that must be
thoroughly tested before the patch is released.

As of yet, patches for the libarchive vulnerabilities have not been released
upstream to be pulled into FreeBSD. In the meantime, HardenedBSD has created
patches for some of the libarchive vulnerabilities, the first[3] is being
considered for inclusion in FreeBSD, at least until a complete fix is
committed upstream, however the second[4] is considered too brute-force and
will not be committed as-is. Once the patches are in FreeBSD and updated
binaries are available, a Security Advisory will be issued.

The Security team is working on redesigning freebsd-update and portsnap to do
signature verification on all downloaded files before they are processed by
libarchive/tar, bspatch, or any other utilities. However, this change requires
modifying the metadata format used in the utilities, and care must be taken to
preserve compatibility with the existing clients, so the existing clients can
be used to install the future updates. Users will of course have the option to
build/apply the patches themselves if they do not feel comfortable using
freebsd-update to do so.

The security team is working diligently to resolve the issues and provide
timely, correct fixes for all known issues. Please subscribe to the
freebsd-security-notifications@ mailing-list to receive notifications of any
future Security Advisories.

[1]https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009016.html
[2]https://lists.freebsd.org/pipermail/freebsd-security/2016-July/009019.html
[3]https://github.com/HardenedBSD/hardenedBSD/commit/acc5eaecbe4970cfb96d9549fe7dc8ceb4676557
[4]https://github.com/HardenedBSD/hardenedBSD/commit/6a6ac73ae630927b2dd996df3cd85c8c612c459c