
NetBSD Security Advisory 2018-006: Several vulnerabilities in the network stack

		NetBSD Security Advisory 2018-006
		=================================

Topic:		Several vulnerabilities in the network stack

Version:	NetBSD-current:		source prior to Fri, Feb 9th 2018
		NetBSD 7.1.2:		not affected
		NetBSD 7.1 - 7.1.1:	affected
		NetBSD 7.0 - 7.0.2:	affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected

Severity:	Remote DoS, Remote Memory Corruption

Fixed:		NetBSD-current:		Fri, Feb 9th 2018
		NetBSD-7-1 branch:	Sat, Feb 24th 2018
		NetBSD-7-0 branch:	Sat, Feb 24th 2018
		NetBSD-7 branch:	Sat, Feb 24th 2018
		NetBSD-6-1 branch:	Tue, Mar 13th 2018
		NetBSD-6-0 branch:	Tue, Mar 13th 2018
		NetBSD-6 branch:	Tue, Mar 13th 2018

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 6.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Several vulnerabilities were discovered in the network stack:

 1) Several bugs in MPLS.
 2) Memory leak in IPv6-NBR.
 3) Double free in Pim6.
 4) IPv4 source-routed packets allowed by default.
 5) Signedness bug in PF.


Technical Details
=================

 1) Several possible use-after-frees existed in the MPLS code. This could
    cause the system to panic.

 2) A memory leak existed in the IPv6-NBR entry point. An attacker could
    cause the kernel to run out of memory.

 3) A double-free bug existed in the Pim6 (IPv6 multicast) entry point. This
    could cause the kernel to panic.

 4) Two sysctls wrongfully allowed IPv4 source-routed packets to be accepted
    by the kernel. Source-routed packets are known to have several security
    implications.

 5) A signedness bug existed in NetBSD's implementation of the PF firewall.
    A length check was unintentionally made unsigned, while it was expected
    to be signed. This could cause a read overflow (leading to a page fault)
    if a specially-crafted TCP-SYN packet was received while PF had a
    configuration of the type "pass in [...] tcp [...] modulate state".
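
Issue 5) is a length check that was unsigned where it had to be signed. The C block below is an added illustration of that bug class and is not code from pf.c: it is a toy TCP option scanner of the kind used to pick the MSS out of a SYN, written once with the remaining-length counter unsigned and once signed, fed a constructed option block whose declared length exceeds the bytes that remain. The unsigned variant wraps and walks past the buffer (reported as -1 rather than actually dereferenced); the signed variant goes negative and stops.

```c
#include <stddef.h>
#include <stdint.h>
/* TCP option kinds (RFC 793 values), defined here to stay self-contained. */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MSS = 2, OPTLEN_MSS = 4 };

/* Constructed option blocks, not captured traffic: a well-formed MSS=1460
 * option, and NOP, NOP, then an MSS option claiming 8 bytes with 2 left. */
static const uint8_t good_opts[]    = { 0x02, 0x04, 0x05, 0xb4 };
static const uint8_t crafted_opts[] = { 0x01, 0x01, 0x02, 0x08 };

/* Bug shape: remaining length tracked as unsigned. An option whose declared
 * length exceeds what remains makes "hlen -= optlen" wrap to a huge value,
 * "hlen >= 2" stays true, and opt is advanced past the buffer. The opt >= end
 * test is instrumentation only: it reports the overrun as -1 where real code
 * would dereference out of bounds. Returns MSS, 0 if absent, -1 on overrun. */
static int scan_mss_unsigned(const uint8_t *opt, size_t buflen)
{
    const uint8_t *end = opt + buflen;
    unsigned int hlen = (unsigned int)buflen;      /* the signedness mistake */
    while (hlen >= 2) {
        if (opt >= end) return -1;
        if (opt[0] == OPT_EOL) break;
        if (opt[0] == OPT_NOP) { opt++; hlen--; continue; }
        uint8_t optlen = opt[1];
        if (optlen < 2) break;
        if (opt[0] == OPT_MSS && optlen == OPTLEN_MSS && hlen >= OPTLEN_MSS)
            return (opt[2] << 8) | opt[3];
        opt += optlen;
        hlen -= optlen;                             /* wraps when optlen > hlen */
    }
    return 0;
}

/* Fixed shape: hlen is signed, so an oversized option drives it negative and
 * the loop condition ends the walk before any out-of-bounds read. */
static int scan_mss_signed(const uint8_t *opt, size_t buflen)
{
    int hlen = (int)buflen;
    while (hlen >= 2) {
        if (opt[0] == OPT_EOL) break;
        if (opt[0] == OPT_NOP) { opt++; hlen--; continue; }
        uint8_t optlen = opt[1];
        if (optlen < 2) break;
        if (opt[0] == OPT_MSS && optlen == OPTLEN_MSS && hlen >= OPTLEN_MSS)
            return (opt[2] << 8) | opt[3];
        opt += optlen;
        hlen -= optlen;                             /* goes negative: loop ends */
    }
    return 0;
}
```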


Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarize how to upgrade your
kernel. In these instructions, replace:

  ARCH     with your architecture (from uname -m),
  KERNCONF with the name of your kernel configuration file and
  VERSION  with the file version below

File versions containing the fixes:

 FILE     HEAD     netbsd-7     netbsd-7-0     netbsd-7-1
 ----     ----     --------     ----------     ----------
 src/sys/net/if_mpls.c
          1.33     1.16.2.1     1.16.6.1       1.16.10.1
 src/sys/netmpls/mpls_ttl.c
          1.9      1.4.4.1      1.4.8.1        1.4.12.1
 src/sys/netinet6/nd6_nbr.c
          1.145    1.100.2.3    1.100.2.2.2.1  1.100.2.2.6.1
 src/sys/netinet6/ip6_mroute.c
          1.120    1.107.2.1    1.107.6.1      1.107.10.1
 src/sys/netinet/ip_input.c
          1.366    1.319.2.1    1.319.6.1      1.319.10.1
 src/sys/dist/pf/net/pf.c
          1.78     1.72.2.1     1.72.6.1       1.72.10.1


 FILE              netbsd-6     netbsd-6-0     netbsd-6-1
 ----              --------     ----------     ----------
 src/sys/net/if_mpls.c
                   1.8.8.2      1.8.14.2       1.8.22.2
 src/sys/netmpls/mpls_ttl.c
                   1.3.18.1     1.3.24.1       1.3.32.1
 src/sys/netinet6/nd6_nbr.c
                   1.95.2.1     1.95.6.1       1.95.8.1
 src/sys/netinet6/ip6_mroute.c
                   1.103.2.1    1.103.8.1      1.103.16.1
 src/sys/netinet/ip_input.c
                   1.298.2.1    1.298.6.1      1.298.8.1
 src/sys/dist/pf/net/pf.c
                   1.68.2.1     1.68.6.1       1.68.8.1


To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r VERSION sys/net/if_mpls.c
	# cvs update -d -P -r VERSION sys/netmpls/mpls_ttl.c
	# cvs update -d -P -r VERSION sys/netinet6/nd6_nbr.c
	# cvs update -d -P -r VERSION sys/netinet6/ip6_mroute.c
	# cvs update -d -P -r VERSION sys/netinet/ip_input.c
	# cvs update -d -P -r VERSION sys/dist/pf/net/pf.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Maxime Villard for finding and fixing issues 1), 2), 3) and 4), and Lucio
Albornoz for reporting a problem that was discovered to be issue 5).


Revision History
================

	2018-04-09	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.