146 lines
5.8 KiB
Text
146 lines
5.8 KiB
Text
|
-----BEGIN PGP SIGNED MESSAGE-----
|
||
|
Hash: SHA512
|
||
|
|
||
|
=============================================================================
|
||
|
FreeBSD-SA-20:13.libalias Security Advisory
|
||
|
The FreeBSD Project
|
||
|
|
||
|
Topic: Memory disclosure vulnerability in libalias
|
||
|
|
||
|
Category: core
|
||
|
Module: libalias
|
||
|
Announced: 2020-05-12
|
||
|
Credits: Vishnu Dev TJ working with Trend Micro Zero Day Initiative
|
||
|
Affects: All supported versions of FreeBSD
|
||
|
Corrected: 2020-05-12 16:52:08 UTC (stable/12, 12.1-STABLE)
|
||
|
2020-05-12 16:54:39 UTC (releng/12.1, 12.1-RELEASE-p5)
|
||
|
2020-05-12 16:52:08 UTC (stable/11, 11.4-STABLE)
|
||
|
2020-05-12 16:54:39 UTC (releng/11.4, 11.4-BETA1-p1)
|
||
|
2020-05-12 16:54:39 UTC (releng/11.3, 11.3-RELEASE-p9)
|
||
|
CVE Name: CVE-2020-7455
|
||
|
|
||
|
For general information regarding FreeBSD Security Advisories,
|
||
|
including descriptions of the fields above, security branches, and the
|
||
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
||
|
|
||
|
I. Background
|
||
|
|
||
|
The ipfw(4) system facility allows IP packet filtering, redirecting, and
|
||
|
traffic accounting. The ipfw(4) packet filter also contains two different
|
||
|
methods of accomplishing network address translation (NAT): in-kernel and
|
||
|
userspace. Both implementations use the same functions provided by libalias.
|
||
|
|
||
|
The libalias(3) library is a collection of functions for aliasing and
|
||
|
dealiasing of IP packets, intended for masquerading and NAT. Additionally,
|
||
|
libalias(3) includes modules to support protocols that require additional
|
||
|
logic to support address translation.
|
||
|
|
||
|
Note: libalias(3) is not used by either the pf(4) or ipf(4) firewalls.
|
||
|
|
||
|
II. Problem Description
|
||
|
|
||
|
The FTP packet handler in libalias incorrectly calculates some packet
|
||
|
lengths. This may result in disclosing small amounts of memory from the
|
||
|
kernel (for the in-kernel NAT implementation) or from the process space for
|
||
|
natd (for the userspace implementation).
|
||
|
|
||
|
III. Impact
|
||
|
|
||
|
A malicious attacker could send specially constructed packets that exploit the
|
||
|
erroneous calculation allowing the attacker to disclose small amount of memory
|
||
|
either from the kernel (for the in-kernel NAT implementation) or from the
|
||
|
process space for natd (for the userspace implementation).
|
||
|
|
||
|
IV. Workaround
|
||
|
|
||
|
No workaround is available. Only systems using NAT and ipfw together are
|
||
|
affected. Systems using ipfw without NAT, or systems leveraging pf(4) or
|
||
|
ipf(4) are not affected.
|
||
|
|
||
|
V. Solution
|
||
|
|
||
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
||
|
release / security branch (releng) dated after the correction date,
|
||
|
and reboot.
|
||
|
|
||
|
Perform one of the following:
|
||
|
|
||
|
1) To update your vulnerable system via a binary patch:
|
||
|
|
||
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||
|
platforms can be updated via the freebsd-update(8) utility:
|
||
|
|
||
|
# freebsd-update fetch
|
||
|
# freebsd-update install
|
||
|
# shutdown -r +10min "Rebooting for a security update"
|
||
|
|
||
|
2) To update your vulnerable system via a source code patch:
|
||
|
|
||
|
The following patches have been verified to apply to the applicable
|
||
|
FreeBSD release branches.
|
||
|
|
||
|
a) Download the relevant patch from the location below, and verify the
|
||
|
detached PGP signature using your PGP utility.
|
||
|
|
||
|
# fetch https://security.FreeBSD.org/patches/SA-20:13/libalias.patch
|
||
|
# fetch https://security.FreeBSD.org/patches/SA-20:13/libalias.patch.asc
|
||
|
# gpg --verify libalias.patch.asc
|
||
|
|
||
|
b) Apply the patch. Execute the following commands as root:
|
||
|
|
||
|
# cd /usr/src
|
||
|
# patch < /path/to/patch
|
||
|
|
||
|
c) Recompile your kernel as described in
|
||
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
||
|
system.
|
||
|
|
||
|
VI. Correction details
|
||
|
|
||
|
The following list contains the correction revision numbers for each
|
||
|
affected branch.
|
||
|
|
||
|
Branch/path Revision
|
||
|
- -------------------------------------------------------------------------
|
||
|
stable/12/ r360973
|
||
|
releng/12.1/ r360974
|
||
|
stable/11/ r360973
|
||
|
releng/11.4/ r360974
|
||
|
releng/11.3/ r360974
|
||
|
- -------------------------------------------------------------------------
|
||
|
|
||
|
To see which files were modified by a particular revision, run the
|
||
|
following command, replacing NNNNNN with the revision number, on a
|
||
|
machine with Subversion installed:
|
||
|
|
||
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||
|
|
||
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
||
|
|
||
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||
|
|
||
|
VII. References
|
||
|
|
||
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7455>
|
||
|
|
||
|
The latest revision of this advisory is available at
|
||
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:13.libalias.asc>
|
||
|
-----BEGIN PGP SIGNATURE-----
|
||
|
|
||
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl663tdfFIAAAAAALgAo
|
||
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
||
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
||
|
5cK3hhAAlkHMjDluGni1AaDicw5jZuyrdGLEMfgH2OdxcrTQvrBN6ZEkfLsiFvLV
|
||
|
KWgUS+rx3GJApz4rZ6DFwsb+DG+kMCwYGevbT5zH5IUwe1HklyMLmjw48z47DVhx
|
||
|
8tpjCKNb4ttqBzb6RMURoJgo+2NAUQOZLnFGLSGOkquqeW9AhA97ZIGv7TyOPC1p
|
||
|
rJD/ic1IxTUXniNu4soexsRqVoMqv1nA1DLrN4TTooFVCQTHaBUBxSTFlaAsBXyb
|
||
|
7L5GIEydZ2429spQACnFGW4RDveOGB/6Jbt2yHEuu+ASOrwl9sRSu79PYijcz28v
|
||
|
yXjI0zG4A+78qmeCMbGHIySrLjc8XaWgr13Kp4S+40MWQhoGHJ2ZZVdLX010WTvm
|
||
|
nbGs9NQ60sytxdJn1QRTleiBIKjJiVqNEADfS4DhXa/0HouN3L8dVR/+jPfLMFmT
|
||
|
/7GZjhdbn4u0a1ZlgUZ62oHoo8NLop49KY4LHtHd7VpJZ8OfK0qkCN0DL4Ep+Wrg
|
||
|
oZWJL5HGhFOEA4TDYuypJ58yIPsTDVa9MuLMx/SBF30jVZcS1LtbiMXXuZs6clig
|
||
|
oOk4ZE0hpSRdA69xgX459kcTjU6XVJRnTPWyepG3sNljktwk8jyfwKHXOUpJONos
|
||
|
0jWu0ngj60djS8qCrxdkMn3t26fk0IhbA4leBEM+wAKmWsARt/M=
|
||
|
=woOx
|
||
|
-----END PGP SIGNATURE-----
|