138 lines
5.1 KiB
Text
138 lines
5.1 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-20:14.sctp Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Improper checking in SCTP-AUTH shared key update
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2020-05-12
|
|
Credits: da_cheng_shao@yeah.net
|
|
Affects: FreeBSD 11.3
|
|
Corrected: 2019-09-19 10:01:19 UTC (stable/12, 12.1-STABLE)
|
|
2019-09-19 10:06:18 UTC (stable/11, 11.3-STABLE)
|
|
2020-05-12 16:55:32 UTC (releng/11.3, 11.3-RELEASE-p9)
|
|
CVE Name: CVE-2019-15878
|
|
|
|
Note: The upcoming release of FreeBSD 11.4 was branched after the original
|
|
commit to the stable branch and already includes the fix for this advisory.
|
|
Similarly, the 12.1 branch was created shortly after the original commit to
|
|
the stable branch and already includes the fix.
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The Stream Control Transmission Protocol (SCTP) is a transport protocol
|
|
supporting the socket API. An SCTP packet consists of an SCTP common header
|
|
and a number of SCTP chunks.
|
|
|
|
The SCTP extension SCTP-AUTH can be used to authenticate SCTP chunks. It
|
|
uses shared keys which can be managed via the socket API by the application
|
|
using an SCTP association.
|
|
|
|
II. Problem Description
|
|
|
|
The SCTP layer does improper checking when an application tries to update
|
|
a shared key. Therefore an unprivileged local user can trigger a use-after-
|
|
free situation, for example by specific sequences of updating shared keys and
|
|
closing the SCTP association.
|
|
|
|
III. Impact
|
|
|
|
Triggering the use-after-free situation may result in unintended kernel
|
|
behaviour including a kernel panic.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date,
|
|
and reboot.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Rebooting for a security update"
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:14/sctp.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:14/sctp.patch.asc
|
|
# gpg --verify sctp.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r352509
|
|
stable/11/ r352509
|
|
releng/11.3/ r360975
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15878>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:14.sctp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl666WdfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cL7Gg/9GUkrcdpj9hxsSNTdjc4hnnyeMYAtkonQiak6BwrQQ5VgYMTbFDL3iw6b
|
|
4v4W8p/pANfeh8nk7h5Agfe39vUe3TuxFEuRn5aCOO/XuYfPYybhq74HrKTz61Iy
|
|
LLmeExi+6nsWSIIJZVf1S2cyEc0qOV0fW1rE7Q9KQRSmbQF3i0HhUhPT0b8l/qJ9
|
|
tfVtkG3VYjWYF5HeV5WE1PyC0Y8pbrUNmZjbe7FxMilqMJ857eXcQqugrdqflri1
|
|
pJ5n8vHWy6OwNg8GVefb3Ht77dFBPlj2Kt02bjrA/ctLThBWPbtYgR+7S263TOnY
|
|
tjeil+VkgOeeFcZLynbvGThE8/e/sl/G72JD7VtsEooVg+tfkIh83rJNCVaWxiEO
|
|
u0+y+CmBpeD4ZZidOlqXr40WzpAtWTtnYCOn9eDJk3mn795B/GHpSPcH7RR57jr9
|
|
yU5lt0vCjktJY4in5VgTbikqD1369t0qZfLRPT84f1tC4AMTvpjG+AcGhwJfmFZL
|
|
xQht9oXMWiW28J/Vt/AH5yFFGqEyJMNPl6zvqXSfgsKiMKka+5/FzeP1nFzlYEwG
|
|
6ygMm333Ur28l+eQ24nL1XpD8ydWXLnfF6N+onyIdH4c9rQ73omnvINmMBTJqEHC
|
|
NOEJpmOdUFlX2ugzEqPxrVbGlH9s1I/+veuz+uYnGc3Q1Rtvl4c=
|
|
=h/Gp
|
|
-----END PGP SIGNATURE-----
|