152 lines
5.6 KiB
Text
152 lines
5.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-18:05.mem Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: Multiple small kernel memory disclosures
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2018-05-08
|
|
Credits: Ilja van Sprundel, IOActive
|
|
Vlad Tsyrklevich
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2018-04-08 20:50:16 UTC (stable/11, 11.1-STABLE)
|
|
2018-05-08 17:14:54 UTC (releng/11.1, 11.1-RELEASE-p10)
|
|
2018-04-09 12:55:09 UTC (stable/10, 10.4-STABLE)
|
|
2018-05-08 17:14:54 UTC (releng/10.4, 10.4-RELEASE-p9)
|
|
CVE Name: CVE-2018-6920, CVE-2018-6921
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
FreeBSD includes drivers for Atheros wireless interfaces, a TCP network
|
|
stack, and the ability to execute Linux binaries.
|
|
|
|
II. Problem Description
|
|
|
|
Due to insufficient initialization of memory copied to userland in the
|
|
components described above small amounts of kernel memory may be disclosed
|
|
to userland processes.
|
|
|
|
The disclosure in the Atheros wireless driver and Linux subsystem applies to
|
|
both FreeBSD 10.x and 11.x (CVE-2018-6920).
|
|
|
|
The disclosure in the TCP network stack was introduced in 11.0. As such,
|
|
only FreeBSD 11.x is affected by this issue (CVE-2018-6921).
|
|
|
|
III. Impact
|
|
|
|
A user who can access these drivers, use TCP sockets, or execute Linux
|
|
binaries may be able to read the contents of small portions of kernel memory.
|
|
|
|
Such memory might contain sensitive information, such as portions of the file
|
|
cache or terminal buffers. This information might be directly useful, or it
|
|
might be leveraged to obtain elevated privileges in some way; for example,
|
|
a terminal buffer might include a user-entered password.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.1]
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:05/mem.11.1.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:05/mem.11.1.patch.asc
|
|
# gpg --verify mem.11.1.patch.asc
|
|
|
|
[FreeBSD 10.4]
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:05/mem.10.4.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:05/mem.10.4.patch.asc
|
|
# gpg --verify mem.10.4.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r332321
|
|
releng/10.4/ r333372
|
|
stable/11/ r332303
|
|
releng/11.1/ r333372
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6920>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6921>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:05.mem.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrx3F5fFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cLEJw/+O78dItjByrV33QHG6FG99Sk2tMvYJaD5jmM7qUiV2TiumFz4n8a3IjDe
|
|
kEmH68jkHxkSvWHvpOKMYx/CzzGG1UkMQvrFseGO6d/azZMqY4V3WqXeKcD6lwLI
|
|
qggFdIBDr2ltGQ19jLuD8ucfuyC8DurdhiEzn1s7e2YjpPaCgNSc9kHf/+Ez/MBu
|
|
v9ozlq/uS9+tLWHCoY6r4WFXWBrT96LFs9O+5TMVXZ+1ZuIvj4/2y+7HtgJalt85
|
|
5+bce0+qFdmk/gpcw7SQOZ1ngeXPWi9fDOv7LR+YkDaHcpJP9sXp9Ej2Tro97CMK
|
|
oQ0QGiJ+h1iGuYIw76chchZ5mK+UEVSbdxK70fpPC1zi+g8l0smVSpOs8oNFGX0m
|
|
F0pHhIz3LwMMDyZgJsEMUIkBF7nbKS8Mc+noq9DOaOjZjb0yyBFbc8s82LIdbOhO
|
|
IIJftNF1NSlH4tKJtFdet/TrxHX/UZ0xp52SHev+U3c3gXaoP4EUHQ71R/lnlyJc
|
|
R+H6G/xZjcsNrklKgJJMV+5znKbjDaqavaaAxo17eRqLG/M4ZIac3xzqJUyeuUPY
|
|
RnErPTRQzGL4C9CldxjIfI+iY3f2uTsNclzonV98kcLxbRdMsNIybUV6mNBYVmlx
|
|
4A6IN3zP1+bsbjOdZMhpAUIjsflj/KzdF/f4/BjoCgBv3O030ec=
|
|
=jxlW
|
|
-----END PGP SIGNATURE-----
|