139 lines
5.1 KiB
Text
139 lines
5.1 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-18:13.nfs Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Multiple vulnerabilities in NFS server code
|
|
|
|
Category: core
|
|
Module: nfs
|
|
Announced: 2018-11-27
|
|
Credits: Jakub Jirasek, Secunia Research at Flexera
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
|
|
2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
|
|
CVE Name: CVE-2018-17157, CVE-2018-17158, CVE-2018-17159
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The Network File System (NFS) allows a host to export some or all of its file
|
|
systems so that other hosts can access them over the network and mount them
|
|
as if they were local. FreeBSD includes both server and client
|
|
implementations of NFS.
|
|
|
|
II. Problem Description
|
|
|
|
Insufficient and improper checking in the NFS server code could cause a
|
|
denial of service or possibly remote code execution via a specially crafted
|
|
network packet.
|
|
|
|
III. Impact
|
|
|
|
A remote attacker could cause the NFS server to crash, resulting in a denial
|
|
of service, or possibly execute arbitrary code on the server.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems that do not provide NFS services are
|
|
not vulnerable.
|
|
|
|
Additionally, it is highly recommended the NFS service port (default port
|
|
number 2049) is protected via a host or network based firewall to prevent
|
|
arbitrary, untrusted clients from being able to connect.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.2]
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
|
|
# gpg --verify nfs.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r340854
|
|
releng/11.2/ r341088
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157>
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158>
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n85fFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cKJEg//Umbe1QOUgV0Z6EsdlQffNMo9MHbAz75vCqeaibI36Ng9vmkLKGlS6nCA
|
|
5mKFS+BvM5CkekBaiQ6BR8t0xWsrFwX6JCUayQ2FsCSo4rwCZms3AIbvt68vjQAm
|
|
xWuQIMJzYku5+kALtcXXvVkLhMCaioVDpZmuPCO+rY79OVM4xP1MsnTfqEZSNo+n
|
|
Cz2urH4eO60YsM8w05coQ3hnOsUjTCk8yCh3+R/uYK1VouLDgD8q96T1eG2ozny6
|
|
vwEMK3AjmcpvFkTIF3/2I6TTA5K+Zd+nqzhzPM5HjbLZmdQV02NHcoGaZrK1wsQw
|
|
D+3wf8icBMfLt9rTUbEqVdvg5FRDkTo8/dH1wY85gWZ2wsSgCqI2wRuqBH4bp3bb
|
|
Gcf2+D4vgX6YY5cZ/wFDcYWpghhrmXUbgnH7PnyVfYB0Ufta9utgMOQKMS0mUWwM
|
|
DlHP+fL/A8lhPvXIhl1DtSa/TQAiAdMG1JwktzThKrUzjL8bntmjoqtr1Xcp2txJ
|
|
hgALulqz9nzkHaHcEolgk5xFTvx4gCzhjII7XEU3/rLNPPlJK3Pfo0UvPLAUkdLj
|
|
McnKqOyQ6uSl8/lNuVsd3JCZ3dlsES7VmdEu0YJ4goc/6/AB8KXnSqzheT7Cjn1p
|
|
lGzbFYmXosUj9NEQl/SOg6O8LnRrJIw4Tbm9vfkDss1G+sjUdaA=
|
|
=m/Lh
|
|
-----END PGP SIGNATURE-----
|