135 lines
4.7 KiB
Text
135 lines
4.7 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-EN-18:13.icmp Errata Notice
|
|
The FreeBSD Project
|
|
|
|
Topic: ICMP buffer underwrite
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2018-11-27
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2018-11-08 21:58:51 UTC (stable/11, 11.2-STABLE)
|
|
2018-11-27 19:43:16 UTC (releng/11.2, 11.2-RELEASE-p5)
|
|
CVE Name: CVE-2018-17156
|
|
|
|
For general information regarding FreeBSD Errata Notices and Security
|
|
Advisories, including descriptions of the fields above, security
|
|
branches, and the following sections, please visit
|
|
<URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
ICMP messages are control messages used to send error messages and
|
|
operational information.
|
|
|
|
II. Problem Description
|
|
|
|
The icmp_error routine allocates either an mbuf or a cluster depending on the
|
|
size of the data to be quoted in the ICMP reply, but the calculation failed
|
|
to account for additional padding on 64-bit platforms when using a
|
|
non-default sysctl value for net.inet.icmp.quotelen.
|
|
|
|
III. Impact
|
|
|
|
For systems that set net.inet.icmp.quotelen to a non-default value, a buffer
|
|
underwrite condition occurs.
|
|
|
|
IV. Workaround
|
|
|
|
Reset net.inet.icmp.quotelen to default value of 8 using sysctl(8):
|
|
|
|
# sysctl net.inet.icmp.quotelen=8
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your system to a supported FreeBSD stable or release / security
|
|
branch (releng) dated after the correction date.
|
|
|
|
Afterwards, reboot the system.
|
|
|
|
2) To update your system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterwards, reboot the system.
|
|
|
|
3) To update your system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.2]
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:13/icmp.patch
|
|
# fetch https://security.FreeBSD.org/patches/EN-18:13/icmp.patch.asc
|
|
# gpg --verify icmp.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r340268
|
|
releng/11.2/ r341089
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<other info on the problem>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17156>
|
|
|
|
<URL:https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:13.icmp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+FfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cKLuRAAqkua0loRn3k5N5OjGl1MFMiCX3Yg7pu7oQ0N/ZifqDOt8B8slp4+qjSO
|
|
VyH07EFrk5FTz2WKXShqWcdZAL8+dBUHQaMATBI++ORiPBE+lBjYCZ1/+wrw7ie4
|
|
bOjJ4F0d/4ijs+qkt/T0hFBPGMVbF8Xafbm29P6H0mjYPNSID64g+TQacVVUQfhN
|
|
aLXCfkXFXusbOzFT0DRY8vy+SdsV2anqo3979W4G//+ytGvvwxqy6g+8N8CphUSM
|
|
3vxCSvNxkd5o0C5EY53QbwueZ3A4nCnQQwGB2AFQnN9fDT1genIPzGjo0fQ8iY36
|
|
lQiSeEg9VVSMLRiey8ix7JlLShVCUADt3dNamSMJiNz4Vo4dAjD4tKNPDGFfKhoQ
|
|
edUEDTSBbqtN8BbW2e/hiHZSu6vQmXwgI6tKtuEcKPHZbnW/wr+XzyrwcwYBXsNA
|
|
xK1aGokHr7W0T2FTOZ9b9i4mfZLL8gfr70FBi7/INEbmQYPDylT2VCsoQO7Wox8o
|
|
uhbXRxtlwZ1ix3POlhzTotjJSou8ny2PZnBVzu/64fGbIFWS4bCk35HmRIlN4lt6
|
|
ViAGBFJprJpcitFhOX51SBEgh689LKOuVUmucO2rpXAg53XzUR1xCvC3O2uY78AU
|
|
fHp/0Gro0HeA45NY8zqQgv0VjbjTXw9mBOi2WCI9EKo+G3cYjOg=
|
|
=kqz6
|
|
-----END PGP SIGNATURE-----
|