NetBSD Security Advisory 2020-001: Missing permissions checks for network ioctls

To: current-users%NetBSD.org@localhost
Subject: NetBSD Security Advisory 2020-001: Missing permissions checks for network ioctls
From: NetBSD Security-Officer <security-officer%netbsd.org@localhost>
Date: Tue, 21 Jan 2020 11:31:12 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2020-001
		=================================

Topic:		Missing permissions checks for network ioctls

Version:	NetBSD-current:		affected
		NetBSD 9.0_RC1:		affected
		NetBSD 8.1:		partially affected
		NetBSD 7.x:		partially affected

Severity:	Local users can crash the machine

Fixed:		NetBSD-current:		December 16, 2019
		NetBSD-9 branch:	December 17, 2019
		NetBSD-8 branch:	December 17, 2019
		NetBSD-7 branch:	December 17, 2019

Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Three network interface related ioctls that should have been only allowed
for privileged users were not adequately protected. An unprivileged user
can set network interface descriptions, get and set diagnostic data from
some atheros interfaces, and retrieve descriptor information from umb (usb
mobile network device).

Technical Details
=================

Specifically the following ioctls were missing permissions checks:

IOCTL		FUNCTION	IFACE	VERSION	HOW
- -------------------------------------------------------------------------------
SIOCGATHDIAG 	ath_ioctl	ath	*	get and set diagnostic info
SIOCSIFDESCR	ifioctl_common	*	9,CUR	set the interface description
SIOCGUMBINFO	umb_ioctl	umb	9,CUR	get descriptor info/potentially
						contains username/password
Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

To apply a fixed version from a releng build, fetch a fitting kern-GENERIC.tgz
from nyftp.netbsd.org and extract the fixed binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/latest/ARCH/binary/sets/kern-GENERIC.tgz
cd /
tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:
REL   = the release version you are using
ARCH  = your system's architecture

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
                                      
The fixed source may be obtained from the NetBSD CVS repository.        
The following instructions briefly summarise how to upgrade your        
kernel.  In these instructions, replace:

  ARCH     with your architecture (from uname -m), and                  
  KERNCONF with the name of your kernel configuration file.    

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P src/sys/dev/ic/ath.c
	# cvs update -d -P src/sys/dev/usb/if_umb.c
	# cvs update -d -P src/sys/net/if.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd 
	# shutdown -r now

For more information on how to do this, see:    

   http://www.NetBSD.org/docs/guide/en/chap-kernel.html

The patches can be obtained from NetBSD-current with the following
commands:

cvs rdiff -u -r1.128 -r1.129 src/sys/dev/ic/ath.c
cvs rdiff -u -r1.9 -r1.10 src/sys/dev/usb/if_umb.c
cvs rdiff -u -r1.465 -r1.466 src/sys/net/if.c

Thanks To
=========

Ilja Van Sprundel for reporting this vulnerability.

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2020-001.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/

Copyright 2020, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2020-001.txt.asc,v 1.1 2020/01/21 16:08:16 christos Exp $
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJeJyHcAAoJEIkmHhf170n/uDMP+gIwylZuuX0DQFIBtPI7KFnu
/C7oJJ6mzk823iSlNxhew2WBoawyUEHeOm6hDUGQfokgCZX2DCTfhXMgdbFm9Nfk
2GQpwqVyZMUlA6UxYRm0fPtywksn5+z5JarwA2SqAk/jwZKb59baf9xDOPlzXHRJ
JdzGLGC9CdRMvghlb4a/P5v+0FAEKbf0roEtEMMtDwB3JbYI0F0KRc0xqvuRP2N9
UFfgEkIh0Dgz8Np0aZQdyh513L8r6y5sWDnjuT2RmA7PWUAz64FzOYBAYSP253wG
pBkUkQ9Z8wFVN3LDuOspjMxkj8pT2SvI9iq5DHYllDAqeHY8rA4E4/EVty0KDfm8
o3uHk3PJq/ngEJ6QW8dkDfsZNS3WlRkysYuVuEZ3fcIn25GgN228/CDmS0CbZ6eI
KUn7N8DEB2zQN2HGiso0gm+/EOUxGE6F5IBCmhxG5Vynh7gaUSHjZFYLpIvPur/s
tLZALUZ4bi0T/FVYgOdGp9Wn+Dnc5aa2xsEYBn+ytpcdu/GnS2cEoIhJ+I3Bi9s6
NTUlqqSZNzanCbpAWhxQWAedVbQ4dgwHmVF/EsDy29koFiBWEJStkUlsnv8+p0xj
ypbGclNtDWBZ/cmdYysbGcHx0s8mZabDuCJvWfudLICVzHaRjoVWySo1ePqK+AVQ
FSnD8YuPaX2TlVKBO+nO
=pMa2
-----END PGP SIGNATURE-----

Prev by Date: Re: graphical console: limit resolution?
Next by Date: Re: Devices without power management support: dm0 dm1 (LVM / Device Mapper prevents ACPI Sleep State 3)
Previous by Thread: overflow in libsa dosfs, feature for efiboot (patches provided)
Next by Thread: 9.99.40: panic: kernel diagnostic assertion "ci->ci_biglock_count == 0" failed
Indexes:

Home | Main Index | Thread Index | Old Index