Security-Announce archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2020-001: Missing permissions checks for network ioctls
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2020-001
=================================
Topic: Missing permissions checks for network ioctls
Version: NetBSD-current: affected
NetBSD 9.0_RC1: affected
NetBSD 8.1: partially affected
NetBSD 7.x: partially affected
Severity: Local users can crash the machine
Fixed: NetBSD-current: December 16, 2019
NetBSD-9 branch: December 17, 2019
NetBSD-8 branch: December 17, 2019
NetBSD-7 branch: December 17, 2019
Please note that NetBSD releases prior to 7.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
Three network interface related ioctls that should have been only allowed
for privileged users were not adequately protected. An unprivileged user
can set network interface descriptions, get and set diagnostic data from
some atheros interfaces, and retrieve descriptor information from umb (usb
mobile network device).
Technical Details
=================
Specifically the following ioctls were missing permissions checks:
IOCTL FUNCTION IFACE VERSION HOW
- -------------------------------------------------------------------------------
SIOCGATHDIAG ath_ioctl ath * get and set diagnostic info
SIOCSIFDESCR ifioctl_common * 9,CUR set the interface description
SIOCGUMBINFO umb_ioctl umb 9,CUR get descriptor info/potentially
contains username/password
Solutions and Workarounds
=========================
Update the kernel to a fixed version and reboot.
To apply a fixed version from a releng build, fetch a fitting kern-GENERIC.tgz
from nyftp.netbsd.org and extract the fixed binaries:
cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/latest/ARCH/binary/sets/kern-GENERIC.tgz
cd /
tar xzpf /var/tmp/kern-GENERIC.tgz
with the following replacements:
REL = the release version you are using
ARCH = your system's architecture
The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version.
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P src/sys/dev/ic/ath.c
# cvs update -d -P src/sys/dev/usb/if_umb.c
# cvs update -d -P src/sys/net/if.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
http://www.NetBSD.org/docs/guide/en/chap-kernel.html
The patches can be obtained from NetBSD-current with the following
commands:
cvs rdiff -u -r1.128 -r1.129 src/sys/dev/ic/ath.c
cvs rdiff -u -r1.9 -r1.10 src/sys/dev/usb/if_umb.c
cvs rdiff -u -r1.465 -r1.466 src/sys/net/if.c
Thanks To
=========
Ilja Van Sprundel for reporting this vulnerability.
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2020-001.txt.asc
Information about NetBSD and NetBSD security can be found at
https://www.NetBSD.org/
https://www.NetBSD.org/Security/
Copyright 2020, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2020-001.txt.asc,v 1.1 2020/01/21 16:08:16 christos Exp $
-----BEGIN PGP SIGNATURE-----
iQIcBAEBAgAGBQJeJyHcAAoJEIkmHhf170n/uDMP+gIwylZuuX0DQFIBtPI7KFnu
/C7oJJ6mzk823iSlNxhew2WBoawyUEHeOm6hDUGQfokgCZX2DCTfhXMgdbFm9Nfk
2GQpwqVyZMUlA6UxYRm0fPtywksn5+z5JarwA2SqAk/jwZKb59baf9xDOPlzXHRJ
JdzGLGC9CdRMvghlb4a/P5v+0FAEKbf0roEtEMMtDwB3JbYI0F0KRc0xqvuRP2N9
UFfgEkIh0Dgz8Np0aZQdyh513L8r6y5sWDnjuT2RmA7PWUAz64FzOYBAYSP253wG
pBkUkQ9Z8wFVN3LDuOspjMxkj8pT2SvI9iq5DHYllDAqeHY8rA4E4/EVty0KDfm8
o3uHk3PJq/ngEJ6QW8dkDfsZNS3WlRkysYuVuEZ3fcIn25GgN228/CDmS0CbZ6eI
KUn7N8DEB2zQN2HGiso0gm+/EOUxGE6F5IBCmhxG5Vynh7gaUSHjZFYLpIvPur/s
tLZALUZ4bi0T/FVYgOdGp9Wn+Dnc5aa2xsEYBn+ytpcdu/GnS2cEoIhJ+I3Bi9s6
NTUlqqSZNzanCbpAWhxQWAedVbQ4dgwHmVF/EsDy29koFiBWEJStkUlsnv8+p0xj
ypbGclNtDWBZ/cmdYysbGcHx0s8mZabDuCJvWfudLICVzHaRjoVWySo1ePqK+AVQ
FSnD8YuPaX2TlVKBO+nO
=pMa2
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index