Date:      Mon, 29 Apr 2013 20:53:58 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r41519 - in head/share: security/advisories security/patches/SA-13:05 xml
Message-ID:  <201304292053.r3TKrwJQ081502@svn.freebsd.org>

Author: des
Date: Mon Apr 29 20:53:58 2013
New Revision: 41519
URL: http://svnweb.freebsd.org/changeset/doc/41519

Log:
  Fix a bug that allows NFS clients to issue READDIR on files.
  
  PR:		kern/178016
  Security:	CVE-2013-3266
  Security:	FreeBSD-SA-13:05.nfsserver
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc   (contents, props changed)
  head/share/security/patches/SA-13:05/
  head/share/security/patches/SA-13:05/nfsserver.patch   (contents, props changed)
  head/share/security/patches/SA-13:05/nfsserver.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc	Mon Apr 29 20:53:58 2013	(r41519)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:05.nfsserver                                  Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Insufficient input validation in the NFS server
+
+Category:       core
+Module:         nfsserver
+Announced:      2013-04-29
+Credits:        Adam Nowacki
+Affects:        All supported versions of FreeBSD.
+Corrected:      2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
+                2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
+                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
+                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
+                2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
+                2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
+CVE Name:       CVE-2013-3266
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The Network File System (NFS) allows a host to export some or all of its
+file systems so that other hosts can access them over the network and mount
+them as if they were on local disks.  FreeBSD includes server and client
+implementations of NFS.
+
+FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
+NFSv2 and NFSv3 implementation and a new implementation which also
+supports NFSv4.
+
+FreeBSD 9.0 and onward uses the new NFS implementation by default.
+
+II.  Problem Description
+
+When processing READDIR requests, the NFS server does not check that
+it is in fact operating on a directory node.  An attacker can use a
+specially modified NFS client to submit a READDIR request on a file,
+causing the underlying filesystem to interpret that file as a
+directory.
+
+III. Impact
+
+The exact consequences of an attack depend on the amount of input
+validation in the underlying filesystem:
+
+ - If the file resides on a UFS filesystem on a little-endian server,
+   an attacker can cause random heap corruption with completely
+   unpredictable consequences.
+
+ - If the file resides on a ZFS filesystem, an attacker can write
+   arbitrary data on the stack.  It is believed, but has not been
+   confirmed, that this can be exploited to run arbitrary code in
+   kernel context.
+
+Other filesystems may also be vulnerable.
+
+IV.  Workaround
+
+Systems that do not provide NFS service are not vulnerable.  Neither
+are systems that do but use the old NFS implementation, which is the
+default in FreeBSD 8.x.
+
+To determine which implementation an NFS server is running, run the
+following command:
+
+# kldstat -v | grep -cw nfsd
+
+This will print 1 if the system is running the new NFS implementation,
+and 0 otherwise.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
+# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
+# gpg --verify nfsserver.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r250058
+releng/8.3/                                                       r250059
+releng/8.4/                                                       r250062
+stable/9/                                                         r250060
+releng/9.1/                                                       r250061
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc
+-----BEGIN PGP SIGNATURE-----
+
+iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q
+9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ
+=polM
+-----END PGP SIGNATURE-----
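Review bot: the patch URLs in section V step 2a (`# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch` and the matching `.asc` line) point at `SA-03:15`, but this advisory is SA-13:05 and the files are committed under head/share/security/patches/SA-13:05/; both fetch lines should read `.../patches/SA-13:05/nfsserver.patch` and `.../patches/SA-13:05/nfsserver.patch.asc`, otherwise readers following the instructions will fetch nothing (or the wrong advisory's patch). Because the advisory is a PGP-signed message, the correction needs a re-signed text rather than an in-place edit of the committed copy. Separately, the Corrected field lists releng/8.4 twice (8.4-RC1-p1 and 8.4-RC2-p1, both at 20:16:25 UTC) while section VI gives a single revision r250062 for releng/8.4; worth confirming both entries are intended rather than a copy-paste leftover.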

Added: head/share/security/patches/SA-13:05/nfsserver.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-13:05/nfsserver.patch	Mon Apr 29 20:53:58 2013	(r41519)
@@ -0,0 +1,13 @@
+Index: sys/fs/nfsserver/nfs_nfsdport.c
+===================================================================
+--- sys/fs/nfsserver/nfs_nfsdport.c	(revision 249651)
++++ sys/fs/nfsserver/nfs_nfsdport.c	(working copy)
+@@ -1568,6 +1568,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd, int isdg
+ 			nd->nd_repstat = NFSERR_BAD_COOKIE;
+ #endif
+ 	}
++	if (!nd->nd_repstat && vp->v_type != VDIR)
++		nd->nd_repstat = NFSERR_NOTDIR;
+ 	if (nd->nd_repstat == 0 && cnt == 0) {
+ 		if (nd->nd_flag & ND_NFSV2)
+ 			/* NFSv2 does not have NFSERR_TOOSMALL */
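Review bot: the added check `if (!nd->nd_repstat && vp->v_type != VDIR)` / `nd->nd_repstat = NFSERR_NOTDIR;` in nfsrvd_readdir() sits after the cookie-verification block rather than before it, so a request with a bad cookie against a non-directory is reported as NFSERR_BAD_COOKIE instead of NFSERR_NOTDIR; either way nd_repstat is non-zero before the directory read, which is what the fix needs, but placing the type check first would give the more accurate error. The hunk shows only eight lines of the function, so it cannot be confirmed from this patch alone that every later path tests nd_repstat before calling into the filesystem; that should be verified against the full function on each branch the advisory lists. The patch touches only sys/fs/nfsserver/ (the new NFS implementation), which is consistent with the advisory's statement that the old implementation is not affected, and the Index header is against revision 249651 with a "working copy" target; it would help readers to note the revisions the patch was verified against on the stable/8 and releng branches.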

Added: head/share/security/patches/SA-13:05/nfsserver.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-13:05/nfsserver.patch.asc	Mon Apr 29 20:53:58 2013	(r41519)
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iEYEABECAAYFAlF+1+sACgkQFdaIBMps37J22ACeM6TTZjh94AhbnwqTaCfcMjnO
+F74AnAiX1rUC1Zvo3XU42efklaBo6F1g
+=yQwz
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Mon Apr 29 16:02:00 2013	(r41518)
+++ head/share/xml/advisories.xml	Mon Apr 29 20:53:58 2013	(r41519)
@@ -14,6 +14,14 @@
 	<name>2</name>
 
 	<advisory>
+	  <name>FreeBSD-SA-13:05.bind</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-13:04.bind</name>
+	</advisory>
+
+	<advisory>
 	  <name>FreeBSD-SA-13:04.bind</name>
 	</advisory>
 
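Review bot: the entry added to advisories.xml is named `FreeBSD-SA-13:05.bind`, but the advisory committed in this revision is FreeBSD-SA-13:05.nfsserver (no SA-13:05.bind exists in this commit), so the new `<name>` should be `FreeBSD-SA-13:05.nfsserver`. The hunk also inserts a second `<advisory>` block for `FreeBSD-SA-13:04.bind` directly above the existing one visible in the context lines, which produces a duplicate entry in the advisory index; drop the added duplicate so that only the single new SA-13:05 entry is inserted.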