From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Thu, 2 Oct 2008 00:39:20 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:10.nd6                                        Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 Neighbor Discovery Protocol routing vulnerability

Category:       core
Module:         sys_netinet6
Announced:      2008-10-01
Credits:        David Miles
Affects:        All supported versions of FreeBSD.
Corrected:      2008-10-01 00:32:59 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-10-01 00:32:59 UTC (RELENG_7_0, 7.0-RELEASE-p5)
                2008-10-01 00:32:59 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-10-01 00:32:59 UTC (RELENG_6_3, 6.3-RELEASE-p5)
CVE Name:       CVE-2008-2476

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 nodes use the Neighbor Discovery protocol to determine the
link-layer address of other nodes, find routers, and maintain
reachability information. The Neighbor Discovery protocol uses Neighbor
Solicitation (ICMPv6 type 135) to query target nodes for their
link-layer addresses.

II.  Problem Description

IPv6 routers may allow "on-link" IPv6 nodes to create and update the
router's neighbor cache and forwarding information. A malicious IPv6
node sharing a common router but on a different physical segment from
another node may be able to spoof Neighbor Discovery messages, allowing
it to update router information for the victim node.

III. Impact

An attacker on a different physical network connected to the same IPv6
router as another node could redirect IPv6 traffic intended for that
node. This could lead to denial of service or improper access to
private network traffic.

IV.  Workaround

Firewall packet filters can be used to filter incoming Neighbor
Solicitation messages but may interfere with normal IPv6 operation if
not configured carefully.

Reverse path forwarding checks could be used to make gateways, such as
routers or firewalls, drop Neighbor Solicitation messages from nodes
with unexpected source addresses on a particular interface.

IPv6 router administrators are encouraged to read RFC 3756 for further
discussion of Neighbor Discovery security implications.

V.   Solution

NOTE WELL: The solution described below causes IPv6 Neighbor Discovery
Neighbor Solicitation messages from non-neighbors to be ignored.
This can be re-enabled if required by setting the newly added
net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch.asc

[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/netinet6/in6.h                                        1.36.2.10
  src/sys/netinet6/in6_proto.c                                  1.32.2.10
  src/sys/netinet6/nd6.h                                         1.19.2.4
  src/sys/netinet6/nd6_nbr.c                                    1.29.2.11
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.10
  src/sys/conf/newvers.sh                                   1.69.2.15.2.9
  src/sys/netinet6/in6.h                                     1.36.2.8.2.1
  src/sys/netinet6/in6_proto.c                               1.32.2.8.2.1
  src/sys/netinet6/nd6.h                                     1.19.2.2.6.1
  src/sys/netinet6/nd6_nbr.c                                 1.29.2.9.2.1
RELENG_7
  src/sys/netinet6/in6.h                                         1.51.2.2
  src/sys/netinet6/in6_proto.c                                   1.46.2.3
  src/sys/netinet6/nd6.h                                         1.21.2.2
  src/sys/netinet6/nd6_nbr.c                                     1.47.2.3
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.9
  src/sys/conf/newvers.sh                                    1.72.2.5.2.9
  src/sys/netinet6/in6.h                                         1.51.4.1
  src/sys/netinet6/in6_proto.c                                   1.46.4.1
  src/sys/netinet6/nd6.h                                         1.21.4.1
  src/sys/netinet6/nd6_nbr.c                                     1.47.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476
http://www.kb.cert.org/vuls/id/472363

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:10.nd6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkjkF2cACgkQFdaIBMps37KWWgCZAfug94zPIdkzW0tdIdSDzH/0
j18AnjypvJrRtzeQqhJkRU9wQWozgWvj
=ieTi
-----END PGP SIGNATURE-----


From: Ian Smith
To: freebsd-security@freebsd.org
Date: Thu, 2 Oct 2008 16:33:23 +1000 (EST)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6

On Thu, 2 Oct 2008, FreeBSD Security Advisories wrote:

[..]

> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476

While this link works, the first link on that page, 'Learn more at
National Vulnerability Database (NVD)' to
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2476 does not, saying it's
not in the right format of CVE-XXX-XXXX ?

> http://www.kb.cert.org/vuls/id/472363

This link doesn't work, and neither does searching for '472363' there?

Or at least, not from here :)

cheers, Ian


From: Robert Watson
To: Attila Nagy
Cc: freebsd-security@freebsd.org
Date: Thu, 2 Oct 2008 13:19:11 +0100 (BST)
Subject: Re: Missing /dev/auditpipe

On Thu, 25 Sep 2008, Attila Nagy wrote:

> Running RELENG_7 (and HEAD too), and I can't find the auditpipe device. Is
> there anything which should be set in order to make it useable?
>
> auditd runs and logs to /var/audit, which I can read with praudit.

(Following up to the list because Attila and I exchanged e-mail offline)

The problem here was that /dev/auditpipe is cloning, so it doesn't
exist until you try to open it. In FreeBSD 8.x, and possibly 7.2, we're
moving to the new per-cdev private data so that /dev/auditpipe will
always exist supporting multiple sessions, and there won't be a series
of dynamically created devices, but that's not ready to hit a release
yet.

Robert N M Watson
Computer Laboratory
University of Cambridge


From: "Bjoern A. Zeeb"
To: Ian Smith
Cc: freebsd-security@freebsd.org
Date: Thu, 2 Oct 2008 17:34:41 +0000 (UTC)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6

On Thu, 2 Oct 2008, Ian Smith wrote:

> > http://www.kb.cert.org/vuls/id/472363
>
> This link doesn't work, and neither does searching for '472363' there?
>
> Or at least, not from here :)

It's been working for a few hours now. Time difference in continents
and coasts and all that...

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.


From: Ian Smith
To: "Bjoern A. Zeeb"
Cc: freebsd-security@freebsd.org
Date: Fri, 3 Oct 2008 08:55:56 +1000 (EST)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6

On Thu, 2 Oct 2008, Bjoern A. Zeeb wrote:

> On Thu, 2 Oct 2008, Ian Smith wrote:
>
> > > http://www.kb.cert.org/vuls/id/472363
> >
> > This link doesn't work, and neither does searching for '472363' there?
> >
> > Or at least, not from here :)
>
> It's been working for a few hours now. Time difference in continents
> and coasts and all that...

Thanks. Glad to see our SA was out ahead of the game ..

Now to read this another 3 times to try making more sense of it:
http://www.potaroo.net/ispcol/2008-08/ipv6addr.html

cheers, Ian
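

The Solution section of FreeBSD-SA-08:10.nd6 earlier in this thread says Neighbor Solicitations from non-neighbors are now ignored unless net.inet6.icmp6.nd6_onlink_ns_rfc4861 is non-zero; the user-space C model below shows that decision. It is an added example, not part of the thread and not the FreeBSD kernel patch: ns_source_accepted, onlink_prefix and the 2001:db8 sample prefix are hypothetical, and treating link-local sources as on-link is this model's assumption.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>

/* A prefix configured as on-link on the receiving interface. */
struct onlink_prefix { const char *addr; int plen; };

/* Constructed sample: the router interface owns 2001:db8:a::/64 only. */
const struct onlink_prefix sample_prefixes[] = { { "2001:db8:a::", 64 } };

/* Return 1 if the first plen bits of a and b are identical. */
static int prefix_match(const struct in6_addr *a, const struct in6_addr *b,
                        int plen)
{
    int full = plen / 8, rem = plen % 8;

    if (memcmp(a->s6_addr, b->s6_addr, (size_t)full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    unsigned char mask = (unsigned char)(0xff << (8 - rem));
    return ((a->s6_addr[full] ^ b->s6_addr[full]) & mask) == 0;
}

/*
 * Hypothetical helper: 1 = process the NS, 0 = ignore it, -1 = bad input.
 * rfc4861_compat follows the sense of the advisory's sysctl: non-zero
 * restores acceptance of solicitations from non-neighbors.
 */
int ns_source_accepted(const char *src_txt, const struct onlink_prefix *pfx,
                       size_t npfx, int rfc4861_compat)
{
    struct in6_addr src, p;

    if (inet_pton(AF_INET6, src_txt, &src) != 1)
        return -1;
    if (rfc4861_compat || IN6_IS_ADDR_UNSPECIFIED(&src)) /* "::" = DAD probe */
        return 1;
    if (IN6_IS_ADDR_LINKLOCAL(&src)) /* assumption: fe80::/10 is on-link */
        return 1;
    for (size_t i = 0; i < npfx; i++) {
        if (pfx[i].plen < 0 || pfx[i].plen > 128 ||
            inet_pton(AF_INET6, pfx[i].addr, &p) != 1)
            return -1;
        if (prefix_match(&src, &p, pfx[i].plen))
            return 1;
    }
    return 0; /* source is not a neighbor on this interface */
}
```

A global source outside every prefix on the receiving interface is the case the advisory's Problem Description is about: with the compatibility flag at zero it yields 0, and with the flag non-zero the same solicitation is processed again.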