From owner-freebsd-security-notifications@freebsd.org Tue Aug 25 21:27:49 2015 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BBBFF9C24DB for ; Tue, 25 Aug 2015 21:27:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id B1C547E7; Tue, 25 Aug 2015 21:27:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id ADE9216BE; Tue, 25 Aug 2015 21:27:49 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:21.amd64 Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20150825212749.ADE9216BE@freefall.freebsd.org> Date: Tue, 25 Aug 2015 21:27:49 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Aug 2015 21:27:49 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:21.amd64 Security Advisory The FreeBSD Project Topic: Local privilege escalation in IRET handler Category: core Module: sys_amd64 Announced: 2015-08-25 Credits: Konstantin Belousov, Andrew Lutomirski Affects: FreeBSD 9.3 and FreeBSD 10.1 Corrected: 2015-03-31 00:59:30 UTC (stable/10, 10.1-STABLE) 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19) 2015-03-31 01:08:51 UTC (stable/9, 9.3-STABLE) 2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24) CVE Name: CVE-2015-5675 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel CPU's. The GS segment CPU register is used by both user processes and the kernel to conveniently access state data: 32-bit user processes use the register to manage per-thread data, while the kernel uses it to access per-processor data. The return from interrupt (IRET) instruction returns program control from an interrupt handler to the interrupted context. II. Problem Description If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler. III. Impact By causing an IRET with #SS or #NP exceptions, a local attacker can cause the kernel to use an arbitrary GS base, which may allow escalated privileges or panic the system. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install And reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch # fetch https://security.FreeBSD.org/patches/SA-15:21/amd64.patch.asc # gpg --verify amd64.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r280877 releng/9.3/ r287147 stable/10/ r280875 releng/10.1/ r287146 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.7 (FreeBSD) iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rn5ncQANs2pS8xCowX+BM9LmKTUb2Y eqGCvDetXV51/ljAOS10ubc4U0Zn2D5ACyz/DfiLIXVK8vkvlnJXFh3jSK6KIqPH ionXa8zMedBoytZL8xIEFSpk9+cYGkGupIYEGu6CCHVZGJ5fVgTlnnazuXd4evbt U1/7KNWt2H1R1j0YiYZ0MvhrIF35KqFmLOGf2JmZulqruwq91tYeMlv+7IY6vtPD L8n5kTM7pudB3qznXd1PBMj1Y6YVG1O3WL4Stfyj93qDuMbJ+wfnao1ZKMBG0az8 IJITHrnTI+Xd4i/bbEoSmSN9V80S8uo/6J6JaXjtbrJfEqAMKhLrrcoMA7MHpKJQ L4dv2HGL1n7xfOIfj5Qo2io/LUSye5lO54LtEKZfjhzqsTtNQl57BDAYZgbQp2/A RsngIq3VrNcIJQK8F1Ba7SNL2+NVd091Wb+Z52837R5/D47jD2BhDia5eH6R5Opv 6kfzTJujbLi6b9RSn0OT+wAQbQ80qSmD+IwMXwAAg0mukthjTiJpqabpMWvMmfGO mhfZBGqmf1Hx4lTczSRMLlRCmjOBc+BKioHT2ciE8QMX0WrHhkRuSBqY3euVTCMB 9+iU7eJ23tARTbG5wMmBNRsWJzhOKieM0UEsXxso+z8tMMX1Vh/e9ls2qm+ks876 WYT9/yPSsyU1z/AkHJU7 =nHGY -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Tue Aug 25 21:27:50 2015 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DE3EB9C24E1 for ; Tue, 25 Aug 2015 21:27:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id C1E427EB; Tue, 25 Aug 2015 21:27:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id C154016C9; Tue, 25 Aug 2015 21:27:49 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:22.openssh Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20150825212749.C154016C9@freefall.freebsd.org> Date: Tue, 25 Aug 2015 21:27:49 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Aug 2015 21:27:50 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:22.openssh Security Advisory The FreeBSD Project Topic: OpenSSH multiple vulnerabilities Category: contrib Module: openssh Announced: 2015-08-25 Affects: All supported versions of FreeBSD. Corrected: 2015-08-25 20:48:44 UTC (stable/10, 10.2-STABLE) 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RC3-p2) 2015-08-25 20:48:51 UTC (releng/10.2, 10.2-RELEASE-p2) 2015-08-25 20:48:58 UTC (releng/10.1, 10.1-RELEASE-p19) 2015-08-25 20:48:44 UTC (stable/9, 9.3-STABLE) 2015-08-25 20:49:05 UTC (releng/9.3, 9.3-RELEASE-p24) For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. The default FreeBSD OpenSSH configuration has PAM interactive authentication enabled. Privilege separation is a technique in which a program is divided into multiple cooperating processes, each with a different task, where each process is limited to the specific privileges required to perform that specific task, while the privileged parent process acts as an arbiter. II. Problem Description A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of he sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection. III. Impact The first bug may allow a remote attacker who a) has already succeeded by other means in compromising the unprivileged pre-authentication child process and b) has valid credentials to one user on the target system to impersonate a different user. The second bug may allow a remote attacker who has already succeeded by other means in compromising the unprivileged pre-authentication child process to bypass PAM authentication entirely. The third bug is not exploitable, but can cause premature termination of a multiplexed ssh connection. IV. Workaround No workaround is available, but systems where ssh(1) and sshd(8) are not used are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The sshd(8) service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The sshd(8) service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-15:22/openssh.patch.asc # gpg --verify openssh.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the sshd(8) daemon, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r287144 releng/9.3/ r287147 stable/10/ r287144 releng/10.1/ r287146 releng/10.2/ r287145 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.7 (FreeBSD) iQIcBAEBCgAGBQJV3Ne8AAoJEO1n7NZdz2rnxq8P/jW05a6zT9n78wxBuHwRJ9gx 7+CN9AsezavW4HmZF4GmWt6SjnJqpLDMwnhceo7po6ZMIxjyWwxBWWfvUwVqezwa kT+DS7oHKmeZAwCSFMj9K25NN+x7KAwXXiiANcj4U4iU+q0YrcEGVIBKVqCAn3ly pJAkMxdTbwlWR7MaPaTMbMenVOs87b6Xx/4gfSBWolFWz9bKfdTYCxK/AnULVIZq Q7lShezEvgyCb8b6QLvnrY4AwHtVduiYxnvNKv8ysbaatZCarkRS8nh68zGcdTBg IyzG5OEtUFokVkroJaLWFXL1mUp7tgn9+UNd0/53wFN2DTZKw9oTAkKn8xrbbOSa xQqYFhsmqsnKlBJMEMaoK9JgGZZ6xOGo3JZ6yrFfYxiZ9xFaR843rOUe0UVrxh+L +2DmALTyLWSkeqlcg66oKqYKMQuvUyd6VpPL0yHpB0AqBTjKjUmG9RgG8AT5MpqW P3weyD0n7rOCBfagofx8MIy15REwjcQSUptarWrMwhJPua95RJ/IAVIIThGrMzZ5 PxyWDFU7B/56FRlmX5+6mfi/NC60yIyR6lg0trBtuiiEfNV+HWz6QXOIUMYQvvo9 w8fXSy6MJ12jTFqm0+CXbx2wWEVxAZS/wtLDsa3nf2oGkO3upzFl0/fvsR1dZ/hl plo/3SMPpFFbfvIhy2V/ =2w70 -----END PGP SIGNATURE-----