From owner-freebsd-security-notifications@freebsd.org Wed May 15 00:01:11 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D9FE1159D2FD for ; Wed, 15 May 2019 00:01:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2E6A78B442; Wed, 15 May 2019 00:01:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id F08A91AA5B; Wed, 15 May 2019 00:01:09 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:03.wpa Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000109.F08A91AA5B@freefall.freebsd.org> Date: Wed, 15 May 2019 00:01:09 +0000 (UTC) X-Rspamd-Queue-Id: 2E6A78B442 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:01:11 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:03.wpa Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in hostapd and wpa_supplicant Category: contrib Module: wpa Announced: 2019-05-14 Affects: All supported versions of FreeBSD. Corrected: 2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE) 2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE) 2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, CVE-2019-11555 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Wi-Fi Protected Access II (WPA2) is a security protocol developed by the Wi-Fi Alliance to secure wireless computer networks. hostapd(8) and wpa_supplicant(8) are implementations of user space daemon for access points and wireless client that implements the WPA2 protocol. II. Problem Description Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8) implementations. For more details, please see the reference URLs in the References section below. III. Impact Security of the wireless network may be compromised. For more details, please see the reference URLS in the References section below. IV. Workaround No workaround is available, but systems not using hostapd(8) or wpa_supplicant(8) are not affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterwards, restart hostapd(8) or wpa_supplicant(8). 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, restart hostapd(8) or wpa_supplicant(8). 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch # fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc # gpg --verify wpa-12.patch.asc [FreeBSD 11.2] # fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch # fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc # gpg --verify wpa-11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r346980 releng/12.0/ r347587 stable/11/ r346981 releng/11.2/ r347588 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTrVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLsaA/9EB577JYdYdwFCOQ6TiOVhyluLJzgrhG3aiXeBntj8ytkRjcXKnP0aega 3G2R1do7pixVYUF52OWJwaNO3Hm+LHMngiOqujcLI+49ISI3T/APaU/D2dqmXVb8 nN/Pd+0HDGj3R3MwyyHT8/3fX0pJ395vcQhYb61M6PUSrwr8uiBbILT57iCadZoL F4KOCvRv7I4EFWXvqngGfeohZbbeHPBga2DwuebWR/E/1uWrMKEOF2pvh4b6ZSN2 pdr7ZHMiL1cZt+p+2gwWoqDWyD93u2lTC7Gmo3Vom+meH7eaQ79obXEN541aiQ04 CYhjkwuW5uNGUWCO/Xsfn5gqICeB1G5A/aBHQlAyVgUGia8jukL1jn3ga4AQgKrN h9aTmvrQs17PjMVtq81ZS0xm0ztW0Y6t2A9fRgGcnOOw+uy5tHMbJaKSMy8x97NT gUyXtoyu47tjjMrzsQcma2t6/+iCEDuW1P1LybSmv/v59gro9uveCdl0busgM9GS M5bpWK/qYQS1HYmYeTKMRynmD8ntRbflYoUP/SpijHsz+56rgyeJO12WyltyT32f j5fgnKaznW/UPtgmK0wnPIG9XEj3Nzs4C4cypO5t8OiuLEli4wRdb6MYlvEjq4la R3lnCzmTd9sg+K6cod2qWWSYdsdEwizcpQDp7M9lRqomiANLqJ4= =MXma -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed May 15 00:01:33 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ED0B4159D367 for ; Wed, 15 May 2019 00:01:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 41E688B4C7; Wed, 15 May 2019 00:01:32 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 0AED11AA86; Wed, 15 May 2019 00:01:32 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:04.ntp Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000132.0AED11AA86@freefall.freebsd.org> Date: Wed, 15 May 2019 00:01:32 +0000 (UTC) X-Rspamd-Queue-Id: 41E688B4C7 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; NEURAL_HAM_LONG(-1.00)[-0.999,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:01:33 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:04.ntp Security Advisory The FreeBSD Project Topic: Authenticated denial of service in ntpd Category: contrib Module: ntp Announced: 2019-05-14 Credits: Magnus Stubman Affects: All supported versions of FreeBSD Corrected: 2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2019-8936 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. The ntpd(8) daemon uses a protocol called mode 6 to both get status information from the running ntpd(8) daemon and configure it on the fly. This protocol is typically used by the ntpq(8) program, among others. II. Problem Description A crafted malicious authenticated mode 6 packet from a permitted network address can trigger a NULL pointer dereference. Note for this attack to work, the sending system must be on an address from which the target ntpd(8) accepts mode 6 packets, and must use a private key that is specifically listed as being used for mode 6 authorization. III. Impact The ntpd daemon can crash due to the NULL pointer dereference, causing a denial of service. IV. Workaround Use 'restrict noquery' in the ntpd configuration to limit addresses that can send mode 6 queries. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, restart the ntpd service: # service ntpd restart 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch # fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc # gpg --verify ntp.patch.asc [FreeBSD 11.2-RELEASE/11.3-PRERELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc # gpg --verify ntp-11.2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the ntpd service, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r344884 releng/12.0/ r347589 stable/11/ r344884 releng/11.2/ r347590 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTrdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLGtw/8CNAYnLxARrMUK1QeC9sE7EaboYInSOgaunfK2Uw5tJk9b4GwWWjCSE0C hSWg4a9xv3pks2ppfEJzRuy0eoYmiU0MYblnAnCwCmE2d3WYlExO7hZJa1iK3uPO WvHre5q80kF8TJhS9rbph+6oyLaPun8f9PDIo4Oc2knTppNfrfzbB/HEuzP27KMp gCXD/Nk/5tHbXjkIGamWCf9wgYuw/typYRV3W6sWDuPhug2sAvWk1TMo0cMJ4BHL wL7Qh00rZ+nHWdk5GKFslga9gNjVPqD2DzRKCQO2bj4o+7ly2d+yk4jUpMKBq2r4 eQcQQnk9xj60NQ5cHGprOv6xwulBYycugF57iouNAP241cvVf+XZd4b/GthJODgz fhP0aquusmtkawida3ZWWIVCjkM5NmHQsY5VTQLvTudtemb3kdmRMy3dFDN7oyXZ PqP6JJUqamxNHilxRVytNCZLiSuy1P2MnJamyLZIqcDiT6yvMVBqwuGdQrSTSKyu g/sR+vUohuJrP2i3pCCEfGtH5Nfq6GpY6Swxec81wUoqReGVCGmSFSEaas21TFYf ZzAEAhywveGegkhqvsGP9A1zrTs6ZTCRzun32MhSo4xH/YZaArMvRa6JiSWTA1fG ctwXEwIBj0XNEWBsCPgVvaF9bglmQZ2Iqn4iOiHlRGT7KxgjT7w= =o9t5 -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed May 15 00:01:40 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B1C47159D3AD for ; Wed, 15 May 2019 00:01:40 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 598568B4F1; Wed, 15 May 2019 00:01:40 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 4AC511AA97; Wed, 15 May 2019 00:01:40 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:05.pf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000140.4AC511AA97@freefall.freebsd.org> Date: Wed, 15 May 2019 00:01:40 +0000 (UTC) X-Rspamd-Queue-Id: 598568B4F1 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:01:40 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:05.pf Security Advisory The FreeBSD Project Topic: IPv6 fragment reassembly panic in pf(4) Category: contrib Module: pf Announced: 2019-05-14 Credits: Synacktiv Affects: All supported versions of FreeBSD Corrected: 2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2019-5597 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf(4) is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. II. Problem Description A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of from the first packet. III. Impact Malicious IPv6 packets with different IPv6 extensions could cause a kernel panic or potentially a filtering rule bypass. IV. Workaround Only systems leveraging the pf(4) firewall and include packet scrubbing using the recommended 'scrub all in' or similar are affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterwards, reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch # fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc # gpg --verify pf.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r344706 releng/12.0/ r347591 stable/11/ r344707 releng/11.2/ r347591 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cL1cxAAjYy90WBfuBkU/FddQWMJkXOn2YqABFxY/BfFpJEbGrnXXuxz9YJByK3b 6ikWq5HcxgL/9ek6QULwEOoNvms8tT4m4waJOLa3hZPoPlgD2ArgvdcEI00R/8T9 Z+k1YlT0oLOY4XbVynPGNmiFNTAcsg7Ognp9yam3kmPZTMGYm6cKIBy1idrzCCmI nj0SscyoL4Z09kSWe3UOitjh8cpxqGuvGosCb7YGPl6yTSalBUgP44Lyg7jS4nrZ xjZxqhAfp7tk9peF4rov8apZIsrBF5GMaahnIGIwZzmRn/E1pND9qx1lB1Uh7rfR nb8OmwbshJTWdnS1GXyLxRGJOd0zmh+YZ10ygZAQTM5sNaxfn6pWJFmr2S/mR+kN RG/Bhj+lN7jh1eUNdwk/pAm0aZZ+J8GX4/QOrqPfGDko/s/S7YwJB/DKR/14uPY7 Fwcgv4tvgoRstSKHdIe45d7/N0SgQCS/EfzVIO5XPQtkrk9/zalQubionijObr1Q ARVl7H5M7m7kP8PJz/vRNvhar0c0xTk9ov2JDxKHKTd+7D78LQEAFvEGPIFREBsY VBW8BqZbuVcsgrhr/YWFE3TEw4O0YbnY5g9wmVv+d/pdDngLuTsfbNEsAQewWcu/ dYefeBMKBukyLUKtLYHjVAhUlL3hF3j/aBu498F6LRCzFcaoIOQ= =0alQ -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed May 15 00:01:44 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 05631159D3E4 for ; Wed, 15 May 2019 00:01:44 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4B9368B505; Wed, 15 May 2019 00:01:43 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 17DDE1AAA2; Wed, 15 May 2019 00:01:43 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:06.pf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000143.17DDE1AAA2@freefall.freebsd.org> Date: Wed, 15 May 2019 00:01:43 +0000 (UTC) X-Rspamd-Queue-Id: 4B9368B505 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:01:44 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:06.pf Security Advisory The FreeBSD Project Topic: ICMP/ICMP6 packet filter bypass in pf Category: contrib Module: pf Announced: 2019-05-14 Credits: Synacktiv Affects: All supported versions of FreeBSD Corrected: 2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2019-5598 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf(4) is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities. II. Problem Description States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload matching an existing condition. pf(4) does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet. III. Impact A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules and be passed to a host that would otherwise be unavailable. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterwards, reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch # fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc # gpg --verify pf.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r345377 releng/12.0/ r347593 stable/11/ r345378 releng/11.2/ r347593 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cIjXA/9FevC+Ygihzb0J9MN0znEM883dk5sPCSvMwiivsNRkDMXreYqPXU+Fkt0 iV1OZ8tKwKAihm+iGJ5mzS5l40wWF1oDcqJrC0myICdvreraoJKZvTLhgGIBqKkE b8yIuzPueWdnnudoAzTV38RhyaP2aOb44OMUNPQZsEB/6hHsNvp9m6yAua/F+x9+ N9J38Y/C6udsNfhqDeuCI4G8yiN33XfFiRbF+31rt3s0rUm6KGNsJanJe8dNAEvE DN4tA4+MORnQ7QTLgOobGuLFhWJ2urC6psH8duO72hcSTzSkTZpxrC3f6SW8RlZ+ Pbr4LZ6FA3bZp/sCmWPOot94hotBDr03MZwrxURokeDHZU1nUBsw0rmTG4aypujl JrGPOAp89TtqrR0zV8DhpGO/RWoBeMDf7ZGvIplOIEF5rijQWEyC5pnYlBKPfSdm UTxcN9RoJCfz7O4KLAAqhHiuu6xc+CqlQH1dvyLbqGVv9LzUQlziTNsbQ4cGryuj g1TztU0VfpvHDkAKBh0iHwkoUqDSut3K19rFAQ3zkM/EodqSTkE1OG77pmsjYaVq AfcnN/se8lklq0lKi3BwNvVIWTjhMAwY63otVxvVD4wrJrgQH8NKgOeYuGBreXeW Uv569bIhR0/vsyGJK/SMKxBiAGfzkE7LqDMJqdXLsompX97nOwI= =m3as -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed May 15 00:03:03 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BBDBB159D6BF for ; Wed, 15 May 2019 00:03:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 634B08B727; Wed, 15 May 2019 00:03:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 522D31AB7D; Wed, 15 May 2019 00:03:02 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:07.mds Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515000302.522D31AB7D@freefall.freebsd.org> Date: Wed, 15 May 2019 00:03:02 +0000 (UTC) X-Rspamd-Queue-Id: 634B08B727 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.93 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.994,0]; NEURAL_HAM_SHORT(-0.94)[-0.940,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 00:03:03 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:07.mds Security Advisory The FreeBSD Project Topic: Microarchitectural Data Sampling (MDS) Category: core Module: kernel Announced: 2019-05-14 Credits: Refer to Intel's security advisory at the URL below for detailed acknowledgements. Affects: All supported versions of FreeBSD. Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used. II. Problem Description On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. III. Impact An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser). IV. Workaround No workaround is available. Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf' # shutdown V. Solution Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system. New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14. If using the package or port the microcode update can be applied at boot time by adding the following lines to the system's /boot/loader.conf: cpu_microcode_load="YES" cpu_microcode_name="/boot/firmware/intel-ucode.bin" Microcode updates can also be applied while the system is running. See cpucontrol(8) for details. 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Follow additional details under "Mitigation Configuration" below. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0-STABLE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc # gpg --verify mds.12-stable.patch.asc [FreeBSD 12.0-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc # gpg --verify mds.12.0.patch.asc [FreeBSD 11.3-PRERELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc # gpg --verify mds.11-stable.patch.asc [FreeBSD 11.2-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc # gpg --verify mds.11.2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in . Mitigation Configuration Systems with users, processes, or virtual machines in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf To activate the MDS mitigation set the hw.mds_disable sysctl. The settings are: 0 - mitigation disabled 1 - VERW instruction (microcode) mitigation enabled 2 - Software sequence mitigation enabled (not recommended) 3 - Automatic VERW or Software selection Automatic mode uses the VERW instruction if supported by the CPU / microcode, or software sequences if not. To enable automatic mode at boot: # echo hw.mds_disable=3 >> /etc/sysctl.conf Reboot the system: # shutdown -r +10min "Security update" Check the mitigation status: # sysctl hw.mds_disable_state hw.mds_disable_state: software Silvermont VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r347567 releng/12.0/ r346594 stable/11/ r347568 releng/11.2/ r347595 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTspfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKcyA//ZlJa5eoNt0L2pcWAjukf1X+/iTjHv/t3wWclEfuPv2S9lO5SDlwxUV5x woGkxcIj7Tp51HJZRBjn62x/cwd6CjbpxsYPUvRs1Nkruj82/p6Yj5nSYrDCqqj1 k84hyCj0Y6V2NwbBEPTNXqqPbOmid0R3GrQJk1JXZ1zTf8VHGxrquXp1xP7PIPSX GWYup0k4edMCY2mbBb8QQQmQSg6S2k6eZnvF9AZUga5pM7FGYLo0rPHNVHx+te83 THvmnrJXnCR5AEjqmsubxwF/p+HneJke7HJxj1GjokzFgzTz3C9X3vUWHedwlVoD BzeqSgWD0icgJMYl8xGabeRzXj49tIzrC+twdXMtTLiDIKGxaRxqGVTMHYHgh44h GilgZ60X4m8e4Nuzf8xcQ1X2/QLvfWwZR+zUzQwOiKVoNp7nPJ5m8nr1s9anqDdl n1fJw3tqw+8ant58k71IKD5lCV0KhJXgD/Kd3TZWu9a4mnMlvuJWYbEKEvxSlvTh ghORCSg+OBEgN//t9a/3UaAOzqKijkN6Iau1JpMrFNtBOXgOO17B1jQGz1R2VKKb mu5gotDQqkdQocN+94sB8T3fouSa6ub2cUox34+DngqxuFeMv6Ffg1o/Z4C0mRUu bVdzPrsUai/Z7O/kBpUF6ddsBGsDXWElfo9flfbJonLcYndWyWc= =QUYl -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed May 15 18:16:23 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3DB8F159B8DA for ; Wed, 15 May 2019 18:16:23 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D53E269EFB; Wed, 15 May 2019 18:16:22 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id C7ACDA0AB; Wed, 15 May 2019 18:16:22 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:07.mds [REVISED] Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515181622.C7ACDA0AB@freefall.freebsd.org> Date: Wed, 15 May 2019 18:16:22 +0000 (UTC) X-Rspamd-Queue-Id: D53E269EFB X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.99)[-0.995,0]; NEURAL_HAM_SHORT(-0.97)[-0.965,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 18:16:23 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:07.mds Security Advisory The FreeBSD Project Topic: Microarchitectural Data Sampling (MDS) Category: core Module: kernel Announced: 2019-05-14 Credits: Refer to Intel's security advisory at the URL below for detailed acknowledgements. Affects: All supported versions of FreeBSD. Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE) 2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4) 2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision history v1.0 2019-05-14 Initial release. v1.1 2019-05-15 Fixed date on microcode update package. v1.2 2019-05-15 Userland startup microcode update details added. Add language specifying which manufacturers is affected. I. Background Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used. II. Problem Description On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. III. Impact An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser). IV. Workaround No workaround is available. Only Intel x86 based processors are affected. x86 processors from other manufacturers (eg, AMD) are not believed to be vulnerable. Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo 'machdep.hyperthreading_allowed=0 >> /boot/loader.conf' # shutdown -r +10min "Security update" V. Solution Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system. New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14. If using the package or port the Intel microcode update can be applied at boot time (only on FreeBSD 12 and later) by adding the following lines to the system's /boot/loader.conf: cpu_microcode_load="YES" cpu_microcode_name="/boot/firmware/intel-ucode.bin" To automatically load microcode during userland startup (supported on all FreeBSD versions), add the following to /etc/rc.conf: microcode_update_enable="YES" 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Follow additional details under "Mitigation Configuration" below. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0-STABLE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc # gpg --verify mds.12-stable.patch.asc [FreeBSD 12.0-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc # gpg --verify mds.12.0.patch.asc [FreeBSD 11.3-PRERELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc # gpg --verify mds.11-stable.patch.asc [FreeBSD 11.2-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc # gpg --verify mds.11.2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in . Mitigation Configuration Systems with users, processes, or virtual machines in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf To activate the MDS mitigation set the hw.mds_disable sysctl. The settings are: 0 - mitigation disabled 1 - VERW instruction (microcode) mitigation enabled 2 - Software sequence mitigation enabled (not recommended) 3 - Automatic VERW or Software selection Automatic mode uses the VERW instruction if supported by the CPU / microcode, or software sequences if not. To enable automatic mode at boot: # echo hw.mds_disable=3 >> /etc/sysctl.conf Reboot the system: # shutdown -r +10min "Security update" Check the mitigation status: # sysctl hw.mds_disable_state hw.mds_disable_state: software Silvermont VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r347567 releng/12.0/ r346594 stable/11/ r347568 releng/11.2/ r347595 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzcU9dfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKG7Q//XEf1kFc8JABZtSQT5XEP+J/CKMF+W+CqVmV6vLNimOeWVaw5BBWbtbhI 7BENuQRw2NcUbwrhwR+KYKWUN0rF0VQOk+m8JMYQxTu1WQfI9J8HDTXjmp1mfrx4 CbEjHuHCvGjezdURR0GIfAfkMjfDUEPEq05svPrEFIh2s4QagF7V2gunwNgprXJV ZzlA2IEUCx2KFbgbPjIJDY7ED0/VXrNeZU9G4R4t9+QSD2r21cF4kax8DLi5Rtz4 ducXhT5dG+reZXye6c+eryJvjBPEwI9zHth0xLMGHDJUeLAOUkZpNsciuEeNu96O 1EkGqYBKpJGcvsYBnYM0mD2Z23khqxEHWArIluJeVkdezlvREB42nLHQ9oin3opH ojdh57lkppQqVZ9GTHqQLRVbawiC7oNNWzoYq+ANSReqiIkpPCC3z3NsGDo1oYLK suMOAtxwPe6qq2Q9voN5lgHNR5w/x2uKxdYx8G8C40ynoFb1W1dQNdGVtmfRpvO5 lvZGWNsmxWBrlYlm8onpulw1WsPgOp9TmhIAO1IZHVhgsaoF9i1hu/BumOTjiQo0 Md4IiGAdPkU7nC3MjDm9jsD+bC6GaXwXkyryi1bpNE2feXVg4lvznyah2wQR2VVq +R3H0+iTHCOS9fEvWWpRIZWL2AfU78O+c/go9ZqqQvGAxVR/UwM= =pDA1 -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed May 15 23:37:28 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 25A9F15A5371 for ; Wed, 15 May 2019 23:37:28 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 931D876077; Wed, 15 May 2019 23:37:27 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 6B5FBE2AF; Wed, 15 May 2019 23:37:27 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:07.mds Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190515233727.6B5FBE2AF@freefall.freebsd.org> Date: Wed, 15 May 2019 23:37:27 +0000 (UTC) X-Rspamd-Queue-Id: 931D876077 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.95)[-0.948,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2019 23:37:28 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:07.mds Security Advisory The FreeBSD Project Topic: Microarchitectural Data Sampling (MDS) Category: core Module: kernel Announced: 2019-05-14 Credits: Refer to Intel's security advisory at the URL below for detailed acknowledgements. Affects: All supported versions of FreeBSD. Corrected: 2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE) 2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5) 2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE) 2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10) CVE Name: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision history v1.0 2019-05-14 Initial release. v1.1 2019-05-15 Fixed date on microcode update package. v1.2 2019-05-15 Userland startup microcode update details added. Add language specifying which manufacturers is affected. v1.3 2019-05-15 Minor quoting nit for the HT disable loader config. v2.0 2019-05-15 Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug. I. Background Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used. II. Problem Description On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. III. Impact An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser). IV. Workaround No workaround is available. Only Intel x86 based processors are affected. x86 processors from other manufacturers (eg, AMD) are not believed to be vulnerable. Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf # shutdown -r +10min "Security update" V. Solution Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system. New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14. If using the package or port the Intel microcode update can be applied at boot time (only on FreeBSD 12 and later) by adding the following lines to the system's /boot/loader.conf: cpu_microcode_load="YES" cpu_microcode_name="/boot/firmware/intel-ucode.bin" To automatically load microcode during userland startup (supported on all FreeBSD versions), add the following to /etc/rc.conf: microcode_update_enable="YES" 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Follow additional details under "Mitigation Configuration" below. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***] Due to an error in the 12.0-RELEASE affecting the i386 architecture, a new set of patches is being released. If your 12.0-RELEASE sources are not yet patched using the initially published patch, then you need to apply the mds.12.0.patch. If your sources are already updated, or patched with the patch from the initial advisory, then you need to apply the incremental patch, named mds.12.0.p4p5.patch [FreeBSD 12.0-STABLE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc # gpg --verify mds.12-stable.patch.asc [FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc # gpg --verify mds.12.0.patch.asc [FreeBSD 12.0-RELEASE, patched with initial SA-19:07.mds patch] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.p4p5.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.p4p5.patch.asc # gpg --verify mds.12.0.p4p5.patch.asc [FreeBSD 11.3-PRERELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc # gpg --verify mds.11-stable.patch.asc [FreeBSD 11.2-RELEASE] # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc # gpg --verify mds.11.2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in . Mitigation Configuration Systems with users, processes, or virtual machines in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0: # echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf To activate the MDS mitigation set the hw.mds_disable sysctl. The settings are: 0 - mitigation disabled 1 - VERW instruction (microcode) mitigation enabled 2 - Software sequence mitigation enabled (not recommended) 3 - Automatic VERW or Software selection Automatic mode uses the VERW instruction if supported by the CPU / microcode, or software sequences if not. To enable automatic mode at boot: # echo hw.mds_disable=3 >> /etc/sysctl.conf Reboot the system: # shutdown -r +10min "Security update" Check the mitigation status: # sysctl hw.mds_disable_state hw.mds_disable_state: software Silvermont VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r347567 releng/12.0/ r347632 stable/11/ r347568 releng/11.2/ r347595 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzciUJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKc2w//UxEu2JWDEJnpGuYv/Hh+PAEsWjzG2mCuFmriF7//deJTbwWybJk0DXhU n6HCdw47nG/uVaeVOw921BRpJMK9bqpqr80VXKturOacS6kaQmMCXS+ZyPytZT0K XJIgM3QrHsUUd6FnCHZ6Z6PBRLWl72RvNm8b2ZUE32puALlEeDCcd9PP3pyPITgj iU3gP05GafKzG/7liqQuWPffRqAq4oQyQYCjkRfBdPNlacACvbtAXNnDPnwkfIqg Si2Svj2TDS0eTxC5fspQtdWkKru50ZHTFFsoNhT33uX9L1Yr8ui+ajRG0Zxd81fj 0YGGat9QhzF6R2dywU75wXRveM/VMXj2wy5/CWBVI9kY84SeqcDDdkksG3iMC63Q ebkZF38kbZ85Xwpi3z2yHxw16yKg0pLNryW/GBp0xyJz5ivFhgpeFWEHfmjmiX+u Ka0E5RgCHh/eNAihbU8XN9MLnHToaX3mlEM+He+YsAXCMutaiSKaFpUhEs7uVmqu r8YIYLbxJcIfqrRyIJtn9RpWisxJfo/RVLyE3QDg7Pg5x6QeVysyuYkbeOdIk75e KW5B0b3eKh8Xu0mZqexdL9Hb1kEii5RxbSU5qLYoKfkMSo4/dLKgJwYZH61EC5cP dEj/KaIAdMA0VMi8XQfAsPIR4FKhKcd5tUazjBaW97WJjha0dog= =StiT -----END PGP SIGNATURE-----