[NetBSD] Vulnerability in the NetBSD kernel module for IPSEC - NetBSD-SA2011-004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

we have just received the following warning from the NetBSD Security Officer.
We are forwarding this information to you unchanged.

This requires that one of the options "IPSEC" or "FAST_IPSEC" has been
enabled in the NetBSD kernel, which is not the case in the default kernel
configuration.

CVE-2011-1547 - Vulnerability in the NetBSD kernel IPSEC stack

The IPSEC stack processes received packet headers recursively, expecting to
find an ESP/AH/IPCOMP-encapsulated payload. Nesting many "IP Payload
Compression Protocol" (IPComp) headers can, because of the resulting
recursion depth, overflow the corresponding kernel stack. A remote attacker
can trigger a kernel panic (denial of service) with crafted IPSEC packets
and, in the worst case, execute code in the context of the kernel.

The following software packages and platforms are affected:

NetBSD-current: versions before April 1, 2011
NetBSD-5-0 branch: versions before 5.0.3 (April 3, 2011)
NetBSD-5-1 branch: versions before 5.1.1 (April 3, 2011)
NetBSD-5 branch: versions before April 3, 2011
NetBSD-4-0 branch: versions before April 3, 2011
NetBSD-4 branch: versions before April 3, 2011

The vendor provides updated packages.

(c) of the German summary: DFN-CERT Services GmbH; redistribution, including
in part, is permitted only with attribution to the author, DFN-CERT Services
GmbH, and only for non-commercial purposes.

Kind regards,
Matthias Braeck

-- 
Matthias Braeck (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automated warning messages: https://www.cert.dfn.de/autowarn

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2011-004
=================================

Topic: Kernel stack overflow via nested IPCOMP packet

Version: NetBSD-current: source prior to April 1st, 2011
NetBSD 5.0.*: affected
NetBSD 5.0: affected
NetBSD 5.1: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected

Severity: remote DOS, possible memory corruption

Fixed: NetBSD-current: April 1st, 2011
NetBSD-5-0 branch: April 3rd, 2011
(5.0.3 will include the fix)
NetBSD-5-1 branch: April 3rd, 2011
(5.1.1 will include the fix)
NetBSD-5 branch: April 3rd, 2011
NetBSD-4-0 branch: April 3rd, 2011
NetBSD-4 branch: April 3rd, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A malicious packet containing nested RFC 3173 - IP Payload Compression
Protocol (IPComp) headers can cause a panic due to kernel stack exhaustion
in a kernel with option IPSEC enabled. Under certain conditions, kernel
memory may get overwritten. In kernels with option FAST_IPSEC a sufficient
quantity of such packets may cause a denial of service.

This vulnerability has been assigned CVE-2011-1547.

Technical Details
=================

The option IPSEC stack recurses through packet headers, expecting them to be
ESP/AH-IPCOMP-payload. Due to compression, an IPCOMP-IPCOMP-... packet may
contain a lot of headers, so attempting to recurse over all of them may
exhaust kernel stack, triggering a panic.
The kernel stack may overflow into other memory, causing memory corruption;
on amd64 and i386 (and some other architectures) option DIAGNOSTIC in the
kernel will prevent this corruption, causing a faster panic instead.

The IPv4 FAST_IPSEC stack merely iterates through the packet headers, so
there is no resource exhaustion by one packet, but a quine packet may
essentially iterate eternally, and thus bind resources. With FAST_IPSEC,
there needs to be an SA configured for ipcomp to be admitted at all.

Neither IPSEC nor FAST_IPSEC are enabled in NetBSD kernels by default.
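The two behaviours above (an IPSEC stack that recurses once per nested header, and a FAST_IPSEC stack that iterates but can be kept busy by a quine packet) both come down to the same defensive shape: walk the header chain with a loop, and bound how deep the chain may go. The following is an added example, not code from NetBSD or from the advisory. It assumes an RFC 3173 IPComp header layout (next header, flags, 16-bit CPI), a nesting limit of 4 chosen only for illustration, and it models the nested headers as an uncompressed chain so that only the header walk itself is visible; real IPComp would have to decompress each payload before seeing the next header.

```c
/*
 * Added example (not NetBSD code): a bounded walker over a chain of nested
 * IPComp headers.  The advisory describes a kernel that recursed once per
 * nested header and ran out of kernel stack; this walker iterates instead,
 * so its stack use is constant, and it also refuses chains deeper than an
 * assumed policy limit so a "quine" packet cannot keep the input path busy
 * indefinitely either.
 *
 * Simplification: real IPComp compresses the payload, so the next header is
 * only visible after decompression.  Here the nested headers are modelled
 * as an uncompressed chain, since only the header walk is of interest.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_IPCOMP_NUM 108  /* IANA protocol number for IPComp (RFC 3173) */
#define IPPROTO_TCP_NUM    6
#define IPCOMP_HDR_LEN     4    /* RFC 3173 header: next header, flags, CPI */
#define MAX_IPCOMP_NESTING 4    /* assumed limit for this example, not NetBSD's */

enum verdict { PKT_ACCEPT = 0, PKT_DROP_TRUNCATED = 1, PKT_DROP_TOO_DEEP = 2 };

/*
 * Walk the IPComp chain in buf[0..len).  The first header is assumed to be
 * IPComp (the IP header's protocol field said 108).  On PKT_ACCEPT,
 * *inner_proto receives the first non-IPComp protocol; *depth_out always
 * receives the number of IPComp headers consumed before the decision.
 */
enum verdict walk_ipcomp_chain(const uint8_t *buf, size_t len,
                               int *depth_out, uint8_t *inner_proto)
{
    uint8_t proto = IPPROTO_IPCOMP_NUM;
    size_t off = 0;
    int depth = 0;

    /* A loop, not recursion: stack usage does not grow with nesting depth. */
    while (proto == IPPROTO_IPCOMP_NUM) {
        if (depth >= MAX_IPCOMP_NESTING) {
            *depth_out = depth;
            return PKT_DROP_TOO_DEEP;      /* policy: too many nested headers */
        }
        if (len - off < IPCOMP_HDR_LEN) {
            *depth_out = depth;
            return PKT_DROP_TRUNCATED;     /* header would run past the packet */
        }
        proto = buf[off];                  /* next header field */
        /* buf[off + 1] is flags (reserved) and buf[off + 2..3] is the CPI;
         * neither affects the walk. */
        off += IPCOMP_HDR_LEN;
        depth++;
    }
    *depth_out = depth;
    *inner_proto = proto;
    return PKT_ACCEPT;
}

/* Constructed input: n nested IPComp headers whose innermost one announces
 * `final` as the next protocol.  Returns bytes written, 0 if cap is too small. */
size_t build_nested(uint8_t *out, size_t cap, int n, uint8_t final)
{
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        if (off + IPCOMP_HDR_LEN > cap)
            return 0;
        out[off]     = (i + 1 < n) ? IPPROTO_IPCOMP_NUM : final;
        out[off + 1] = 0;                  /* flags: reserved, must be zero */
        out[off + 2] = 0;                  /* CPI 2 = DEFLATE (well-known CPI) */
        out[off + 3] = 2;
        off += IPCOMP_HDR_LEN;
    }
    return off;
}

/* Classify an arbitrary byte string the way the walker would. */
int classify_bytes(const uint8_t *buf, size_t len)
{
    int depth = 0;
    uint8_t inner = 0;
    return (int)walk_ipcomp_chain(buf, len, &depth, &inner);
}

/* Build a packet with n nested headers ending in TCP and classify it. */
int classify_nested(int n)
{
    uint8_t pkt[256];
    size_t len = build_nested(pkt, sizeof pkt, n, IPPROTO_TCP_NUM);
    return classify_bytes(pkt, len);
}

int main(void)
{
    static const char *names[] = { "accept", "drop: truncated", "drop: too deep" };
    for (int n = 1; n <= 6; n++)
        printf("%d nested IPComp header(s): %s\n", n, names[classify_nested(n)]);
    return 0;
}
```

The depth limit does double duty: it caps the work a single packet can cause (the FAST_IPSEC concern) and, in a recursive implementation, it would also cap stack consumption (the IPSEC concern), but converting the recursion to a loop is what removes the stack-exhaustion class entirely rather than merely bounding it.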

Solutions and Workarounds
=========================

Workaround: If you do not expect plain ipcomp packets, filter out
incoming proto ipcomp packets (using either ipfilter, pf or npf).
This is not sufficient if you need to allow IPSEC and cannot trust
your IPSEC peers.

Fix: Patch, recompile, and reinstall the kernel, then reboot.

IPSEC

CVS branch    file                                 revision
------------- ------------------------------------ --------
HEAD          src/sys/netinet6/ipcomp_input.c      1.37
netbsd-5-0    src/sys/netinet6/ipcomp_input.c      1.36.16.1
netbsd-5-1    src/sys/netinet6/ipcomp_input.c      1.36.24.1
netbsd-5      src/sys/netinet6/ipcomp_input.c      1.36.10.1
netbsd-4-0    src/sys/netinet6/ipcomp_input.c      1.30.12.1
netbsd-4      src/sys/netinet6/ipcomp_input.c      1.30.2.1

FAST_IPSEC

CVS branch    file                                 revision
------------- ------------------------------------ --------
HEAD          src/sys/netipsec/xform_ipcomp.c      1.26
netbsd-5-0    src/sys/netipsec/xform_ipcomp.c      1.18.18.1
netbsd-5-1    src/sys/netipsec/xform_ipcomp.c      1.18.22.1
netbsd-5      src/sys/netipsec/xform_ipcomp.c      1.18.12.1
netbsd-4-0    src/sys/netipsec/xform_ipcomp.c      1.8.2.1.4.1
netbsd-4      src/sys/netipsec/xform_ipcomp.c      1.8.2.2

The following instructions briefly summarize how to update and
recompile the kernel. In these instructions, replace:

VERSION with the fixed version from the appropriate CVS branch
(from the above table)
FILE with the name of the file from the above table
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update -r VERSION FILE
# ./build.sh kernel=KERNCONF
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd.new
# mv /netbsd /netbsd.old && mv /netbsd.new /netbsd

then reboot:

# shutdown -r now

For more information on how to do this, see:

http://www.NetBSD.org/guide/en/chap-kernel.html

Thanks To
=========

Thanks to Tavis Ormandy, Google Security Team, for finding the issue.

Revision History
================

2011-04-07 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-004.txt,v 1.1 2011/04/06 22:06:57 tonnerre Exp $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)

iQIcBAEBAgAGBQJNnORpAAoJEAZJc6xMSnBuYpkP/1QWKycKZdfQRBUVTDBvR9tM
+592ibJlojZjmlUYvaw911aJnKpujg7rl6Ui5T0vfhu6ThfyTbrJODLeQdM9FFWH
LIFvEU7iZE5r9HFLFSGhkZ9mdwSCQQGdCnOrPnBLTXBq7ew/4iy8uAVNnOG2ZZso
Y0ZVZgU8E2KFW8UZSuT5z8MHmmsuu2qMQfQBkPpM+OuuKov3j0iohTJ9ybgQ235j
0YLGsWOsAYYMCWX7w97p1mCaMxWTeXhGiS7nlOAEcRrR3sQfCanUIDqtdH1qppH0
PzG3zH6ETAtlXMj/61JCAHlg4ihpzhUQe+BykDn/eDLH6WlTHgmhKAGouPSc5ejm
6X6f+m1DjItyBEnm6GLTk/9ErWZyelH1YVxL/bslCmayTDlYCfetYsK9MIPg/59c
ZdqCyX7ZXF0tx7if+h7UJHxuHGZ/tdoGsSP2oUtKupSx8WhS3B2yGQsdcJNgdiZz
3YKV04CIA8DRtbmk0OfR1PrzVM7bc3dLXHepsDSaXEQcd9ZIA6mqNW/GAkzJ5c/5
q9sq+Ak56gTHrmqReyWRoV9Yn4tTnMPEOihcv2/W0lkci9utPTiBiy2kcqdeDlQl
vceuW1gb1EZAbgnCzk2KkdZ78NlStFSE7sSfBjSpy0LX0cNWeuM+/+2Fxcobil6y
5hkc1l9hur8Ea0/HsP4v
=ITT6
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iQEcBAEBAgAGBQJNnvJRAAoJEJtyb8U7iGZBv+UH/iFhFWVHtpQTbyLeO3k87mSa
FPNr8FBUmI8jhcNmJJnPAkUhUHGubBQHwY5PJuD7SmOuC4JluyHn8SXiORXH8dlP
QzdWh4ypp1Yd/yHmatgYDAnUtIcYiD1gh6R+eAAtwuUsD9/GlKicPEqvlJmMm16e
PYVFYnIGtuAQD5rdo6DgXOHvGjMR2FkSEYBiyEfdrgCM8ZdhVcs6V+3JG2xkzhoT
WvrLYSK6hyxq45h93eeyXKJot7+Ln4ZwnDxv7BC75JWNV1jyZh4VvBvwmtI2HGDn
3gds4XCRpD+AsQOeLNNXrceumCBu9erTe8k0wZAV5ED38825jQd2K8RTLR8z4P4=
=VX8G
-----END PGP SIGNATURE-----