1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.FREEBSD.ANN

  • [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:10.ip

    From FreeBSD Security Advisories@21:1/5 to All on Wed Aug 15 06:00:00 2018
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-SA-18:10.ip Security Advisory
    The FreeBSD Project

    Topic: Resource exhaustion in IP fragment reassembly

    Category: core
    Module: inet
    Announced: 2018-08-14
    Credits: Juha-Matti Tilli <juha-matti.tilli@iki.fi> from
    Aalto University, Department of Communications and Networking
    and Nokia Bell Labs
    Affects: All supported versions of FreeBSD.
    Corrected: 2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
    2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
    2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
    CVE Name: CVE-2018-6923

    Special note: Due to source code differences in FreeBSD 10-stable a patch
    is not yet available for FreeBSD 10.4. This will follow at
    a later date.

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of
    packets which are too big to traverse all the links between two end
    stations. Any router along the path between two end hosts may fragment
    packets which are larger than a link's maximum transmission unit
    (MTU). FreeBSD's implementation of some IPv4 protocols (such as the Transmission Control Protocol [TCP]) perform path MTU discovery to
    avoid the need for fragmentation.

    IP version 6 (IPv6) retains the concept of packet fragmentation. It
    changed the fragmentation operation to require that the originating
    end-system perform path MTU discovery and fragment packets which are
    too large for any MTU along the path between two end systems.

    While all hosts attached to the Internet are required to support
    fragmentation and reassembly, many hosts will encounter very few
    legitimate fragmented packets due to the operation of path MTU discovery.

    II. Problem Description

    A researcher has notified us of a DoS attack applicable to another
    operating system. While FreeBSD may not be vulnerable to that exact
    attack, we have identified several places where inadequate DoS protection
    could allow an attacker to consume system resources.

    It is not necessary that the attacker be able to establish two-way communication to carry out these attacks. These attacks impact both
    IPv4 and IPv6 fragment reassembly.

    III. Impact

    In the worst case, an attacker could send a stream of crafted
    fragments with a low packet rate which would consume a substantial
    amount of CPU.

    Other attack vectors allow an attacker to send a stream of crafted
    fragments which could consume a large amount of CPU or all available
    mbuf clusters on the system.

    These attacks could temporarily render a system unreachable through
    network interfaces or temporarily render a system unresponsive. The
    effects of the attack should clear within 60 seconds after the attack stops.

    IV. Workaround

    Disable fragment reassembly, using these commands:
    % sysctl net.inet.ip.maxfragpackets=0
    % sysctl net.inet6.ip6.maxfrags=0

    On systems compiled with VIMAGE, these sysctls will need to be
    executed for each VNET.

    V. Solution

    Upgrade your vulnerable system to a supported FreeBSD stable or release or security branch (releng) dated after the correction date, and reboot.

    Perform one of the following:

    1) Upgrade your vulnerable system to a supported FreeBSD stable or
    release / security branch (releng) dated after the correction date.

    Afterward, reboot the system.

    2) To update your vulnerable system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the i386 or amd64
    platforms can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install
    Afterward, reboot the system.

    3) To update your vulnerable system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    [FreeBSD 11.x]
    # fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
    # fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
    # gpg --verify ip.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
    system.

    VI. Correction details

    The following list contains the correction revision numbers for each
    affected branch.

    Branch/path Revision
    - ------------------------------------------------------------------------- stable/11/ r337804 releng/11.1/ r337828 releng/11.2/ r337828
    - -------------------------------------------------------------------------

    To see which files were modified by a particular revision, run the
    following command, replacing NNNNNN with the revision number, on a
    machine with Subversion installed:

    # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

    Or visit the following URL, replacing NNNNNN with the revision number:

    <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

    VII. References

    <URL:https://www.kb.cert.org/vuls/id/641765>

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6923>

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:10.ip.asc> -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.2.9 (FreeBSD)

    iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztekACgkQ05eS9J6n 5cJekQ/+PAOPGiPwpafBGuxwZVOaB3JloxJATPzg8z7PE7lvvo6I4pdwP0wq7ruJ vRejKXJPDPkDcNziyhB+QdhTXt3O1OAvow9n89nNKiLYX44+C2igTSbHGVe7lIFN NHvzGSJsdaPnm9qdvD3R7ZWT4vkNvoDiDiNChBSw829ZyGgLe1wNOOqQvsqVlwQt 1p0ikLHv30wbSX5KlSkLUSYA66pwcEd8eZFM43pwOZw9eIhcggAhufjTWdgnIBZA ZYiMqUi/7ZydO2YW55cVa290tP8JGf6PynmYwBJWTGInz2RlM18TyBcWILewgXic PM7jJ75thqd26BcPCh44toZWT8A7EYYiZ6iieLfAaQD7R6zqkeVwT39kV50YYRmW tA3jmTKhJ1B0AXQbkh3QZw8cfgIOMYzcbjy4MCcBS3XbehRuT58Jvc8nFFsrypuE FF4O3GtqFBKJUrcCJZF0VR0CvU7GUxTeYmS/9dNfQMJlEouFdPatn2jJwTfkiu0O I1NlDHA6jriZxepaSa+zxqF86pxNvTI5gRouWwMdevtEPVZGBF8A+DDA5fk1wcdS dEV4jcxcg1LH+EPBItYTh7seYYPodFdSyu5X/hLGBo/4XyA4Mb3xIjct74nKr0qx bPR3y53fV9+4JWazgO0bIlMG8XVH4go8Rh9n0IKdqv8xwdLVo3w=
    =ddfE
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-announce@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-announce
    To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)