Debian Bug report logs - #690986
CVE-2012-5363 CVE-2012-5365

Package: kfreebsd-8; Maintainer for kfreebsd-8 is GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 19 Oct 2012 19:39:05 UTC

Severity: important

Tags: security

Found in versions 8.1+dfsg-8+squeeze4, 8.1+dfsg-7, 8.2-15~bpo60+1, 8.3-6

Fixed in version 8.3-7+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Forwarded to freebsd-net@freebsd.org


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#690986; Package kfreebsd-8. (Fri, 19 Oct 2012 19:39:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Fri, 19 Oct 2012 19:39:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-5363 CVE-2012-5365
Date: Fri, 19 Oct 2012 21:34:36 +0200
Package: kfreebsd-8
Severity: important
Tags: security

Two security issues were found in the kfreebsd network stack:

http://www.openwall.com/lists/oss-security/2012/10/10/8

Issue #1 was assigned CVE-2012-5363
Issue #2 was assigned CVE-2012-5365

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#690986; Package kfreebsd-8. (Fri, 19 Oct 2012 22:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Fri, 19 Oct 2012 22:03:04 GMT) Full text and rfc822 format available.

Message #10 received at 690986@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: freebsd-net@freebsd.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, 690986@bugs.debian.org, 690986-forwarded@bugs.debian.org
Subject: Debian Bug#690986: CVE-2012-5363 CVE-2012-5365
Date: Fri, 19 Oct 2012 23:00:17 +0100
Hi,

On 19/10/12 20:34, Moritz Muehlenhoff wrote:
> Two security issues were found in the kfreebsd network stack:
> http://www.openwall.com/lists/oss-security/2012/10/10/8

> Issue #1 was assigned CVE-2012-5363
> Issue #2 was assigned CVE-2012-5365

Thank you for mentioning it.

Issue #2 seems similar to CVE-2011-2393, which I assumed was only
relevant where we'd set net.inet6.ip6.accept_rtadv=1, which isn't the
upstream FreeBSD default.  Issue #1 however might affect any FreeBSD
system acting as an IPv6 router.

If this can actually be confirmed, then the worst case I can imagine is
if a FreeBSD box acts as an IPv6 router for multiple interfaces, perhaps
serving different users;  any one of them might flood with Neighbour
Solicitations on their local link and create a DoS affecting other
interfaces.


I found some code committed to OpenBSD (in 2008, uh-oh), supposedly from
KAME (but I can't find it in their repository?), implementing
per-interface and global limits on the number of prefixes/routes
accepted via RA.  I imagine that's the best way to avoid some or all of
these issues.

> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6_proto.c?sortby=date#rev1.56

Just recently it seems this was also committed to NetBSD HEAD:  "4 new
sysctls to avoid ipv6 DoS attacks from OpenBSD".  I don't know of an
easier way to link to a whole CVS commit, but here are (hopefully all)
the changes to individual files:

> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_input.c.diff?r1=1.138&r2=1.139&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_var.h.diff?r1=1.58&r2=1.59&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.c.diff?r1=1.142&r2=1.143&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.h.diff?r1=1.56&r2=1.57&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/icmp6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_proto.c.diff?r1=1.96&r2=1.97&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_var.h.diff?r1=1.64&r2=1.65&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6_rtr.c.diff?r1=1.82&r2=1.83&sortby=date&only_with_tag=MAIN

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Reply sent to Steven Chamberlain <steven@pyro.eu.org>:
You have marked Bug as forwarded. (Fri, 19 Oct 2012 22:03:07 GMT) Full text and rfc822 format available.

Marked as found in versions 8.2-15~bpo60+1. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Sun, 10 Feb 2013 20:27:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#690986; Package kfreebsd-8. (Tue, 30 Jul 2013 10:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Tue, 30 Jul 2013 10:48:04 GMT) Full text and rfc822 format available.

Message #20 received at 690986@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 690986@bugs.debian.org
Subject: Re: Bug#690986: Debian Bug#690986: CVE-2012-5363 CVE-2012-5365
Date: Tue, 30 Jul 2013 11:45:58 +0100
Some further explanation of one of these issues:

> CVE-2012-5363 - flood of ICMPv6 Neighbor Solicitation messages
> 
> These packets announce an IPv6 host's presence on the local network.
> The source addresses of these packets are cached in a table
> of 'neighbour' hosts.  The table can be filled if a large number of
> source addresses are spoofed.  This incurs heavy CPU load and can break
> IPv6 networking on all interfaces.

It is important to note this is different from the others, and is not
related to having accept_rtadv enabled, but affects any FreeBSD IPv6 host.

A very elegant and complete fix for this is applied in OpenBSD and more
recently NetBSD, and this specific change is something we might want to
try ourselves and/or see merged upstream:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/nd6.c.diff?r1=1.77;r2=1.78

This works by:

* triggering garbage collection of the neighbour cache when it fills
(this avoids a total DoS)

* using an LRU list, to try to preserve entries for hosts that are being
actively communicated with, in preference to spoofed entries which
eventually fall to the bottom of the list and are purged (this mitigates
the impact of cache purges on genuine IPv6 communication, and makes it
viable for the cache to be made smaller)

* limiting the size of the neighbour cache (ip6_neighborgcthresh) to
2048 entries by default (operations on a smaller cache incur less CPU
load):

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_proto.c.diff?r1=1.95&r2=1.95.8.1&f=h

There were other changes in this commit, to try to mitigate
CVE-2011-2393 and CVE-2012-5365, but less than ideal.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
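The bounded LRU neighbour cache with garbage collection described in the message above, as an added example written for this page; it is not code from the bug report or from the linked OpenBSD/NetBSD commits. All names (nd_cache, nd_touch, nd_simulate_flood) are invented, and the addresses used in the simulation are constructed.

```c
/* Added example, not code from this bug report or from the OpenBSD/NetBSD commits it
 * links: a neighbour cache bounded by an LRU list plus a GC threshold. Names are invented. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct nd_entry { uint8_t addr[16]; struct nd_entry *prev, *next; }; /* head = most recent */
struct nd_cache { struct nd_entry *head, *tail; size_t count, thresh; };
static void nd_unlink(struct nd_cache *c, struct nd_entry *e) {
    if (e->prev) e->prev->next = e->next; else c->head = e->next;
    if (e->next) e->next->prev = e->prev; else c->tail = e->prev;
}
static void nd_push_front(struct nd_cache *c, struct nd_entry *e) {
    e->prev = NULL; e->next = c->head;
    if (c->head) c->head->prev = e; else c->tail = e;
    c->head = e;
}
/* GC: above the threshold, purge from the tail, where never-refreshed (spoofed) entries sink. */
static void nd_gc(struct nd_cache *c) {
    while (c->count > c->thresh && c->tail) {
        struct nd_entry *v = c->tail; nd_unlink(c, v); free(v); c->count--;
    }
}
/* Per Neighbor Solicitation: refresh a known neighbour (move to front) or insert it, then GC.
 * A linear scan keeps the example short; a kernel would index the table. */
struct nd_entry *nd_touch(struct nd_cache *c, const uint8_t addr[16]) {
    struct nd_entry *e;
    for (e = c->head; e; e = e->next)
        if (!memcmp(e->addr, addr, 16)) { nd_unlink(c, e); nd_push_front(c, e); return e; }
    if (!(e = calloc(1, sizeof *e))) return NULL;
    memcpy(e->addr, addr, 16);
    nd_push_front(c, e); c->count++;
    nd_gc(c);
    return e;
}
/* Simulation: one genuine peer (fe80::1, constructed) is refreshed every 64 packets while
 * `flood` distinct spoofed sources arrive. Returns final cache size, or -1 if the peer was purged. */
int nd_simulate_flood(size_t thresh, uint32_t flood) {
    struct nd_cache c = { .thresh = thresh };
    uint8_t genuine[16] = { 0xfe, 0x80, [15] = 1 };
    for (uint32_t i = 0; i < flood; i++) {
        uint8_t spoof[16] = { 0xfe, 0x80, 0xaa };   /* constructed spoofed source prefix */
        memcpy(spoof + 12, &i, 4);                  /* distinct address per packet */
        nd_touch(&c, spoof);
        if (i % 64 == 0) nd_touch(&c, genuine);     /* genuine traffic keeps it near the head */
    }
    int found = 0, size = (int)c.count;
    for (struct nd_entry *e = c.head; e; e = e->next) found |= !memcmp(e->addr, genuine, 16);
    c.thresh = 0; nd_gc(&c);                        /* free everything */
    return found ? size : -1;
}
```

With a threshold of 256 the cache never grows past 256 entries under a flood of 10000 spoofed sources, and the actively used peer survives because every refresh moves it back to the head of the list.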



Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Mon, 02 Sep 2013 21:19:09 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 02 Sep 2013 21:19:09 GMT) Full text and rfc822 format available.

Message #25 received at 690986-done@bugs.debian.org (full text, mbox):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 550429-done@bugs.debian.org,570805-done@bugs.debian.org,593733-done@bugs.debian.org,601273-done@bugs.debian.org,602120-done@bugs.debian.org,610252-done@bugs.debian.org,614419-done@bugs.debian.org,631613-done@bugs.debian.org,641167-done@bugs.debian.org,644353-done@bugs.debian.org,644718-done@bugs.debian.org,658617-done@bugs.debian.org,669604-done@bugs.debian.org,687788-done@bugs.debian.org,690986-done@bugs.debian.org,706418-done@bugs.debian.org,720470-done@bugs.debian.org,720476-done@bugs.debian.org,
Cc: kfreebsd-8@packages.debian.org, kfreebsd-8@packages.qa.debian.org
Subject: Bug#721540: Removed package(s) from unstable
Date: Mon, 02 Sep 2013 21:16:43 +0000
Version: 8.3-7+rm

Dear submitter,

as the package kfreebsd-8 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/721540

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#690986; Package kfreebsd-8. (Tue, 03 Sep 2013 11:39:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Tue, 03 Sep 2013 11:39:11 GMT) Full text and rfc822 format available.

Message #30 received at 690986@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 690986@bugs.debian.org
Subject: Re: CVE-2012-5363 CVE-2012-5365
Date: Tue, 03 Sep 2013 11:15:02 -0000
Package: kfreebsd-8

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.8) - use target "oldstable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/690986/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#690986; Package kfreebsd-8. (Tue, 03 Sep 2013 13:42:30 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Tue, 03 Sep 2013 13:42:30 GMT) Full text and rfc822 format available.

Message #35 received at 690986@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: Jonathan Wiltshire <jmw@debian.org>, 690986@bugs.debian.org
Subject: Re: Bug#690986: CVE-2012-5363 CVE-2012-5365
Date: Tue, 03 Sep 2013 14:41:26 +0100
Control: found -1 8.1+dfsg-8+squeeze4
Control: found -1 8.3-6

(Affected versions in stable and oldstable were not marked as such, so
I'm fixing that now.)

On 03/09/13 12:15, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you closed
> this bug.
> [...] they are now on my radar for fixing in the following suites
> through point releases:

This bug was only closed due to removal of kfreebsd-8 from sid.  Maybe
this report was generated in error because affected versions were not
properly tagged?

No fix is available.  I'd like to keep the security issues 'open' until
someday a mitigation might be introduced in the upstream development
head which could be backported.

Hopefully the note on the PTS about these open issues, the bug in the
BTS, and security tracker data (e.g. via debsecan) are enough to advise
users of these two CVEs.  The issues are DoS-only and IMHO low severity
for most environments.

That said, there are some other outstanding security bugs in kfreebsd-8
we may want to address in a point release...

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Marked as found in versions 8.1+dfsg-8+squeeze4. Request was from Steven Chamberlain <steven@pyro.eu.org> to 690986-submit@bugs.debian.org. (Tue, 03 Sep 2013 13:42:30 GMT) Full text and rfc822 format available.

Marked as found in versions 8.3-6. Request was from Steven Chamberlain <steven@pyro.eu.org> to 690986-submit@bugs.debian.org. (Tue, 03 Sep 2013 13:42:31 GMT) Full text and rfc822 format available.

Marked as found in versions 8.1+dfsg-7. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 24 Nov 2013 20:40:21 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 03:43:34 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.