git: d6f580f7470f - main - security/vuxml: catch up with recent FreeBSD SAs
Date: Thu, 31 Aug 2023 06:03:32 UTC
The branch main has been updated by philip:
URL: https://cgit.FreeBSD.org/ports/commit/?id=d6f580f7470f1b7714bb26ea743ccc83344add2b
commit d6f580f7470f1b7714bb26ea743ccc83344add2b
Author: Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2023-08-31 06:01:56 +0000
Commit: Philip Paeps <philip@FreeBSD.org>
CommitDate: 2023-08-31 06:01:56 +0000
security/vuxml: catch up with recent FreeBSD SAs
Add FreeBSD SAs issued since FreeBSD-SA-22:13.zlib in August 2022.
2022-11-15 FreeBSD-SA-22:14.heimdal
2022-11-29 FreeBSD-SA-22:15.ping
2023-02-08 FreeBSD-SA-23:01.geli
2023-02-16 FreeBSD-SA-23:02.openssh
2023-02-16 FreeBSD-SA-23:03.openssl
2023-06-21 FreeBSD-SA-23:04.pam_krb5
2023-06-21 FreeBSD-SA-23:05.openssh
2023-08-01 FreeBSD-SA-23:06.ipv6
2023-08-01 FreeBSD-SA-23:07.bhyve
2023-08-01 FreeBSD-SA-23:08.ssh
2023-08-01 FreeBSD-SA-23:09.pam_krb5
---
security/vuxml/vuln/2023.xml | 451 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 451 insertions(+)
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 2a5ec150d30c..004ff289d908 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,454 @@
+ <vuln vid="9b0d9832-47c1-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- Network authentication attack via pam_krb5</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>13.2</ge><lt>13.2_2</lt></range>
+ <range><ge>13.1</ge><lt>13.1_9</lt></range>
+ <range><ge>12.4</ge><lt>12.4_4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following
+ the patch for that advisory.</p>
+ <h1>Impact:</h1>
+ <p>The impact described in FreeBSD-SA-23:04.pam_krb5 persists.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-3326</cvename>
+ <freebsdsa>SA-23:09.pam_krb5</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-08-01</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="291d0953-47c1-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- Potential remote code execution via ssh-agent forwarding</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>13.2</ge><lt>13.2_2</lt></range>
+ <range><ge>13.1</ge><lt>13.1_9</lt></range>
+ <range><ge>12.4</ge><lt>12.4_4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The server may cause ssh-agent to load shared libraries other than
+ those required for PKCS#11 support. These shared libraries may have
+ side effects that occur on load and unload (dlopen and dlclose).</p>
+ <h1>Impact:</h1>
+ <p>An attacker with access to a server that accepts a forwarded
+ ssh-agent connection may be able to execute code on the machine running
+ ssh-agent. Note that the attack relies on properties of operating
+ system-provided libraries. This has been demonstrated on other
+ operating systems; it is unknown whether this attack is possible using
+ the libraries provided by a FreeBSD installation.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-38408</cvename>
+ <freebsdsa>SA-23:08.ssh</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-08-01</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ab437561-47c0-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- bhyve privileged guest escape via fwctl</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>13.2</ge><lt>13.2_2</lt></range>
+ <range><ge>13.1</ge><lt>13.1_9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>The fwctl driver implements a state machine which is executed when
+ the guest accesses certain x86 I/O ports. The interface lets the guest
+ copy a string into a buffer resident in the bhyve process' memory. A
+ bug in the state machine implementation can result in a buffer
+ overflowing when copying this string.</p>
+ <h1>Impact:</h1>
+ <p>A malicious, privileged software running in a guest VM can exploit
+ the buffer overflow to achieve code execution on the host in the bhyve
+ userspace process, which typically runs as root. Note that bhyve runs
+ in a Capsicum sandbox, so malicious code is constrained by the
+ capabilities available to the bhyve process.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-3494</cvename>
+ <freebsdsa>SA-23:07.bhyve</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-08-01</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3dabf5b8-47c0-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- Remote denial of service in IPv6 fragment reassembly</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>13.2</ge><lt>13.2_2</lt></range>
+ <range><ge>13.1</ge><lt>13.1_9</lt></range>
+ <range><ge>12.4</ge><lt>12.4_4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Each fragment of an IPv6 packet contains a fragment header which
+ specifies the offset of the fragment relative to the original packet,
+ and each fragment specifies its length in the IPv6 header. When
+ reassembling the packet, the kernel calculates the complete IPv6 payload
+ length. The payload length must fit into a 16-bit field in the IPv6
+ header.</p>
+ <p>Due to a bug in the kernel, a set of carefully crafted packets can
+ trigger an integer overflow in the calculation of the reassembled
+ packet's payload length field.</p>
+ <h1>Impact:</h1>
+ <p>Once an IPv6 packet has been reassembled, the kernel continues
+ processing its contents. It does so assuming that the fragmentation
+ layer has validated all fields of the constructed IPv6 header. This bug
+ violates such assumptions and can be exploited to trigger a remote
+ kernel panic, resulting in a denial of service.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-3107</cvename>
+ <freebsdsa>SA-23:06.ipv6</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-08-01</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e31a8f8e-47bf-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- ssh-add does not honor per-hop destination constraints</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>12.4</ge><lt>12.4_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>When using ssh-add(1) to add smartcard keys to ssh-agent(1) with
+ per-hop destination constraints, a logic error prevented the constraints
+ from being sent to the agent resulting in keys being added to the agent
+ without constraints.</p>
+ <h1>Impact:</h1>
+ <p>A malicious server could leverage the keys provided by a forwarded
+ agent that would normally not be allowed due to the logic error.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-28531</cvename>
+ <freebsdsa>SA-23:05.openssh</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-06-21</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="41af0277-47bf-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- Network authentication attack via pam_krb5</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>13.2</ge><lt>13.2_1</lt></range>
+ <range><ge>13.1</ge><lt>13.1_8</lt></range>
+ <range><ge>12.4</ge><lt>12.4_3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>pam_krb5 authenticates the user by essentially running kinit(1) with
+ the password, getting a `ticket-granting ticket' (tgt) from the Kerberos
+ KDC (Key Distribution Center) over the network, as a way to verify the
+ password.</p>
+ <p>Normally, the system running the pam_krb5 module will also have a
+ keytab, a key provisioned by the KDC. The pam_krb5 module will use the
+ tgt to get a service ticket and validate it against the keytab, ensuring
+ the tgt is valid and therefore, the password is valid.</p>
+ <p>However, if a keytab is not provisioned on the system, pam_krb5 has
+ no way to validate the response from the KDC, and essentially trusts the
+ tgt provided over the network as being valid.</p>
+ <h1>Impact:</h1>
+ <p>In a non-default FreeBSD installation that leverages pam_krb5 for
+ authentication and does not have a keytab provisioned, an attacker that
+ is able to control both the password and the KDC responses can return a
+ valid tgt, allowing authentication to occur for any user on the
+ system.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-3326</cvename>
+ <freebsdsa>SA-23:04.pam_krb5</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-06-21</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c8eb4c40-47bd-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- Multiple vulnerabilities in OpenSSL</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>13.1</ge><lt>13.1_7</lt></range>
+ <range><ge>12.4</ge><lt>12.4_2</lt></range>
+ <range><ge>12.3</ge><lt>12.3_12</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <h2>X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)</h2>
+ <p>There is a type confusion vulnerability relating to X.400 address processing
+ inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
+ the public structure definition for GENERAL_NAME incorrectly specified the type
+ of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
+ the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
+ ASN1_STRING.</p>
+ <h2>Timing Oracle in RSA Decryption (CVE-2022-4304)</h2>
+ <p>A timing based side channel exists in the OpenSSL RSA Decryption
+ implementation.</p>
+ <h2>Use-after-free following BIO_new_NDEF (CVE-2023-0215)</h2>
+ <p>The public API function BIO_new_NDEF is a helper function used for streaming
+ ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support
+ the SMIME, CMS and PKCS7 streaming capabilities, but may also be called
+ directly by end user applications.</p>
+ <p>The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter
+ BIO onto the front of it to form a BIO chain, and then returns the new head
+ of the BIO chain to the caller. Under certain conditions, for example if a
+ CMS recipient public key is invalid, the new filter BIO is freed and the
+ function returns a NULL result indicating a failure. However, in this case,
+ the BIO chain is not properly cleaned up and the BIO passed by the caller
+ still retains internal pointers to the previously freed filter BIO.</p>
+ <h2>Double free after calling PEM_read_bio_ex (CVE-2022-4450)</h2>
+ <p>The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
+ decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
+ data. If the function succeeds then the "name_out", "header" and "data"
+ arguments are populated with pointers to buffers containing the relevant
+ decoded data. The caller is responsible for freeing those buffers. It is
+ possible to construct a PEM file that results in 0 bytes of payload data. In
+ this case PEM_read_bio_ex() will return a failure code but will populate the
+ header argument with a pointer to a buffer that has already been freed.</p>
+ <h1>Impact:</h1>
+ <h2>X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)</h2>
+ <p>When CRL checking is enabled (i.e. the application sets the
+ X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
+ arbitrary pointers to a memcmp call, enabling them to read memory contents or
+ enact a denial of service. In most cases, the attack requires the attacker to
+ provide both the certificate chain and CRL, neither of which need to have a
+ valid signature. If the attacker only controls one of these inputs, the other
+ input must already contain an X.400 address as a CRL distribution point, which
+ is uncommon. As such, this vulnerability is most likely to only affect
+ applications which have implemented their own functionality for retrieving CRLs
+ over a network.</p>
+ <h2>Timing Oracle in RSA Decryption (CVE-2022-4304)</h2>
+ <p>A timing based side channel exists in the OpenSSL RSA Decryption implementation
+ which could be sufficient to recover a plaintext across a network in a
+ Bleichenbacher style attack. To achieve a successful decryption an attacker
+ would have to be able to send a very large number of trial messages for
+ decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
+ RSA-OEAP and RSASVE.</p>
+ <h2>Use-after-free following BIO_new_NDEF (CVE-2023-0215)</h2>
+ <p>A use-after-free will occur under certain conditions. This will most likely
+ result in a crash.</p>
+ <h2>Double free after calling PEM_read_bio_ex (CVE-2022-4450)</h2>
+ <p>A double free may occur. This will most likely lead to a crash. This could be
+ exploited by an attacker who has the ability to supply malicious PEM files
+ for parsing to achieve a denial of service attack.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-0286</cvename>
+ <cvename>2023-0215</cvename>
+ <cvename>2022-4450</cvename>
+ <cvename>2022-4304</cvename>
+ <freebsdsa>SA-23:03.openssl</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-02-16</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="09b7cd39-47bd-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- OpenSSH pre-authentication double free</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>12.4</ge><lt>12.4_2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>A flaw in the backwards-compatibility key exchange route allows a
+ pointer to be freed twice.</p>
+ <h1>Impact:</h1>
+ <p>A remote, unauthenticated attacker may be able to cause a denial of
+ service, or possibly remote code execution.</p>
+ <p>Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions of
+ OpenSSH, and are not affected. FreeBSD 13.2-BETA1 and later include the
+ fix.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-25136</cvename>
+ <freebsdsa>SA-23:02.openssh</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-02-16</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="3fcab88b-47bc-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- GELI silently omits the keyfile if read from stdin</topic>
+ <affects>
+ <package>
+ <name>FreeBSD-kernel</name>
+ <range><ge>13.1</ge><lt>13.1_6</lt></range>
+ <range><ge>12.4</ge><lt>12.4_1</lt></range>
+ <range><ge>12.3</ge><lt>12.3_11</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>When GELI reads a key file from a standard input, it doesn't store it
+ anywhere. If the user tries to initialize multiple providers at once,
+ for the second and subsequent devices the standard input stream will be
+ already empty. In this case, GELI silently uses a NULL key as the user
+ key file. If the user used only a key file without a user passphrase,
+ the master key was encrypted with an empty key file. This might not be
+ noticed if the devices were also decrypted in a batch operation.</p>
+ <h1>Impact:</h1>
+ <p>Some GELI providers might be silently encrypted with a NULL key
+ file.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2023-0751</cvename>
+ <freebsdsa>SA-23:01.geli</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2023-02-08</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a005aea9-47bb-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- Stack overflow in ping(8)</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>13.1</ge><lt>13.1_5</lt></range>
+ <range><ge>12.3</ge><lt>12.3_10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>ping reads raw IP packets from the network to process responses in
+ the pr_pack() function. As part of processing a response ping has to
+ reconstruct the IP header, the ICMP header and if present a "quoted
+ packet," which represents the packet that generated an ICMP error.
+ The quoted packet again has an IP header and an ICMP header.</p>
+ <p>The pr_pack() copies received IP and ICMP headers into stack buffers
+ for further processing. In so doing, it fails to take into account the
+ possible presence of IP option headers following the IP header in either
+ the response or the quoted packet. When IP options are present,
+ pr_pack() overflows the destination buffer by up to 40 bytes.</p>
+ <h1>Impact:</h1>
+ <p>The memory safety bugs described above can be triggered by a remote
+ host, causing the ping program to crash.</p>
+ <p>The ping process runs in a capability mode sandbox on all affected
+ versions of FreeBSD and is thus very constrained in how it can interact
+ with the rest of the system at the point where the bug can occur.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2022-23093</cvename>
+ <freebsdsa>SA-22:15.ping</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2022-11-29</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="97c1b0f7-47b9-11ee-8e38-002590c1f29c">
+ <topic>FreeBSD -- Multiple vulnerabilities in Heimdal</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>13.1</ge><lt>13.1_4</lt></range>
+ <range><ge>12.3</ge><lt>12.3_9</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Multiple security vulnerabilities have been discovered in the Heimdal
+ implementation of the Kerberos 5 network authentication
+ protocols and KDC.</p>
+ <ul>
+ <li>CVE-2022-42898 PAC parse integer overflows</li>
+ <li>CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour</li>
+ <li>CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors</li>
+ <li>CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec</li>
+ <li>CVE-2019-14870 Validate client attributes in protocol-transition</li>
+ <li>CVE-2019-14870 Apply forwardable policy in protocol-transition</li>
+ <li>CVE-2019-14870 Always lookup impersonate client in DB</li>
+ </ul>
+ <h1>Impact:</h1>
+ <p>A malicious actor with control of the network between a client and a
+ service using Kerberos for authentication can impersonate either the
+ client or the service, enabling a man-in-the-middle (MITM) attack
+ circumventing mutual authentication.</p>
+ <p>Note that, while CVE-2022-44640 is a severe vulnerability, possibly
+ enabling remote code execution on other platforms, the version of
+ Heimdal included with the FreeBSD base system cannot be exploited in
+ this way on FreeBSD.</p>
+ </body>
+ </description>
+ <references>
+ <cvename>2019-14870</cvename>
+ <cvename>2021-44758</cvename>
+ <cvename>2022-3437</cvename>
+ <cvename>2022-42898</cvename>
+ <cvename>2022-44640</cvename>
+ <freebsdsa>SA-22:14.heimdal</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2022-11-15</discovery>
+ <entry>2023-08-31</entry>
+ </dates>
+ </vuln>
+
<vuln vid="22fffa69-46fa-11ee-8290-a8a1599412c6">
<topic>chromium -- use after free in MediaStream</topic>
<affects>