[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

Per olof Ljungmark peo at intersonic.se
Wed May 1 10:17:07 UTC 2013 

Path to patch seems wrong?

On 2013-04-29 22:55, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-13:05.nfsserver                                  Security Advisory
>                                                           The FreeBSD Project
> 
> Topic:          Insufficient input validation in the NFS server
> 
> Category:       core
> Module:         nfsserver
> Announced:      2013-04-29
> Credits:        Adam Nowacki
> Affects:        All supported versions of FreeBSD.
> Corrected:      2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
>                 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
>                 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
>                 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
>                 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
>                 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
> CVE Name:       CVE-2013-3266
> 
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
> 
> I.   Background
> 
> The Network File System (NFS) allows a host to export some or all of its
> file systems so that other hosts can access them over the network and mount
> them as if they were on local disks.  FreeBSD includes server and client
> implementations of NFS.
> 
> FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
> NFSv2 and NFSv3 implementation and a new implementation which also
> supports NFSv4.
> 
> FreeBSD 9.0 and onward uses the new NFS implementation by default.
> 
> II.  Problem Description
> 
> When processing READDIR requests, the NFS server does not check that
> it is in fact operating on a directory node.  An attacker can use a
> specially modified NFS client to submit a READDIR request on a file,
> causing the underlying filesystem to interpret that file as a
> directory.
> 
> III. Impact
> 
> The exact consequences of an attack depend on the amount of input
> validation in the underlying filesystem:
> 
>  - If the file resides on a UFS filesystem on a little-endian server,
>    an attacker can cause random heap corruption with completely
>    unpredictable consequences.
> 
>  - If the file resides on a ZFS filesystem, an attacker can write
>    arbitrary data on the stack.  It is believed, but has not been
>    confirmed, that this can be exploited to run arbitrary code in
>    kernel context.
> 
> Other filesystems may also be vulnerable.
> 
> IV.  Workaround
> 
> Systems that do not provide NFS service are not vulnerable.  Neither
> are systems that do but use the old NFS implementation, which is the
> default in FreeBSD 8.x.
> 
> To determine which implementation an NFS server is running, run the
> following command:
> 
> # kldstat -v | grep -cw nfsd
> 
> This will print 1 if the system is running the new NFS implementation,
> and 0 otherwise.
> 
> V.   Solution
> 
> Perform one of the following:
> 
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
> 
> 2) To update your vulnerable system via a source code patch:
> 
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
> # gpg --verify nfsserver.patch.asc
> 
> b) Apply the patch.
> 
> # cd /usr/src
> # patch < /path/to/patch
> 
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
> 
> 3) To update your vulnerable system via a binary patch:
> 
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
> 
> # freebsd-update fetch
> # freebsd-update install
> 
> VI.  Correction details
> 
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
> 
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> stable/8/                                                         r250058
> releng/8.3/                                                       r250059
> releng/8.4/                                                       r250062
> stable/9/                                                         r250060
> releng/9.1/                                                       r250061
> -------------------------------------------------------------------------
> 
> VII. References
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266
> 
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
> 

-- 
Intersonic AB
Registered in Solna, Sweden
SE556539368201

More information about the freebsd-security mailing list