[lacnog] El principio E2E (Re: Fwd: NetBSD Security Advisory 2018-004: Remote Memory Corruption in IPv6)

Fernando Gont fgont en si6networks.com
Tue Feb 13 07:24:33 BRST 2018


BTW, when someone asks "why don't I want to put my box directly
connected to the Internet", this kind of thing helps justify the
answer.


P.S.: When you "compose" this type of vulnerability with scenarios like
those in the article Ricardo sent, you arrive at some quite interesting
hypothetical scenarios. :-)



On 02/13/2018 06:12 AM, Fernando Gont wrote:
> FYI
> 
> This is what I am referring to when I talk about the maturity of IPv6
> implementations.
> 
> 
> -------- Forwarded Message --------
> Subject: NetBSD Security Advisory 2018-004: Remote Memory Corruption in IPv6
> Date: Mon, 12 Feb 2018 20:11:48 -0500
> From: NetBSD Security-Officer <security-officer en netbsd.org>
> Reply-To: NetBSD Security Officer <security-officer en NetBSD.org>
> To: tech-security en NetBSD.org
> 
> 
> 
> 		NetBSD Security Advisory 2018-004
> 		=================================
> 
> Topic:		Remote Memory Corruption in IPv6
> 
> Version:	NetBSD-current:		source prior to Tue, Jan 30th 2018
> 		NetBSD 7.1:		affected
> 		NetBSD 7.0 - 7.0.2:	affected
> 		NetBSD 6.1 - 6.1.4:	affected
> 		NetBSD 6.0 - 6.0.5:	affected
> 
> Severity:	Remote DoS, Remote Memory Corruption
> 
> Fixed:		NetBSD-current:		Tue, Jan 30th 2018
> 		NetBSD-7-1 branch:	Tue, Jan 30th 2018
> 		NetBSD-7-0 branch:	Tue, Jan 30th 2018
> 		NetBSD-7 branch:	Tue, Jan 30th 2018
> 		NetBSD-6-1 branch:	Tue, Jan 30th 2018
> 		NetBSD-6-0 branch:	Tue, Jan 30th 2018
> 		NetBSD-6 branch:	Tue, Jan 30th 2018
> 
> Teeny versions released later than the fix date will contain the fix.
> 
> Please note that NetBSD releases prior to 6.0 are no longer supported.
> It is recommended that all users upgrade to a supported release.
> 
> 
> Abstract
> ========
> 
> A mistake in the way received IPv6 packets are handled allowed an attacker
> to remotely trigger a memory corruption.
> 
> 
> Technical Details
> =================
> 
> When a packet is received, the kernel stores it in memory as a chain of mbufs.
> An mbuf is basically a block of contiguous memory.
> 
> A function, located deep into the IPv6 entry point, was not performing the
> necessary checks when treating a received IPv6 packet. It was parsing the
> IPv6 options assuming they were located in the first mbuf of the chain, but
> this assumption was incorrect. Therefore, it was possible for this function
> to return a pointer that pointed to an area located after the first mbuf.
> 
> This pointer was then either read from, or written to with one byte that
> could be controlled by the packet.
> 
> It has been demonstrated that by sending a special combination of nested
> IPv6 fragments, this bug could be exploited remotely, and could allow an
> attacker to cause the kernel to behave unexpectedly because random areas of
> memory were overwritten. It is not clear whether this attack could be turned
> to a code execution attack.
> 
> The PF firewall can mitigate this particular attack, because it rejects
> nested IPv6 fragments by default. NPF does not reject such fragments by
> default. The status of IPF in this regard has not been investigated. It is
> possible that other vectors than IPv6 fragments could trigger this
> vulnerability.
> 
> 
> Solutions and Workarounds
> =========================
> 
> For all NetBSD versions, you need to obtain fixed kernel sources,
> rebuild and install the new kernel, and reboot the system.
> 
> The fixed source may be obtained from the NetBSD CVS repository.
> The following instructions briefly summarize how to upgrade your
> kernel. In these instructions, replace:
> 
>   ARCH     with your architecture (from uname -m),
>   KERNCONF with the name of your kernel configuration file and
>   VERSION  with the file version below
> 
> File versions containing the fixes:
> 
>  FILE     HEAD     netbsd-7     netbsd-7-0     netbsd-7-1
>  ----     ----     --------     ----------     ----------
>  src/sys/netinet6/frag6.c
>           1.65     1.55.4.1     1.55.6.1       1.55.10.1
>  src/sys/netinet6/ip6_input.c
>           1.187    1.149.2.2    1.149.2.1.2.1  1.149.2.1.6.1
>  src/sys/netinet6/ip6_var.h
>           1.78     1.62.2.2     1.62.2.1.2.1   1.62.2.1.6.1
>  src/sys/netinet6/raw_ip6.c
>           1.160    1.136.2.2    1.136.6.1      1.136.2.1.2.1
> 
> 
>  FILE              netbsd-6     netbsd-6-0     netbsd-6-1
>  ----              --------     ----------     ----------
>  src/sys/netinet6/frag6.c
>                    1.52.2.3     1.52.2.1.4.2   1.52.2.2.2.1
>  src/sys/netinet6/ip6_input.c
>                    1.136.2.2    1.136.6.2      1.136.8.2
>  src/sys/netinet6/ip6_var.h
>                    1.58.2.2     1.58.6.2       1.58.8.2
>  src/sys/netinet6/raw_ip6.c
>                    1.109.2.1    1.109.6.1      1.109.8.1
>  src/sys/netinet6/ah_input.c
>                    1.59.8.1     1.59.12.1      1.59.14.1
>  src/sys/netinet6/esp_input.c
>                    1.50.8.1     1.50.12.1      1.50.14.1
>  src/sys/netinet6/ipcomp_input.c
>                    1.38.8.1     1.38.12.1      1.38.14.1
> 
> Note: for NetBSD-6, there are three more files that contain the fix.
> 
> 
> To update from CVS, re-build, and re-install the kernel:
> 
> 	# cd src
> 	# cvs update -d -P -r VERSION sys/netinet6/frag6.c
> 	# cvs update -d -P -r VERSION sys/netinet6/ip6_input.c
> 	# cvs update -d -P -r VERSION sys/netinet6/ip6_var.h
> 	# cvs update -d -P -r VERSION sys/netinet6/raw_ip6.c
> 
> If you run NetBSD-6:
> 	# cvs update -d -P -r VERSION sys/netinet6/ah_input.c
> 	# cvs update -d -P -r VERSION sys/netinet6/esp_input.c
> 	# cvs update -d -P -r VERSION sys/netinet6/ipcomp_input.c
> 
> 	# ./build.sh kernel=KERNCONF
> 	# mv /netbsd /netbsd.old
> 	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
> 	# shutdown -r now
> 
> For more information on how to do this, see:
> 
>    http://www.NetBSD.org/guide/en/chap-kernel.html
> 
> 
> Thanks To
> =========
> 
> Maxime Villard for finding and fixing the issue.
> 
> 
> Revision History
> ================
> 
> 	2018-02-12	Initial release
> 
> 
> More Information
> ================
> 
> Advisories may be updated as new information becomes available.
> The most recent version of this advisory (PGP signed) can be found at
> 
> http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-0XX.txt.asc
> 
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
> 
> 
> Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
> Redistribution permitted only in full, unmodified form.
> 
> 
> 


-- 
Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
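The mbuf-chain mistake the forwarded advisory describes, as an added illustration that is not NetBSD's code: a toy mbuf chain, the bounds check the advisory says was missing (options were assumed to sit in the first mbuf), and two chain-aware ways to reach the Hop-by-Hop options without dereferencing memory beyond the mbuf that holds them. The struct layout, every function name, and the sample packet are constructed for this sketch and do not correspond to the kernel's real types or to the functions named in the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a BSD mbuf chain: each mbuf is one contiguous block holding
 * 'len' valid bytes, and the packet is the concatenation of the chain.
 * Assumption: the real kernel structure and field names differ. */
#define MBUF_DATA 64
struct mbuf {
    struct mbuf *next;
    size_t len;
    uint8_t data[MBUF_DATA];
};

/* The check the advisory describes as missing: do packet bytes
 * [off, off+need) really lie inside the FIRST mbuf?  Without it, computing
 * "m->data + off" and dereferencing it reads or writes past the valid data
 * of that mbuf, which is the memory corruption the advisory reports. */
static int first_mbuf_holds(const struct mbuf *m, size_t off, size_t need)
{
    return off <= m->len && need <= m->len - off;
}

/* Chain-aware lookup: walk to the mbuf that contains packet offset 'off'.
 * Returns a pointer only when all 'need' bytes are contiguous inside that
 * one mbuf; otherwise NULL, so the caller copies the bytes out instead of
 * touching memory it has not validated. */
static const uint8_t *chain_ptr(const struct mbuf *m, size_t off, size_t need)
{
    for (; m != NULL; m = m->next) {
        if (off < m->len)
            return (need <= m->len - off) ? m->data + off : NULL;
        off -= m->len;
    }
    return NULL;
}

/* Copy 'need' bytes at packet offset 'off' into 'dst', crossing mbuf
 * boundaries as required (the role m_copydata plays in BSD).  Returns 0 on
 * success, -1 if the packet is shorter than off + need: a short packet is
 * rejected rather than read past its end. */
static int chain_copy(const struct mbuf *m, size_t off, size_t need, uint8_t *dst)
{
    for (; m != NULL && off >= m->len; m = m->next)
        off -= m->len;
    while (need > 0) {
        if (m == NULL)
            return -1;
        size_t n = m->len - off;
        if (n > need)
            n = need;
        memcpy(dst, m->data + off, n);
        dst += n; need -= n; off = 0; m = m->next;
    }
    return 0;
}

/* Constructed sample packet: a 40-byte IPv6 header (Next Header = 0, i.e.
 * Hop-by-Hop Options; Payload Length = 8) in the first mbuf, and the 8-byte
 * Hop-by-Hop header (Next Header = 59, No Next Header; one PadN option) in
 * the second mbuf, so the options are NOT in the first mbuf. */
static const uint8_t ip6_hdr[40] = { 0x60, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40 };
static const uint8_t hbh_opts[8] = { 59, 0, 1, 4, 0, 0, 0, 0 };
static struct mbuf sample[2];

struct mbuf *build_sample_chain(void)
{
    memset(sample, 0, sizeof sample);
    memcpy(sample[0].data, ip6_hdr, sizeof ip6_hdr);
    sample[0].len = sizeof ip6_hdr;
    sample[0].next = &sample[1];
    memcpy(sample[1].data, hbh_opts, sizeof hbh_opts);
    sample[1].len = sizeof hbh_opts;
    return &sample[0];
}

/* Reads the Next Header byte of the Hop-by-Hop header at packet offset 40
 * through a bounds-checked copy; returns -1 when the packet is too short. */
int hbh_next_header(const struct mbuf *m)
{
    uint8_t hbh[8];
    if (chain_copy(m, 40, sizeof hbh, hbh) != 0)
        return -1;
    return hbh[0];
}

int main(void)
{
    struct mbuf *m = build_sample_chain();
    printf("options in first mbuf? %s\n", first_mbuf_holds(m, 40, 8) ? "yes" : "no");
    printf("chain_ptr(40, 8): %s\n", chain_ptr(m, 40, 8) ? "found" : "not contiguous");
    printf("Hop-by-Hop next header: %d\n", hbh_next_header(m));
    return 0;
}
```

The point for review of any packet parser: a pointer computed as "start of first buffer plus packet offset" is only valid after a check like first_mbuf_holds; when the bytes may live in a later buffer, walk the chain or copy them out, and treat a packet that is shorter than the header claims as malformed rather than as memory to read.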