[lacnog] The E2E principle (Re: Fwd: NetBSD Security Advisory 2018-004: Remote Memory Corruption in IPv6)

Carlos M. Martinez carlosm3011 at gmail.com
Tue Feb 20 14:19:19 BRT 2018


Sorry for picking up this old thread… but… what, then, would be the 
thing that you do connect to the Internet? Because you are going to have 
to connect some box, or else you will have to go back to the computing of 1983.

My more general question is where you draw the line: what, in your 
opinion, is mature enough? Even several VPN concentrators have had 
serious vulnerabilities recently.

Regards

/Carlos

On 13 Feb 2018, at 6:24, Fernando Gont wrote:

> BTW, when someone wonders "why don't I want to put my box
> directly connected to the Internet", this kind of thing serves to
> justify the answer.
>
>
> P.S.: When one "composes" this type of vulnerability with
> scenarios like those in the article sent by Ricardo, one arrives at
> some rather interesting hypothetical scenarios. :-)
>
>
>
> On 02/13/2018 06:12 AM, Fernando Gont wrote:
>> FYI
>>
>> This is what I am referring to when I talk about the maturity of
>> IPv6 implementations.
>>
>>
>> -------- Forwarded Message --------
>> Subject: NetBSD Security Advisory 2018-004: Remote Memory Corruption in IPv6
>> Date: Mon, 12 Feb 2018 20:11:48 -0500
>> From: NetBSD Security-Officer <security-officer at netbsd.org>
>> Reply-To: NetBSD Security Officer <security-officer at NetBSD.org>
>> To: tech-security at NetBSD.org
>>
>>
>>
>> 		NetBSD Security Advisory 2018-004
>> 		=================================
>>
>> Topic:		Remote Memory Corruption in IPv6
>>
>> Version:	NetBSD-current:		source prior to Tue, Jan 30th 2018
>> 		NetBSD 7.1:		affected
>> 		NetBSD 7.0 - 7.0.2:	affected
>> 		NetBSD 6.1 - 6.1.4:	affected
>> 		NetBSD 6.0 - 6.0.5:	affected
>>
>> Severity:	Remote DoS, Remote Memory Corruption
>>
>> Fixed:		NetBSD-current:		Tue, Jan 30th 2018
>> 		NetBSD-7-1 branch:	Tue, Jan 30th 2018
>> 		NetBSD-7-0 branch:	Tue, Jan 30th 2018
>> 		NetBSD-7 branch:	Tue, Jan 30th 2018
>> 		NetBSD-6-1 branch:	Tue, Jan 30th 2018
>> 		NetBSD-6-0 branch:	Tue, Jan 30th 2018
>> 		NetBSD-6 branch:	Tue, Jan 30th 2018
>>
>> Teeny versions released later than the fix date will contain the fix.
>>
>> Please note that NetBSD releases prior to 6.0 are no longer supported.
>> It is recommended that all users upgrade to a supported release.
>>
>>
>> Abstract
>> ========
>>
>> A mistake in the way received IPv6 packets are handled allowed an attacker
>> to remotely trigger a memory corruption.
>>
>>
>> Technical Details
>> =================
>>
>> When a packet is received, the kernel stores it in memory as chain of mbufs.
>> An mbuf is basically a block of contiguous memory.
>>
>> A function, located deep into the IPv6 entry point, was not performing the
>> necessary checks when treating a received IPv6 packet. It was parsing the
>> IPv6 options assuming they were located in the first mbuf of the chain, but
>> this assumption was incorrect. Therefore, it was possible for this function
>> to return a pointer that pointed to an area located after the first mbuf.
>>
>> This pointer was then either read from, or written to with one byte that
>> could be controlled by the packet.
>>
>> It has been demonstrated that by sending a special combination of nested
>> IPv6 fragments, this bug could be exploited remotely, and could allow an
>> attacker to cause the kernel to behave unexpectedly because random areas of
>> memory were overwritten. It is not clear whether this attack could be turned
>> to a code execution attack.
>>
>> The PF firewall can mitigate this particular attack, because it rejects
>> nested IPv6 fragments by default. NPF does not reject such fragments by
>> default. The status of IPF in this regard has not been investigated. It is
>> possible that other vectors than IPv6 fragments could trigger this
>> vulnerability.
>>
>>
>> Solutions and Workarounds
>> =========================
>>
>> For all NetBSD versions, you need to obtain fixed kernel sources,
>> rebuild and install the new kernel, and reboot the system.
>>
>> The fixed source may be obtained from the NetBSD CVS repository.
>> The following instructions briefly summarize how to upgrade your
>> kernel. In these instructions, replace:
>>
>>   ARCH     with your architecture (from uname -m),
>>   KERNCONF with the name of your kernel configuration file and
>>   VERSION  with the file version below
>>
>> File versions containing the fixes:
>>
>>  FILE     HEAD     netbsd-7     netbsd-7-0     netbsd-7-1
>>  ----     ----     --------     ----------     ----------
>>  src/sys/netinet6/frag6.c
>>           1.65     1.55.4.1     1.55.6.1       1.55.10.1
>>  src/sys/netinet6/ip6_input.c
>>           1.187    1.149.2.2    1.149.2.1.2.1  1.149.2.1.6.1
>>  src/sys/netinet6/ip6_var.h
>>           1.78     1.62.2.2     1.62.2.1.2.1   1.62.2.1.6.1
>>  src/sys/netinet6/raw_ip6.c
>>           1.160    1.136.2.2    1.136.6.1      1.136.2.1.2.1
>>
>>
>>  FILE              netbsd-6     netbsd-6-0     netbsd-6-1
>>  ----              --------     ----------     ----------
>>  src/sys/netinet6/frag6.c
>>                    1.52.2.3     1.52.2.1.4.2   1.52.2.2.2.1
>>  src/sys/netinet6/ip6_input.c
>>                    1.136.2.2    1.136.6.2      1.136.8.2
>>  src/sys/netinet6/ip6_var.h
>>                    1.58.2.2     1.58.6.2       1.58.8.2
>>  src/sys/netinet6/raw_ip6.c
>>                    1.109.2.1    1.109.6.1      1.109.8.1
>>  src/sys/netinet6/ah_input.c
>>                    1.59.8.1     1.59.12.1      1.59.14.1
>>  src/sys/netinet6/esp_input.c
>>                    1.50.8.1     1.50.12.1      1.50.14.1
>>  src/sys/netinet6/ipcomp_input.c
>>                    1.38.8.1     1.38.12.1      1.38.14.1
>>
>> Note: for NetBSD-6, there are three more files that contain the fix.
>>
>>
>> To update from CVS, re-build, and re-install the kernel:
>>
>> 	# cd src
>> 	# cvs update -d -P -r VERSION sys/netinet6/frag6.c
>> 	# cvs update -d -P -r VERSION sys/netinet6/ip6_input.c
>> 	# cvs update -d -P -r VERSION sys/netinet6/ip6_var.h
>> 	# cvs update -d -P -r VERSION sys/netinet6/raw_ip6.c
>>
>> If you run NetBSD-6:
>> 	# cvs update -d -P -r VERSION sys/netinet6/ah_input.c
>> 	# cvs update -d -P -r VERSION sys/netinet6/esp_input.c
>> 	# cvs update -d -P -r VERSION sys/netinet6/ipcomp_input.c
>>
>> 	# ./build.sh kernel=KERNCONF
>> 	# mv /netbsd /netbsd.old
>> 	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
>> 	# shutdown -r now
>>
>> For more information on how to do this, see:
>>
>>    http://www.NetBSD.org/guide/en/chap-kernel.html
>>
>>
>> Thanks To
>> =========
>>
>> Maxime Villard for finding and fixing the issue.
>>
>>
>> Revision History
>> ================
>>
>> 	2018-02-12	Initial release
>>
>>
>> More Information
>> ================
>>
>> Advisories may be updated as new information becomes available.
>> The most recent version of this advisory (PGP signed) can be found at
>>
>> http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2018-0XX.txt.asc
>>
>> Information about NetBSD and NetBSD security can be found at
>> http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
>>
>>
>> Copyright 2018, The NetBSD Foundation, Inc.  All Rights Reserved.
>> Redistribution permitted only in full, unmodified form.
>>
>>
>>
>
>
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
> _______________________________________________
> LACNOG mailing list
> LACNOG at lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
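
The bug class described under "Technical Details" in the quoted advisory, as an added example that is not part of the original message and is not NetBSD's code: a lookup that assumes an offset lies in the first buffer of a chain, beside a lookup that walks the chain and checks lengths. The struct, the function names and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for an mbuf chain; names are hypothetical, not NetBSD's. */
struct toy_mbuf {
    struct toy_mbuf *next;
    size_t len;          /* valid bytes in data[] */
    uint8_t data[64];    /* storage; bytes at index >= len are not packet data */
};

/* Flawed pattern: treats `off` as an offset into the first buffer without
 * checking it against the first buffer's length. */
static uint8_t *opt_ptr_unchecked(struct toy_mbuf *m, size_t off)
{
    return m->data + off;
}

/* Checked lookup: walk the chain to the buffer that holds `off` and return a
 * pointer only if `need` bytes are contiguous there. NULL means the caller
 * must drop the packet (a real stack may first copy the range into one
 * contiguous buffer instead). */
static uint8_t *opt_ptr_checked(struct toy_mbuf *m, size_t off, size_t need)
{
    for (; m != NULL; m = m->next) {
        if (off < m->len)
            return need <= m->len - off ? m->data + off : NULL;
        off -= m->len;
    }
    return NULL;   /* offset lies beyond the whole packet */
}

/* Constructed sample: 8 bytes in the first buffer, 4 option bytes in the second. */
static struct toy_mbuf seg2 = { NULL, 4, { 0x3a, 0x00, 0x05, 0x02 } };
static struct toy_mbuf seg1 = { &seg2, 8, { 0x60 } };

int main(void)
{
    /* Packet offset 10 is byte 2 of the second buffer. */
    uint8_t *bad = opt_ptr_unchecked(&seg1, 10);
    uint8_t *good = opt_ptr_checked(&seg1, 10, 1);
    printf("unchecked: first buffer + %td (valid length %zu)\n",
           bad - seg1.data, seg1.len);
    printf("checked:   second buffer + %td, value 0x%02x\n",
           good - seg2.data, *good);
    return 0;
}
```

The unchecked pointer lands past the 8 valid bytes of the first buffer, which is the condition the advisory describes; the checked lookup resolves the same packet offset to the second buffer or refuses it.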

