Slashdot Mirror

← Back to Stories (view on slashdot.org)

FreeBSD security Advisories: FreeBSD-SA-03:09.sign

Posted by Hemos on from the alert-alert-alert dept.

Dan writes "FreeBSD security team has released two new advisories. The first advisory entitled "Insufficient range checking of signal numbers" could allow a malicious local user to use this vulnerability as a local denial-of-service attack. The second advisory "Kernel memory disclosure via ibcs2" could allow a malicious user to call the iBCS2 version of statfs(2) with an arbitrarily large length parameter, causing the kernel to return a large portion of kernel memory containing sensitive information."

29 of 78 comments (clear)

  1. Here's the text in case it gets /.'ed by DrSkwid · · Score: 4, Informative

    nah, who am I kidding

    the signal thing is more than a D.O.S. though

    However, in FreeBSD 5.x, the assertion code is not present if the
    `INVARIANTS' kernel option is not used. In FreeBSD 5.0-RELEASE and
    5.1-RELEASE, `INVARIANTS' is not enabled by default. In this
    configuration, a malicious local user could use this vulnerability
    to modify kernel memory, potentially leading to complete system
    compromise. (FreeBSD 4.x is not vulnerable in this way.)

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  2. sensitive information by patch-rustem · · Score: 5, Funny
    ... to return a large portion of kernel memory containing sensitive information.

    What, like the sys admins porn collection.

    --
    Karma: Bad due to google bombing - Robert Watkins woz 'ere.
  3. Bias in topic titles?? Never!! by Anonymous Coward · · Score: 5, Funny

    It's sort of interesting that this FreeBSD vulnerability is headlined with such a cryptic title. Now, if it were a vulnerability in Windows, it would probably have been titled 'New Windows Exploit crushes small furry animals mercilessly.'

  4. Re:Bias in topic titles?? Never!! by beefdart · · Score: 2, Informative

    Its not like someone could throw up an ActiveX enabled webpage, and root your box.

    The last few windows vulnerabilities have been a huge deal. Microsoft wouldnt bother to fix a hole this small unless someone made a worm for it.

  5. "Malicious Local User" by Farley+Mullet · · Score: 4, Insightful

    If someone malicious has access to your computer, bad things can happen. It's good to see that the FreeBSD team is tightening things up, but the bottom line is that if someone has an account on a system and they're determined, they'll find a way to do some damage.

    1. Re:"Malicious Local User" by Anonymous Coward · · Score: 1, Insightful

      Given all the big changes they've been making to the kernel, I'm not surprised that they're encountering un-dotted i's and uncrossed t's. That's one of the reasons that OpenBSD is the BSD with the fewest new features apart from those related directly to improving security. Theo is fond of saying that new features create new security holes. I wouldn't be too hard on the folks at FreeBSD though. It is -current they're concentrating on, after all.

  6. freebsd-security mailing list by dodell · · Score: 4, Insightful

    Subscribe to this list, and you had this story about 12 hours ago. You also downloaded and updated your src tree and fixed the bug in a matter of a few minutes. Why is it that a FreeBSD SA makes it to this site and Linux SAs don't?

    --
    www.sitetronics.com/wordpress
    1. Re:freebsd-security mailing list by zenyu · · Score: 3, Insightful

      Subscribe to this list, and you had this story about 12 hours ago. You also downloaded and updated your src tree and fixed the bug in a matter of a few minutes. Why is it that a FreeBSD SA makes it to this site and Linux SAs don't?

      Prolly cuz the editor and poster were thinking of "only one remote security breach in the default configuration in seven years" OpenBSD. There are local user exploits found all the time in the Linux distros and in the BSDs, when remote vulnerabilities are found in any of them it usually does make it to /.

      But yeah, I usually read about and check my system based on security advisories before it ever makes it to slashdot.. prolly everyone else does as well which explains the 12 hour lag.

    2. Re:freebsd-security mailing list by kernelistic · · Score: 2, Informative

      It's interesting to note that you need to have shell access to do anything to the FreeBSD systems affected.

    3. Re:freebsd-security mailing list by Anonymous Coward · · Score: 3, Funny

      Why is it that a FreeBSD SA makes it to this site and Linux SAs don't?

      Because if they reported the Linux SAs, even the SCO stories would be lost the the tidal wave.

    4. Re:freebsd-security mailing list by ratfynk · · Score: 1

      As to why, is obvious, and the fact that with MS you do not, will eventually kill most Win servers! MS knows this and is the reason why they are implimenting Paladium, or fritz chip solutions. Make everything that runs on windows servers have traceable and revokeable security certificates. The mother of all shoot yourself in the foot security measures. The next few years are going to be very interesting for free software as alot of important people, especially the big ISPs start to get really pissed at Microsoft! That is if some branch of MS doesn't devour them all first.

      --
      OH THE SHAME I fell off the wagon and use sigs again!
    5. Re:freebsd-security mailing list by Stephen+Samuel · · Score: 1
      Why is it that a FreeBSD SA makes it to this site and Linux SAs don't?
      1. They're fighting to get one BSD story per day. This is today's story.
      2. Like any news -- it's the unusaual that gets the attention. BSD SA's are unusual.
      3. we wanted to get a rise out of you -- we succeeded.
      --
      Free Software: Like love, it grows best when given away.
  7. Malloc(sizeof(ram.total) - sizeof(ram.used)); by mnmn · · Score: 2, Interesting

    I wouldnt worry about ibcs, always compile a kernel without it(and other binary compatibilities) for real usage. The statfs problem looks real and worrisome though. We've seen too many of similar problems where a user grabs large memory and reads the sensitive data.

    I wonder if a C-reading script could read all the source code and mark all the big mallocs/reallocs that users get access to.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by phoenix_rizzen · · Score: 2, Informative

      One thing to note about FreeBSD: just because it isn't compiled into the kernel doesn't mean you don't have access to it. Almost everything that is not directly compiled into the kernel is compiled as a module. If you fire up an app that requires ibcs2 support, then the kernel will load the ibcs2.ko kernel module. Any problems with the ibcs2 subsystem will then be in your kernel.

      IOW, you do need to worry about this, and you do need to patch your system.

    2. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by mnmn · · Score: 1

      I custom-compile all kernels for the FreeBSD servers and remove everything I dont need, not even as 'option'. I also delete the old modules lying around. I like em lean.

      --
      "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    3. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by beefdart · · Score: 1

      >Almost everything that is not directly compiled into the kernel is compiled as a module.

      If you dont do your own, custom installs, yes...

    4. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by phoenix_rizzen · · Score: 2, Interesting

      How does one disable the building of kernel modules? I've only ever seen the NO_MODULES_WITH_WORLD knob, but nothing to completely disable the building of modules.

    5. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by kernelistic · · Score: 2, Informative

      Read the tunefs(8) and tuning(7) manpages.

      Here's a list of things that you might want to try out:

      - Rethink your slicing, see tuning(7) for more on this.
      - Enable softupdates on the data filesystems of choice.
      - Compile a custom kernel with only the drivers that you *really* need.
      - Tune the VFS sysctls. This item cannot be stressed enough. The values selected depend upon the role of the server.
      - Tune your IP stack. There's a number of sysctls that will quadruple your network throughput. Google has a number of guides which provide good insight.

      Remember: Copying a file from a directory to another is by no means a scientific test, as it depends upon the layout of the disk, sector size, disk cache, and a laundry list of other variables. The output of bonnie++ is what you should use to benchmark your IO subsystem.

    6. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by ffsnjb · · Score: 4, Informative

      uncomment the
      NO_MODULES= true # do not build modules with the kernel

      line in /etc/make.conf

      I don't build modules on my production machines, there is no need. This prevents that.

      --
      "Why do you consent to live in ignorance and fear?" - Bad Religion
    7. Re:Malloc(sizeof(ram.total) - sizeof(ram.used)); by phoenix_rizzen · · Score: 1

      Aha! Learn something new everyday. Thanks. (Don't know how I've missed that, considering how many times I've edited make.conf.)

  8. Binary patches... by cperciva · · Score: 3, Informative

    Binary patches aren't available for these advisories yet, but they will be soon (ETA 12 hours?)

    See my sig for details.

    --
    Tarsnap: Online backups for the truly paranoid
  9. Re:*BSD is dying by beefdart · · Score: 1

    And posts like that prove Darwin wrong...

    "I dont hate Linux, just the most of the stupid kiddies who use it"

  10. Re:What We Can Learn From BSD by beefdart · · Score: 1

    And people like that prove Darwin wrong...

    "I dont hate Linux, just the most of the stupid kiddies who use it"

  11. hot mail security flaw I knew it! by ratfynk · · Score: 2, Funny

    Hmmm so let me get this straight, security flaw 2 send lots of requests to the hot mail server and get lots of core info back. So thats why Hot Mail works the way it does and all we get is spam!

    --
    OH THE SHAME I fell off the wagon and use sigs again!
  12. Linux is dying by cozman69 · · Score: 1, Funny

    Linux is dead. Long live BSD.

  13. Re:BSD problems by beefdart · · Score: 1

    Well first off, no one in there right mind would listen to what you have to say: "Even Emacs Lite is straining to keep up as I type this."
    cause you use Emacs.

    If you have half a brain there is no faster x86 OS than FreeBSD.

    I am not an addict, I just use the best tool out there.

  14. Re:BSD problems by Phactorial · · Score: 1

    There wasn't. Now, there is. Please get a clue.

  15. Re:BSD problems by R.Caley · · Score: 1
    I don't want to start a holy war here

    Sure you don't.

    [20 minutes + on a PIII 800 to copy a 17MB file]

    Charitably, you have a machine which is seriously fucked up at the hardware level. Less charitably, you are making it up.

    For comparison, PIII 500, old scavenged (ie slow) disks, 11 seconds to copy a 130MB file between disks, 18 seconds within one disk.

    I have a policy of not tuning my systems, so this is about as slow as it is possible for FBSD to get, without underlying problems. I have no reason to think any of the other BSDs are significantly slower.

    If you really have the problem you claim, I can only think you are either getting huge numbers of recoverable hardware disk errors, or something has eaten all your memory and the system is thrashing wildly.

    --
    _O_
    .|<     The named which can be named is not the true named
  16. Re:BSD problems by adri · · Score: 1

    Yay, you've been owned by a troll!