Nabble - openbsd user - security-announce

CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

2009-11-26T01:41:59Z

The SSL/TLS protocol is subject to man-in-the-middle attacks
related to renegotiation (described in draft-ietf-tls-renegotiation-00)
allowing a MITM to inject chosen plaintext to the beginning of the
application data. Practical attacks exist against HTTPS and possibly
other protocols.

In -current, OpenSSL's ability to accept renegotiations has been
disabled by default. Patches are available for OpenBSD 4.6 and 4.5:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/010_openssl.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.6/common/004_openssl.patch

These are also available in the 4.5 and 4.6 -stable branches.

OpenBSD patch: XMM exceptions incorrectly handled in i386 kernel

2009-10-05T04:21:27Z

XMM exceptions are incorrectly handled in the OpenBSD/i386 kernel, resulting
in a kernel panic that can be triggered by a local user.

This issue has been fixed in -current. Source code patches are available for
OpenBSD 4.4, 4.5 and 4.6.

Patch for OpenBSD 4.6:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.6/i386/002_xmm.patch

Patch for OpenBSD 4.5:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/i386/008_xmm.patch

Patch for OpenBSD 4.4:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/i386/015_xmm.patch

These patches are also available in the OPENBSD_4_6, OPENBSD_4_5 and
OPENBSD_4_4 patch branches.

Thanks to Slava Pestov for reporting this issue.

(no subject)

2009-04-30T10:21:50Z

Users are cautioned about rogue ftp sites claiming to have OpenBSD.

The best place to get OpenBSD is from an official CD set, produced in
a secured location

It has come to our attention that some ftp sites (ftp.kd85.com) which
are not official OpenBSD mirrors are purporting to serve OpenBSD 4.5
at this time. We have noted that what is actually present in the 4.5
directory is not 4.5, but rather a late development cycle snapshot which
they have moved into place claiming it is 4.5.

While we have no problem with anyone mirroring OpenBSD for the good
of the user community, we do believe that people who offer up the wrong
thing are being deceptive and will hurt the userbase - particularly when
the packages being offered up are not the release versions.

please ensure you look at http://www.openbsd.org/ftp.html when
choosing to do an ftp install, and don't be fooled by someone "phishing"
for your ftp traffic.

OpenBSD patch: pf nat/rdr of crafted datagram panics kernel

2009-04-11T16:46:24Z

When pf attempts to perform translation on a specially crafted IP datagram
a null pointer dereference will occur, resulting in a kernel panic.
In certain configurations this may be triggered by a remote attacker.

Restricting translation rules to protocols that are specific to the IP version
in use is an effective workaround until the patch can be installed. As an
example, for IPv4 nat/binat/rdr rules you can use:

nat/rdr ... inet proto { tcp udp icmp } ...

Or for IPv6 nat/binat/rdr rules you can use:

nat/rdr ... inet6 proto { tcp udp icmp6 } ...

This issue has been fixed in -current. Source code patches are available for
OpenBSD 4.3, 4.4 and 4.5.

Patch for OpenBSD 4.5:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_pf.patch

Patch for OpenBSD 4.4:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/013_pf.patch

Patch for OpenBSD 4.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/013_pf.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.

Correction: OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access

2009-04-08T00:21:42Z

On Wed, 8 Apr 2009, Damien Miller wrote:

> Patch for OpenBSD 4.5:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Correction, this should be:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/001_openssl.patch

OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access

2009-04-07T19:53:23Z

A number of exploitable flaws in OpenSSL's ASN.1 handling code have been
found. These errors permit denial-of-service (crashing) of applications
that use OpenSSL's libcrypto to parse or print ASN.1 objects.

The vulnerabilities have been designated CVE-2009-0590 and CVE-2009-0789
and are described in more detail in OpenSSL's security advisory:

http://www.openssl.org/news/secadv_20090325.txt

Please note that the other, more serious issue described in the OpenSSL
advisory "Incorrect Error Checking During CMS verification" does not
affect OpenBSD as we have not enabled the offending code.

Source code patches are available for OpenBSD 4.3, 4.4 and 4.5. OpenBSD
-current has been updated to OpenSSL 0.9.8k, which is not vulnerable.

Patch for OpenBSD 4.5:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Patch for OpenBSD 4.4:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/012_openssl.patch

Patch for OpenBSD 4.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/012_openssl.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.

Sudo CVE 2009-0034: possible elevated access

2009-02-23T12:20:51Z

Summary:
A bug was introduced in Sudo's group matching code in version
1.6.9 when support for matching based on the supplemental group
vector was added. This bug may allow certain users listed in
the sudoers file to run a command as a different user than their
access rule specifies.

Patch for OpenBSD 4.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/011_sudo.patch

Patch for OpenBSD 4.4:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/011_sudo.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches. OpenBSD-current is not affected.

Details:
Given a sudoers rule like the following:

bob ALL=(%users) ALL

user bob should only be able to run commands as a user that
is a member of the Unix group users.

However, due to the bug, if bob is himself a member of users,
he will actually be able to run a command as any user.

Impact:
The bug only impacts sudoers configurations where a Unix group
is used in the RunAs list, which is (%users) in the example above.

For example, the following sudoers rule is not affected
by the bug:

bob ALL = ALL

Credit:
This problem was brought to my attention by Harald Koenig.

Background:
Code was added to sudo version 1.7.0 to cache the user's
supplemental group vector and use it in group matches. When
this changed was back-ported to sudo version 1.6.9, the check
to only use the supplemental groups when matching against the
invoking user got dropped.

bind CVE-2009-0025: incorrect DSA verification checks

2009-01-14T14:45:05Z

Some exploitable logic errors have been found in the bind nameserver's
use of OpenSSL DSA verification functions. These errors may permit an
attacker to bypass validation of DSA DNSSEC signatures.

This vulnerability has been designated CVE-2009-0025. More information
is available from the ISC at:

https://www.isc.org/node/373

Source code patches are available for OpenBSD 4.3 and 4.4. -current has
had an identical fix applied.

Patch for OpenBSD 4.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/008_bind.patch

Patch for OpenBSD 4.4:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/008_bind.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.

OpenSSL CVE-2008-5077: Incorrect checks for malformed signatures

2009-01-09T05:12:40Z

Some exploitable logic errors have been discovered in OpenSSL versions
prior to 0.9.8j. These errors may permit an attacker to bypass
validation of DSA/ECDSA certificates and conduct a "man in the middle
attack" against SSL/TLS connection that use them. Fortunately, DSA and
ECDSA certificates appear to be rarely used in practice.

This vulnerability has been designated CVE-2008-5077. More information
is available from the OpenSSL project at:

http://www.openssl.org/news/secadv_20090107.txt

Source code patches are available for OpenBSD 4.3 and 4.4. -current has
been updated to OpenSSL 0.9.8j

Patch for OpenBSD 4.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/007_openssl.patch

Patch for OpenBSD 4.4:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.

Revised: OpenSSH security advisory: cbc.adv

2008-11-23T13:58:55Z

Hi,

There was an error in the original advisory. The estimate of 32768
attempts to carry out a successful attack is incorrect. The correct
estimate is 11356 attempts. A revised version is now available at:
http://www.openssh.com/txt/cbc.adv

The advisory and its recommendations are otherwise unchanged.

-d

OpenSSH security advisory: cbc.adv

2008-11-21T02:19:03Z

OpenSSH Security Advisory: cbc.adv

Regarding the "Plaintext Recovery Attack Against SSH" reported as
CPNI-957037[1]:

The OpenSSH team has been made aware of an attack against the SSH
protocol version 2 by researchers at the University of London.
Unfortunately, due to the report lacking any detailed technical
description of the attack and CPNI's unwillingness to share necessary
information, we are unable to properly assess its impact.

Based on the description contained in the CPNI report and a slightly
more detailed description forwarded by CERT this issue appears to be
substantially similar to a known weakness in the SSH binary packet
protocol first described in 2002 by Bellare, Kohno and Namprempre[2].
The new component seems to be an attack that can recover 14 bits of
plaintext with a success probability of 2^-14, though we suspect this
underestimates the work required by a practical attack.

For most SSH usage scenarios, this attack has a very low likelihood of
being carried out successfully - each attempt has a low probability
of success and each failure will cause connection termination with a
fatal error. It is therefore very unlikely for an interactive session
to be usefully attacked using this protocol weakness: an attacker would
expect around 32768 connection-killing attempts before they are likely
to succeed. This level of disruption would certainly be noticed and it
is highly unlikely that any user would retry the connection enough times
for the attack to succeed.

The usage pattern where the attack is most likely to succeed is where an
automated connection is configured to retry indefinitely in the event of
errors. In this case, it might be possible to recover as much as 14 bits
of plaintext per hour (assuming a very fast 10 connections per second).
Implementing a limit on the number of connection retries (e.g. 256) is
sufficient to render the attack infeasible for this case.

AES CTR mode and arcfour ciphers are not vulnerable to this attack at
all. These may be preferentially selected by placing the following
directive in sshd_config and ssh_config:

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

A future version of OpenSSH may make CTR mode ciphers the default and/or
implement other countermeasures, but at present we do not feel that this
issue is serious enough to make an emergency release.

-d

[1] http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
[2] http://www.cs.washington.edu/homes/yoshi/papers/TISSEC04/

errata 005 for OpenBSD 4.2: local users can provoke a kernel panic

2008-01-11T09:05:34Z

Summary:
Improper checks in an ioctl can lead to a kernel panic.

Details:
recently added calls to rtlabel_id2name() for "ifconfig rtlabel"
did not properly check the return value before using it.
rtlabel_id2name can return NULL if there is no label assigned
or the ID is invalid.

Impact:
local users can cause a kernel panic by using the SIOCGIFRTLABEL
ioctl on interfaces with no route label assigned.
ifconfig does not use that ioctl.

Workaround:
none

Fix:
A fix has been committed to OpenBSD-current and the OpenBSD 4.2-stable
branch.
A patch for OpenBSD 4.2 will appear at the URL below shortly.

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/005_ifrtlabel.patch

Older OpenBSD versions are not affected.

Credits:
The bug was found by Chris Cappuccio who also provided an initial
fix. The final fix was done by Henning Brauer.

attachment0 (194 bytes) Download Attachment

Security fix for openssl

2007-10-12T03:39:30Z

Summary:
The SSL_get_shared_ciphers() function in OpenSSL contains an
off-by-one overflow.

Impact:
A client can send a specially prepared list of ciphers to an
application using the SSL_get_shared_ciphers() function from
the OpenSSL library, potentially resulting in remote code
execution.

Fix:
A fix has been committed to OpenBSD-current. Patches are
available for OpenBSD 4.2, 4.1 and 4.0.

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/002_openssl.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/011_openssl.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/017_openssl.patch

Credits:
The bug was found and fixed by Moritz Jodeit (moritz@).
Original Adivsory:
<http://www.securityfocus.com/archive/1/480855/30/0/threaded>

Security fix for dhcpd

2007-10-09T15:22:20Z

Summary:
Malicious DHCP clients on the local network could cause dhcpd(8)
to corrupt its stack.

Impact:
A DHCP client with a carefully chosen maximum message size that
is less than the minimum IP MTU could lead to a buffer overflow
in dhcpd(8). This could cause dhcpd(8) to crash or could
potentially result in remote code execution.

Workaround:
Disable dhcpd if it is enabled. Note that OpenBSD does not
ship with dhcpd(8) enabled by default.

Fix:
A fix has been committed to OpenBSD-current. Patches are
available for OpenBSD 4.2, 4.1 and 4.0.

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/001_dhcpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.1/common/010_dhcpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/016_dhcpd.patch

Credits:
The bug was found by Nahuel Riva and Gerardo Richarte of Core
Security Technologies

IPv6 Type 0 Route Header Design Flaw

2007-04-23T12:09:19Z

IPv6 type 0 route headers can be used to mount a DoS attack against
hosts and networks. This is a design flaw in IPv6 and not a bug in
OpenBSD.

This problem has been fixed in the OpenBSD CVS repository in the
-current and -stable branches. The -current snapshots of OpenBSD
contain these fixes as well.

It is recommended that users of OpenBSD update their kernel asap
using cvs or manually apply the source code patches listed below.

A source code patch for OpenBSD 4.0-stable can be downloaded from
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/012_route6.patch.

A source code patch for OpenBSD 3.9-stable can be downloaded from
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/022_route6.patch.

Multiple vulnerabilities in X.Org

2007-04-04T08:29:06Z

Multiple vulnerabilities have been discovered in X.Org:

- XC-MISC CVE-2007-1003

XC-MISC Extension ProcXCMiscGetXIDList Memory Corruption
Vulnerability

This vulnerability was discovered by Sean Larsson, iDefense Labs.

- bdf CVE-2007-1351

BDFFont Parsing Integer Overflow Vulnerability

The discoverer of this vulnerability wishes to remain anonymous.

- fontdir CVE-2007-1352

fonts.dir File Parsing Integer Overflow Vulnerability

The discoverer of this vulnerability wishes to remain anonymous.

- libX11 CVE-2007-1667

Multiple integer overflows in the XGetPixel() and XInitImage functions
in ImUtil.c

These vulnerabilities have been fixed in the OpenBSD CVS repository
in the -current and -stable branches. The -current snapshots of X11
contain these fixes as well.

It is recommended that users of X11 on OpenBSD update their X11
installation using cvs or manually apply the source code patches listed
below.

A source code patch for OpenBSD 4.0-stable can be downloaded from
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/011_xorg.patch.

A source code patch for OpenBSD 3.9-stable can be downloaded from
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/021_xorg.patch.

OpenBSD SECURITY FIX: Incorrect mbuf handling for ICMP6 packets, 2nd revision

2007-03-17T15:24:29Z

A second revision of the patch fixing incorrect mbuf handling for ICMP6
packets has been created.

It will be available via ftp soon from the URLs given below.
The fix has also been applied to the OpenBSD 3.9 and 4.0 stable branches
in cvs, please see http://www.openbsd.org/stable.html for details.

Please make sure you get the second revision of the patch, as noted in
the patch files.

OpenBSD 3.9: errata 020
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/020_m_dup1.patch

OpenBSD 4.0: errata 010
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/010_m_dup1.patch

agp_ioctl() vulnerability fix

2007-01-03T13:34:16Z

Insufficient validation in vga(4) may allow an attacker to gain root
privileges if the kernel is compiled with option PCIAGP and the actual
device is not an AGP device. The PCIAGP option is present by default on
i386 kernels only. This vulnerability has been discovered by Ilja van
Sprundel.

A patch addressing this problem is available in the -STABLE branches for
OpenBSD 3.9 and OpenBSD 4.0. Standalone patch files are also available:

- for OpenBSD 4.0:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch

- for OpenBSD 3.9:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.9/i386/017_agp.patch

For more information about OpenBSD errata and how to apply them, please
refer to FAQ 10.15: http://www.OpenBSD.org/faq/faq10.html#Patches

The ELF ld.so(1) fails to properly sanitize the environment.

2006-11-20T19:14:09Z

The ELF ld.so(1) fails to properly sanitize the environment.
There is a potential localhost security problem in cases we
have not found yet. This patch applies to all ELF-based systems
(m68k, m88k, and vax are a.out-based systems).

Patches for the respective releases:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/005_ldso.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/016_ldso.patch

potential denial of service problem in sendmail.

2006-06-16T19:58:21Z

A potential denial of service problem has been found in sendmail.
A malformed MIME message could trigger excessive recursion which
will lead to stack exhaustion. This denial of service attack only
affects delivery of mail from the queue and delivery of a malformed
message. Other incoming mail is still accepted and delivered.
However, mail messages in the queue may not be reattempted if a
malformed MIME message exists.

Patches for the respective releases:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/003_sendmail2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/008_sendmail2.patch

X.Org server security vulnerability

2006-05-02T23:38:46Z

A security vulnerability has been found in the X.Org server --
CVE-2006-1526. Clients authorized to connect to the X server are able to
crash it and to execute malicious code within the X server.

Patches for the respective releases:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/002_xorg.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/007_xorg.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/013_xorg.patch

security hole in sendmail

2006-03-30T16:08:11Z

A race condition exists in sendmail's handling of asynchronous signals.
A remote attacker may be able to execute arbitrary source code with the
privileges of the user running sendmail, typically root.

The fixes have been applied to the 3.7-stable, 3.8-stable and 3.9-stable
branches, and are also available as patches. 3.9-current has been
updated to the new sendmail version which has this addressed as well.

Patches for the respective releases:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/006_sendmail.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/012_sendmail.patch