Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Per olof Ljungmark (peointersonic.se)
Date: Wed May 01 2013 - 05:06:56 CDT
Path to patch seems wrong?
On 2013-04-29 22:55, FreeBSD Security Advisories wrote:
> FreeBSD-SA-13:05.nfsserver Security Advisory
> The FreeBSD Project
> Topic: Insufficient input validation in the NFS server
> Category: core
> Module: nfsserver
> Announced: 2013-04-29
> Credits: Adam Nowacki
> Affects: All supported versions of FreeBSD.
> Corrected: 2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
> 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
> 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
> 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
> 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
> 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
> CVE Name: CVE-2013-3266
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
> I. Background
> The Network File System (NFS) allows a host to export some or all of its
> file systems so that other hosts can access them over the network and mount
> them as if they were on local disks. FreeBSD includes server and client
> implementations of NFS.
> FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
> NFSv2 and NFSv3 implementation and a new implementation which also
> supports NFSv4.
> FreeBSD 9.0 and onward uses the new NFS implementation by default.
> II. Problem Description
> When processing READDIR requests, the NFS server does not check that
> it is in fact operating on a directory node. An attacker can use a
> specially modified NFS client to submit a READDIR request on a file,
> causing the underlying filesystem to interpret that file as a
> III. Impact
> The exact consequences of an attack depend on the amount of input
> validation in the underlying filesystem:
> - If the file resides on a UFS filesystem on a little-endian server,
> an attacker can cause random heap corruption with completely
> unpredictable consequences.
> - If the file resides on a ZFS filesystem, an attacker can write
> arbitrary data on the stack. It is believed, but has not been
> confirmed, that this can be exploited to run arbitrary code in
> kernel context.
> Other filesystems may also be vulnerable.
> IV. Workaround
> Systems that do not provide NFS service are not vulnerable. Neither
> are systems that do but use the old NFS implementation, which is the
> default in FreeBSD 8.x.
> To determine which implementation an NFS server is running, run the
> following command:
> # kldstat -v | grep -cw nfsd
> This will print 1 if the system is running the new NFS implementation,
> and 0 otherwise.
> V. Solution
> Perform one of the following:
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
> 2) To update your vulnerable system via a source code patch:
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
> # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
> # gpg --verify nfsserver.patch.asc
> b) Apply the patch.
> # cd /usr/src
> # patch < /path/to/patch
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> 3) To update your vulnerable system via a binary patch:
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
> # freebsd-update fetch
> # freebsd-update install
> VI. Correction details
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
> Branch/path Revision
> stable/8/ r250058
> releng/8.3/ r250059
> releng/8.4/ r250062
> stable/9/ r250060
> releng/9.1/ r250061
> VII. References
> The latest revision of this advisory is available at
> freebsd-announcefreebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-announce-unsubscribefreebsd.org"
Registered in Solna, Sweden
freebsd-securityfreebsd.org mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"