diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc')
-rw-r--r-- | website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc b/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc new file mode 100644 index 0000000000..66c41bd5bd --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:18.nfsclient.asc @@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:18.nfsclient Security Advisory + The FreeBSD Project + +Topic: NFS client data corruption and kernel memory disclosure + +Category: core +Module: nfsclient +Announced: 2023-12-12 +Credits: Hostpoint AG +Affects: FreeBSD 13.2 and 14.0 +Corrected: 2023-12-12 19:13:50 UTC (stable/14, 14.0-STABLE) + 2023-12-12 19:17:36 UTC (releng/14.0, 14.0-RELEASE-p3) + 2023-12-12 19:14:16 UTC (stable/13, 13.2-STABLE) + 2023-12-12 19:18:17 UTC (releng/13.2, 13.2-RELEASE-p8) +CVE Name: CVE-2023-6660 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The Network File System (NFS) is a distributed file system that allows remote +systems to access files and directories over a network as if they were local. +FreeBSD includes both server and client implementations of NFS. + +II. Problem Description + +In FreeBSD 13.2 and 14.0, the NFS client was optimized to improve the +performance of IO_APPEND writes, that is, writes which add data to the end of +a file and so extend its size. This uncovered an old bug in some routines +which copy userspace data into the kernel. The bug also affects the NFS +client's implementation of direct I/O; however, this implementation is +disabled by default by the vfs.nfs.nfs_directio_enable sysctl and is only +used to handle synchronous writes. + +III. Impact + +When a program running on an affected system appends data to a file via an +NFS client mount, the bug can cause the NFS client to fail to copy in the +data to be written but proceed as though the copy operation had succeeded. +This means that the data to be written is instead replaced with whatever data +had been in the packet buffer previously. Thus, an unprivileged user with +access to an affected system may abuse the bug to trigger disclosure of +sensitive information. In particular, the leak is limited to data previously +stored in mbufs, which are used for network transmission and reception, and +for certain types of inter-process communication. + +The bug can also be triggered unintentionally by system applications, in +which case the data written by the application to an NFS mount may be +corrupted. Corrupted data is written over the network to the NFS server, and +thus also susceptible to being snooped by other hosts on the network. + +Note that the bug exists only in the NFS client; the version and +implementation of the server has no effect on whether a given system is +affected by the problem. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platfrom on FreeBSD 13 and earlier, can be updated via +the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch +# fetch https://security.FreeBSD.org/patches/SA-23:18/nfsclient.patch.asc +# gpg --verify nfsclient.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 8d42f85d9d7b stable/14-n265954 +releng/14.0/ ab60666a00c9 releng/14.0-n265397 +stable/13/ f1d1d50e1d08 stable/13-n256860 +releng/13.2/ 3f079b3f2f33 releng/13.2-n254649 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6660> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:18.nfsclient.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmV4s/kACgkQbljekB8A +Gu8kvg//RUe/q2SFiVyo94disTET5JjVAPjKzMrHuhoI92OA994zS3MXmU6cQZAh +ikWzMTf25/tgGvN8/Cujhp6zIXiPwUvwJXQqL6JN2/lqHHztxYz/m3Ol8Pc2q2yx +hDbY0dOeyaGK9CuH7hjMtu/jeh6vj+TyvzLg/KuxgdOkjdDd352CF43alkb5Q55t +3V8pcY49zCk+5aMJv667mphGxf4yRC/+bkVtJIqoAUpAg/VORMJmMiEt0LS3v7t5 +Oaal8rVfcPu8jPhkt8dIzcp1lrr+AfsOnEB68x2ECiYp2LCWp/ya7rG+DMD537kw +IhSKRpqMvc4rQpjGQIsewO+sexyYC/zYrUu4BYMUnLVEqQ+GPN7jV7uAjoGuvsus +uOAuN3l4T1x50VyBGA9Z2sVAHOkDAh98J8HDtdCK+IxNnTKFsFHBE/4zFLXkVYwr +vo15qZpHzdTnHhhq5GjxZU+j1Sw0TbMWYPVPsgv8HqZciPjmv5bW7nxvB60sqb1a +LYhE2cWilWxNKWQLhFt60ooGb09Auu+wDgnXLmTmpc/phOI+hCNOPedRF/0yPS7D +dE0Q1vjdoiJgcAdntve8fzlwq1KSG4mQZRrJvMverW+/YLtbEFYY/iFT+jYWRMcN +QwyjgbABQ9tzOVaPjSGJp/UB7SjDn8KFoOfeXWZrMkOYz95lXUk= +=Wsy4 +-----END PGP SIGNATURE----- |