-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2013-006 ================================= Topic: Arbitrary Kernel Read with netstat -P Version: NetBSD-current: source prior to Jun 21st, 2013 NetBSD 6.0: affected NetBSD 6.0.*: affected NetBSD 6.1: affected NetBSD 5.1: affected NetBSD 5.2: affected Severity: Information Disclosure Fixed: NetBSD-current: June 20th, 2013 NetBSD-6-0 branch: July 29th, 2013 NetBSD-6-1 branch: July 29th, 2013 NetBSD-6 branch: July 29th, 2013 NetBSD-5-1 branch: July 30th, 2013 NetBSD-5-2 branch: July 30th, 2013 NetBSD-5 branch: July 30th, 2013 Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== netstat -P may disclose contents of kernel memory that aren't Protocol Control Blocks. Technical Details ================= netstat -P does not check whether the address it gets called with is actually pointing to a Protocol Control Block, nor whether (if it is a PCB) the reader should have privileges to read it. This allows a malicious user to study arbitrary sections of kernel memory. Solutions and Workarounds ========================= Workaround: Remove the setgid flag from netstat (chmod 555 /usr/bin/netstat). Solutions: - - Install a new netstat binary from a daily build later than the fix date from the same branch: fetch from http://nyftp.NetBSD.org/pub/NetBSD-daily//// the file binary/sets/base.tgz cd / && tar xzpf ./usr/bin/netstat - - Rebuild your system with the fixes applied. HEAD netbsd-6 netbsd-6-1 netbsd-6-0 src/usr.bin/netstat/inet.c 1.103 1.101.2.1 1.101.14.1 1.101.8.1 src/usr.bin/netstat/inet6.c 1.62 1.59.6.1 1.59.16.1 1.59.12.1 src/usr.bin/netstat/main.c 1.86 1.81.4.1 1.81.10.1 1.81.8.1 src/usr.bin/netstat/netstat.h 1.47 1.43.4.1 1.43.10.1 1.43.8.1 netbsd-5 netbsd-5-2 netbsd-5-1 src/usr.bin/netstat/inet.c 1.88.6.2 1.88.6.1.10.1 1.88.6.1.6.1 src/usr.bin/netstat/inet6.c 1.50.6.2 1.50.6.1.10.1 1.50.6.1.6.1 src/usr.bin/netstat/main.c 1.70.4.1 1.70.2.1 1.70.12.1 src/usr.bin/netstat/netstat.h 1.36.8.1 1.36.6.1 1.36.16.1 Thanks To ========= Thanks to Beverly Schwartz for finding the problem, and informing the NetBSD Security Officer about it. Revision History ================ 2013-07-30 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-006.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2013, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2013-006.txt,v 1.2 2013/07/30 20:44:22 tonnerre Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJR+CYEAAoJEAZJc6xMSnBuUNQP/R5ky2UAEDkRrzkuVHU0Hufr PxOfq5U4Y34nUZQ7IOrZbieBcCuuMNnkQ+Ckm4cSlIGMo5Tv1E2+wTlssS+3A92c 3+FbDe3DYxbKrKP9oHl5AHD+eOAZ0Vx3UlrgK3qAKuEGIxoCLFbIz5LvR9sIJI2S 1Fsxp0705B1pqpkIUN+kZofNe/yFE6JSOnna5bc/inNfBNE18L4sdTGmBQdEloxz 8br2II3uVWMN/9nro8vGKG+NfuWRCr0+mLD7oQ9/csa0gSBKCd6zL7goJruNKNSk N8js85jz6fZIOFuy8WwD2cAJ1zHAaJvoFMQ48HFOTkFzlUqV+NmmTIKZbLlgUFD5 VxzYOVt7cZLuv3tLlVJapKNLTOS3+fQrsG3iAsnc+N55M+zbd1b11STURT/H/KGv +FhKmfsAitYTXBptRXv9masJMzfhvUo5vdSpZ3NT2z2ceQx/czW7C08JCqYDOCpd uROm5CzIRRVHoAIqwdUBb+RcoG9ANTlok5X3SYDdmP2pZh5obXKIP8Bfy8BWusqm Nc5wf+lix/9egzht9nOH8Hlq4ioix4kAvJZ3wW4Jfln0tCPattm55iTt0DYk7o5G 8+O4pEcccyokqZiZDihv8T1sICWgnAi7B0Rar4YixthT2Rky8C05QGlGVKZZcbyb ep0P++Vom2F/4t1iFsyq =ZpXK -----END PGP SIGNATURE-----