Piotr Meyer | 5 Apr 2010 22:14

NetBSD 5.x security

I did some research and found the following issues on NetBSD 5.x / i386
in the features described in security(8):

1. ASLR

   a) Bug described in: 
      http://mail-index.netbsd.org/netbsd-bugs/2009/08/12/msg012786.html
      still exists and makes ASLR unusable (random crashes, frequently
      in applications linked with '-ltph').

   b) A system built with MKPIE doesn't work at all; init still panics,
      as described in:
      http://mail-index.netbsd.org/port-i386/2009/05/01/msg001339.html

   - I tested both cases. Yes, this doesn't work.

2. SSP (Stack Smashing Protection) is disabled by default:
   http://mail-index.netbsd.org/current-users/2009/11/12/msg011206.html

   (Interesting: looks like FreeBSD 8 has stack protection enabled by 
    default: http://www.freebsd.org/releases/8.0R/relnotes.html)

3. The CVE-2009-2793 problem, described in:
   http://seclists.org/fulldisclosure/2009/Sep/221 was fixed in Jan 2010
   but still isn't backported to the stable branch, so any local user can
   cause a panic on a "stable" NetBSD 5.x installation (I tested it). Is any
   backport planned?

Did I miss something? I'm curious to know what the current TODO for 
security in NetBSD looks like: will these issues be fixed, or - maybe - some features 
(Continue reading)

Christos Zoulas | 5 Apr 2010 23:58

Re: NetBSD 5.x security

In article <20100405201404.GB19056 <at> drozd.smutek.pl>,
Piotr Meyer  <aniou <at> smutek.pl> wrote:
>I made some research and I found following issues on NetBSD 5.x / i386
>in features described in security(8):
>
>1. ASLR
>
>   a) Bug described in: 
>      http://mail-index.netbsd.org/netbsd-bugs/2009/08/12/msg012786.html
>      still exists and made ASLR unusable (random crashes, frequently
>      in applications linked with '-ltph').

This has to do with stack size; you can reduce the number of random
bits via sysctl if you want to use large stack sizes, or disable ASLR
on the binary. The bug report is still open, and we'll fix it properly,
but this is a work-around.

>
>   b) A system built with MKPIE doesn't work at all; init still panics,
>      as described in:
>      http://mail-index.netbsd.org/port-i386/2009/05/01/msg001339.html
>
>   - I tested both cases. Yes, this doesn't work.

I think it is missing /lib/libgcc_s.so too. This has been fixed in current.
I think you can either compile init without PIE or copy the library there.

>2. SSP (Stack Smashing Protection) is disabled by default:
>   http://mail-index.netbsd.org/current-users/2009/11/12/msg011206.html
>
(Continue reading)

Alistair Crooks | 6 Apr 2010 15:55

SoC project suggestion

Hi folks,

Some people have asked me for more information about the Summer of
Code project to implement file system flags to scrub the data blocks
on files which have a flag associated with them.  The details are to
be found here:

	http://www.netbsd.org/contrib/soc-projects.html#fs_scrub_flags

To give a bit more information - this is not intended to be an
all-encompassing disk wipe/shred utility, or an implementation of
a utility to overwrite spared sectors.

Instead, I'm thinking of the number of times we delete a file, only to
have a nagging suspicion that ''rm -P'' should have been used.  By the
time the thought has formed, it is too late, and the data blocks
themselves are on the freelist.  The only way to overwrite the data
blocks would be to fill up all partitions on that disk to 100%, which
is not always a feasible course of action.

This project is meant to associate a system and user flag with a file
in userland, similar to the immutable flags we already have, and, on
the last unlink of the file, the data blocks would be overwritten. 
It would be useful to have for shadow password files and dbs (and
temporary entries), pgp and ssh keys, and other sensitive data that a
user may have - which is where the user flag comes in.  There are
various ways of doing this scrubbing, and part of this project is to
investigate this.

If you are interested in this project, which is useful without being
(Continue reading)
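The userland side of what the proposal above wants to automate is what 'rm -P'
already does by hand: overwrite the regular file's blocks before the last
unlink frees them. The following is an added example, not code from the
project suggestion or from NetBSD's rm(1); it reproduces the three passes
rm(1) documents for -P (0xff, then 0x00, then 0xff, each followed by fsync)
and refuses anything that is not a regular file. The function names
(scrub_fd, scrub_and_unlink, demo_roundtrip), the /tmp scratch path and the
"secret" written into the temporary file are assumptions made for the example.
As the post says, this reaches only the blocks the file currently owns: spared
sectors, copies left behind by copy-on-write or a log-structured cleaner, and
blocks already on the freelist are out of reach of this approach.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The three patterns rm(1) -P writes, in this order. */
static const unsigned char scrub_passes[] = { 0xff, 0x00, 0xff };

/* Write 'len' bytes of 'pattern' from offset 0 and force them to disk. */
static int overwrite_pass(int fd, off_t len, unsigned char pattern)
{
    unsigned char buf[8192];
    memset(buf, pattern, sizeof buf);
    if (lseek(fd, 0, SEEK_SET) == -1)
        return -1;
    while (len > 0) {
        size_t chunk = len < (off_t)sizeof buf ? (size_t)len : sizeof buf;
        ssize_t n = write(fd, buf, chunk);
        if (n <= 0)
            return -1;
        len -= n;
    }
    return fsync(fd);
}

/* Overwrite a regular file's current contents in place, one pass per
 * pattern.  Returns 0 on success, -1 (errno set) on failure or when fd
 * is not a regular file: directories, devices and sockets are refused. */
int scrub_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return -1;
    if (!S_ISREG(st.st_mode)) {
        errno = EINVAL;
        return -1;
    }
    for (size_t i = 0; i < sizeof scrub_passes; i++)
        if (overwrite_pass(fd, st.st_size, scrub_passes[i]) == -1)
            return -1;
    return 0;
}

/* Userland equivalent of 'rm -P path': scrub, then unlink.  O_NOFOLLOW
 * keeps a symlink planted at 'path' from redirecting the overwrite.  If
 * the inode has other hard links the unlink frees no blocks, but their
 * contents have still been destroyed for every link. */
int scrub_and_unlink(const char *path)
{
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    if (scrub_fd(fd) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return unlink(path);
}

/* Self-check: create a temp file holding a constructed secret, scrub it,
 * confirm every byte now reads back as the final 0xff pass, then remove
 * it through scrub_and_unlink.  Returns 1 when all of that holds. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/scrubdemo.XXXXXX";          /* assumed scratch dir */
    int fd = mkstemp(path);
    if (fd == -1)
        return 0;
    static const char secret[] = "constructed-secret: not real key material";
    int ok = 0;
    if (write(fd, secret, sizeof secret) == (ssize_t)sizeof secret &&
        scrub_fd(fd) == 0) {
        unsigned char back[sizeof secret];
        ok = lseek(fd, 0, SEEK_SET) == 0 &&
             read(fd, back, sizeof back) == (ssize_t)sizeof back;
        for (size_t i = 0; ok && i < sizeof back; i++)
            ok = back[i] == 0xff;
    }
    close(fd);
    if (scrub_and_unlink(path) != 0)
        ok = 0;
    if (access(path, F_OK) == 0)     /* the file must be gone */
        ok = 0;
    return ok;
}

int main(void)
{
    printf("scrub round-trip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The fsync after each pass is what makes the passes distinct on disk rather than
three writes collapsed in the buffer cache; without it the file system is free
to write only the last pattern.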

Thor Lancelot Simon | 6 Apr 2010 23:16

alternate secmodel example?

Has anyone got an example of a secmodel other than the default 44bsd
model that I could look at?

-- 
Thor Lancelot Simon	                               tls <at> rek.tjls.com
  "All of my opinions are consistent, but I cannot present them all
   at once."	-Jean-Jacques Rousseau, On The Social Contract

Jed Davis | 8 Apr 2010 19:08

Re: SoC project suggestion

Alistair Crooks <agc <at> pkgsrc.org> writes:

> This project is meant to associate a system and user flag with a file
> in userland, similar to the immutable flags we already have, and, on
> the last unlink of the file, the data blocks would be overwritten. 
> It would be useful to have for shadow password files and dbs (and
> temporary entries), pgp and ssh keys, and other sensitive data that a
> user may have - which is where the user flag comes in.  There are
> various ways of doing this scrubbing, and part of this project is to
> investigate this.

One interesting thing is that this would -- in theory -- allow scrubbing
files on LFS, both on deletion and when blocks are relocated due to
either copy-on-write or the segment cleaner.  Because the cleaner, as I
understand it, already has to walk through the inode to determine if a
block is garbage, it can find out "for free" whether it should overwrite
the block before marking the segment clean.

LFS has bigger problems, of course, and this is likely out of scope for
a SoC project anyway, but it might be worth noting.

-- 
(let ((C call-with-current-continuation)) (apply (lambda (x y) (x y)) (map
((lambda (r) ((C C) (lambda (s) (r (lambda l (apply (s s) l))))))  (lambda
(f) (lambda (l) (if (null? l) C (lambda (k) (display (car l)) ((f (cdr l))
(C k)))))))    '((#\J #\d #\D #\v #\s) (#\e #\space #\a #\i #\newline)))))

Piotr Meyer | 19 Apr 2010 13:30

Re: NetBSD 5.x security

On Mon, Apr 05, 2010 at 09:58:38PM +0000, Christos Zoulas wrote:

> >   b) A system built with MKPIE doesn't work at all; init still panics,

[...]

> I think it is missing /lib/libgcc_s.so too. This has been fixed in current.
> I think you can either compile init without PIE or copy the library there.

I tried -current and, after some trouble ([1] and [2] - could developers look
at this, please?), I got a working system, even with Full RELRO [3]. :)

1 - http://mail-index.netbsd.org/current-users/2010/04/17/msg013128.html
2 - http://mail-index.netbsd.org/current-users/2010/04/18/msg013147.html
    http://mail-index.netbsd.org/current-users/2010/04/19/msg013156.html
3 - http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

-- 
Piotr 'aniou' Meyer

Christos Zoulas | 19 Apr 2010 15:03

Re: NetBSD 5.x security

On Apr 19,  1:30pm, aniou <at> smutek.pl (Piotr Meyer) wrote:
-- Subject: Re: NetBSD 5.x security

| On Mon, Apr 05, 2010 at 09:58:38PM +0000, Christos Zoulas wrote:
| 
| > >   b) A system built with MKPIE doesn't work at all; init still panics,
| 
| [...]
| 
| > I think it is missing /lib/libgcc_s.so too. This has been fixed in current.
| > I think you can either compile init without PIE or copy the library there.
| 
| I tried -current and, after some trouble ([1] and [2] - could developers look
| at this, please?), I got a working system, even with Full RELRO [3]. :)
| 
| 
| 1 - http://mail-index.netbsd.org/current-users/2010/04/17/msg013128.html
| 2 - http://mail-index.netbsd.org/current-users/2010/04/18/msg013147.html
|     http://mail-index.netbsd.org/current-users/2010/04/19/msg013156.html
| 3 - http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

I could not reproduce the problem [1],[2] on my systems. Is this for the
/rescue part of the build?

christos

NetBSD Security Officer | 27 Apr 2010 00:14

NetBSD Security Advisory 2010-004: amd64 per-page No-execute (NX) bit disabled


		 NetBSD Security Advisory 2010-004
		 =================================

Topic:		amd64 per-page No-execute (NX) bit disabled

Version:	NetBSD-current:		affected prior to April 19, 2010
		NetBSD 5.0.*:		affected
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		not affected

Severity:	Possible execution of arbitrary code without memory protection

Fixed:		NetBSD-current:		April 19, 2010
		NetBSD-5-0 branch:	April 22, 2010
		NetBSD-5 branch:	April 22, 2010

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An issue in the x86 CPU features detection code disables the use of the
per-page NX bit under amd64, making it impossible to mark certain pages
of memory as not being executable.

Technical Details
=================
(Continue reading)
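Two checks a practitioner would want after reading an advisory like this one,
written here as an added example; this is not the NetBSD cpu-features code, nor
the bug the advisory describes. The first is the CPUID decode that any
detection routine has to get right: leaf 0x80000001 is only meaningful if leaf
0x80000000 reports that it exists, and EDX bit 20 of it is the NX/XD flag.
The second is an end-to-end probe that does not trust the kernel's
bookkeeping at all: map a page read/write only, put a 'ret' in it and try to
call it. On a kernel that honours the per-page NX bit the call faults with
SIGSEGV; if 'ret' executes and returns, data pages are executable and a
missing CPUID bit, EFER.NXE left clear, or a bug like the one above is the
reason. A control run with the page remapped executable confirms the probe
itself works. Function names (nx_advertised, nx_enforced_at_runtime,
exec_page_runs) are this example's own; the x86 and arm64 'ret' encodings are
the only architectures it knows.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID_EXT_MAX  0x80000000u   /* EAX = highest extended leaf */
#define CPUID_EXT_FEAT 0x80000001u   /* EDX bit 20 = NX (AMD) / XD (Intel) */
#define CPUID_EDX_NX   (1u << 20)

/* Pure decode of the two values a detection routine looks at.  The
 * max-leaf check matters: when leaf 0x80000001 does not exist the
 * registers hold undefined data, and trusting them can silently turn
 * a feature off (or on). */
int nx_advertised(uint32_t max_ext_leaf, uint32_t feat_edx)
{
    if (max_ext_leaf < CPUID_EXT_FEAT)
        return 0;
    return (feat_edx & CPUID_EDX_NX) != 0;
}

/* Ask the CPU directly.  Returns 1/0, or -1 on non-x86 builds. */
int nx_advertised_by_cpu(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(CPUID_EXT_MAX, &a, &b, &c, &d))
        return 0;
    unsigned int max_ext = a;
    if (!__get_cpuid(CPUID_EXT_FEAT, &a, &b, &c, &d))
        return 0;
    return nx_advertised(max_ext, d);
#else
    return -1;
#endif
}

#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xc3 };                   /* ret */
#define HAVE_RET_INSN 1
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
#define HAVE_RET_INSN 1
#else
#define HAVE_RET_INSN 0
#endif

static sigjmp_buf fault_env;
static void on_fault(int sig) { siglongjmp(fault_env, sig); }

/* Map one page, copy 'ret' into it, optionally make it executable, and
 * call it with SIGSEGV/SIGBUS handlers armed.  Returns 1 if the call
 * faulted, 0 if 'ret' executed and returned, -1 if it cannot probe. */
static int try_execute_page(int make_executable)
{
#if HAVE_RET_INSN
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANON, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    if (make_executable) {
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) == -1) {
            munmap(page, pagesz);
            return -1;          /* e.g. a W^X policy refusing the remap */
        }
        __builtin___clear_cache((char *)page, (char *)page + sizeof ret_insn);
    }
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) {   /* 1: restore the signal mask */
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);    /* data pointer -> code pointer */
        fn();
        faulted = 0;                      /* only reached if it executed */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return faulted;
#else
    (void)make_executable;
    return -1;
#endif
}

/* 1 = a read/write page refuses to execute (NX in effect), 0 = it ran. */
int nx_enforced_at_runtime(void) { return try_execute_page(0); }

/* Control: 1 = an executable page runs as expected, 0 = it faulted. */
int exec_page_runs(void)
{
    int r = try_execute_page(1);
    return r < 0 ? -1 : !r;
}

int main(void)
{
    printf("CPUID advertises NX:        %d\n", nx_advertised_by_cpu());
    printf("RW page refuses to execute: %d\n", nx_enforced_at_runtime());
    printf("RX page runs (control):     %d\n", exec_page_runs());
    return 0;
}
```

The CPUID answer and the runtime answer are independent: a CPU can advertise
NX while the kernel never enables it for page tables, which is the situation
the advisory describes, so the runtime probe is the one to trust on a patched
or unpatched 5.0 system.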

NetBSD Security Officer | 27 Apr 2010 00:15

NetBSD Security Advisory 2010-005: NTP server Denial of Service vulnerability


		 NetBSD Security Advisory 2010-005
		 =================================

Topic:		NTP server Denial of Service vulnerability

Version:	NetBSD-current:		affected prior to 2009-12-08
		NetBSD 5.0.2:		not affected
		NetBSD 5.0.1:		affected
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		affected
		NetBSD 4.0:		affected
		pkgsrc:			ntp package prior to 4.2.4p8

Severity:	Remote Denial of Service

Fixed:		NetBSD-current:		Dec 8, 2009
		NetBSD-5-0 branch:	Dec 8, 2009
		NetBSD-5 branch:	Dec 8, 2009
		NetBSD-4-0 branch:	Dec 8, 2009
		NetBSD-4 branch:	Dec 8, 2009
		pkgsrc 2009Q4:		ntp-4.2.4p8 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A programming error in the handling of NTP MODE_PRIVATE packets
(Continue reading)

