--- 1016 Thu Feb 24 17:36:19 2000 +++ 2816 Thu Feb 24 17:36:25 2000 @@ -3,17 +3,21 @@ Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Organisation: The NetBSD Foundation, Inc. -Message-ID: <14505.23693.773699.404104@passion.geek.com.au> -Date: Wed, 16 Feb 2000 07:59:08 +1100 +Message-ID: <14510.6825.588170.461046@passion.geek.com.au> +Date: Sat, 19 Feb 2000 15:27:24 +1100 Reply-To: Daniel Carosone Sender: Bugtraq List From: Daniel Carosone -Subject: NetBSD Security Advisory 2000-001 +Subject: UPDATED: NetBSD Security Advisory 2000-001 X-To: netbsd-announce@netbsd.org X-cc: tech-security@netbsd.org, current-users@netbsd.org, bugtraq@securityfocus.com, cert@cert.org, auscert@auscert.org.au To: BUGTRAQ@SECURITYFOCUS.COM +An updated version of this security advisory has been issued; note +that the advisory is now applicable to a wider range of systems than +had previously been stated. + -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2000-001 @@ -21,7 +25,7 @@ Topic: procfs security hole Version: NetBSD 1.4.1 and prior; NetBSD-current until 20000126 -Severity: If the proc filesystem is mounted, any user can become root +Severity: If the kernel has procfs configured, any user can become root Abstract @@ -35,8 +39,9 @@ memory image of another setuid binary can be manipulated in such a way that it will execute a shell. -Note that the procfs filesystem is not used in default NetBSD -installations. +Systems which have procfs configured in the kernel, but not mounted +normally, are still vulnerable because user processes may mount +procfs. This includes most default NetBSD installations. Technical Details ================= 
@@ -64,25 +69,44 @@ ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000130-procfs +This patch will be included in the upcoming NetBSD 1.4.2 minor release. + NetBSD-current since 20000126 is not vulnerable. Users of -NetBSD-current should upgrade to a source tree later than 20000126 +NetBSD-current should upgrade to a source tree later than 20000126. -If this action cannot be taken, an immediate workaround is to disable -the use of the proc filesystem. It is not mounted by default in NetBSD, -and nothing in the NetBSD base tree depends on it. You can disable -it by removing any procfs lines from /etc/fstab. +If this action cannot be taken, a workaround is to disable the use of +the proc filesystem. It is not mounted by default in NetBSD, and +nothing in the NetBSD base tree depends on it. + +The procfs filesystem should be disabled by removing it from the +kernel config and rebuilding a new kernel. It is recommended that the +patch above be applied in this case anyway. + +An earlier version of this advisory suggested removing any procfs +lines from /etc/fstab, however this is not sufficient. User processes +are able to mount filesystems (subject to some conditions) and the +procfs filesystem is compiled into default NetBSD kernels. If a user +mounts the procfs filesystem, the system will be vulnerable as above. + +In response to this issue, as of 20000216 NetBSD-current implements a +sysctl 'vfs.generic.usermount' to allow administrators to select +whether user mounts should be allowed; by default they are now +disallowed. Thanks To ========= -Jason Thorpe and Charles Hannum for commenting on the fix. +Jason Thorpe and Charles Hannum for commenting on the fix, Chris Jones +for observing the user mount problem, and Frank van der Linden for +implementing both the fix to procfs and the usermount sysctl. Revision History ================ - 1999/01/29 - initial version - 1999/01/31 - corrected spelling of "onto" - 1999/02/13 - minor editorial changes for release. 
+ 2000/01/29 - initial version + 2000/01/31 - corrected spelling of "onto" + 2000/02/13 - minor editorial changes for release. + 2000/02/16 - Noted user mount problem, corrected these dates More Information ================ @@ -91,17 +115,17 @@ http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. -Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved. +Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved. -$NetBSD: NetBSD-SA2000-001.txt,v 1.2 2000/02/13 03:25:24 dan Exp $ +$NetBSD: NetBSD-SA2000-001.txt,v 1.3 2000/02/19 04:02:43 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv -iQCVAwUBOKlSgj5Ru2/4N2IFAQECjgP/RtIkVx/KPOvt71DVPic0SGmN2o+Pu8cs -KVKbVs0Dyt1aKJjCqYFsvm1JSD1YYa3LqRPEzA5wIKkqRRdswr1+4+h1ucEkQjyg -OIVauDaLvgTT2KeR9aNbAmLE6ZMTWwcY6CvuBt6gU1Cqf8ej/5qzSUNmKujEu1cj -RVxHgh1mtM4= -=4JqF +iQCVAwUBOK4Wqz5Ru2/4N2IFAQGPTgP+M9nt09uREXySNWGXqQFek8VRqetkQOqZ +QPBd1k8GTvWUWZPkp3PtC1EbOzebV3u7gQ6Z+D7LCnxnH3y4EFYrULmIeNVXy55u +vj5m0FIE2FN285X4jv0ZXwYdyDFqzObzlwhjXthB4+wYUvuS+g7R+7FVyVYX8Mr7 +pmuZ1rSgIRY= +=lCCD -----END PGP SIGNATURE-----
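Review bot: In the header hunk (@@ -3,17 +3,21 @@), the three added lines beginning "An updated version of this security advisory has been issued" sit above "-----BEGIN PGP SIGNED MESSAGE-----", so the statement that the advisory now applies to a wider range of systems is not covered by the signature. The same is true of the "UPDATED:" marker, which exists only in the Subject header. Consider repeating the notice inside the signed body, for example directly under the advisory title, so that readers who verify the signature also see that the scope has changed.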
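Review bot: The new Abstract text in hunk @@ -35,8 +39,9 @@ ("Systems which have procfs configured in the kernel, but not mounted normally, are still vulnerable") and the reworded Severity line in @@ -21,7 +25,7 @@ make exposure depend on the kernel configuration, but neither hunk tells an administrator how to determine whether the running kernel has procfs configured. Since the earlier text led readers to check only for a mounted procfs, a sentence describing how to confirm the kernel configuration would let them re-assess hosts they had previously considered unaffected.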
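Review bot: In hunk @@ -64,25 +69,44 @@, the rewritten workaround paragraph keeps the sentence "It is not mounted by default in NetBSD, and nothing in the NetBSD base tree depends on it", which, read directly after "a workaround is to disable the use of the proc filesystem", still suggests that a default system needs no action. That conflicts with the new Abstract statement that most default installations are affected. Suggest leading the workaround with the kernel-config removal and rebuild, and moving the "not mounted by default" remark into the paragraph that explains why the /etc/fstab advice was insufficient. Two smaller points in the same hunk: "subject to some conditions" leaves the reader unable to judge whether local users can mount procfs on a given host, so the conditions should be stated or referenced; and the 'vfs.generic.usermount' paragraph covers only NetBSD-current as of 20000216, so it should say explicitly whether release users have any equivalent control or must rely on the patch or the kernel rebuild.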