Date: Fri, 7 Oct 2011 02:52:54 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: Reuben Hawkins <reubenhwk@...il.com> Subject: radvd 1.8.2 released with security fixes Hi, I was hoping that Vasiliy would post this, but he appears to be unavailable at the moment. Since the release is already out (and postponing it seemed inappropriate), I decided to announce this on oss-security sooner rather than later. http://www.litech.org/radvd/ http://lists.litech.org/pipermail/radvd-announce-l/2011-October/000022.html radvd-1.8.2/INTRO.html describes radvd as follows: --- IPv6 has a lot more support for autoconfiguration than IPv4. But for this autoconfiguration to work on the hosts of a network, the routers of the local network have to run a program which answers the autoconfiguration requests of the hosts. On Linux this program is called radvd, which stands for Router ADVertisement Daemon. This daemon listens to Router Solicitations (RS) and answers with Router Advertisement (RA). [...] --- Vasiliy Kulikov discovered a number of security vulnerabilities and some other issues in radvd 1.8.1, and provided patches for some of them. Reuben Hawkins, the current upstream maintainer for radvd, promptly merged the patches, made additional fixes, and made the 1.8.2 release. radvd-1.8.2/CHANGES describes 5 fixes that were determined to be of security relevance: --- 1) A privilege escalation flaw was found in radvd, due to a buffer overflow in the process_ra() function. ND_OPT_DNSSL_INFORMATION option parsing "label_len" was not checked for negative values, leading to a "suffix" buffer overflow which can lead to privilege escalation, at least if radvd is compiled without GCC's stack protection. If radvd is invoked without privilege separation (the -u option), this can lead to an escalation to root privileges. Note: Red Hat Enterprise Linux starts radvd by default with the unprivileged user. (CVE-2011-3601) 2) An arbitrary file overwrite flaw was found in radvd's set_interface_var() function, where it did not check the interface name (generated by the unprivileged user) and blindly overwrites a filename with a decimal value by the root process. If a local attacker could create symlinks pointing to arbitrary files on the system, they could overwrite the target file contents. If only radvd is compromised (e.g. no local access), the attacker may only overwrite files with specific names only (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602) 3) The radvd daemon would not fail on privsep_init() errors, which could cause it to run with full root privileges when it should be running as an unprivileged user. (CVE-2011-3603) 4) A number of buffer overread flaws were found in radvd's process_ra() function due to numerous missed len() checks. This can lead to memory reads outside of the stack, resulting in a crash of radvd. (CVE-2011-3604) 5) A temporary denial of service flaw was found in radvd's process_rs() function, where it would call mdelay() on the same thread in which it handled all input. If ->UnicastOnly were set, an attacker could cause a flood with ND_ROUTER_SOLICIT and fill the input queue of the daemon. This would cause a brief outage of approximately MAX_RA_DELAY_TIME / 2 * sizeof_input_queue when handling new clients, where MAX_RA_DELAY_TIME is 500ms, leading to delays of more than a minute. Note: this is only the case in unicast-only mode; there is no denial of service in the (normal, default) anycast mode. (CVE-2011-3605) --- Some additional issues fixed in radvd 1.8.2 were determined to have no obvious security relevance. For those wanting a patch for review or backports, it is sufficient to diff 1.8.2 against 1.8.1 - there are no unrelated changes. SHA-1: c7e8ac6222099c62519b9893f833440037352971 radvd-1.8.1.tar.gz 9a396ab58216c87308bc86a18864f84aeeba38a9 radvd-1.8.2.tar.gz We'd like to thank Reuben Hawkins for prompt handling of these issues. We're also grateful to linux-distros list members who have contributed to the brief pre-disclosure discussion (5 days). The linux-distros list is meant for medium severity issues. Although some of the radvd issues were high impact, Vasiliy and I felt that risk probability during the embargo period was low enough that the overall severity was medium. Besides Linux distros, FreeBSD and NetBSD were notified. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.