kfreebsd-9: SCTP kernel memory disclosures (CVE-2014-3953)

Related Vulnerabilities: CVE-2014-3953   CVE-2013-5209  

Debian Bug report logs - #754237

Package: src:kfreebsd-9; Maintainer for src:kfreebsd-9 is (unknown);

Reported by: Steven Chamberlain <steven@pyro.eu.org>

Date: Tue, 8 Jul 2014 22:51:01 UTC

Severity: grave

Tags: security, upstream, wheezy

Found in versions kfreebsd-9/9.2-2, kfreebsd-9/9.0-10+deb70.7

Fixed in version 9.2-2+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, steven@pyro.eu.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#754237; Package src:kfreebsd-9. (Tue, 08 Jul 2014 22:51:06 GMT)


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
New Bug report received and forwarded. Copy sent to steven@pyro.eu.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Tue, 08 Jul 2014 22:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kfreebsd-9: SCTP kernel memory disclosures (CVE-2014-3953)
Date: Tue, 08 Jul 2014 23:48:48 +0100
Package: src:kfreebsd-9
Version: 9.0-10+deb70.7
Severity: grave
Tags: security upstream
Control: found -1 kfreebsd-9/9.2-2

Hi,

FreeBSD-SA-14:17.kmem describes kernel memory disclosures in
SCTP control messages:

http://security.freebsd.org/advisories/FreeBSD-SA-14:17.kmem.asc
> [...] the process may be able to retrieve 2 bytes of kernel memory
> for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76
> bytes for SCTP_EXTRCV.  If the local process is permitted to receive
> SCTP notification, a maximum of 112 bytes of kernel memory may be
> returned to userland.

I think this affects all our kernels including 8.3 and 9.0 in wheezy.

I'm not sure if SCTP must be configured by a superuser first, but for
now I'll assume any nonprivileged user might be able to exploit this.

-- System Information:
Debian Release: 7.1
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 9.0-2-amd64-xenhvm-ipsec
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
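
The advisory linked in the report above attributes these leaks to padding in the SCTP control message and notification structures that is not fully initialized before being copied to userland. As an added illustration (not part of the original report and not FreeBSD code), this C program uses a hypothetical `struct demo_info` and a constructed `0xAA` marker for stale data to show how setting fields one by one lets old bytes through, and how zeroing the buffer first prevents it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record with implicit padding; NOT a FreeBSD SCTP structure. */
struct demo_info {
    uint16_t stream;   /* followed by padding up to the alignment of ppid */
    uint32_t ppid;
    uint8_t  flags;    /* followed by tail padding */
};
#define STALE 0xAA     /* constructed marker standing in for old kernel data */
#define FIELD_BYTES (sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t))

/* Write only the named fields at their offsets, as field-by-field code does. */
static void fill_fields(unsigned char *buf, uint16_t s, uint32_t p, uint8_t f)
{
    memcpy(buf + offsetof(struct demo_info, stream), &s, sizeof s);
    memcpy(buf + offsetof(struct demo_info, ppid), &p, sizeof p);
    memcpy(buf + offsetof(struct demo_info, flags), &f, sizeof f);
}

/* "Before": reused buffer, fields set, padding left as it was. */
static void build_unzeroed(unsigned char *buf) { fill_fields(buf, 1, 0, 0); }

/* "After": clear the whole object first, then set the fields. */
static void build_zeroed(unsigned char *buf)
{
    memset(buf, 0, sizeof(struct demo_info));
    fill_fields(buf, 1, 0, 0);
}

/* Simulate the copy-out and count bytes that still hold the stale marker. */
static size_t stale_bytes_copied_out(void (*build)(unsigned char *))
{
    unsigned char kbuf[sizeof(struct demo_info)], ubuf[sizeof(struct demo_info)];
    size_t i, n = 0;
    memset(kbuf, STALE, sizeof kbuf);   /* buffer previously held other data */
    build(kbuf);
    memcpy(ubuf, kbuf, sizeof ubuf);    /* stands in for the copy to userland */
    for (i = 0; i < sizeof ubuf; i++) n += (ubuf[i] == STALE);
    return n;
}

int main(void)
{
    printf("stale bytes: unzeroed=%zu zeroed=%zu\n",
           stale_bytes_copied_out(build_unzeroed), stale_bytes_copied_out(build_zeroed));
    return 0;
}
```

The number of stale bytes in the unzeroed case equals the structure's padding, which depends on the ABI.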



Marked as found in versions kfreebsd-9/9.2-2. Request was from Steven Chamberlain <steven@pyro.eu.org> to submit@bugs.debian.org. (Tue, 08 Jul 2014 22:51:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#754237; Package src:kfreebsd-9. (Wed, 09 Jul 2014 00:30:05 GMT)


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Wed, 09 Jul 2014 00:30:05 GMT)


Message #12 received at 754237@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
Cc: 754237@bugs.debian.org
Subject: RFC: disable SCTP in Debian's kFreeBSD?
Date: Wed, 09 Jul 2014 01:26:22 +0100

Hi,

SCTP, an IP transport protocol, is enabled by default in upstream
FreeBSD's GENERIC config:

> # SCTP is a NEW transport protocol defined by
> # RFC2960 updated by RFC3309 and RFC3758 [...]
> options         SCTP

(Although RFC2960 was published in 2000, so it is not so new any more.)
To date I've never configured SCTP on any servers before, or knowingly
used it on any other systems.  "The SCTP web site", sctp.org, had no
news entries after 2004 and seems to have gone offline.

Linux has SCTP support.  Debian has some command-line tools for that and
a library, each with around 5000 popcon users:
https://qa.debian.org/popcon.php?package=lksctp-tools

FreeBSD's SCTP support seems to be a reference implementation by Cisco.
Another implementation by the KAME Project had an OpenBSD port, but
seems that never quite made it into the tree.

Support for SCTP seems notably missing from Microsoft Windows:
https://stackoverflow.com/questions/2153700

There exists some backward-compatibility mechanism to run SCTP over UDP
sockets if that's needed.


In wheezy, we've patched a kernel memory disclosure vulnerability that
was remotely exploitable if SCTP sockets were used. (CVE-2013-5209)

STABLE-9 quietly fixed jailed processes being able to see or use SCTP
source addresses that should not have been available to them:
http://svnweb.freebsd.org/base?view=revision&revision=267674

We now have a local kernel memory disclosure bug (CVE-2014-3953) - I'm
unsure if SCTP must be in use to exploit it - but the patch will not
apply cleanly to 9.0 and 8.3 that we have in wheezy, so would need
backporting by us.


I wonder if it is worth it?  Is SCTP really used by us, even close to
working or desirable to anyone?

A search for Debian packages with "sctp" in the name shows binary
packages that have only built on linux-any arches:
https://packages.debian.org/search?keywords=sctp

I've used Debian Code Search to look for potential users:
http://codesearch.debian.net/search?q=include.*sctp\.h
and found these:
* openssl - is disabled by OPENSSL_NO_SCTP, which is default
* iceweasel/icedove - kfreebsd buildd logs don't mention it, linux does
* libav - I don't see any mention in the buildd log
* chromium-browser - wasn't in wheezy
* openjdk-7 - wasn't in wheezy

* about a dozen other packages I thought were less interesting than the
above, didn't bother to check if SCTP was really implemented/supported

* SCTP was mentioned in lots of network diagnostic tools e.g. wireshark,
nmap, ns2 - but what is the point of that if not using the protocol for
anything?


So I'm obviously asking here - could we just drop SCTP from the default
kernel config?  In jessie/sid?  Even in wheezy-security?

Thanks for reading!
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#754237; Package src:kfreebsd-9. (Wed, 06 Aug 2014 21:21:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Wed, 06 Aug 2014 21:21:04 GMT)


Message #17 received at 754237@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>, 754237@bugs.debian.org
Subject: Re: RFC: disable SCTP in Debian's kFreeBSD?
Date: Wed, 6 Aug 2014 23:18:11 +0200

On Wed, Jul 09, 2014 at 01:26:22AM +0100, Steven Chamberlain wrote:
> Hi,
> So I'm obviously asking here - could we just drop SCTP from the default
> kernel config?  In jessie/sid?  Even in wheezy-security?

We can certainly do this for wheezy-security if the kfreebsd maintainers
think it's the best course of action.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#754237; Package src:kfreebsd-9. (Mon, 25 Aug 2014 00:30:05 GMT)


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Mon, 25 Aug 2014 00:30:05 GMT)


Message #22 received at 754237@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>, 754237@bugs.debian.org
Subject: Re: RFC: disable SCTP in Debian's kFreeBSD?
Date: Mon, 25 Aug 2014 01:27:43 +0100

On 06/08/14 22:18, Moritz Mühlenhoff wrote:
> On Wed, Jul 09, 2014 at 01:26:22AM +0100, Steven Chamberlain wrote:
>> So I'm obviously asking here - could we just drop SCTP from the default
>> kernel config?  In jessie/sid?  Even in wheezy-security?
> 
> We can certainly do this for wheezy-security if the kfreebsd maintainers
> think it's the best course of action.

Okay then, thanks.  I propose we drop SCTP support from wheezy kernels,
via wheezy-security, to address CVE-2014-3953 and other concerns.

In kfreebsd-10 however, there's been a lot of work on SCTP recently,
suggesting there's some renewed interest in the protocol.  I'm inclined
to keep it in the 10.1 kernel config for now.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#754237; Package src:kfreebsd-9. (Mon, 25 Aug 2014 05:57:13 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Mon, 25 Aug 2014 05:57:13 GMT)


Message #27 received at 754237@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>, 754237@bugs.debian.org
Subject: Re: RFC: disable SCTP in Debian's kFreeBSD?
Date: Mon, 25 Aug 2014 07:37:12 +0200

On Mon, Aug 25, 2014 at 01:27:43AM +0100, Steven Chamberlain wrote:
> On 06/08/14 22:18, Moritz Mühlenhoff wrote:
> > On Wed, Jul 09, 2014 at 01:26:22AM +0100, Steven Chamberlain wrote:
> >> So I'm obviously asking here - could we just drop SCTP from the default
> >> kernel config?  In jessie/sid?  Even in wheezy-security?
> > 
> > We can certainly do this for wheezy-security if the kfreebsd maintainers
> > think it's the best course of action.
> 
> Okay then, thanks.  I propose we drop SCTP support from wheezy kernels,
> via wheezy-security, to address CVE-2014-3953 and other concerns.

Ok, please note that kfreebsd-9 also needs
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:17.kmem.asc
 
> In kfreebsd-10 however, there's been a lot of work on SCTP recently,
> suggesting there's some renewed interest in the protocol.  I'm inclined
> to keep it in the 10.1 kernel config for now.

Ok.

Cheers,
        Moritz



Added tag(s) pending. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Sun, 05 Oct 2014 20:33:32 GMT)


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Tue, 21 Oct 2014 11:37:56 GMT)


Notification sent to Steven Chamberlain <steven@pyro.eu.org>:
Bug acknowledged by developer. (Tue, 21 Oct 2014 11:37:57 GMT)


Message #34 received at 754237-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 531167-done@bugs.debian.org,623217-done@bugs.debian.org,630783-done@bugs.debian.org,651624-done@bugs.debian.org,652448-done@bugs.debian.org,652469-done@bugs.debian.org,658639-done@bugs.debian.org,666729-done@bugs.debian.org,675768-done@bugs.debian.org,677707-done@bugs.debian.org,684072-done@bugs.debian.org,691674-done@bugs.debian.org,691798-done@bugs.debian.org,692080-done@bugs.debian.org,700742-done@bugs.debian.org,702943-done@bugs.debian.org,705126-done@bugs.debian.org,706490-done@bugs.debian.org,708451-done@bugs.debian.org,710959-done@bugs.debian.org,730004-done@bugs.debian.org,731182-done@bugs.debian.org,747983-done@bugs.debian.org,748078-done@bugs.debian.org,750364-done@bugs.debian.org,750493-done@bugs.debian.org,754236-done@bugs.debian.org,754237-done@bugs.debian.org,
Cc: kfreebsd-9@packages.debian.org, kfreebsd-9@packages.qa.debian.org
Subject: Bug#765606: Removed package(s) from unstable
Date: Tue, 21 Oct 2014 11:33:49 +0000
Version: 9.2-2+rm

Dear submitter,

as the package kfreebsd-9 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/765606

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Added tag(s) wheezy. Request was from Scott Kitterman <scott@kitterman.com> to control@bugs.debian.org. (Sat, 01 Nov 2014 04:27:12 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:37:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:34:00 2019; Machine Name: buxtehude
