Contributed by weerd on from the evil-ipsec dept.
A bug has been found in the IPsec parts of ip_output.c that can lead to a NULL pointer dereference in getsockopt(). On kernels from before 4.4, this could lead to a local privilege escalation on certain architectures. The currently supported releases, however, protect against this by no longer allowing userland to map the NULL page (which the kernel would otherwise see on architectures where userland and kernel share an address space), reducing the attack to a local denial of service by panicking the kernel.
Patches are available for OpenBSD 4.6 (patch, errata), OpenBSD 4.5 (patch, errata) and OpenBSD 4.4 (patch, errata). The fix is, of course, already in -current; the commit message for the IPv4 case is reproduced below, and the IPv6 commit is nearly identical. This issue affects all architectures.
Date: Wed, 28 Oct 2009 12:02:01 -0600 (MDT)
From: Theo de Raadt
To: source-changes@cvs.openbsd.org
Subject: CVS: cvs.openbsd.org: src

CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2009/10/28 12:02:00

Modified files:
sys/netinet : ip_output.c

Log message:
*NULL store in IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL,
IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on
userland/kernel shared vm machines (ie. i386, amd64, arm, sparc (but not
sparc64), sh, ...) on OpenBSD 4.3 or older
ok claudio
Please update your systems at your earliest convenience.
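To make the bug class in the commit message concrete, here is an added userland C model (this is not the OpenBSD kernel code; the option names, struct layouts and function names are hypothetical) of a getsockopt() handler that stores its result through an output pointer. The first variant has the shape the commit message calls a "*NULL store": it writes through the output pointer without ensuring the buffer was ever set up. The second allocates the output buffer before storing, which is the kind of missing step such a fix adds.

```c
/* Constructed model of a getsockopt() handler for per-socket IPsec levels.
 * Not the OpenBSD kernel code: names, layouts and values are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical option names, mirroring the four levels named in the errata. */
enum {
    OPT_AUTH_LEVEL = 1,
    OPT_ESP_TRANS_LEVEL,
    OPT_ESP_NETWORK_LEVEL,
    OPT_IPCOMP_LEVEL
};

/* Per-socket IPsec policy levels (hypothetical layout). */
struct sock_ipsec {
    int auth_level;
    int esp_trans_level;
    int esp_network_level;
    int ipcomp_level;
};

/* Output descriptor handed back to the caller. In a kernel this would be
 * the mbuf the option value is copied out of; here it is a plain pointer
 * that is NULL until someone allocates it. */
struct optout {
    int *val;
};

/* Look up the requested level; unknown options get ENOPROTOOPT. */
static int level_for(const struct sock_ipsec *sp, int optname, int *out)
{
    switch (optname) {
    case OPT_AUTH_LEVEL:        *out = sp->auth_level;        return 0;
    case OPT_ESP_TRANS_LEVEL:   *out = sp->esp_trans_level;   return 0;
    case OPT_ESP_NETWORK_LEVEL: *out = sp->esp_network_level; return 0;
    case OPT_IPCOMP_LEVEL:      *out = sp->ipcomp_level;      return 0;
    default:                    return ENOPROTOOPT;
    }
}

/* Unchecked shape: assumes o->val is valid and stores through it.
 * If the caller never allocated the output buffer this is a store through
 * NULL: a kernel panic, or worse where userland can map page 0.
 * Shown only to make the missing step visible; never call it with o->val == NULL. */
int getopt_unchecked(const struct sock_ipsec *sp, int optname, struct optout *o)
{
    int v;
    int err = level_for(sp, optname, &v);
    if (err)
        return err;
    *o->val = v;            /* no check that o->val was ever set up */
    return 0;
}

/* Hardened shape: make sure the output buffer exists before storing,
 * and report allocation failure instead of dereferencing NULL. */
int getopt_checked(const struct sock_ipsec *sp, int optname, struct optout *o)
{
    int v;
    int err = level_for(sp, optname, &v);
    if (err)
        return err;
    if (o->val == NULL) {
        o->val = malloc(sizeof *o->val);
        if (o->val == NULL)
            return ENOBUFS;
    }
    *o->val = v;
    return 0;
}

int main(void)
{
    /* Constructed sample socket state: levels chosen arbitrarily. */
    struct sock_ipsec sp = { 2, 3, 1, 1 };
    struct optout o = { NULL };   /* caller did not allocate the output buffer */
    int err = getopt_checked(&sp, OPT_ESP_TRANS_LEVEL, &o);
    printf("err=%d value=%d\n", err, err ? -1 : *o.val);
    free(o.val);
    return 0;
}
```

Only the checked variant is safe to exercise with an unallocated output descriptor; the unchecked one is correct only when the caller has already set up the buffer, which is exactly the assumption that a missing allocation in one switch arm silently breaks.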
By Anonymous Coward (anon) on
For the avoidance of doubt, the patches are also in -stable for 4.4, 4.5 and 4.6.
For 4.4 and later it's a reliability fix (local users can crash the system, but not escalate privileges). For OS versions before 4.4 it's a security fix (local user privilege escalation).
By Joachim Schipper (Joachim) j.schipper@math.uu.nl on http://wwww.joachimschipper.nl
That is rather less interesting than "any user", and while root->kernel privilege escalation is somewhat serious, root panic'ing the kernel isn't terribly interesting (I managed it consistently by creating a too-large ffs partition on a softraid volume, for instance.)
It should still be fixed, of course, but there is no reason for panic. ;-)
By Clement LECIGNE (clem1) on http://www.clem1.be
No, this security bug can be triggered by a local non-root user just by issuing an evil getsockopt(), this will cause a kernel panic on OpenBSD versions >= 4.4. On OpenBSD < 4.3, I was able to gain root exploiting this vulnerability since we could mmap() a NULL address in these versions.
By Joachim Schipper (Joachim) on http://www.joachimschipper.nl/About me
>
> No, this security bug can be triggered by a local non-root user (...)
Thanks for the correction!