OpenBSD Journal

Meet Radiant Award Recipient Claudio Jeker

Contributed by rueda on from the radiant pufferfish dept.

The Internet Security Research Group and partners have announced that Claudio Jeker (claudio@) is the third Radiant Award recipient. From the announcement:

We’re excited to announce the third Radiant Award recipient, Claudio Jeker.

When we at ISRG think about the greatest threats to Web security today, the lack of Border Gateway Protocol (BGP) security might top our list. Claudio's passion for networking, his focus on security, and his talent as a software developer are enabling him to make great contributions to fixing this and other Web security problems. In particular, he is making great contributions to OpenBSD and OpenBGPD.

Congratulations Claudio!

attention please: host's IP stack behavior got changed slightly

Contributed by rueda on from the predrop-in-on-any-to-wrongif dept.

Alexandr Nedvedicky (sashan@) wrote to tech@ regarding a recent significant change:

Hello,

a commit from today [1] makes the IP stack more paranoid. Up to now OpenBSD
implemented the so-called 'weak host model' [2]. Today's commit alters
that for hosts which don't forward packets (don't act as routers).

Your laptops, desktops and servers now check the packet destination address
against the IP address bound to the interface on which the packet is received.
If there is a mismatch the packet is discarded and the 'wrongif'
counter is bumped. You can use 'netstat -s|grep wrongif' to
display the counter value.

It is understood that behavior which has been settled in the IP stack since the '80s
got changed. tech@openbsd.org (or bugs@openbsd.org) wants to hear back from you
if this change breaks your existing set up. There is a common belief that this
change won't hurt the majority (> 97%) of users, though there is some non-zero risk,
hence this announcement is being sent.

thanks and
regards
sashan

[1] https://marc.info/?l=openbsd-cvs&m=157580332113635&w=2

[2] https://en.wikipedia.org/wiki/Host_model
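A constructed model of the check described in the mail above, added here as an example; it is not OpenBSD's ip_input() code. The interface names em0/em1, the documentation-range addresses, the forwarding flag (standing in for net.inet.ip.forwarding) and the return-value convention are assumptions.

```c
#include <stdint.h>

/* Constructed model of the behaviour described in sashan's mail; this is not
 * OpenBSD's ip_input() code. Interface names and addresses are made up. */
struct iface { const char *name; uint32_t addr; };

struct host {
    struct iface ifs[4];
    int nifs;
    int forwarding;          /* stands in for net.inet.ip.forwarding */
    unsigned long wrongif;   /* the counter 'netstat -s | grep wrongif' shows */
    unsigned long delivered;
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Builds the sample host: two interfaces with documentation-range addresses. */
struct host sample_host(int forwarding)
{
    struct host h = { { { "em0", 0 }, { "em1", 0 } }, 2, forwarding, 0, 0 };
    h.ifs[0].addr = ip4(192, 0, 2, 10);
    h.ifs[1].addr = ip4(198, 51, 100, 10);
    return h;
}

/* Decide what happens to a unicast packet to dst received on ifs[rcvif].
 * Returns 1 = delivered locally, 0 = dropped and wrongif bumped,
 * -1 = not a local address at all (left to the route/forwarding path). */
int ip_input_check(struct host *h, int rcvif, uint32_t dst)
{
    int owner = -1;
    for (int i = 0; i < h->nifs; i++)
        if (h->ifs[i].addr == dst) { owner = i; break; }
    if (owner < 0)
        return -1;
    /* Weak host model: any local address is accepted on any interface.
     * Routers (forwarding enabled) keep this behaviour after the change. */
    if (h->forwarding || owner == rcvif) {
        h->delivered++;
        return 1;
    }
    /* Non-forwarding host after the change: the destination must be bound to
     * the receiving interface, otherwise drop and count it as wrongif. */
    h->wrongif++;
    return 0;
}
```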

syscall call-from verification

Contributed by rueda on from the hard-as-nails-(in-the-coffin-of-exploit-techniques) dept.

Theo de Raadt (deraadt@) has committed code for a new exploit-prevention mechanism:

[…]
Repurpose the "syscalls must be on a writeable page" mechanism to
enforce a new policy: system calls must be in pre-registered regions.
We have discussed more strict checks than this, but none satisfy the
cost/benefit based upon our understanding of attack methods, anyways
let's see what the next iteration looks like.

This is intended to harden (translation: attackers must put extra
effort into attacking) against a mixture of W^X failures and JIT bugs
which allow syscall misinterpretation, especially in environments with
polymorphic-instruction/variable-sized instructions.  It fits in a bit
with libc/libcrypto/ld.so random relink on boot and no-restart-at-crash
behaviour, particularly for remote problems. Less effective once on-host
since the libraries can be read.
[…]

The full commit details are well worth reading, as is the manual page for the (new) msyscall(2), and some associated discussion on tech@.

As this change involves ABI breakage, upgrading via snapshots is the easiest way to avoid trouble.
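Added example modelling the policy the commit message describes; it is not the OpenBSD kernel's or ld.so's code. A process carries a short list of allowed regions, msyscall(2) is modelled as being honoured once, and a system call whose instruction address lies outside every region is refused. The region limit, the once-only rule and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Constructed model of "system calls must be in pre-registered regions".
 * Not OpenBSD kernel code; the bookkeeping below is an assumption. */
#define MAX_REGIONS 4

struct region { uintptr_t start, end; };

struct proc {
    struct region regions[MAX_REGIONS];
    int nregions;
    int msyscall_done;   /* assumption: msyscall(2) is honoured once per process */
};

/* Kernel-side registration at exec time, e.g. for ld.so's own text
 * (hypothetical helper named for this model). */
int exec_register_region(struct proc *p, uintptr_t base, size_t len)
{
    if (p->nregions >= MAX_REGIONS)
        return ENOMEM;
    p->regions[p->nregions++] = (struct region){ base, base + len };
    return 0;
}

/* Model of msyscall(2): ld.so registers libc's text once it is mapped.
 * A later call is refused so nothing can widen the allowed area afterwards. */
int model_msyscall(struct proc *p, uintptr_t base, size_t len)
{
    if (p->msyscall_done)
        return EPERM;
    int rv = exec_register_region(p, base, len);
    if (rv == 0)
        p->msyscall_done = 1;
    return rv;
}

/* Check at syscall entry: pc is the address of the trapping instruction.
 * Returns 1 if the call may proceed, 0 if the process is to be killed. */
int syscall_from_registered_region(const struct proc *p, uintptr_t pc)
{
    for (int i = 0; i < p->nregions; i++)
        if (pc >= p->regions[i].start && pc < p->regions[i].end)
            return 1;
    return 0;
}
```

A syscall instruction that ends up in a JIT buffer or a page left writable by a W^X failure sits outside every registered region, which is exactly the case the check refuses.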

p2k19 Hackathon Report: Stefan Sperling on iwm(4) wifi progress, more

Contributed by Peter N. M. Hansteen on from the packets-in-the-air dept.

Next up in our hackathon series from p2k19 is one from Stefan Sperling (stsp@), who writes:

My main goal for the p2k19 hackathon was 9260 device support in iwm(4). Firmware updates for the previous device generation were an important prerequisite step. One day before p2k19, the oldest generation of hardware supported by the iwm(4) driver was switched to the latest available firmware images.

Features

We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

OpenBSD Errata

OpenBSD 6.6

013 2019-12-11 SECURITY ld.so may fail to remove the LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID executables in low memory conditions.
012 2019-12-08 SECURITY A user can log in with a different user's login class.
011 2019-12-04 SECURITY xenodm uses the libc authentication layer incorrectly.
010 2019-12-04 SECURITY libc's authentication layer performed insufficient username validation.
009 2019-12-04 SECURITY Environment-provided paths are used for dlopen() in mesa, resulting in escalation to the auth group in xlock(1).
008 2019-11-22 SECURITY Shared memory regions used by some Mesa drivers had permissions which allowed others to access that memory.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]