Issue 158
Published August 09, 2023

Among other BSD news, this week we see bunch of FreeBSD security advisories plus how to host SearXNG instance on OpenBSD.

Releases

No releases.

BSDSec

FreeBSD 13.1 end-of-life: As of August 2nd, 2023, FreeBSD 13.1 reached end-of-life and is no longer supported by the FreeBSD Security Team. Users of FreeBSD 13.1 are strongly encouraged to upgrade to a newer release as soon as possible.

FreeBSD Security Advisory FreeBSD-SA-23:06.ipv6: IPv6 packets may be fragmented in order to accommodate the maximum transmission unit (MTU) of the network path between the source and destination hosts. The FreeBSD kernel keeps track of received packet fragments and will reassemble the original packet once all fragments have been received, at which point the packet is processed normally. Each fragment of an IPv6 packet contains a fragment header which specifies the offset of the fragment relative to the original packet, and each fragment specifies its length in the IPv6 header. When reassembling the packet, the kernel calculates the complete IPv6 payload length. The payload length must fit into a 16-bit field in the IPv6 header. Due to a bug in the kernel, a set of carefully crafted packets can trigger an integer overflow in the calculation of the reassembled packet’s payload length field. Once an IPv6 packet has been reassembled, the kernel continues processing its contents. It does so assuming that the fragmentation layer has validated all fields of the constructed IPv6 header. This bug violates such assumptions and can be exploited to trigger a remote kernel panic, resulting in a denial of service.

FreeBSD Errata Notice FreeBSD-EN-23:08.vnet: VNET is the name of a technique to virtualize the network stack. It changes global resources, most notably variables, into per network stack resources and handles them in the context of the correct instance. VNET is enabled by default in GENERIC kernels on all architectures except 32-bit ARM. DPCPU is a dynamic per-CPU memory allocator which can instantiate one instance of a global variable with each CPU in the system. Dynamically allocated per-CPU variables can be defined with custom names and types. DPCPU is always enabled. After FreeBSD 13.1 was released, the contributed LLVM components (LLVM, clang, compiler-rt, libc++, libunwind, lld, lldb and openmp) were upgraded to upstream version 14.0.5. The new version of lld, the llvm linker, got additional optimizations for arm64 in the form of so-called relocation relaxations. These relaxations are fine for regular userland applications, as the dynamic linker can handle the optimized relocations. However, due to the way the VNET and DPCPU features are implemented, the optimized relocations can cause panics if they are used in kernel modules. On arm64 systems, loading kernel modules that use VNET or DPCPU features can cause panics. A known example is the WireGuard kernel module, if_wg(4).

FreeBSD Security Advisory FreeBSD-SA-23:09.pam_krb5: Kerberos 5 (krb5) is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. pam_krb5 is a PAM module that allows using a Kerberos password to authenticate the user. pam_krb5 is disabled in the default FreeBSD installation. pam_krb5 uses passwords for authentication, which is distinct from Kerberos native protocols like GSSAPI, which allows for login without the exchange of passwords. GSSAPI is not affected by this issue.

FreeBSD Security Advisory FreeBSD-SA-23:08.ssh: ssh-agent is a program to hold private keys used for OpenSSH public key authentication. Connections to ssh-agent may be forwarded from further remote hosts using the -A option to ssh. The server to which the ssh-agent connection is forwarded may cause the ssh-agent process to load (and unload) operating system-provided shared libraries to support the addition and deletion of PKCS#11 keys.The server may cause ssh-agent to load shared libraries other than those required for PKCS#11 support. These shared libraries may have side effects that occur on load and unload (dlopen and dlclose). An attacker with access to a server that accepts a forwarded ssh-agent connection may be able to execute code on the machine running ssh-agent. Note that the attack relies on properties of operating system-provided libraries. This has been demonstrated on other operating systems; it is unknown whether this attack is possible using the libraries provided by a FreeBSD installation.

FreeBSD Security Advisory FreeBSD-SA-23:07.bhyve: bhyve(8)‘s fwctl interface provides a mechanism through which guest firmware can query the hypervisor for information about the virtual machine. The fwctl interface is available to guests when bhyve is run with the “-l bootrom” option, used for example when booting guests in UEFI mode. bhyve is currently only supported on the amd64 platform. The fwctl driver implements a state machine which is executed when the guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process’ memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string. A malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

As always, it’s worth following BSDSec. RSS feed and Twitter account available.

News

Valuable News – 2023/08/07: The Valuable News weekly series is dedicated to provide summary about news, articles and other interesting stuff mostly but not always related to the UNIX or BSD systems.

New routed IPsec VPN mode committed to OpenBSD-current: The routed IPSec mode has now been committed to -current by David Gwynne (dlg@), likely to be a prominent item for the upcoming OpenBSD 7.4 release.

BSD Now 518: Unix Edition Zero: A Guide to Problem-Solving for Software Developers with Examples, making 20% time work, Long Live Netbooks, OpenBSD Router on Sg105w, Set Up a Simple and Actually Working Wireguard Server, Unix Edition Zero, how to be a -10x engineer, and more.

Tutorials

Self-Hosted SearXNG instance on OpenBSD: Some time ago, author of this post discovered and used searx on OpenBSD . This worked quite well but there were a few annoying bugs that they couldn’t solve. Mainly using OpenSearch with Firefox and timeouts with some Big Tech search engines. After struggling enough, they decided to switch to SearXNG .

Multiboot Microsoft Windows, OpenBSD and Slackware Linux: This is how an author configured a multiboot environnement on the ThinkPad with Microsoft Windows 11, OpenBSD 7.3 and Slackware Linux 15.0. Note that they will encrypt as much storage as possible using the various available OS technologies.

Fixing ThinkPad X1 WiFi on Freebsd: Blog post about replacing AX200 WiFi adapter with an AC9260 for FreeBSD

Did we miss anything?

This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.

Do you have an OSS BSD-related project that you would like to showcase in BSD Weekly? Reply to sender and we can showcase you as a sponsor of an issue (for free).

Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.

Thanks for reading and see you next week! Stay safe!

Become a Sponsor! Become a Patron!

We won't spam you. Unsubscribe any time.