-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

         NetBSD Security Advisory 2022-001
         =================================

Topic:      PPPoE discovery phase memory corruption

Version:    NetBSD-current:   affected prior to 2022-05-05
            NetBSD 9.*:       affected
            NetBSD 8.*:       affected

Severity:   A malicious host on the local network may cause kernel
            memory corruption.

Fixed:      NetBSD-current:   May 4, 2022
            NetBSD-9 branch:  May 4, 2022
            NetBSD-8 branch:  May 4, 2022

Please note that NetBSD releases prior to 8 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A vulnerability has been discovered in the processing of PPPoE discovery
phase packets. A malicious host on the same network (within the same
broadcast domain) could cause a NetBSD machine that is trying to initiate
a PPPoE session to write memory outside of the allocated bounds.

This vulnerability has been assigned CVE-2022-29867.


Technical Details
=================

During establishment of a new PPPoE session the client broadcasts
discovery packets on the local network and awaits offer packets from
potential PPPoE servers. If the client receives multiple offers, it
picks one and continues session establishment only with that server.
PPPoE discovery runs directly over Ethernet frames, so an attacker needs
only layer-2 adjacency to the client, not an IP address.

Due to bugs in the processing of the offer packets, a malicious server
could send multiple offers, and details from every offer were accumulated
into a single answer packet. Through this accumulation it was possible to
exceed size limits that the PPPoE standard inherently guarantees for a
single packet.

This triggered a second bug: an mbuf cluster was allocated even for sizes
that do not fit into a fixed-size cluster. When the answer packet was then
created, the bounds of the allocated mbuf cluster were not honored and
data was written outside the allocated memory area. This corrupts memory
in the mbuf cluster pool, with unclear consequences. The content of the
overwritten data areas was under the control of the attacker.
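The following is an added example, not code from NetBSD's sys/net/if_pppoe.c and not the reporter's PoC: a user-space C model of the two bugs described above. The PPPoE header layout and the AC-Cookie tag code come from RFC 2516; the 2048-byte answer buffer, the 8192-byte echo cap, the constructed offer packets and every function and type name are assumptions made for this example, and "accept only the first offer" is one way to close the first hole, not a transcription of the NetBSD fix. In the accumulating mode two offers that are each valid on their own add up to a PADR larger than the fixed-size buffer; the check in padr_build() is the one that was missing before data was written.

```c
/* Added example, not code from NetBSD's sys/net/if_pppoe.c or the reporter's
 * PoC: a user-space model of the two bugs described above.  Header layout and
 * tag codes follow RFC 2516; buffer sizes, packets and names are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PPPOE_HEADERLEN    6       /* ver/type, code, session id, length */
#define PPPOE_VERTYPE      0x11
#define PPPOE_CODE_PADO    0x07    /* offer from an access concentrator */
#define PPPOE_CODE_PADR    0x19    /* client's request to the chosen AC */
#define PPPOE_TAG_ACCOOKIE 0x0104  /* must be echoed back verbatim in the PADR */
#define CLUSTER_BYTES      2048    /* fixed-size answer buffer of this model */
#define MAX_ECHO           8192    /* model-only cap on accumulated tag bytes */

struct pppoe_client {
    bool    offer_chosen;          /* a PADO has already been accepted */
    uint8_t echo[MAX_ECHO];        /* tags to copy into the PADR */
    size_t  echo_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Process one PADO.  accumulate=true is the vulnerable behaviour: every offer is
 * parsed and its AC-Cookie is appended after the earlier offers'; with false,
 * PADOs are ignored once one was accepted.  Returns 1, 0 or -1 (malformed). */
static int pado_process(struct pppoe_client *c, const uint8_t *pkt, size_t len, bool accumulate)
{
    size_t plen;
    if (len < PPPOE_HEADERLEN || pkt[0] != PPPOE_VERTYPE ||
        pkt[1] != PPPOE_CODE_PADO || (plen = rd16(pkt + 4)) > len - PPPOE_HEADERLEN)
        return -1;                 /* bad header, or length field beyond the frame */
    if (!accumulate && c->offer_chosen) return 0;   /* already committed to one server */
    const uint8_t *p = pkt + PPPOE_HEADERLEN, *end = p + plen;
    while (end - p >= 4) {
        uint16_t tag = rd16(p), tlen = rd16(p + 2);
        if (tlen > (size_t)(end - p - 4)) return -1;   /* tag runs past the payload */
        if (tag == PPPOE_TAG_ACCOOKIE) {
            if (c->echo_len + 4 + tlen > sizeof c->echo)
                return -1;         /* model cap; the kernel had no such stop */
            memcpy(c->echo + c->echo_len, p, 4 + tlen);
            c->echo_len += 4 + tlen;
        }
        p += 4 + tlen;
    }
    c->offer_chosen = true;
    return 1;
}

/* Write the PADR into buf.  The second bug allocated a fixed-size cluster without
 * checking the size fits; this check returns 0 instead of writing past the end. */
static size_t padr_build(const struct pppoe_client *c, uint8_t *buf, size_t bufsz)
{
    size_t n = PPPOE_HEADERLEN + c->echo_len;
    if (n > bufsz || c->echo_len > 0xffff) return 0;
    buf[0] = PPPOE_VERTYPE; buf[1] = PPPOE_CODE_PADR; buf[2] = buf[3] = 0;
    buf[4] = (uint8_t)(c->echo_len >> 8); buf[5] = (uint8_t)c->echo_len;
    memcpy(buf + PPPOE_HEADERLEN, c->echo, c->echo_len);
    return n;
}

/* Constructed PADO with one AC-Cookie of cookie_len bytes; each such packet is
 * valid on its own because it fits a single Ethernet frame. */
static size_t make_pado(uint8_t out[1518], uint16_t cookie_len)
{
    size_t plen = 4 + (size_t)cookie_len;
    if (PPPOE_HEADERLEN + plen > 1518) return 0;
    uint8_t hdr[10] = { PPPOE_VERTYPE, PPPOE_CODE_PADO, 0, 0, (uint8_t)(plen >> 8),
        (uint8_t)plen, 0x01, 0x04, (uint8_t)(cookie_len >> 8), (uint8_t)cookie_len };
    memcpy(out, hdr, sizeof hdr);
    memset(out + 10, 0x41, cookie_len);            /* attacker-chosen bytes */
    return PPPOE_HEADERLEN + plen;
}

/* Feed `offers` copies of one PADO to a fresh client.  need = PADR size it would
 * then allocate (0 if a packet was rejected); built = bytes padr_build() wrote
 * into a CLUSTER_BYTES buffer (0 = refused because it would overrun). */
struct padr_result { size_t need, built; };
static struct padr_result padr_after_offers(int offers, uint16_t cookie_len, bool accumulate)
{
    struct pppoe_client c = { 0 };
    struct padr_result r = { 0, 0 };
    uint8_t pado[1518], buf[CLUSTER_BYTES];
    size_t n = make_pado(pado, cookie_len);
    for (int i = 0; i < offers; i++)
        if (pado_process(&c, pado, n, accumulate) < 0)
            return r;
    r.need = PPPOE_HEADERLEN + c.echo_len;
    r.built = padr_build(&c, buf, sizeof buf);
    return r;
}

int main(void)
{
    struct padr_result r = padr_after_offers(2, 1400, true);
    printf("two accumulated offers: PADR needs %zu bytes, %zu written to a %d-byte buffer\n",
           r.need, r.built, CLUSTER_BYTES);
    return 0;
}
```

Build with `cc -Wall -o pppoe_model pppoe_model.c`. With a 1400-byte cookie one offer needs a 1410-byte PADR and fits; two accumulated offers need 2814 bytes, more than the 2048-byte buffer, and padr_build() refuses. With first-offer-only handling the second offer changes nothing. The malformed-packet paths (length field beyond the frame, tag beyond the payload) are rejected before any copy.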
Solutions and Workarounds
=========================

The attack can only happen while a PPPoE session is being established.
During the lifetime of an established session, or when no pppoe(4)
interface is active, the malicious packets are ignored by the kernel.
Until a fixed kernel is installed, the exposure is therefore limited to
the moments at which a pppoe(4) interface is brought up on a link that
untrusted hosts can reach.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nycdn.NetBSD.org and extract the fixed binaries:

    cd /var/tmp
    ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/kern-GENERIC.tgz
    cd /
    tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

    REL   = the release version you are using
    BUILD = the source date of the build; 20220505* and later will fit
    ARCH  = your system's architecture

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version
of the kernel.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

    ARCH     with your architecture (from uname -m), and
    KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

    # cd src
    # cvs update -d -P sys/net/if_pppoe.c
    # ./build.sh kernel=KERNCONF
    # mv /netbsd /netbsd.old
    # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
    # shutdown -r now

For more information on how to do this, see:

    https://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Sony Interactive Entertainment (SIE): the bug was originally reported
to SIE under PlayStation's public bug bounty program
(https://hackerone.com/playstation).

The researcher John Ceeeena! (@m00nbsd), who found the bug and provided
a PoC exploit.
Revision History
================

    2022-05-10  Initial release
    2022-05-12  Minor corrections
    2022-10-08  Mention all branches affected


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
    https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-001.txt.asc

Information about NetBSD and NetBSD security can be found at
    https://www.NetBSD.org/
    https://www.NetBSD.org/support/security/


Copyright 2022, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2022-001.txt,v 1.6 2022/10/08 13:28:21 christos Exp $

-----BEGIN PGP SIGNATURE-----

iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmNBezgcHHNlY3VyaXR5
LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/6VvD/42MGl3ujXQLGKpapaF
p9MJDVXctrb+Dg8Vd9JNexfU2p3yQqoEKCuzvJB96tIcGEXfQY5uwsZk7kZr3JRd
uIK/mrZ356x93CBef2XHnZcr497baNY+Egej2RdR8rNwPOZEPYNW+PT4bgc2v/JP
TlDbeGePYBaHX80z9Jpcx3ZJYliYetwWv+R+uBjzJ5x6XgGryJwNWPsvyToWgaZV
Z1XvNpltCh9m2/19vdX4cDYj4aoN5uRs0Gvu/wH9qF2iTS4OD0+aNh74oLYtLxv+
9iLbsjXMz/EUbdpW8pjHgiQlRXqIx5iatZCl3hxdAHLFqCI993iU/jHSeTLzzecV
DvNeAYvZS9c11ajj3jjGY5NhAhKL6V5PMt2Kd+VChiVWeSekKGrVhQRtJK5kb4nL
RGg8jhFF3nYK/r1QGH9kq0Dym2IplEjdtQGXgWIFbuGRBUngz/K+zPMoB5T1ecJj
iQ9UVROiQQwXNxAmIizIl5tzhqsAA2o3V85RSi3vCIxC8Tv8kAHQxicNA7JyFw3Y
c81zThPSbsn38XgOXmJ/dX6EmKbcHV4g6yrOx3k6l1ov/vfTO8Isqtz56rEhElKW
ib7JL0pLEODnxKh5fhsj19chVJQU3jH46MCrU8mkiTWNoWYvSnVl+cjk4A6GHlfT
k/hiEQzoqkq5bRWMyBclSITA4g==
=HLAV
-----END PGP SIGNATURE-----