-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 NetBSD Security Advisory 2024-001 ================================= Topic: Inadequate validation of user-supplied hostname in utmp_update(8) Version: NetBSD-current: affected prior to 2023-09-30 NetBSD 10.0_RC4: affected NetBSD 9.3: affected NetBSD 9.2: affected NetBSD 9.1: affected NetBSD 9.0: affected NetBSD 8.2: affected NetBSD 8.1: affected NetBSD 8.0: affected Severity: Possibility of injecting arbitrary characters to the utmp logs including terminal escape sequences. Fixed: NetBSD-current: 2023-09-30 NetBSD-10 branch: 2024-02-17 NetBSD-9 branch: 2024-02-17 NetBSD-8 branch: 2024-02-17 Please note that NetBSD releases prior to 8.2 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== utmp_update(8) is a helper program that allows users to update theirs utmpx(5) entries. An identified vulnerability reveals inadequate validation of user-supplied data, enabling malicious entities to inject arbitrary information. Technical Details ================= The issue allows malicious users to inject arbitrary data into utmpx(5) database due to the absence of proper filters for provided hostnames. The behaviour can be exploited by the attackers to force tools which display hostnames from utmpx(5) databases such us w(1) or who(1), to unexpectedly inject escape sequences into terminal of the user invoking the program. While this vulnerability does not pose a direct threat to the system's core operations, it can be leveraged indirectly to disrupt accurate system logging, compromise terminal interfaces, and facilitate social engineering attacks by displaying arbitrary content in the terminals of unsuspecting victims The utmp_update(8) utility was fixed by introducing a filter which accepts only printable characters in the hostnames. Solutions and Workarounds ========================= It is suggested to install new version of the utmp_update(8) utility. To apply a fixed version from a releng build, fetch a fitting base.tgz from nycdn.NetBSD.org and extract the fixed binaries: cd /var/tmp ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tgz cd / tar xzpf /var/tmp/base.tgz ./usr/libexec/utmp_update with the following replacements: REL = the release version you are using BUILD = the source date of the build. %DATE%* and later will fit ARCH = your system's architecture The following instructions describe how to upgrade your utmp_update(8) binaries by updating your source tree and rebuilding and installing a new version of utmp_update(8). * NetBSD-current: Systems running NetBSD-current dated from before 2023-09-30 should be upgraded to NetBSD-current dated 2023-10-01 or later. The following files/directories need to be updated from the netbsd-current CVS branch (aka HEAD): src/libexec/utmp_update/utmp_update.c To update from CVS, re-build, and re-install utmp_update(8): # cd src # cvs update -d -P src/libexec/utmp_update/ # cd src/libexec/utmp_update/ # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 9.*: Systems running NetBSD 9.* sources dated from before 2024-02-17 should be upgraded from NetBSD 9.* sources dated 2024-02-18 or later. The following files/directories need to be updated from the netbsd-9 branch: path/to/files To update from CVS, re-build, and re-install utmp_update(8): # cd src # cvs update -r netbsd-9 -d -P src/libexec/utmp_update/ # cd src/libexec/utmp_update/ # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 8.*: Systems running NetBSD 8.* sources dated from before 2024-02-17 should be upgraded from NetBSD 8.* sources dated 2024-02-18 or later. The following files/directories need to be updated from the netbsd-8 branch: path/to/files To update from CVS, re-build, and re-install utmp_update(8): # cd src # cvs update -r netbsd-8 -d -P src/libexec/utmp_update/ # cd src/libexec/utmp_update/ # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Adam Simuntis (https://twitter.com/adamsimuntis) for finding and reporting the issue. Christos Zoulas (christos@) for fixing the issue. Revision History ================ 2024-03-10 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2024-001.txt.asc Information about NetBSD and NetBSD security can be found at https://www.NetBSD.org/ https://www.NetBSD.org/Security/ Copyright 2024, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. -----BEGIN PGP SIGNATURE----- iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmXt9A4cHHNlY3VyaXR5 LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/2I2D/0fUe8mMn37Yo47Qd0J QzSHA/NWzoznBPmmvAjhDN43pcKZuXHj1YazdfchZn03ufn4P+PQU0pZDywmkfQ/ cvJiGELxrorFltuz9JQrPo/uUtwu9YrLZEPz8jMLhLn35VL2xIBzjN7Rab8aP8Rv yB/LT+HjgcgCdWdsKcl3UU6uOiMM2DC0m9HX9fjdi0u9NmUL7aA0Ghqc9SFWQ8Vt drhYRMLwRAiVWuk7w6mFsHcA7AUqtLbrfBL5pXm7Zo+8P/MYQXXlGnHOZfDMYxhA TuVvFowJ8oQWANJRXp/onBYq54lkwpBxz3F09Ihim7iEUwiY8sBKDEK0to8LnbC6 nIREt6gViDL3nYeVaXredwaTx3DxFA9DwWfgDzIbC3lT7wbiSBRN/PwntJYbMuOv pqlo2nm1XrVyXK0ZFHfWd3umwJULGZiRo/IIqxGVXQqltq/u+0M1XzPYFbF8RI2v K2aZZSIK/eqhTNlTkngUBFDNeguENszKKP6Dt9sU6VJ6og84v6xvckSIAvlNUqFG ZmPbNXSlDVn4q9rtvByiQThTn9Ro7TQqMd0eGfatZx0mGIlSEPI3ZgVtFD3O+1xd qWrEuD52EfxuW9ow0NxBFe9WR/kx8KfaDG9rgZmD+pFI7a3dyw0TKfCB+DbKx8Hc oNcwuD1um1IVX+8ugjJa79R5oQ== =P9cs -----END PGP SIGNATURE-----