On Tue, May 12, 2020 at 07:44:31PM +0000, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-20:13.libalias                                   Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Memory disclosure vulnerability in libalias
>
> Category:       core
> Module:         libalias
> Announced:      2020-05-12
> Credits:        Vishnu Dev TJ working with Trend Micro Zero Day Initiative
> Affects:        All supported versions of FreeBSD
> Corrected:      2020-05-12 16:52:08 UTC (stable/12, 12.1-STABLE)
>                 2020-05-12 16:54:39 UTC (releng/12.1, 12.1-RELEASE-p5)
>                 2020-05-12 16:52:08 UTC (stable/11, 11.4-STABLE)
>                 2020-05-12 16:54:39 UTC (releng/11.4, 11.4-BETA1-p1)
>                 2020-05-12 16:54:39 UTC (releng/11.3, 11.3-RELEASE-p9)
> CVE Name:       CVE-2020-7455
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> The ipfw(4) system facility allows IP packet filtering, redirecting, and
> traffic accounting. The ipfw(4) packet filter also contains two different
> methods of accomplishing network address translation (NAT): in-kernel and
> userspace. Both implementations use the same functions provided by libalias.
>
> The libalias(3) library is a collection of functions for aliasing and
> dealiasing of IP packets, intended for masquerading and NAT. Additionally,
> libalias(3) includes modules to support protocols that require additional
> logic to support address translation.
>
> Note: libalias(3) is not used by either the pf(4) or ipf(4) firewalls.
>
> II.  Problem Description
>
> The FTP packet handler in libalias incorrectly calculates some packet
> lengths. This may result in disclosing small amounts of memory from the
> kernel (for the in-kernel NAT implementation) or from the process space for
> natd (for the userspace implementation).
>
> III. Impact
>
> A malicious attacker could send specially constructed packets that exploit the
> erroneous calculation, allowing the attacker to disclose a small amount of memory
> either from the kernel (for the in-kernel NAT implementation) or from the
> process space for natd (for the userspace implementation).
>
> IV.  Workaround
>
> No workaround is available. Only systems using NAT and ipfw together are
> affected. Systems using ipfw without NAT, or systems leveraging pf(4) or
> ipf(4) are not affected.
This is not correct. For kernel NAT to be affected, alias_ftp.ko has to be
loaded. natd is vulnerable because libalias_ftp.so is loaded by the default
/etc/libalias.conf. The workaround in both cases is to make sure that the
alias_ftp module is not used.
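The two conditions named in the reply (alias_ftp.ko loaded for in-kernel NAT, libalias_ftp.so listed in /etc/libalias.conf for natd) can be audited from a host's kldstat(8) output and its libalias.conf. The script below is an added example, not part of the advisory or of this reply; it assumes kldstat's last column is the module file name and that libalias.conf holds one shared-object path per line with '#' comments, and it runs here against constructed sample input.

```shell
#!/bin/sh
# Added example: check whether a FreeBSD host uses the libalias FTP module,
# the exposure condition given for FreeBSD-SA-20:13 / CVE-2020-7455.
# Assumes kldstat(8) prints the module file name as its last column and that
# /etc/libalias.conf lists one .so path per line, '#' starting a comment.

# Exit 0 if kldstat output on stdin lists alias_ftp.ko (in-kernel NAT exposed).
kernel_ftp_module_loaded() {
    awk '$NF == "alias_ftp.ko" { found = 1 } END { exit !found }'
}

# Exit 0 if libalias.conf content on stdin loads libalias_ftp.so (natd exposed).
# Comments are stripped first so a commented-out line does not count.
natd_ftp_module_configured() {
    sed 's/#.*//' | awk 'NF && $1 ~ /libalias_ftp\.so$/ { found = 1 } END { exit !found }'
}

# Combine both checks into one verdict string.
# $1: kldstat output, $2: libalias.conf contents
assess() {
    verdict=""
    if printf '%s\n' "$1" | kernel_ftp_module_loaded; then
        verdict="${verdict}kernel-nat "
    fi
    if printf '%s\n' "$2" | natd_ftp_module_configured; then
        verdict="${verdict}natd "
    fi
    if [ -n "$verdict" ]; then
        printf 'exposed: %s\n' "${verdict% }"
    else
        printf 'not exposed\n'
    fi
}

# Constructed sample inputs (not captured from a real host): the FTP kernel
# module is loaded, while libalias.conf has the FTP module commented out.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   10 0xffffffff80200000  1f11f28 kernel
 2    1 0xffffffff82421000     3b80 alias_ftp.ko'
SAMPLE_CONF='# libalias.conf sample with the FTP module disabled
/lib/libalias_cuseeme.so
#/lib/libalias_ftp.so
/lib/libalias_irc.so'

# On a real host: assess "$(kldstat)" "$(cat /etc/libalias.conf)"
assess "$SAMPLE_KLDSTAT" "$SAMPLE_CONF"
```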