-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 NetBSD Security Advisory 2022-004 ================================= Topic: procfs(5) missing permission checks Version: NetBSD-current: affected prior to 2022-06-18 NetBSD 9.*: affected NetBSD 8.*: affected Severity: Malicious user may read from opened file descriptors by other processes. Fixed: NetBSD-current: June 17, 2022 NetBSD-9 branch: June 17, 2022 NetBSD-8 branch: June 17, 2022 Please note that NetBSD releases prior to 8 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== Due to missing permission checks it was possible to reuse open descriptors which are exposed in the procfs(5) [pid]/fd/ directory. It might allow malicious user to bypass permission checks and read data from opened descriptor under some circumstances. Technical Details ================= Directory fd/ which is available per process in the procfs(5) is exposing all opened file descriptors by a process, because of the missing VOP_ACCESS check during the VOP_LOOKUP(9) operation. Due to lack of proper access verification, malicious user is allowed to open files from the directory with the file descriptors, because permissions of the directory are not effectively checked. An example scenario that leads to data leak is as follows: the file with permissions 644 protected by the directory permissions 700, if process opened the file, it is possible to obtain file descriptor by malicious user by opening it directly from the exposed fd/ folder by the procfs(5). Solutions and Workarounds ========================= Immediate workaround: unmount procfs(5) and mark it "noauto" in /etc/fstab. Please note that some programs may need access to procfs(5) in order to work correctly. To apply a fixed version from a releng build, fetch a fitting kern-GENERIC.tgz from nycdn.NetBSD.org and extract the fixed binaries: cd /var/tmp ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/kern-GENERIC.tgz cd / tar xzpf /var/tmp/kern-GENERIC.tgz with the following replacements: REL = the release version you are using BUILD = the source date of the build. 20220618 and later will fit ARCH = your system's architecture The following instructions describe how to upgrade your kernel by updating your source tree and rebuilding and installing a new version of the kernel. For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), and KERNCONF with the name of your kernel configuration file. To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: https://www.NetBSD.org/docs/guide/en/chap-kernel.html Thanks To ========= Mateusz Kocielski (shm@) who analyzed this problem and supplied the fixes. Revision History ================ 2022-10-04 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-004.txt.asc Information about NetBSD and NetBSD security can be found at https://www.NetBSD.org/ https://www.NetBSD.org/support/security/ Copyright 2022, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $Id: NetBSD-SA2022-004.txt,v 1.2 2022/10/08 13:28:21 christos Exp $ -----BEGIN PGP SIGNATURE----- iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmNBe0wcHHNlY3VyaXR5 LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/9dmD/45cA90Fu1OPbmUUc+g BynxUauVC5PMHZb6fsMxxPWpF3uiR2qP3OkeAsqbIxZ3beN7FNhsAQo12v26qTui cXaFlxVoCrISdhSDAxu1B6/3GPHkGkI86W88WKPWb52Y5LT7l0biV0quwiXVUiil XFbUA2PyK9Hzj67/5A5xgDKeVorOCdx46WX1Rs/Rf7xdpBZbdiFJz3vYZG5KBq09 E+1JR91NMKMBxX6ooZuqvX5E5iqZy4C3gEDR3pWbSnzHUgR0wccfubthAHHmGupY frt4EbRiNM2X+9Fwk9GLPrSLtu8DCSDZkues+JciqUZ4+92LAS1hXKbNJrCSS27b QJNng3yNiu7nSlho7FtEdYeaIehT1Zb17OLQ4eaN4Vx2eH+JiynmdMBzZrEUsMO6 ZljbgzaGMo8VU1gMHP2Tk1P6guKBMtviOf7KRC9tojmlna+qPDdMP0qP5UPS29P/ h6xYleM9+ZXCWLYoNeQGt9J7C50yW071PQAg1NDiG1xkFDJ3O95TZwj7Ioo8twR6 gvVLDWiXJ+pcR0orbeS5QnPTaSKlCz7SjnGtHHGb96ZwnDnKEenV1kNf9aEILSli uVT51qBKE8z4TJuhGG6bsrYFuzMnOpjpKD3d88De7SCWtdu8E54Cd+KrJQQjOKzF HZ7uDl4kLVf4epFX7EBFlPPsmg== =w4zE -----END PGP SIGNATURE-----