-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                 NetBSD Security Advisory 2022-001
                 =================================


Topic:          PPPoE discovery phase memory corruption

Version:        NetBSD-current: affected prior to 2022-05-05
                NetBSD 9.2:     affected
                NetBSD 8.2:     affected

Severity:       Malicious host on the local network may cause kernel
                memory corruption.

Fixed:          NetBSD-current:         May 4, 2022
                NetBSD-9 branch:        May 4, 2022
                NetBSD-8 branch:        May 4, 2022

Please note that NetBSD releases prior to 8 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A vulnerability has been discovered in the processing of PPPoE
discovery phase packets. A malicious host on the same network (within
the same broadcast domain) could cause a NetBSD machine trying to
initiate a PPPoE session to overwrite kernel memory outside of the
allocated bounds.

This vulnerability has been assigned CVE-2022-29867.


Technical Details
=================

During establishment of a new PPPoE session the client broadcasts
discovery packets (PADI) on the local network and awaits offer packets
(PADO) from potential PPPoE servers. If the client receives multiple
offers, it picks one and continues session establishment only with
that server.

Due to bugs in the processing of the offer packets, a malicious server
could send multiple offers, and details from each offer would be
accumulated into a single answer packet (PADR) rather than replacing
the details of the previous offer. Due to this accumulation it was
possible to overrun size limits inherently asserted by the PPPoE
standard. This bug triggered a second bug that caused an mbuf cluster
to be allocated even for sizes that do not fit into a fixed size
cluster. When creating the answer packet, the bounds of the allocated
mbuf cluster were then not honored and data was written outside the
allocated memory area. This corrupts memory in the kernel's mbuf
cluster pool, with unclear consequences. The content of the
overwritten data areas was under control of the attacker.
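To make the two bugs concrete, the following added C model was written
for this page; it is not NetBSD's sys/net/if_pppoe.c and reproduces
none of its code. It keeps only the AC-Cookie a client must echo back
in its PADR. The struct and function names, the constructed 64-byte
cookie, the 2048-byte cluster size and the 1494-byte payload bound (an
Ethernet MTU less the 6-byte PPPoE header) are assumptions made for
illustration. pado_accept() with accumulate set appends each offer to
the previous one, as the flawed pattern did; cluster_overrun() reports
how far an unchecked copy would run past a fixed-size cluster; and
build_padr() is the check a fixed builder needs: verify the protocol
limit and the size of the buffer actually obtained before writing a
byte.

```c
/*
 * Added example (not NetBSD's sys/net/if_pppoe.c): a model of the PADO-offer
 * bookkeeping the advisory describes.  Names, the 2048-byte cluster size and the
 * 1494-byte payload bound are assumptions made for illustration.
 */
#include <limits.h>
#include <stdint.h>
#include <string.h>

#define PPPOE_HEADERLEN    6                        /* ver/type, code, session id, length */
#define PPPOE_MAX_PAYLOAD  (1500 - PPPOE_HEADERLEN) /* 1494: tags must fit one Ethernet frame */
#define MCLBYTES           2048                     /* assumed fixed-size mbuf cluster */
#define PPPOE_TAG_HDRLEN   4                        /* TYPE(2) + LENGTH(2), RFC 2516 */
#define PPPOE_TAG_ACCOOKIE 0x0104                   /* AC-Cookie: client must echo it verbatim */

/* Client state: the AC-Cookie of the chosen offer, echoed in the PADR.  The
 * buffer is larger than any cluster so the model itself never overflows. */
struct pppoe_client {
    uint8_t cookie[4096];
    size_t  cookie_len;
};

/*
 * Record an offer's AC-Cookie.  accumulate == 1 reproduces the flawed pattern
 * (each offer is appended to what earlier offers left behind); accumulate == 0
 * is the intended behaviour (a new offer replaces the old one).
 */
int
pado_accept(struct pppoe_client *c, const uint8_t *cookie, size_t len, int accumulate)
{
    size_t base = accumulate ? c->cookie_len : 0;

    if (base + len > sizeof(c->cookie))
        return -1;                      /* model buffer exhausted, not the bug itself */
    memcpy(c->cookie + base, cookie, len);
    c->cookie_len = base + len;
    return 0;
}

/* Tag bytes the PADR built from this state needs. */
size_t
padr_payload_len(const struct pppoe_client *c)
{
    return PPPOE_TAG_HDRLEN + c->cookie_len;
}

/*
 * The second bug: a fixed-size cluster handed out whatever length was asked
 * for.  Returns how far an unchecked copy of header plus tags would write past
 * the end of an MCLBYTES cluster (0 if it fits).
 */
size_t
cluster_overrun(const struct pppoe_client *c)
{
    size_t need = PPPOE_HEADERLEN + padr_payload_len(c);
    return need > MCLBYTES ? need - MCLBYTES : 0;
}

/*
 * Hardened builder: check the protocol limit and the size of the buffer that
 * was actually allocated before writing a byte.  Returns tag bytes written or -1.
 */
int
build_padr(const struct pppoe_client *c, uint8_t *buf, size_t bufsize)
{
    size_t len = padr_payload_len(c);

    if (len > PPPOE_MAX_PAYLOAD || len > bufsize || len > INT_MAX)
        return -1;
    buf[0] = PPPOE_TAG_ACCOOKIE >> 8; buf[1] = PPPOE_TAG_ACCOOKIE & 0xff;
    buf[2] = (uint8_t)(c->cookie_len >> 8); buf[3] = (uint8_t)c->cookie_len;
    memcpy(buf + PPPOE_TAG_HDRLEN, c->cookie, c->cookie_len);
    return (int)len;
}

/* Feed n identical constructed offers, each carrying a 64-byte cookie. */
static int
feed_offers(struct pppoe_client *c, int n, int accumulate)
{
    uint8_t cookie[64];
    int i;

    memset(c, 0, sizeof *c);
    memset(cookie, 0x41, sizeof cookie);
    for (i = 0; i < n; i++)
        if (pado_accept(c, cookie, sizeof cookie, accumulate) != 0)
            return -1;
    return 0;
}

/* Cluster overrun after n offers; (size_t)-1 if the model ran out of room. */
size_t
overrun_after_offers(int n, int accumulate)
{
    struct pppoe_client c;
    return feed_offers(&c, n, accumulate) ? (size_t)-1 : cluster_overrun(&c);
}

/* Result of the hardened builder after n offers, into a cluster-sized buffer. */
int
padr_len_after_offers(int n, int accumulate)
{
    struct pppoe_client c;
    uint8_t buf[MCLBYTES];
    return feed_offers(&c, n, accumulate) ? -1 : build_padr(&c, buf, sizeof buf);
}
```

With the constructed 64-byte cookie a single offer needs 68 tag bytes
and fits comfortably, and replacing the cookie on every offer keeps it
there no matter how many offers arrive. Accumulating instead, 24 offers
already exceed the protocol limit (so a correct builder refuses them),
and 40 offers would push an unchecked copy 522 bytes past the end of a
2048-byte cluster, which is the kind of out-of-bounds write the
advisory describes.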
Solutions and Workarounds
=========================

The attack can only happen while a PPPoE session is being established.
During session lifetime or when no pppoe(4) interface is active, the
malicious packets are ignored by the kernel.

To apply a fixed version from a releng build, fetch a fitting
kern-GENERIC.tgz from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/kern-GENERIC.tgz
        cd /
        tar xzpf /var/tmp/kern-GENERIC.tgz

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build. 20220505* and later will fit
        ARCH  = your system's architecture

Then reboot so that the new kernel is in use.

The following instructions describe how to upgrade your kernel by
updating your source tree and rebuilding and installing a new version
of the kernel.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/net/if_pppoe.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

        https://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Sony Interactive Entertainment (SIE): The bug was originally reported
to SIE under PlayStation's public bug bounty program
(https://hackerone.com/playstation).

The researcher John Ceeeena! (@m00nbsd), who found the bug and
provided a PoC exploit.
Revision History
================

2022-05-10      Initial release
2022-05-12      Minor corrections


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

        https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2022-001.txt.asc

Information about NetBSD and NetBSD security can be found at

        https://www.NetBSD.org/
        https://www.NetBSD.org/support/security/


Copyright 2022, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2022-001.txt,v 1.5 2022/05/12 16:29:51 christos Exp $

-----BEGIN PGP SIGNATURE-----

iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmJ9NgIcHHNlY3VyaXR5
LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/xvfD/9iAZbGl4uWQOB9zWrK
y1PIg8nGqCfvFpaleltXnX4vWRb5Sw/K7rzu6fBZ7x2ywHVR+leP3fwDNFEjXGFs
8qo0He335mCXi6NMpcTBjEkYzUrfx3ZJA2kDUA3/O8e0bpgPqYNh1FLhNqVu6Tau
we8C8XuTJamj/r3ltNogqnpJNexKrWjqwmbSc9zGVNoIMLYs1RnSWYS+IuVEZeEB
uQri5oq8EG8NJhp9gWaiz7SnY3QvaNbCA0togK6h6l/TDzt30u4XJc7alRRJrAiK
a1JB9xvcfxZxIZK6oXjI7rdMCO8ohK1n0hUKQ+M+oPtw7LO8xlWWGDO0o7EEHJjC
w725pLg9NAPs2UcBIhfLBaLoLzoFtFcKvfAzoeZBuXOSqpF7lVSczte3hmtTHq+a
AYAa4HpTNl2jOtunp1JcQ1EZ8gbbZr5eXSPKpCNS19ouA1tt7xvup8dySPeT+Hjz
PnXIoNi4iO9SsjHTq8O27ujHoLPSzEqJlxGKfQu3m4ZT4r/68Qe9PKgWxnWdFDYr
gtBjWHuzs51dOIM6k9jxHmNW3S1mCwa+/tXKmW/K/4Wch3kOOcmDEJUqbOX6/HQX
0tBvEJn7RpNt098d1P/G2Rjb9RmobdyFl3TdUk0GUrD+AgCZPDmvH/XpjyvbUzWb
/NosKJ/0+HT155YuH+YtJdKZNw==
=jDOf
-----END PGP SIGNATURE-----