Bug 721968 - VUL-0: radvd security issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other Other
Priority: P1 - Urgent
Severity: Critical
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:11.3:43790 maint:relea...
Reported: 2011-10-04 08:11 UTC by Ludwig Nussel
Modified: 2011-12-19 14:19 UTC (History)
Found By: Other
Description Ludwig Nussel 2011-10-04 08:11:03 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

Vasiliy Kulikov found several issues with security consequences in radvd.

- buffer overflow in process_ra()
- directory traversal in set_interface_var()
- buffer overreads in process_ra()
- potential DoS issues
Comment 3 Swamp Workflow Management 2011-10-04 14:40:44 UTC
The SWAMPID for this issue is 43493.
This issue was rated as moderate.
Please submit fixed packages until 2011-10-18.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Sebastian Krahmer 2011-10-05 10:21:42 UTC
Summary of fixes:

https://github.com/reubenhwk/radvd/commits/ (Oct 4th).
Comment 7 Matthias Weckbecker 2011-10-07 08:23:13 UTC
Quote from the oss-sec posting, including the CVE numbers:

-----------------------------------------------------------------------
Hi,

I was hoping that Vasiliy would post this, but he appears to be
unavailable at the moment.  Since the release is already out (and
postponing it seemed inappropriate), I decided to announce this on
oss-security sooner rather than later.

http://www.litech.org/radvd/
http://lists.litech.org/pipermail/radvd-announce-l/2011-October/000022.html

radvd-1.8.2/INTRO.html describes radvd as follows:

---
IPv6 has a lot more support for autoconfiguration than IPv4.  But for
this autoconfiguration to work on the hosts of a network, the routers of
the local network have to run a program which answers the
autoconfiguration requests of the hosts.

On Linux this program is called radvd, which stands for Router
ADVertisement Daemon.  This daemon listens to Router Solicitations (RS)
and answers with Router Advertisement (RA). [...]
---

Vasiliy Kulikov discovered a number of security vulnerabilities and some
other issues in radvd 1.8.1, and provided patches for some of them.

Reuben Hawkins, the current upstream maintainer for radvd, promptly
merged the patches, made additional fixes, and made the 1.8.2 release.

radvd-1.8.2/CHANGES describes 5 fixes that were determined to be of
security relevance:

---
1) A privilege escalation flaw was found in radvd, due to a buffer overflow
in the process_ra() function.  ND_OPT_DNSSL_INFORMATION option parsing
"label_len" was not checked for negative values, leading to a "suffix"
buffer overflow which can lead to privilege escalation, at least if
radvd is compiled without GCC's stack protection. If radvd is invoked
without privilege separation (the -u option), this can lead to an
escalation to root privileges.  Note: Red Hat Enterprise Linux starts
radvd by default with the unprivileged user. (CVE-2011-3601)

2) An arbitrary file overwrite flaw was found in radvd's
set_interface_var() function, where it did not check the interface name
(generated by the unprivileged user) and blindly overwrites a filename
with a decimal value by the root process.  If a local attacker could
create symlinks pointing to arbitrary files on the system, they could
overwrite the target file contents.  If only radvd is compromised (e.g.
no local access), the attacker may only overwrite files with specific
names only (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)

3) The radvd daemon would not fail on privsep_init() errors, which could
cause it to run with full root privileges when it should be running as
an unprivileged user. (CVE-2011-3603)

4) A number of buffer overread flaws were found in radvd's process_ra()
function due to numerous missed len() checks. This can lead to memory
reads outside of the stack, resulting in a crash of radvd.
(CVE-2011-3604)

5) A temporary denial of service flaw was found in radvd's process_rs()
function, where it would call mdelay() on the same thread in which it
handled all input.  If ->UnicastOnly were set, an attacker could cause a
flood with ND_ROUTER_SOLICIT and fill the input queue of the daemon.
This would cause a brief outage of approximately MAX_RA_DELAY_TIME / 2 *
sizeof_input_queue when handling new clients, where MAX_RA_DELAY_TIME is
500ms, leading to delays of more than a minute.  Note: this is only the
case in unicast-only mode; there is no denial of service in the (normal,
default) anycast mode. (CVE-2011-3605)
---

Some additional issues fixed in radvd 1.8.2 were determined to have no
obvious security relevance.

For those wanting a patch for review or backports, it is sufficient to
diff 1.8.2 against 1.8.1 - there are no unrelated changes.  SHA-1:

c7e8ac6222099c62519b9893f833440037352971  radvd-1.8.1.tar.gz
9a396ab58216c87308bc86a18864f84aeeba38a9  radvd-1.8.2.tar.gz

We'd like to thank Reuben Hawkins for prompt handling of these issues.
We're also grateful to linux-distros list members who have contributed
to the brief pre-disclosure discussion (5 days).

The linux-distros list is meant for medium severity issues.  Although
some of the radvd issues were high impact, Vasiliy and I felt that risk
probability during the embargo period was low enough that the overall
severity was medium.  Besides Linux distros, FreeBSD and NetBSD were
notified.

Alexander
-----------------------------------------------------------------------
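Added example (my own code, not radvd's and not Reuben Hawkins's fixes): the two input-validation patterns the advisory above calls for. `parse_dns_name()` and `parse_dnssl_option()` read the DNSSL option with an unsigned label length and check every label against the option length before copying, which is the shape of the fix for issues 1 and 4 (a signed `label_len` and missing length checks in `process_ra()`). `ifname_is_safe()` rejects anything that is not a bare interface name before it could be used to build a `/proc/sys` path, the shape of the fix for issue 2 in `set_interface_var()`. The constants `DNSSL_OPT_TYPE`, `MAX_SUFFIX_LEN` and `MAX_IFNAME_LEN`, all function names, and the three sample option buffers are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants assumed for this example (not radvd's own definitions). */
#define DNSSL_OPT_TYPE 31   /* ND_OPT_DNSSL_INFORMATION, RFC 6106 */
#define MAX_SUFFIX_LEN 255  /* longest DNS name we will store */
#define MAX_IFNAME_LEN 16   /* IFNAMSIZ on Linux, NUL included */

/* Decode one DNS wire-format name at buf[off] into out as "label.label".
 * Returns bytes consumed, or -1 if the name is malformed, runs past len
 * (the end of the option) or would not fit in outsz. */
static int parse_dns_name(const uint8_t *buf, size_t len, size_t off,
                          char *out, size_t outsz)
{
    size_t start = off, outlen = 0;
    for (;;) {
        if (off >= len) return -1;                      /* length octet missing */
        unsigned int label_len = buf[off++];            /* unsigned: never negative */
        if (label_len == 0) break;                      /* root label ends the name */
        if (label_len > 63) return -1;                  /* RFC 1035 label limit */
        if (label_len > len - off) return -1;           /* label exceeds the option */
        if (outlen + label_len + 1 >= outsz) return -1; /* suffix buffer would overflow */
        if (outlen > 0) out[outlen++] = '.';
        memcpy(out + outlen, buf + off, label_len);
        outlen += label_len;
        off += label_len;
    }
    out[outlen] = '\0';
    return (int)(off - start);
}

/* Parse a whole DNSSL option: type, length in 8-octet units, reserved,
 * lifetime, one or more names, zero padding.  Returns the number of names
 * stored in names[], or -1 if any field disagrees with optlen. */
int parse_dnssl_option(const uint8_t *opt, size_t optlen,
                       char names[][MAX_SUFFIX_LEN + 1], int maxnames,
                       uint32_t *lifetime)
{
    if (optlen < 16 || optlen % 8 != 0 || opt[0] != DNSSL_OPT_TYPE ||
        (size_t)opt[1] * 8 != optlen)
        return -1;                                      /* header vs. buffer mismatch */
    if (lifetime)
        *lifetime = ((uint32_t)opt[4] << 24) | ((uint32_t)opt[5] << 16) |
                    ((uint32_t)opt[6] << 8) | opt[7];
    size_t off = 8;
    int count = 0;
    while (off < optlen) {
        if (opt[off] == 0) break;                       /* zero padding after the last name */
        if (count >= maxnames) return -1;
        int used = parse_dns_name(opt, optlen, off, names[count], MAX_SUFFIX_LEN + 1);
        if (used < 0) return -1;
        off += (size_t)used;
        count++;
    }
    return count > 0 ? count : -1;                      /* RFC 6106 requires a name */
}

/* An interface name handed to the privileged process must be a bare name,
 * never a path fragment: reject separators, "." and "..", control and
 * non-ASCII bytes, and anything that does not fit in IFNAMSIZ. */
int ifname_is_safe(const char *name)
{
    size_t n = 0;
    while (n < MAX_IFNAME_LEN && name[n] != '\0') n++;
    if (n == 0 || n >= MAX_IFNAME_LEN) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c <= 0x20 || c >= 0x7f) return 0;
    }
    return 1;
}

/* Constructed sample options (not captured traffic). */
const uint8_t dnssl_good[32] = {
    31, 4, 0, 0, 0, 0, 0x0e, 0x10,                      /* lifetime 3600 s */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,  /* example.com */
    4, 'c','o','r','p', 4, 't','e','s','t', 0 };        /* corp.test */
const uint8_t dnssl_bad_label[16] = {                   /* 0x80 is -128 via a signed char */
    31, 2, 0, 0, 0, 0, 0, 0, 0x80, 'a','b','c','d','e','f','g' };
const uint8_t dnssl_overread[16] = {                    /* label claims 12 octets, 7 remain */
    31, 2, 0, 0, 0, 0, 0, 0, 12, 'e','x','a','m','p','l','e' };

static char demo_names[4][MAX_SUFFIX_LEN + 1];
static uint32_t demo_lifetime;
int demo_parse(const uint8_t *opt, size_t optlen)
{ return parse_dnssl_option(opt, optlen, demo_names, 4, &demo_lifetime); }
const char *demo_name(int i) { return demo_names[i]; }
uint32_t demo_last_lifetime(void) { return demo_lifetime; }

int main(void)
{
    int n = demo_parse(dnssl_good, sizeof dnssl_good);
    unsigned lt = (unsigned)demo_last_lifetime();
    for (int i = 0; i < n; i++) printf("search domain: %s\n", demo_name(i));
    printf("lifetime %u; bad label: %d; overread: %d; '../x' safe: %d\n", lt,
           demo_parse(dnssl_bad_label, 16), demo_parse(dnssl_overread, 16),
           ifname_is_safe("../x"));
    return 0;
}
```

The parser treats the option length from the packet header as untrusted and compares it against the number of bytes actually received before believing any inner field; a DNSSL option whose header claims more than was read is rejected outright rather than parsed as far as the buffer goes. Note that the example validates only the name syntax, not the privilege separation itself; the advisory's issue 3 (treat a failed `privsep_init()` as fatal) is a separate check in the daemon's startup path.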
Comment 8 Matthias Weckbecker 2011-10-07 09:04:50 UTC
radvd runs as user 'daemon' on SLES-10-SP4, SLES-10-SP3 and SLE-11-SP1. Maybe we should have a dedicated user instead?
Also I think you will be able to easily see issue #3 in action if you do

g226:~ # rcradvd start
Starting router advertisement daemon[Sep 15 12:14:10] radvd: ioctl(SIOCGIFADDR) failed for ppp0: No such device
[Sep 15 12:14:10] radvd: interface ppp0 has no IPv4 addresses, disabling 6to4 prefix    done
g226:~ # ps aux | grep radvd
root     31033 [...] /usr/sbin/radvd -u daemon <- still running as root?!
daemon   31034 [...] /usr/sbin/radvd -u daemon
g226:~ #

... on a default SLE-11-SP1 installation.
Comment 9 Matthias Weckbecker 2011-10-07 11:20:25 UTC
Small addition: FYI: None of our products shipping radvd are affected by issue #1.
Comment 10 Matthias Weckbecker 2011-10-07 11:31:07 UTC
(Only Factory is affected by #1)
Comment 12 Bernhard Wiedemann 2011-10-19 16:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (721968) was mentioned in
https://build.opensuse.org/request/show/88754 Factory / radvd
Comment 13 Jiri Bohac 2011-10-19 16:51:17 UTC
Submitrequests created for Factory, oS11.4, oS11.3, SLE11-SP2, SLE11-SP1, SLE10-SP4 and SLE10-SP3.

Sorry for the delay.
Comment 14 Bernhard Wiedemann 2011-10-20 10:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (721968) was mentioned in
https://build.opensuse.org/request/show/88822 11.4 / radvd
https://build.opensuse.org/request/show/88825 11.3 / radvd
Comment 15 Jiri Bohac 2011-10-20 10:07:13 UTC
Oops, wrong bug # in some of the changelogs. Fixed now and new submitrequests created.
Comment 16 Marcus Meissner 2011-10-20 15:29:08 UTC
There was no sle11 sp1 radvd submit ... did you forget it?

The sle11 sp2 radvd can just be submitted to sle11 sp1 instead, as there is no radvd fork for sle11 sp2 and it will reuse the sp1 updates.
Comment 17 Jiri Bohac 2011-10-20 16:00:39 UTC
Strange, I think I did exactly that, but I could not find the submitrequest now.
Just tried again, request 15780.
Comment 18 Marcus Meissner 2011-10-21 12:52:46 UTC
We also need sles9 sp3 teradata fixes, as it also included radvd.

(using old autobuild style management)

getpac -r sles9-sp3-teradata radvd
Comment 19 Tony Yuan 2011-10-26 06:16:29 UTC
(In reply to comment #8)
> radvd runs as user 'daemon' on SLES-10-SP4, SLES-10-SP3 and SLE-11-SP1. Maybe
> we should have a dedicated user instead?
> Also I think you will be able to easily see issue #3 in action if you do
> 
> g226:~ # rcradvd start
> Starting router advertisement daemon[Sep 15 12:14:10] radvd: ioctl(SIOCGIFADDR) failed for ppp0: No such device
> [Sep 15 12:14:10] radvd: interface ppp0 has no IPv4 addresses, disabling 6to4 prefix    done
> g226:~ # ps aux | grep radvd
> root     31033 [...] /usr/sbin/radvd -u daemon <- still running as root?!
> daemon   31034 [...] /usr/sbin/radvd -u daemon
> g226:~ #
> 
> ... on a default SLE-11-SP1 installation.

Hi Matthias,

I am testing this patch. The update is radvd-1.1-1.24.2.1 for sle11sp1. After installing the patch I found the daemon was still running as root!

sles11sp1-i386:~ # ps aux |grep radvd
root      5663  0.0  0.0   2064   340 pts/0    S    04:45   0:00 /usr/sbin/radvd -u daemon
daemon    5664  0.0  0.0   2276   480 ?        Ss   04:45   0:00 /usr/sbin/radvd -u daemon
Comment 20 Sebastian Krahmer 2011-10-26 08:15:13 UTC
I think that's ok that one part continues to run as root,
which is the nature of the PrivSep thingie. At the end it needs
some privileged part to set the network interface stuff.

The question is whether it should run as "daemon" or if it isn't
better to run as "radvd" or similar user. Depending on our
policy.

Yet, I could check if it really needs root or some capability would
suffice. But that'd be a future enhancement.
Comment 21 Jiri Bohac 2011-10-27 16:07:09 UTC
So I guess nothing else is currently needed from me?
Re-assigning to security-team again.
Comment 23 Tony Yuan 2011-10-31 09:20:51 UTC
radvd crashes on startup for sle10sp3-x64 and sle10sp4-x64. No problem with 32bit.
Comment 31 Swamp Workflow Management 2011-11-15 10:01:44 UTC
Update released for: radvd, radvd-debuginfo, radvd-debugsource
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 34 Swamp Workflow Management 2011-11-15 13:04:42 UTC
Update released for: radvd, radvd-debuginfo
Products:
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 35 Swamp Workflow Management 2011-11-15 13:18:21 UTC
Update released for: radvd, radvd-debuginfo, radvd-debugsource
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 36 Jiri Bohac 2011-11-15 15:20:30 UTC
submitrequest created for SUSE:SLE-10-SP3:Update:Teradata:Test
Comment 37 Bernhard Wiedemann 2011-11-20 08:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (721968) was mentioned in
https://build.opensuse.org/request/show/92688 Evergreen:11.1 / radvd
Comment 38 Matthias Weckbecker 2011-11-22 12:49:37 UTC
Could you possibly submit a fixed version for sles9-sp3-teradata too, please? Thanks.
Comment 39 Jiri Bohac 2011-11-24 21:06:38 UTC
submitrequest 16412 (done a long time ago, forgot to mention it here, sorry).
Comment 40 Swamp Workflow Management 2011-11-27 19:02:15 UTC
Update released for: radvd, radvd-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 41 Ruediger Oertel 2011-12-01 16:25:04 UTC
Well, ID:16412 was submitted to SLE10-SP3 teradata.
Should I assume this is intended for sles9-sp3-teradata?
(Which would also include an update from 0.7.2 to 0.9?)
Comment 42 Dirk Mueller 2011-12-06 22:32:26 UTC
I don't think so. Jiri, can you backport the fixes to the 0.7.2 sources from sles9?
Comment 43 Marcus Meissner 2011-12-16 15:57:28 UTC
I merged the sles10 patches into the sles9 radvd and submitted it.
Comment 44 Swamp Workflow Management 2011-12-19 13:08:47 UTC
Update released for: radvd
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 45 Marcus Meissner 2011-12-19 14:19:43 UTC
Released all.