-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-14:21.routed Security Advisory The FreeBSD Project Topic: routed(8) remote denial of service vulnerability Category: core Module: routed Announced: 2014-10-21 Credits: Hiroki Sato Affects: All supported versions of FreeBSD. Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1) 2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1) 2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10) 2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE) 2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3) 2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13) 2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20) 2014-10-21 20:20:26 UTC (stable/8, 8.4-STABLE) 2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17) CVE Name: CVE-2014-3955 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The routing information protocol (RIP) is an older routing protocol which, while not as capable as more recent protocols such as OSPF and BGP, is sometimes preferred for its simplicity and therefore still used as an interior gateway protocol on smaller networks. Routers in a RIP network periodically broadcast their routing table on all enabled interfaces. Neighboring routers and hosts receive these broadcasts and update their routing tables accordingly. The routed(8) daemon is a RIP implementation for FreeBSD. The rtquery(8) utility can be used to send a RIP query to a router and display the result without updating the routing table. II. Problem Description The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network. III. Impact Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router. IV. Workaround Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP packets with destination port 520 that did not originate on the same subnet as the destination address. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch # fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch.asc # gpg --verify routed.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/routed.patch c) Recompile routed. Execute the following commands as root: # cd /usr/src/sbin/routed # make && make install 4) Restart the affected service To restart the affected service after updating the system, either reboot the system or execute the following command as root: # service routed restart VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r273413 releng/8.4/ r273416 stable/9/ r273412 releng/9.1/ r273415 releng/9.2/ r273415 releng/9.3/ r273415 stable/10/ r272872 releng/10.0/ r273415 releng/10.1/ r273414 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJURsSrAAoJEO1n7NZdz2rneOIQAIXaYGwNAYmVFUqa/YOtxSlQ l1ETThsuHxuDUrlkHD82uZu6yJi+HdGz1R2xBLYlxpwk/4GO3D/IdUZI0w1LgNJs JRHmAikUpCgcMh0QfyoHD9KSp3wPiQJ9Cmp6ajrjsdIdjrNbFwczoaWHHQ1MyRwp kv9OEC7t9rJkZRMuCjrSvGTQVqHFixoZUdJV42a2PNYTyWZmwE33GJ+Zgv/59mPw bzGTTI3RTuj1WUJp4MmYV3Eb8y8SnM6szUs4Wlul/uVGfEI3dXYYo3iAHQNHWpAR sUaqoVI16P5x952I9PbMA/J5wq/Nm2bVwEAsJN9NE/KPMdD1I4QzvyAlNRFCro8S C7qS4a0X75nQ+pehRqPVDdnvJbkxfdgsWP+jwVZ4e0244DQfiKWTKTd+If/cPHa8 T0z1uZ4xE/BQ0DpJiu9r/ndcm5ych6TbIkNXmGI05jQPntvSYQzhyUTEp2Rmq3IX rmre4CHWrTYT7/niTJonieErmtGDe5LrUyP2Odv13euKEsCIbSOPVnDFFhAwsAjJ zu2Tm+BPXh0lXHuq/tQ+L5lWv1uoMi9hkLxh6zhFaX4li15sS5tR+GeBXmd9h2Wp +iT5hvgxfnQPZI3Ey932J20+7LMULlkr2aV2h5NcvroolnQIehj12z0IQBelFsXN wtFPveXqXWUfV8WVNBJ1 =uHh+ -----END PGP SIGNATURE-----