Differences

advisory:2021-02-02-1 [2021/02/02 10:21] – added package versions ynezzadvisory:2021-02-02-1 [2021/02/02 19:44] – [DESCRIPTION] dedeckeh
Line 1: Line 1:
-====== Security Advisory 2021-02-02-wolfSSL heap buffer overflow in RsaPad_PSS (CVE-2020-36177) ======+====== Security Advisory 2021-02-02-netifd and odhcp6c routing loop on IPv6 point to point links (CVE pending) ======
  
 ===== DESCRIPTION ===== ===== DESCRIPTION =====
  
-RsaPad_PSS in wolfcrypt/src/rsa.in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. The issue is marked as critical with CVSS score of 9.8.+In case a link prefix route points to a point-to-point link it can trigger a routing loop if the destination IPv6 address belongs to the prefix and is not a local IPv6 addressIf such a packet is received and not directed to a local IPv6 address it will be routed back to the point-to-point link due to the link prefix route; the upstream ISP router will in its turn route the IPv6 packet back due to the assigned prefix route creating a "ping pong" effect. 
 + 
 +The possible routing loop on point-to-point links (e.g PPP) can happen, when the WAN interface is assigned a globally unique prefix (e.g. 2001:db8:1:0::/64) from which an IPv6 address is picked and installed on the wan interface (e.g. 2001:db8:1:0:5054:ff:feab:d87c/64). 
 + 
 +The prefix route 2001:db8:1::/64 would be present in the routing table which will route any packet with as destination 2001:db8:1::/64 to the WAN interface and would be routed back by the upstream router due to the WAN interface having assigned global unique prefixBesides not installing the prefix route 2001:db8:1::/64 on point-to-point links adding an unreachable route is required to avoid the routing loop.
  
 ===== REQUIREMENTS ===== ===== REQUIREMENTS =====
  
-FIXME+The WAN interface needs to be a point-to-point interface (e.g. PPP) and recevied IPv6 router advertisement messages contains IPv6 prefixes for which the on-link flag is set.
  
 ===== MITIGATIONS ===== ===== MITIGATIONS =====
  
-You need to update the affected libwolfssl package you're using with the command below.+You need to update the affected netifd and odhcp6c packages you're using with the command below.
  
-   opkg update; opkg upgrade libwolfssl+   opkg update; opkg upgrade netifd; sleep 5; opkg upgrade odhcp6c
  
 Then verify, that you're running fixed version. Then verify, that you're running fixed version.
  
-   opkg list-installed libwolfssl+   opkg list-installed netifd 
 +   opkg list-installed odhcp6c
  
 The above command should output following: The above command should output following:
  
-   libwolfssl libwolfssl24 4.6.0-stable-1 - for stable OpenWrt 19.07 release +   netifd 2021-01-09-753c351b-1 - for stable OpenWrt 19.07 release 
-   libwolfssl libwolfssl24 4.6.0-stable-1 - for master/snapshot+   netifd 2021-01-09-c00c8335-1 - for master/snapshot 
 +    
 +   odhcp6c - 2021-01-09-64e1b4e7-16 - for stable OpenWrt 19.07 release 
 +   odhcp6c - 2021-01-09-53f07e90-16 - for master/snapshot
  
 The fix is contained in the following and later versions: The fix is contained in the following and later versions:
- 
-FIXME: 
  
   * OpenWrt 19.07: 2021-01-17 (fixed by [[https://git.openwrt.org/250dbb3a60f334adc31587a3f6f75f2168df7cac|v19.07.6-4-g250dbb3a60f3]] and [[https://git.openwrt.org/9999c87d3a3cf93344be99d314bdd63e2ca782f1|v19.07.6-5-g9999c87d3a3c]])   * OpenWrt 19.07: 2021-01-17 (fixed by [[https://git.openwrt.org/250dbb3a60f334adc31587a3f6f75f2168df7cac|v19.07.6-4-g250dbb3a60f3]] and [[https://git.openwrt.org/9999c87d3a3cf93344be99d314bdd63e2ca782f1|v19.07.6-5-g9999c87d3a3c]])
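Review bot: the new DESCRIPTION text runs two sentence pairs together ("local IPv6 addressIf such a packet" and "global unique prefixBesides not installing"); a period and a space are missing at both joins. In the same hunk, the REQUIREMENTS line has "recevied" for "received", "e.g PPP" for "e.g. PPP", and "messages contains" should read "messages contain". The example prefix is written as 2001:db8:1:0::/64 in one sentence and as 2001:db8:1::/64 in the next; both denote the same /64, so pick one spelling. In the expected-output list the netifd lines ("netifd 2021-01-09-753c351b-1") and the odhcp6c lines ("odhcp6c - 2021-01-09-64e1b4e7-16") use different layouts; opkg list-installed prints "name - version", so the netifd lines should carry the same " - " separator.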
Line 41: Line 47:
 ===== CREDITS ===== ===== CREDITS =====
  
-This issue was found by [[https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26567|libFuzzer's address sanitizer]] in OSS-Fuzz project and fixed by Sean Parkinson from wolfSSL team.+This issue was identified by Xiang Li from [[https://netsec.ccert.edu.cn/|Network and Information Security]] Lab at Tsinghua University and fixed by Hans Dedecker.
  
 ===== REFERENCES ===== ===== REFERENCES =====
  
-  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36177 +==== Development snapshot ==== 
-  * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26567 +  * netifd [[commit>e857b097678d660c1121cd7ab8e753bb864970ab]] 
-  * https://github.com/wolfSSL/wolfssl/commit/63bf5dc56ccbfc12a73b06327361687091a4c6f7 +  * odhcp6c [[commit>430154135106cbea6816a379774fd250a72a7063]] 
-  * https://github.com/wolfSSL/wolfssl/commit/fb2288c46dd4c864b78f00a47a364b96a09a5c0f + 
-  * https://github.com/wolfSSL/wolfssl/pull/3426+==== OpenWrt 19.07 release ==== 
 +  * netifd [[commit>9999c87d3a3cf93344be99d314bdd63e2ca782f1]] 
 +  * odhcp6c [[commit>250dbb3a60f334adc31587a3f6f75f2168df7cac]]
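Review bot: the REFERENCES hunk drops the CVE link while the new title still says "(CVE pending)"; a placeholder entry for the CVE, to be filled in once it is assigned, would keep the section complete. The two "OpenWrt 19.07 release" hashes are the openwrt.git commits already linked in the fix list above, whereas the "Development snapshot" hashes (e857b09... and 4301541...) do not appear anywhere else on the page; stating which repository each hash belongs to (the netifd and odhcp6c project trees versus openwrt.git) would let readers find them without guessing.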
  • Last modified: 2021/02/08 07:00
  • by ynezz