Differences

advisory:2021-02-02-2 [2021/02/02 10:45] – created ynezzadvisory:2021-02-02-2 [2021/02/03 11:35] – [AFFECTED VERSIONS] fix information about 19.07 release ynezz
Line 1: Line 1:
-====== Security Advisory 2021-02-02-netifd and odhcp6c routing loop on IPv6 point to point links ======+====== Security Advisory 2021-02-02-wolfSSL heap buffer overflow in RsaPad_PSS (CVE-2020-36177) ======
  
 ===== DESCRIPTION ===== ===== DESCRIPTION =====
  
-If a link prefix route points to a point-to-point link it can trigger a routing loop if the destination IPv6 address belongs to the prefixIf such a packet is received and not directed to a local IPv6 address it will be routed to the point-to-point link due to the link prefix route; the upstream ISP router will route the IPv6 packet back due to the assigned prefix route creating a "ping pong" effect. +RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. The issue is marked as critical with CVSS score of 9.8.
- +
-The possible routing loop on point-to-point links (e.g PPP) can happen, when the WAN interface is assigned a globally unique prefix (e.g. 2001:db8:1:0::/64) from which an IPv6 address is picked and installed on the wan interface (e.g. 2001:db8:1:0:5054:ff:feab:d87c/64). +
- +
-The prefix route 2001:db8:1::/64 would be present in the routing table which will route any packet with as destination 2001:db8:1::/64 to the WAN interface and would be routed back by the upstream router due to the WAN interface having assigned global unique prefixBesides not installing the prefix route 2001:db8:1::/64 on point-to-point links adding an unreachable route is required to avoid the routing loop.+
  
 ===== REQUIREMENTS ===== ===== REQUIREMENTS =====
  
-The WAN interface needs to be a point-to-point interface (e.g. PPP) and recevied IPv6 router advertisement messages contains IPv6 prefixes for which the on-link flag is set.+FIXME
  
 ===== MITIGATIONS ===== ===== MITIGATIONS =====
  
-You need to update the affected netifd and odhcp6c packages you're using with the command below.+You need to update the affected libwolfssl24 package you're using with the command below.
  
-   opkg update; opkg upgrade netifd; sleep 5; opkg upgrade odhcp6c+   opkg update; opkg upgrade libwolfssl24
  
 Then verify, that you're running fixed version. Then verify, that you're running fixed version.
  
-   opkg list-installed netifd +   opkg list-installed libwolfssl24
-   opkg list-installed odhcp6c+
  
 The above command should output following: The above command should output following:
  
-   netifd 2021-01-09-753c351b-1 - for stable OpenWrt 19.07 release +   libwolfssl24 4.6.0-stable-1 - for stable OpenWrt 19.07 release 
-   netifd 2021-01-09-c00c8335-1 - for master/snapshot +   libwolfssl24 4.6.0-stable-1 - for master/snapshot
-    +
-   odhcp6c - 2021-01-09-64e1b4e7-16 - for stable OpenWrt 19.07 release +
-   odhcp6c - 2021-01-09-53f07e90-16 - for master/snapshot+
  
 The fix is contained in the following and later versions: The fix is contained in the following and later versions:
  
-  * OpenWrt 19.07: 2021-01-17 (fixed by [[https://git.openwrt.org/250dbb3a60f334adc31587a3f6f75f2168df7cac|v19.07.6-4-g250dbb3a60f3]] and [[https://git.openwrt.org/9999c87d3a3cf93344be99d314bdd63e2ca782f1|v19.07.6-5-g9999c87d3a3c]]) +  * OpenWrt 19.07: 2021-02-02 (fixed by [[https://git.openwrt.org/2044c01de8f214c43c6c13dcb538e3730f97a7f8|v19.07.6-11-g2044c01de8f2]]) 
-  * OpenWrt master: 2021-01-09 (fixed by [[https://git.openwrt.org/e857b097678d660c1121cd7ab8e753bb864970ab|reboot-15532-ge857b097678d]] and [[https://git.openwrt.org/430154135106cbea6816a379774fd250a72a7063|reboot-15531-g430154135106]])+  * OpenWrt master: 2021-01-01 (fixed by [[https://git.openwrt.org/ba40da9045f77feb04abe63eb8a92f13f9efe471|reboot-15389-gba40da9045f7]])
  
  
 ===== AFFECTED VERSIONS ===== ===== AFFECTED VERSIONS =====
  
-To our knowledge, OpenWrt version 19.07.0 to 19.07.6 are affected.  The fixed +To our knowledge, OpenWrt snapshot images are affected. OpenWrt stable release 
-packages will be integrated in the upcoming OpenWrt 19.07.7 release.  Older +versions 19.07.0 to 19.07.6 are not affected, because vulnerable **libwolfssl24** 
-versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end+package is not shipped by default in the official firmware images.  Older 
 +versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end 
 of life and not supported any more. of life and not supported any more.
- 
 ===== CREDITS ===== ===== CREDITS =====
  
-This issue was identified by Xiang Li from [[https://netsec.ccert.edu.cn/|Network and Information Security]] Lab at Tsinghua University and fixed by Hans Dedecker.+This issue was found by [[https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26567|libFuzzer's address sanitizer]] in OSS-Fuzz project and fixed by Sean Parkinson from wolfSSL team.
  
 ===== REFERENCES ===== ===== REFERENCES =====
  
-==== Development snapshot ==== +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36177 
-  * netifd [[commit>e857b097678d660c1121cd7ab8e753bb864970ab]] +  * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26567 
-  * odhcp6c [[commit>430154135106cbea6816a379774fd250a72a7063]] +  * https://github.com/wolfSSL/wolfssl/commit/63bf5dc56ccbfc12a73b06327361687091a4c6f7 
- +  * https://github.com/wolfSSL/wolfssl/commit/fb2288c46dd4c864b78f00a47a364b96a09a5c0f 
-==== OpenWrt 19.07 release ==== +  * https://github.com/wolfSSL/wolfssl/pull/3426
-  * netifd [[commit>9999c87d3a3cf93344be99d314bdd63e2ca782f1]] +
-  * odhcp6c [[commit>250dbb3a60f334adc31587a3f6f75f2168df7cac]]+
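Review bot: the REQUIREMENTS section on the new revision is left as a bare "FIXME" while every other section has been filled in; before the advisory is published it should state the precondition under which the issue is reachable, consistent with AFFECTED VERSIONS, namely that the libwolfssl24 package (wolfSSL before 4.6.0) is installed and in use on the device, which on 19.07 only happens when the user added it by hand since it is not shipped in the default images. Relatedly, AFFECTED VERSIONS says releases 19.07.0 to 19.07.6 are not affected, yet MITIGATIONS still lists a 19.07 fix commit and the expected output line "libwolfssl24 4.6.0-stable-1 - for stable OpenWrt 19.07 release"; one sentence saying that 19.07 users who installed libwolfssl24 manually must still upgrade would reconcile the two sections.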
  • Last modified: 2021/02/03 11:38
  • by ynezz