-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-003 ================================= Topic: IPv4 forwarding doesn't consult inbound SPD Version: NetBSD-current: source prior to Feb 26, 2002 NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: not affected NetBSD-1.4.*: not affected (no IPsec support) Severity: packets mistakenly go through VPN gateway Fixed: NetBSD-current: Feb 26, 2002 NetBSD-1.5 branch: Feb 26, 2002 (1.5.3 will include the fix) Abstract ======== There was a bug in the IPv4 forwarding path, and the inbound SPD (security policy database) was not consulted on forwarding. As a result, NetBSD routers configured to be a VPN gateway failed to reject unencrypted packets. The problem affects NetBSD systems with the following configuration only: - - an IPv4 router (forwards IPv4 packet, net.inet.ip.forwarding=1) - - configured as VPN gateway (has tunnel-mode IPsec policy) Technical Details ================= http://online.securityfocus.com/archive/1/259598 Solutions and Workarounds ========================= If your system is affected, you must upgrade your kernel (/netbsd). The following instructions describe how to upgrade your kernel by updating your source tree and rebuilding and installing a new version. * NetBSD-current: Systems running NetBSD-current dated from before 2002-02-25 should be upgraded to NetBSD-current dated 2002-02-26 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): sys/netinet/ip_input.c To update from CVS, re-build, re-install the kernel and reboot: % cd src % cvs update -d -P sys/netinet Then build and install a new kernel. If you are not familiar with this process, documentation is available at: http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel * NetBSD 1.5.1, 1.5.2: Systems running NetBSD 1.5.1 or 1.5.2 sources dated from before 2002-02-25 should be upgraded from NetBSD 1.5.* sources dated 2002-02-26 or later. NetBSD 1.5 is not vulnerable. NetBSD 1.5.3 will include the fix. The following directories need to be updated from the netbsd-1-5 CVS branch: sys/netinet/ip_input.c To update from CVS, re-build, re-install the kernel, and reboot: % cd src % cvs update -d -P sys/netinet Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-003-SPD-1.5.patch To patch: # cd src # patch < /path/to/SA2002-003-SPD-1.5.patch Then build and install a new kernel. If you are not familiar with this process, documentation is available at: http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel Thanks To ========= Greg Troxel and Bill Chiarchiaro Jun-ichiro itojun Hagino for patches, and preparing advisory text. Revision History ================ 2002-03-11 Initial release More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-003.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-003.txt,v 1.5 2002/03/12 16:49:16 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPI4yFD5Ru2/4N2IFAQGd6gP/VrivjrjqlvdAratqXGfv4TDRGHjnYzbh Giptuvn6TiEI/pLx4n9f5zd8BHr+1qITVlm9WNJkHTbnw+nLCQQAGR6Hwv/LwIX2 16Eb+ogWQnRPm8CyF/YzZyFzMMYKAWnI8ZMYVg2yXjNzbA8xtEcJL1vOxpCZYM9/ bJ/EpJ6V6F0= =4VSK -----END PGP SIGNATURE-----