File: [local] / www / security.html (download) (as text)
Revision 1.130, Fri May 26 21:21:46 2000 UTC (24 years ago) by deraadt
Branch: MAIN
Changes since 1.129: +4 -1 lines
semconfig() patch for 2.6
|
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict//EN">
<html>
<head>
<title>OpenBSD Security</title>
<link rev=made href=mailto:www@openbsd.org>
<meta name="resource-type" content="document">
<meta name="description" content="OpenBSD advisories">
<meta name="keywords" content="openbsd,main">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1997,1998 by OpenBSD.">
</head>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#23238E">
<img alt="[OpenBSD]" height=30 width=141 SRC="images/smalltitle.gif">
<p>
<h2><font color=#e00000>Security</font><hr></h2>
<table width="100%">
<tr>
<td colspan="2">
<strong>Index</strong>
</td>
</tr>
<tr>
<td valign="top">
<a href=#goals>Security goals of the Project</a>.<br>
<a href=#disclosure>Full Disclosure policy</a>.<br>
<a href=#process>Source code auditing process</a>.<br>
<a href=#default>"Secure by Default"</a>.<br>
<a href=#crypto>Use of Cryptography</a>.<br>
<p>
<a href=#watching>Watching changes</a>.<br>
<a href=#reporting>Reporting security issues</a>.<br>
<a href=#papers>Further Reading</a><br>
<p>
</td>
<td valign="top">
<a href="#27">For 2.7 security advisories</a>.<br>
<a href="#26">For 2.6 security advisories</a>.<br>
<a href="#25">For 2.5 security advisories</a>.<br>
<a href="#24">For 2.4 security advisories</a>.<br>
<a href="#23">For 2.3 security advisories</a>.<br>
<a href="#22">For 2.2 security advisories</a>.<br>
<a href="#21">For 2.1 security advisories</a>.<br>
<a href="#20">For 2.0 security advisories</a>.<br>
</td>
</tr>
</table>
<hr>
<dl>
<a name=goals></a>
<li><h3><font color=#e00000>Goal</font></h3><p>
OpenBSD believes in strong security. Our aspiration is to be NUMBER
ONE in the industry for security (if we are not already there). Our
open software development model permits us to take a more
uncompromising view towards increased security than Sun, SGI, IBM, HP,
or other vendors are able to. We can make changes the vendors would
not make. Also, since OpenBSD is exported with <a href=crypto.html>
cryptography</a>, we are able to take cryptographic approaches towards
fixing security problems.<p>
<a name=disclosure></a>
<li><h3><font color=#e00000>Full Disclosure</font></h3><p>
Like many readers of the
<a href=http://www.securityfocus.com/bugtraq/archive>
BUGTRAQ mailing list</a>,
we believe in full disclosure of security problems. In the
operating system arena, we were probably the first to embrace
the concept. Many vendors, even of free software, still try
to hide issues from their users.<p>
Security information moves very fast in cracker circles. On the other
hand, our experience is that coding and releasing of proper security
fixes typically requires about an hour of work -- very fast fix
turnaround is possible. Thus we think that full disclosure helps the
people who really care about security.<p>
<a name=process>
<li><h3><font color=#e00000>Audit Process</font></h3><p>
Our security auditing team typically has between six and twelve
members who continue to search for and fix new security holes. We
have been auditing since the summer of 1996. The process we follow to
increase security is simply a comprehensive file-by-file analysis of
every critical software component. We are not so much looking for
security holes, as we are looking for basic software bugs, and if
years later someone discovers a the problem used to be a security
issue, and we fixed it because it was just a bug, well, all the
better. Flaws have been found in just about every area of the system.
Entire new classes of security problems have been found during our
audit, and often source code which had been audited earlier needs
re-auditing with these new flaws in mind. Code often gets audited
multiple times, and by multiple people with different auditing
skills.<p>
Some members of our security auditing team worked for Secure Networks,
the company that made the industry's premier network security scanning
software package Ballista (Secure Networks got purchased by Network
Associates, Ballista got renamed to Cybercop Scanner, and well...)
That company did a lot of security research, and thus fit in well
with the OpenBSD stance. OpenBSD passed Ballista's tests with flying
colours since day 1.<p>
Another facet of our security auditing process is its proactiveness.
In most cases we have found that the determination of exploitability
is not an issue. During our ongoing auditing process we find many
bugs, and endeavor to fix them even though exploitability is not
proven. We fix the bug, and we move on to find other bugs to fix. We
have fixed many simple and obvious careless programming errors in code
and only months later discovered that the problems were in fact
exploitable. (Or, more likely someone on
<a href=http://www.securityfocus.com/bugtraq/archive>BUGTRAQ</a>
would report that other operating systems were vulnerable to a `newly
discovered problem', and then it would be discovered that OpenBSD had
been fixed in a previous release). In other cases we have been saved
from full exploitability of complex step-by-step attacks because we
had fixed one of the intermediate steps. An example of where we
managed such a success is the lpd advisory that Secure Networks put out.
<p>
<li><h3><font color=#e00000>The Reward</font></h3><p>
Our proactive auditing process has really paid off. Statements like
``This problem was fixed in OpenBSD about 6 months ago'' have become
commonplace in security forums like
<a href=http://www.securityfocus.com/bugtraq/archive>BUGTRAQ</a>.<p>
The most intense part of our security auditing happened immediately
before the OpenBSD 2.0 release and during the 2.0->2.1 transition,
over the last third of 1996 and first half of 1997. Thousands (yes,
thousands) of security issues were fixed rapidly over this year-long
period; bugs like the standard buffer overflows, protocol
implementation weaknesses, information gathering, and filesystem
races. Hence most of the security problems that we encountered were
fixed before our 2.1 release, and then a far smaller number needed
fixing for our 2.2 release. We do not find as many problems anymore,
it is simply a case of diminishing returns. Recently the security
problems we find and fix tend to be significantly more obscure or
complicated. Still we will persist for a number of reasons:<p>
<ul>
<li>Occasionally we find a simple problem we missed earlier. Doh!
<li>Security is like an arms race; the best attackers will continue
to search for more complicated exploits, so we will too.
<li>Finding and fixing subtle flaws in complicated software is
a lot of fun.
</ul>
<p>
The auditing process is not over yet, and as you can see we continue
to find and fix new security flaws.<p>
<a name=default></a>
<li><h3><font color=#e00000>"Secure by Default"</font></h3><p>
To ensure that novice users of OpenBSD do not need to become security
experts overnight (a viewpoint which other vendors seem to have), we
ship the operating system in a Secure by Default mode. All non-essential
services are disabled. As the user/administrator becomes more familiar
with the system, he will discover that he has to enable daemons and other
parts of the system. During the process of learning how to enable a new
service, the novice is more likely to learn of security considerations.<p>
This is in stark contrast to the increasing number of systems that
ship with NFS, mountd, web servers, and various other services enabled
by default, creating instantaneous security problems for their users
within minutes after their first install.<p>
<a name=crypto>
<li><h3><font color=#e00000>Cryptography</font></h3><p>
And of course, since the OpenBSD project is based in Canada, it is possible
for us to integrate cryptography. For more information, read the page
outlining <a href=crypto.html>what we have done with cryptography</a>.</p>
<li><h3><font color=#e00000>Advisories</font></h3><p>
<dl>
<li>
<a name=27></a>
<h3><font color=#e00000>OpenBSD 2.7 Security Advisories</font></h3>
These are the OpenBSD 2.7 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a>. Obviously, all the
OpenBSD 2.6 advisories listed below are fixed in OpenBSD 2.7.
<p>
<ul>
<li><a href=errata.html#bridge>May 26, 2000:
The bridge(4) <i>learning</i> flag may be bypassed.
(patch included)</a>
<li><a href=errata.html#ipf>May 25, 2000:
Improper use of ipf <i>keep-state</i> rules can result
in firewall rules being bypassed. (patch included)</a>
</ul>
<p>
<li>
<a name=26></a>
<h3><font color=#e00000>OpenBSD 2.6 Security Advisories</font></h3>
These are the OpenBSD 2.6 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a>. Obviously, all the
OpenBSD 2.5 advisories listed below are fixed in OpenBSD 2.6.
<p>
<ul>
<li><a href=errata26.html#semconfig>May 26, 2000:
SYSV semaphore support contained an undocumented system call
which could lock out processes from exiting. (patch included)</a>
<li><a href=errata26.html#ipf>May 25, 2000:
Improper use of ipf <i>keep-state</i> rules can result
in firewall rules being bypassed. (patch included)</a>
<li><a href=errata26.html#xlockmore>May 25, 2000:
xlockmore has a bug which a localhost attacker can use to gain
access to the encrypted root password hash (which is normally
encoded using blowfish (see
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3">
crypt(3)</a>)
(patch included).</a>
<li><a href=errata26.html#procfs>Jan 20, 2000:
Systems running with procfs enabled and mounted are
vulnerable to a very tricky exploit. procfs is not
mounted by default.
(patch included).</a>
<li><a href=errata26.html#ifmedia>Nov 9, 1999:
Any user could change interface media configurations, resulting in
a localhost denial of service attack.
(patch included).</a>
<li><a href=errata26.html#sslUSA>Dec 2, 1999:
A buffer overflow in the RSAREF code included in the
USA version of libssl, is possibly exploitable in
httpd, ssh, or isakmpd, if SSL/RSA features are enabled.
(patch included).<br></a>
<strong>Update:</strong> Turns out that this was not exploitable
in any of the software included in OpenBSD 2.6.
<li><a href=errata26.html#sendmail>Dec 4, 1999:
Sendmail permitted any user to cause a aliases file wrap,
thus exposing the system to a race where the aliases file
did not exist.
(patch included).</a>
</ul>
<p>
<li>
<a name=25></a>
<h3><font color=#e00000>OpenBSD 2.5 Security Advisories</font></h3>
These are the OpenBSD 2.5 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a>. Obviously, all the
OpenBSD 2.4 advisories listed below are fixed in OpenBSD 2.5.
<p>
<ul>
<li><a href=errata25.html#cron>Aug 30, 1999:
In cron(8), make sure argv[] is NULL terminated in the
fake popen() and run sendmail as the user, not as root.
(patch included).</a>
<li><a href=errata25.html#miscfs>Aug 12, 1999: The procfs and fdescfs
filesystems had an overrun in their handling of uio_offset
in their readdir() routines. (These filesystems are not
enabled by default). (patch included).</a>
<li><a href=errata25.html#profil>Aug 9, 1999: Stop profiling (see profil(2))
when we execve() a new process. (patch included).</a>
<li><a href=errata25.html#ipsec_in_use>Aug 6, 1999: Packets that should have
been handled by IPsec may be transmitted as cleartext.
PF_KEY SA expirations may leak kernel resources.
(patch included).</a>
<li><a href=errata25.html#rc>Aug 5, 1999: In /etc/rc, use mktemp(1) for
motd re-writing and change the find(1) to use -execdir
(patch included).</a>
<li><a href=errata25.html#chflags>Jul 30, 1999: Do not permit regular
users to chflags(2) or fchflags(2) on character or block devices
which they may currently be the owner of (patch included).</a>
<li><a href=errata25.html#nroff>Jul 27, 1999: Cause groff(1) to be invoked
with the -S flag, when called by nroff(1) (patch included).</a>
</ul>
<p>
<li>
<a name=24></a>
<h3><font color=#e00000>OpenBSD 2.4 Security Advisories</font></h3>
These are the OpenBSD 2.4 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a>. Obviously, all the
OpenBSD 2.3 advisories listed below are fixed in OpenBSD 2.4.
<p>
<ul>
<li><a href=errata24.html#poll>Mar 22, 1999: The nfds argument for poll(2) needs
to be constrained, to avoid kvm starvation (patch included).</a>
<li><a href=errata24.html#tss>Mar 21, 1999: A change in TSS handling stops
another kernel crash case caused by the <strong>crashme</strong>
program (patch included).</a>
<li><a href=errata24.html#nlink>Feb 25, 1999: An unbounded increment on the
nlink value in FFS and EXT2FS filesystems can cause a system crash.
(patch included).</a>
<li><a href=errata24.html#ping>Feb 23, 1999: Yet another buffer overflow
existed in ping(8). (patch included).</a>
<li><a href=errata24.html#ipqrace>Feb 19, 1999: ipintr() had a race in use of
the ipq, which could permit an attacker to cause a crash.
(patch included).</a>
<li><a href=errata24.html#accept>Feb 17, 1999: A race condition in the
kernel between accept(2) and select(2) could permit an attacker
to hang sockets from remote.
(patch included).</a>
<li><a href=errata24.html#maxqueue>Feb 17, 1999: IP fragment assembly can
bog the machine excessively and cause problems.
(patch included).</a>
<li><a href=errata24.html#trctrap>Feb 12, 1999: i386 T_TRCTRAP handling and
DDB interacted to possibly cause a crash.
(patch included).</a>
<li><a href=errata24.html#rst>Feb 11, 1999: TCP/IP RST handling was sloppy.
(patch included).</a>
<li><a href=errata24.html#bootpd>Nov 27, 1998: There is a remotely exploitable
problem in bootpd(8). (patch included).</a>
<li><a href=errata24.html#termcap>Nov 19, 1998: There is a possibly locally
exploitable problem relating to environment variables in termcap
and curses. (patch included).</a>
<li><a href=errata24.html#tcpfix>Nov 13, 1998: There is a remote machine lockup
bug in the TCP decoding kernel. (patch included).</a>
</ul>
<p>
<li>
<a name=23></a>
<h3><font color=#e00000>OpenBSD 2.3 Security Advisories</font></h3>
These are the OpenBSD 2.3 advisories -- all these problems are solved
in <a href=anoncvs.html>OpenBSD current</a>. Obviously, all the
OpenBSD 2.2 advisories listed below are fixed in OpenBSD 2.3.
<p>
<ul>
<li><a href=errata23.html#bootpd>Nov 27, 1998: There is a remotely exploitable
problem in bootpd(8). (patch included).</a>
<li><a href=errata23.html#tcpfix>Nov 13, 1998: There is a remote machine lockup
bug in the TCP decoding kernel. (patch included).</a>
<li><a href=errata23.html#fdalloc>Jul 2, 1998: setuid and setgid processes
should not be executed with fd slots 0, 1, or 2 free.
(patch included).</a>
<li><a href=errata23.html#resolver>August 31, 1998: A benign looking resolver buffer overflow bug was re-introduced accidentally (patches included).</a>
<li><a href=errata23.html#xlib>June 6, 1998: Further problems with the X
libraries (patches included).</a>
<li><a href=errata23.html#pctr>June 4, 1998: on non-Intel i386 machines, any user
can use pctr(4) to crash the machine.</a>
<li><a href=errata23.html#kill>May 17, 1998: kill(2) of setuid/setgid target
processes too permissive (4th revision patch included).</a>
<li><a href=errata23.html#immutable>May 11, 1998: mmap() permits partial bypassing
of immutable and append-only file flags. (patch included).</a>
<li><a href=errata23.html#xterm-xaw>May 1, 1998: Buffer overflow in xterm and Xaw
(CERT advisory VB-98.04) (patch included).</a>
<li><a href=errata23.html#ipsec>May 5, 1998: Incorrect handling of IPSEC packets
if IPSEC is enabled (patch included).</a>
</ul>
<p>
<li>
<a name=22></a>
<h3><font color=#e00000>OpenBSD 2.2 Security Advisories</font></h3>
These are the OpenBSD 2.2 advisories. All these problems are solved
in <a href=23.html>OpenBSD 2.3</a>. Some of these problems
still exist in other operating systems. (The supplied patches are for
OpenBSD 2.2; they may or may not work on OpenBSD 2.1).
<p>
<ul>
<li><a href=errata22.html#ipsec>May 5, 1998: Incorrect handling of IPSEC
packets if IPSEC is enabled (patch included).</a>
<li><a href=errata22.html#xterm-xaw>May 1, 1998: Buffer overflow in xterm
and Xaw (CERT advisory VB-98.04) (patch included).</a>
<li><a href=errata22.html#uucpd>Apr 22, 1998: Buffer overflow in uucpd
(patch included).</a>
<li><a href=errata22.html#rmjob>Apr 22, 1998: Buffer mismanagement in lprm
(patch included).</a>
<li><a href=errata22.html#ping>Mar 31, 1998: Overflow in ping -R (patch included).</a>
<li><a href=errata22.html#named>Mar 30, 1998: Overflow in named fake-iquery
(patch included).</a>
<li><a href=errata22.html#mountd>Mar 2, 1998: Accidental NFS filesystem
export (patch included).</a>
<li><a href="advisories/mmap.txt">Feb 26, 1998: Read-write mmap() flaw.</a>
Revision 3 of the patch is available <a href=errata22.html#mmap>here</a>
<li><a href="advisories/sourceroute.txt">Feb 19, 1998: Sourcerouted Packet
Acceptance.</a>
A patch is available <a href=errata22.html#sourceroute>here</a>.
<li><a href=errata22.html#ruserok>Feb 13, 1998: Setuid coredump & Ruserok()
flaw (patch included).</a>
<li><a href=errata22.html#ldso>Feb 9, 1998: MIPS ld.so flaw (patch included).</a>
<li><a href=errata22.html#f00f>Dec 10, 1997: Intel P5 f00f lockup
(patch included).</a>
</ul>
<p>
<li>
<a name=21></a>
<h3><font color=#e00000>OpenBSD 2.1 Security Advisories</font></h3>
These are the OpenBSD 2.1 advisories. All these problems are solved
in <a href=22.html>OpenBSD 2.2</a>. Some of these problems still
exist in other operating systems. (If you are running OpenBSD 2.1, we
would strongly recommend an upgrade to the newest release, as this
patch list only attempts at fixing the most important security
problems. In particular, OpenBSD 2.2 fixes numerous localhost
security problems. Many of those problems were solved in ways which
make it hard for us to provide patches).
<p>
<ul>
<li><a href="advisories/signals.txt">Sep 15, 1997: Deviant Signals (patch included)</a>
<li><a href="advisories/rfork.txt">Aug 2, 1997: Rfork() system call flaw
(patch included)</a>
<li><a href="advisories/procfs.txt">Jun 24, 1997: Procfs flaws (patch included)</a>
</ul>
<p>
<li>
<a name=20></a>
<h3><font color=#e00000>OpenBSD 2.0 Security Advisories</font></h3>
These are the OpenBSD 2.0 advisories. All these problems are solved
in <a href=21.html>OpenBSD 2.1</a>. Some of these problems still
exist in other operating systems. (If you are running OpenBSD 2.0, we
commend you for being there back in the old days!, but you're really
missing out if you don't install a new version!)
<p>
<ul>
<li><a href="advisories/res_random.txt">April 22, 1997: Predictable IDs in the
resolver (patch included)</a>
<li>Many others... if people can hunt them down, please let me know
and we'll put them up here.
</ul>
</dl>
<p>
<a name=watching></a>
<li><h3><font color=#e00000>Watching our Changes</font></h3><p>
Since we take a proactive stance with security, we are continually
finding and fixing new security problems. Not all of these problems
get widely reported because (as stated earlier) many of them are not
confirmed to be exploitable; many simple bugs we fix do turn out to
have security consequences we could not predict. We do not have the
time resources to make these changes available in the above format.<p>
Thus there are usually minor security fixes in the current source code
beyond the previous major OpenBSD release. We make a limited
guarantee that these problems are of minimal impact and unproven
exploitability. If we discover that a problem definitely matters for
security, patches will show up here <strong>VERY</strong> quickly.<p>
People who are really concerned with security can do a number of
things:<p>
<ul>
<li>If you understand security issues, watch our
<a href=mail.html>source-changes mailing list</a> and keep an
eye out for things which appear security related. Since
exploitability is not proven for many of the fixes we make,
do not expect the relevant commit message to say "SECURITY FIX!".
If a problem is proven and serious, a patch will be available
here very shortly after.
<li>Track our current source code tree, and teach yourself how to do a
complete system build from time to time (read /usr/src/Makefile
carefully). Users can make the assumption that the current
source tree always has stronger security than the previous release.
However, building your own system from source code is not trivial;
it is nearly 300MB of source code, and problems do occur as we
transition between major releases.
<li>Install a binary snapshot for your
architecture, which are made available fairly often. For
instance, an i386 snapshot is typically made available weekly.
</ul>
<p>
<a name=reporting>
<li><h3><font color=#e00000>Reporting problems</font></h3><p>
<p> If you find a new security problem, you can mail it to
<a href=mailto:deraadt@openbsd.org>deraadt@openbsd.org</a>.
<br>
If you wish to PGP encode it (but please only do so if privacy is very
urgent, since it is inconvenient) use this <a href="advisories/pgpkey.txt">pgp key</a>.
<p>
<a name=papers></a>
<li><h3><font color=#e00000>Further Reading</font></h3><p>
A number of papers have been written by OpenBSD team members, about security
related changes they have done in OpenBSD. The postscript versions of these
documents are available as follows.<p>
<ul>
<li>A Future-Adaptable Password Scheme.<br>
<a href=events.html#usenix99>Usenix 1999</a>,
by <a href=mailto:provos@openbsd.org>Niels Provos<a/>,
<a href=mailto:dm@openbsd.org>David Mazieres</a>.<br>
<a href=papers/bcrypt-paper.ps>paper</a> and
<a href=papers/bcrypt-slides.ps>slides</a>.
<p>
<li>Cryptography in OpenBSD: An Overview.<br>
<a href=events.html#usenix99>Usenix 1999</a>,
by <a href=mailto:deraadt@openbsd.org>Theo de Raadt</a>,
<a href=mailto:niklas@openbsd.org>Niklas Hallqvist</a>,
<a href=mailto:art@openbsd.org>Artur Grabowski</a>,
<a href=mailto:angelos@openbsd.org>Angelos D. Keromytis</a>,
<a href=mailto:provos@openbsd.org>Niels Provos</a>.<br>
<a href=papers/crypt-paper.ps>paper</a> and
<a href=papers/crypt-slides.ps>slides</a>.
<p>
<li>strlcpy and strlcat -- consistent, safe, string copy and concatenation.<br>
<a href=events.html#usenix99>Usenix 1999</a>,
by <a href=mailto:millert@openbsd.org>Todd C. Miller</a>,
<a href=mailto:deraadt@openbsd.org>Theo de Raadt</a>.<br>
<a href=papers/strlcpy-paper.ps>paper</a> and
<a href=papers/strlcpy-slides.ps>slides</a>.
<p>
<li>Dealing with Public Ethernet Jacks-Switches, Gateways, and Authentication.<br>
<a href=events.html#lisa99>LISA 1999</a>,
by <a href=mailto:beck@openbsd.org>Bob Beck</a>.<br>
<a href=papers/authgw-paper.ps>paper</a> and
<a href=papers/authgw-slides.ps>slides</a>.
<p>
</ul>
</dl>
<hr>
<a href=index.html><img height=24 width=24 src=back.gif border=0 alt=OpenBSD></a>
<a href=mailto:www@openbsd.org>www@openbsd.org</a>
<br>
<small>$OpenBSD: security.html,v 1.130 2000/05/26 21:21:46 deraadt Exp $</small>
</body>
</html>
![[BACK]](/icons/back.gif){kind=icon}
Return to security.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www