OpenBSD Security Views

Like many readers of the BUGTRAQ mailing list, we believe in full disclosure of security problems. Security information moves very fast in cracker circles. On the other hand, our experience is that coding and releasing of proper security fixes typically requires about an hour of work -- very fast fix turnaround is possible. Thus we think that full disclosure helps the people who really care about security.

Our security auditing team typically has between six and twelve members who continue to search for and fix new security holes. We have been auditing since the summer of 1996. The process we follow to increase security is simply a comprehensive file-by-file analysis of every critical software component. Flaws have been found in just about every area of the system. Entire new classes of security problems have been found during our audit, and often source code which had been audited earlier needs re-auditing with these new flaws in mind. Code often gets audited multiple times, and by multiple people with different auditing skills.

Some members of our security auditing team worked for Secure Networks, the company that made the industry's premier network security scanning software package Ballista (Secure Networks got purchased by Network Associates, Ballista got renamed to Cybercop Scanner, and well...) That company did a lot of security research, and thus fit in well with the OpenBSD stance. OpenBSD passes Ballista's tests with flying colours.

Another facet of our security auditing process is its proactiveness. In most cases we have found that the determination of exploitability is not an issue. During our ongoing auditing process we find many bugs, and endeavor to fix them even though exploitability is not proven. We fix the bug, and we move on to find other bugs to fix. We have fixed many simple and obvious careless programming errors in code and only months later discovered that the problems were in fact exploitable. (Or, more likely someone on BUGTRAQ would report that other operating systems were vulnerable to a `newly discovered problem', and then it would be discovered that OpenBSD had been fixed in a previous release). In other cases we have been saved from full exploitability of complex step-by-step attacks because we had fixed one of the intermediate steps. An example of where we managed such a success is the lpd advisory that Secure Networks put out.

Our proactive auditing process has really paid off. Statements like ``This problem was fixed in OpenBSD about 6 months ago'' have become commonplace in security forums like BUGTRAQ.

The most intense part of our security auditing happened immediately before the OpenBSD 2.0 release and during the 2.0->2.1 transition, over the last third of 1996 and first half of 1997. Thousands (yes, thousands) of security issues were fixed rapidly over this year-long period; bugs like the standard buffer overflows, protocol implementation weaknesses, information gathering, and filesystem races. Hence most of the security problems that we encountered were fixed before our 2.1 release, and then a far smaller number needed fixing for our 2.2 release. We do not find as many problems anymore, it is simply a case of diminishing returns. Recently the security problems we find and fix tend to be significantly more obscure or complicated. Still we will persist for a number of reasons:

• Occasionally we find a simple problem we missed earlier. Doh!
• Security is like an arms race; the best attackers will continue to search for more complicated exploits, so we will too.
• Finding and fixing subtle flaws in complicated software is a lot of fun.

OpenBSD 2.5 Security Advisories

Aug 30, 1999: In cron(8), make sure argv[] is NULL terminated in the fake popen() and run sendmail as the user, not as root. (patch included).
Aug 12, 1999: The procfs and fdescfs filesystems had an overrun in their handling of uio_offset in their readdir() routines. (These filesystems are not enabled by default). (patch included).
• Aug 9, 1999: Stop profiling (see profil(2)) when we execve() a new process. (patch included).
• Aug 6, 1999: Packets that should have been handled by IPsec may be transmitted as cleartext. PF_KEY SA expirations may leak kernel resources. (patch included).
• Aug 5, 1999: In /etc/rc, use mktemp(1) for motd re-writing and change the find(1) to use -execdir (patch included).
• Jul 30, 1999: Do not permit regular users to chflags(2) or fchflags(2) on character or block devices which they may currently be the owner of (patch included).
• Jul 27, 1999: Cause groff(1) to be invoked with the -S flag, when called by nroff(1) (patch included).

OpenBSD 2.4 Security Advisories

These are the OpenBSD 2.4 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.3 advisories listed below are fixed in OpenBSD 2.4.
• Mar 22, 1999: The nfds argument for poll(2) needs to be constrained, to avoid kvm starvation (patch included).
• Mar 21, 1999: A change in TSS handling stops another kernel crash case caused by the crashme program (patch included).
• Feb 25, 1999: An unbounded increment on the nlink value in FFS and EXT2FS filesystems can cause a system crash. (patch included).
• Feb 23, 1999: Yet another buffer overflow existed in ping(8). (patch included).
• Feb 19, 1999: ipintr() had a race in use of the ipq, which could permit an attacker to cause a crash. (patch included).
• Feb 17, 1999: A race condition in the kernel between accept(2) and select(2) could permit an attacker to hang sockets from remote. (patch included).
• Feb 17, 1999: IP fragment assembly can bog the machine excessively and cause problems. (patch included).
• Feb 12, 1999: i386 T_TRCTRAP handling and DDB interacted to possibly cause a crash. (patch included).
• Feb 11, 1999: TCP/IP RST handling was sloppy. (patch included).
• Nov 27, 1998: There is a remotely exploitable problem in bootpd(8). (patch included).
• Nov 19, 1998: There is a possibly locally exploitable problem relating to environment variables in termcap and curses. (patch included).
• Nov 13, 1998: There is a remote machine lockup bug in the TCP decoding kernel. (patch included).

OpenBSD 2.3 Security Advisories

These are the OpenBSD 2.3 advisories -- all these problems are solved in OpenBSD current. Obviously, all the OpenBSD 2.2 advisories listed below are fixed in OpenBSD 2.3.
• Nov 27, 1998: There is a remotely exploitable problem in bootpd(8). (patch included).
• Nov 13, 1998: There is a remote machine lockup bug in the TCP decoding kernel. (patch included).
• Jul 2, 1998: setuid and setgid processes should not be executed with fd slots 0, 1, or 2 free. (patch included).
• August 31, 1998: A benign looking resolver buffer overflow bug was re-introduced accidentally (patches included).
• June 6, 1998: Further problems with the X libraries (patches included).
• June 4, 1998: on non-Intel i386 machines, any user can use pctr(4) to crash the machine.
• May 17, 1998: kill(2) of setuid/setgid target processes too permissive (4th revision patch included).
• May 11, 1998: mmap() permits partial bypassing of immutable and append-only file flags. (patch included).
• May 1, 1998: Buffer overflow in xterm and Xaw (CERT advisory VB-98.04) (patch included).
• May 5, 1998: Incorrect handling of IPSEC packets if IPSEC is enabled (patch included).

OpenBSD 2.2 Security Advisories

These are the OpenBSD 2.2 advisories. All these problems are solved in OpenBSD 2.3. Some of these problems still exist in other operating systems. (The supplied patches are for OpenBSD 2.2; they may or may not work on OpenBSD 2.1).
• May 5, 1998: Incorrect handling of IPSEC packets if IPSEC is enabled (patch included).
• May 1, 1998: Buffer overflow in xterm and Xaw (CERT advisory VB-98.04) (patch included).
• Apr 22, 1998: Buffer overflow in uucpd (patch included).
• Apr 22, 1998: Buffer mismanagement in lprm (patch included).
• Mar 31, 1998: Overflow in ping -R (patch included).
• Mar 30, 1998: Overflow in named fake-iquery (patch included).
• Mar 2, 1998: Accidental NFS filesystem export (patch included).
• Feb 26, 1998: Read-write mmap() flaw. Revision 3 of the patch is available here
• Feb 19, 1998: Sourcerouted Packet Acceptance. A patch is available here.
• Feb 13, 1998: Setuid coredump & Ruserok() flaw (patch included).
• Feb 9, 1998: MIPS ld.so flaw (patch included).
• Dec 10, 1997: Intel P5 f00f lockup (patch included).

OpenBSD 2.1 Security Advisories

These are the OpenBSD 2.1 advisories. All these problems are solved in OpenBSD 2.2. Some of these problems still exist in other operating systems. (If you are running OpenBSD 2.1, we would strongly recommend an upgrade to the newest release, as this patch list only attempts at fixing the most important security problems. In particular, OpenBSD 2.2 fixes numerous localhost security problems. Many of those problems were solved in ways which make it hard for us to provide patches).
• Sep 15, 1997: Deviant Signals (patch included)
• Aug 2, 1997: Rfork() system call flaw (patch included)
• Jun 24, 1997: Procfs flaws (patch included)

OpenBSD 2.0 Security Advisories

These are the OpenBSD 2.0 advisories. All these problems are solved in OpenBSD 2.1. Some of these problems still exist in other operating systems. (If you are running OpenBSD 2.0, we commend you for being there back in the old days!, but you're really missing out if you don't install a new version!)
• April 22, 1997: Predictable IDs in the resolver (patch included)
• Many others... if people can hunt them down, please let me know and we'll put them up here.

Watching our Security Changes

Since we take a proactive stance with security, we are continually finding and fixing new security problems. Not all of these problems get widely reported because (as stated earlier) many of them are not confirmed to be exploitable; many simple bugs we fix do turn out to have security consequences we could not predict. We do not have the time resources to make these changes available in the above format.

Thus there are usually minor security fixes in the current source code beyond the previous major OpenBSD release. We make a limited guarantee that these problems are of minimal impact and unproven exploitability. If we discover that a problem definitely matters for security, patches will show up here VERY quickly.

People who are really concerned with security can do a number of things:

• If you understand security issues, watch our source-changes mailing list and keep an eye out for things which appear security related. Since exploitability is not proven for many of the fixes we make, do not expect the relevant commit message to say "SECURITY FIX!". If a problem is proven and serious, a patch will be available here very shortly after.
• Track our current source code tree, and teach yourself how to do a complete system build from time to time (read /usr/src/Makefile carefully). Users can make the assumption that the current source tree always has stronger security than the previous release. However, building your own system from source code is not trivial; it is nearly 300MB of source code, and problems do occur as we transition between major releases.
• Install a binary snapshot for your architecture, which are made available fairly often. For instance, an i386 snapshot is typically made available weekly.

Other Resources

If you find a new security problem, you can mail it to deraadt@openbsd.org.
If you wish to PGP encode it (but please only do so if privacy is very urgent, since it is inconvenient) use this pgp key.

---

www@openbsd.org
$OpenBSD: security.html,v 1.103 1999/08/31 11:43:41 deraadt Exp $