Vulnerability Update: libarchive

Around three months ago, a post was published (mirror) on GitHub's Gist service. In the report, multiple vulnerabilities against portsnap, freebsd-update, bspatch, and libarchive were detailed. To this date, FreeBSD has been silent on official mailing lists. However, Allan Jude talked very briefly about it on BSDNow. FreeBSD is still vulnerable to the portsnap, freebsd-update, bspatch, and libarchive vulnerabilities.

Shortly after HardenedBSD was made aware of the vulnerabilities, Shawn Webb researched how HardenedBSD was affected. Since HardenedBSD has disabled portsnap and freebsd-update by default, HardenedBSD is not vulnerable to the portsnap and freebsd-update vulnerabilities. HardenedBSD does not have supporting infrastructure for portsnap or freebsd-update. The report detailed four vulnerabilities in libarchive, two of which were fixed with FreeBSD's import of libarchive 3.2.1. The other two were fixed by HardenedBSD commits acc5eaecbe4970cfb96d9549fe7dc8ceb4676557 and 6a6ac73ae630927b2dd996df3cd85c8c612c459c. The second commit has potential for fall-out, so additional testing is being performed.

For binary updates to base, HardenedBSD relies on a tool called hbsd-update, which is enabled by default in base. hbsd-update was affected. hbsd-update updates come in a single tarball that contains multiple file within it. Prior to the series of commits fixing hbsd-update, the outer tarball was not validated prior to extraction. Only the inner files were validated by enforcing digital signatures. The libarchive vulnerabilities could allow a malicious third-party to distribute update archives that could place arbitrary files on the filesystem. To address this issue, the hash of the current hbsd-update is published as part of the DNS TXT record. HardenedBSD's DNS entries are signed with DNSSEC, which hbsd-update now verifies. By utilizing DNSSEC, hbsd-update can ensure that not only the version information is valid, but also the hash of the update archive--effectively turning the DNS TXT record into a digital signature for the outer file. Those who publish their own binary updates using hbsd-update-build are advised to do the same.

Due to the new DNSSEC validation feature in hbsd-update, the unbound-host application has been wired into the base build. FreeBSD includes the code for unbound-host; however, it is not wired into the build. Additionally, we now install the DNSSEC root key 257 as part of the hbsd-update trust store. Since DNSSEC key material is routinely rotated, we will maintain the DNSSEC root key pinning in the trust store long-term.

Once FreeBSD has fixed the issues surrounding libarchive, we at HardenedBSD will evaluate using their fixes. We hope FreeBSD will communicate with their community soon regarding the already-public vulnerabilities.