Security and NetBSD
The NetBSD Project adopts the same approach to security as it does to the rest of the system: Solutions and not hacks. Security issues in NetBSD are handled by the NetBSD Security Officer and the NetBSD Security Alert Team. As well as investigating, documenting and updating code in response to newly reported security issues, the team also performs periodic code audits to search for and remove potential security problems.
The NetBSD source tree contains several millions of lines of code written by many different people and organizations with varying styles and quality. Given the rate of change and the amount of human resources available, it is not possible to manually verify every line of code for correctness. To compensate for that the NetBSD Foundation utilizes modern tools and techniques to automatically detect and manually correct bugs as soon as they appear.
Specifically, the NetBSD source tree is periodically analyzed by two separate code scanners to maintain and improve code quality: Coverity - a commercial code scanner, and Brainy - a private code scanner developed by a NetBSD developer.
Several security features are available in NetBSD, including IPsec (for both IPv4 and IPv6), a file integrity system (Veriexec), a kernel authorization framework (kauth(9)), exploit mitigation features (PaX), disk encryption (CGD), and a variety of other internal kernel bug detection features such as KMEM_REDZONE and KMEM_SIZE.
Because high security should not come at the cost of performance and efficiency, not all of these features are enabled by default. For example, some memory integrity systems are available only on DIAGNOSTIC kernels, so that bugs can be detected during the development process and fixed for stable releases, which thereby do not necessarily need such features.
Other classic secure network services are available, such as SSH (OpenSSH) and Kerberos 5 (Heimdal). All services default to their most secure settings, and no services are enabled by default for new installations.
When serious security problems in NetBSD are discovered and corrected, we issue a security advisory, describing the problem and containing a pointer to the fix. These are announced to our netbsd-announce mailing list and our security-announce mailing list as well as to various other mailing lists and websites. In addition, they are archived on this site as well as provided as an RSS feed.
Security issues are fixed as soon as possible, and the fixes are propagated to the stable branches as fast as possible. However, when a vulnerability is found during a code audit, or when several other issues are likely to be spotted and fixed in the near future, the security team may delay the release of a Security Advisory, so that a single, comprehensive Security Advisory covering several vulnerabilities can be issued. Communication with vendors and other distributions shipping the same code may also cause these delays.
See the release archive for a complete list.
- NetBSD-SA2017-003 Weak privilege separation in XEN
- NetBSD-SA2017-002 Several vulnerabilities in ARP
- NetBSD-SA2017-001 Memory leak in connect(2)
- NetBSD-SA2016-006 Race condition in mail.local(8)
- NetBSD-SA2016-005 Potential remote code execution in the bozohttpd CGI handlers
- NetBSD-SA2016-004 Multiple vulnerabilities in the compatibility layers
- NetBSD-SA2016-003 Privilege escalation in calendar(1)
- NetBSD-SA2016-002 BDF file parsing issues in libXfont
- NetBSD-SA2016-001 Multiple vulnerabilities in ntp daemon
- NetBSD-SA2015-009 TCP LAST_ACK state memory exhaustion
- NetBSD-SA2015-008 OpenSSL and TLS protocol vulnerabilities
- NetBSD-SA2015-007 OpenSSL and SSLv3 vulnerabilities
- NetBSD-SA2015-006 OpenSSL and SSLv3 vulnerabilities
- NetBSD-SA2015-005 buffer overflow in libevent (CVE-2014-6272)
- NetBSD-SA2015-004 Two vulnerabilities in the compatibility layers
- NetBSD-SA2015-003 NTPd multiple vulnerabilities (CVE-2014-929[3-6])
- NetBSD-SA2015-002 bind Denial of Service (CVE-2014-8500)
- NetBSD-SA2015-001 Protocol handling issues in X Window System servers
- NetBSD-SA2014-015 OpenSSL and SSLv3 vulnerabilities
- NetBSD-SA2014-014 Multiple vulnerabilities in the mount system call
- NetBSD-SA2014-013 ftp(1) can be made to execute arbitrary commands by a malicious webserver
- NetBSD-SA2014-012 Memory leak in the setsockopt system call
- NetBSD-SA2014-011 User-controlled memory allocation in the modctl system call
- NetBSD-SA2014-010 Multiple vulnerabilities in the compatibility layers
- NetBSD-SA2014-009 Multiple vulnerabilities in the execve system call
- NetBSD-SA2014-008 Multiple OpenSSL vulnerabilities
- NetBSD-SA2014-007 bozohttpd basic http authentication bypass
- NetBSD-SA2014-006 Multiple OpenSSL vulnerabilities
- NetBSD-SA2014-005 libXfont multiple vulnerabilities
- NetBSD-SA2014-004 OpenSSL information disclosure ("heartbleed")
- NetBSD-SA2014-003 posix_spawn unbounded kernel memory allocation
- NetBSD-SA2014-002 ntpd used as DDoS amplifier
- NetBSD-SA2014-001 Stack buffer overflow in libXfont
See the advisory archive for a complete list.
In some cases a security issue will be discovered in NetBSD-current and then be resolved soon after. These issues are often short lived and do not impact any NetBSD releases. In these cases we don't release patches or advisories specifically for NetBSD-current, but instead recommend that you update to a version containing the fixes. See the advisories above for the fix dates. If a security issue is identified that only affects NetBSD-current, the NetBSD Security Officer will send an email to the current-users mailing list detailing the issue and what updates are necessary. Users running NetBSD-current are therefore strongly advised to subscribe to the current-users mailing list so that they are aware of these issues, and they should upgrade their systems often to gain new features as well as to resolve known issues.
The NetBSD Project has two security-related contact points:
To report a security problem in NetBSD, either contact the NetBSD Security Alert Team or send a standard NetBSD problem report, using the send-pr form or the send-pr(1) program on your NetBSD system.
Sensitive information should be encrypted using PGP with the NetBSD Security Officer's PGP key.
The NetBSD Packages Collection provides easy source or binary installation of a large number of third-party applications. Users should remember that there can often be bugs in third-party software, and some of these bugs can leave a machine vulnerable to exploitation. To cope with this, NetBSD provides an easy way to audit your installed packages for known vulnerabilities.
The NetBSD pkgsrc Security Team and package maintainers keep a list of known security vulnerabilities in packages which are (or have been) included in pkgsrc. The list is available from the NetBSD FTP site at:
This file is signed with the pkgsrc-security GPG key.
Through pkg_admin, this list can be downloaded automatically, and a security audit of all packages installed on a system can take place.
There are two parts to this workflow. The first part is running pkg_admin fetch-pkg-vulnerabilities, which downloads the list of vulnerabilities from the NetBSD FTP site. The second part is running pkg_admin audit, which checks whether any of your installed packages are vulnerable. If a package is vulnerable, you will see output similar to the following:
Package wireshark-2.0.1 has a denial-of-service vulnerability, see https://www.wireshark.org/security/wnpa-sec-2016-04.html
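The two-step workflow above is easy to run by hand but awkward to feed into a cron job or a monitoring check. The following script is an added example, not NetBSD's own code: it refreshes the list before auditing (refusing to audit against a stale copy if the fetch fails), turns each one-line finding from pkg_admin audit into a tab-separated row, and exits non-zero when anything is vulnerable. The `audit_host` function and the `SAMPLE_AUDIT_OUTPUT` text are assumptions for illustration; the sample lines are constructed in the shape of the output shown above.

```shell
#!/bin/sh
# Added example (not NetBSD's code): wrap "pkg_admin fetch-pkg-vulnerabilities"
# and "pkg_admin audit" and turn the audit's findings into a TSV report.

# Constructed sample of pkg_admin audit output, used for offline testing only.
SAMPLE_AUDIT_OUTPUT='Package wireshark-2.0.1 has a denial-of-service vulnerability, see https://www.wireshark.org/security/wnpa-sec-2016-04.html
Package examplepkg-1.0 has a remote-code-execution vulnerability, see https://example.invalid/advisory'

# parse_audit_line: split one audit line into "package<TAB>type<TAB>url".
# A line that does not match the expected shape is kept, tagged "unparsed",
# so that an unexpected format is noticed rather than silently dropped.
parse_audit_line() {
    line=$1
    case "$line" in
        "Package "*" has a "*" vulnerability, see "*)
            rest=${line#Package }
            pkg=${rest%% *}                         # package name with version
            rest=${rest#* has a }
            kind=${rest%% vulnerability, see *}     # e.g. denial-of-service
            url=${rest##* vulnerability, see }      # advisory reference
            printf '%s\t%s\t%s\n' "$pkg" "$kind" "$url"
            ;;
        *)
            printf 'unparsed\t-\t%s\n' "$line"
            ;;
    esac
}

# summarize_audit: read audit lines on stdin, emit one TSV row per finding.
summarize_audit() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then parse_audit_line "$line"; fi
    done
}

# count_vulnerable: number of findings in the audit output read from stdin.
count_vulnerable() {
    summarize_audit | wc -l | tr -d ' '
}

# audit_host: refresh the list first; a failed fetch aborts the run so a stale
# list never produces a false "clean" result. Returns 0 only if nothing is
# vulnerable; the audit's own exit status is deliberately not relied on.
audit_host() {
    pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1 || {
        echo "audit aborted: could not refresh the vulnerability list" >&2
        return 2
    }
    out=$(pkg_admin audit 2>&1)
    printf '%s\n' "$out" | summarize_audit
    [ "$(printf '%s\n' "$out" | count_vulnerable)" -eq 0 ]
}
```

Run `audit_host` from cron or a monitoring agent and alert on a non-zero exit; the TSV rows on stdout carry the package, vulnerability type and advisory URL for each finding.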