-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		 NetBSD Security Advisory 2021-001
		 =================================

Topic:		Predictable ID disclosures in IPv4 and IPv6

Version:	NetBSD-current:		affected 
		NetBSD 9.1:		affected
		NetBSD 8.2:		affected

Severity:	Possible data exfiltration from firewalled or NATed networks

Fixed:		NetBSD-current:		March 9, 2021
		NetBSD-9 branch:	March 9, 2021
		NetBSD-8 branch:	March 9, 2021

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

IP ID randomization was not enabled by default and the randomization
algorithms were not strong enough.

Technical Details
=================

1. IPv4 and IPv6 fragment ids were not randomly generated by default. 
   Furthermore the randomization algorithms were not strong enough.
2. The TCP ISS random generation had an information leak.
3. The IPv6 flow label generation algorithm was not strong enough.

Solutions and Workarounds
=========================

Update the kernel to a fixed version and reboot.

There are pre-built binaries for all architectures and NetBSD versions at:

    https://nycdn.netbsd.org/pub/NetBSD-daily/

For example you can find the standard GENERIC kernel for NetBSD-9/amd64 at:

    https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/kernel/netbsd-GENERIC.gz

The following revisions fix the issues:

src/sys/netinet/in_var.h                        1.99,1.102
src/sys/netinet/ip6.h				1.30
src/sys/netinet/ip_input.c			1.400
src/sys/netinet/tcp_subr.c			1.285,1.286
src/sys/netinet/tcp_timer.c                     1.96
src/sys/netinet6/ip6_id.c			1.20
src/sys/netinet6/ip6_var.h			1.88

The fixed source may be obtained from the NetBSD CVS repository. The
following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:

	ARCH	 with your architecture (from uname -m), and
	KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P sys/netinet sys/netinet6
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

	https://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Amit Klein for reporting these vulnerabilities and Taylor R. Campbell
for fixing them.

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2021-001.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/

Copyright 2021, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJgTNu4AAoJEIkmHhf170n/bA4QAMIqhK0umvnNgu4tKLt1iL+j
plFWJpRmEgFX5DlALvsXrMZtlm3SnQ6OzwjSCmgRRbADtzTBB3t2Jeba1SjOMVa0
OQRtGi3QuD6uc40XnVYZT7kEJL8tgPBkdUBmVFFhVG27Vhyufvs5wa8QvmqWeNBs
rPS0KKB0vonAolChiaxHNIiv5ep0Xgjq9UY1otAf2r84m/lVgT3h+oQBWckN27lz
lG/GzfOm9f1JHQiwqX2dEhKU/XVcoorEcI3RMqYOyKsmnZ/YdUKMt2+12c2OGpX9
4D6YyJPMmDU8fdunCoLn5HngRTddo2sUsOcDcabsw1GCb5CEVfgxV8/G7nypYglI
8tBwTIfVAy7It5F25zsatH7+Im+yGtnAzila1Ape1eJ8NCfOlOhzIA6yc70J2GUK
KiAuVnTzLuRPKsDjgWvBO6RmQc+pDme+Jrgb2Q1i7cTagW2pv9rUluN6GQn/Pmv2
8Djc+r5fHwJH3NjNmItUGbdGk3IjOI7fCEb/Lf1FJFftW3M29NpYzPswlV/auoOM
A07pcHJ2zvR/KAnV3URfZOpba2LgjNeyF4eQ4CADg6/j42Jsz0ujBsv95Ts40lZo
vBL5lTGCJO0xiYYLayQaPQtf/rw76qfA5tj3FacIhuHb9rJAgi3Pch2iJbAKN7tP
b00faeTSn2gmx3yFdTRA
=KCmd
-----END PGP SIGNATURE-----