Security and NetBSD
Security issues in NetBSD are handled by three groups: the Security Team, the Security Alert Team, and the Security Officer. These groups investigate, document and update code in response to newly reported security issues.
The NetBSD source tree contains several million lines of code written by many different people and organizations with varying styles and quality. Given the rate of change and the amount of human resources available, it is not possible to manually verify every line of code for correctness. To compensate, The NetBSD Foundation uses modern tools and techniques to detect bugs automatically and correct them manually as soon as they appear.
Specifically, the NetBSD source tree is periodically analyzed by two separate code scanners to maintain and improve code quality: Coverity - a commercial code scanner, and Brainy - a private code scanner developed by a NetBSD developer.
Several security features are available in NetBSD, including IPsec, a homegrown firewall (NPF), a file integrity system (Veriexec), a kernel authorization framework (kauth(9)), disk encryption (CGD), among others.
In terms of exploit mitigations, NetBSD supports a good number of modern features: W^X (in both userland and the kernel), Userland ASLR, Kernel ASLR, SMEP, SMAP, and a variety of other internal kernel bug detection features. Support for these mitigations sometimes depends on the capabilities of the hardware.
Some advanced internal bug detection features are enabled only during the development process, because they are too costly from a performance point of view. This allows for good quality assurance during development while avoiding the performance overhead in the stable releases.
Other classic secure network services are available, such as SSH (OpenSSH) and Kerberos 5 (Heimdal). All services default to their most secure settings, and no services are enabled by default for new installations.
To report a security problem in NetBSD, please contact the Security Alert Team: <security-alert@NetBSD.org>.
Sensitive information should be encrypted using PGP with the Security Officer's PGP key. If you have problems downloading the key via https from the CDN, try http from our ftp server, or even old-fashioned ftp.
When serious security problems in NetBSD are discovered and corrected, we issue a security advisory, describing the problem and containing a pointer to the fix. These are announced to our netbsd-announce mailing list and our security-announce mailing list as well as to various other mailing lists and websites. In addition, they are archived on this site as well as provided as an RSS feed.
Security issues are fixed as soon as possible, and the fixes are propagated to the stable branches as fast as possible. However, when a vulnerability is found during a code audit, or when several other issues are likely to be spotted and fixed in the near future, the security team may delay the release of a Security Advisory, so that one unique, comprehensive Security Advisory covering several vulnerabilities can be issued. Communication with vendors and other distributions shipping the same code may also cause these delays.
Advisories for NetBSD releases that are no longer supported can be found in the release archive.
- NetBSD-SA2024-002 OpenSSH CVE-2024-6387 `regreSSHion'
- NetBSD-SA2024-001 Inadequate validation of user-supplied hostname in utmp_update(8)
- NetBSD-SA2023-007 multiple vulnerabilities in ftpd(8)
- NetBSD-SA2023-006 KDC-spoofing in pam_krb5
- NetBSD-SA2023-005 su(1) bypass via pam_ksu(8)
- NetBSD-SA2023-004 procfs environ exposure
- NetBSD-SA2023-003 Structure padding memory disclosures
See the advisory archive for a complete list.
In some cases a security issue will be discovered in NetBSD-current and then be resolved soon after. These issues are often short lived and do not impact any NetBSD releases. In these cases we don't release advisories specifically for NetBSD-current. Users running NetBSD-current are strongly advised to subscribe to the current-users mailing list, and to regularly upgrade their systems.
The NetBSD Packages Collection provides easy source or binary installation of a large number of third-party applications. Users should remember that there can often be bugs in third-party software, and some of these bugs can leave a machine vulnerable to exploitation. To cope with this, NetBSD provides an easy way to audit your installed packages for known vulnerabilities.
The NetBSD pkgsrc Security Team and package maintainers keep a list of known security vulnerabilities in packages which are (or have been) included in pkgsrc. The list is available from the NetBSD FTP site at:
This file is signed with the pkgsrc-security GPG key.
Through pkg_admin, this list can be downloaded automatically, and a security audit of all packages installed on a system can take place.
There are two parts to this workflow. The first part is running pkg_admin fetch-pkg-vulnerabilities, for downloading the list of vulnerabilities from the NetBSD FTP site. The second part is running pkg_admin audit to check if any of your installed packages are vulnerable. If a package is vulnerable, you will see output similar to the following:
Package wireshark-2.0.1 has a denial-of-service vulnerability, see https://www.wireshark.org/security/wnpa-sec-2016-04.html
Users can set up pkg_admin to download the pkg-vulnerabilities file daily, and include a package audit in the daily security script. Details on this are located in the MESSAGE file for pkg_install.
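The matching that pkg_admin audit performs against the pkg-vulnerabilities file, shown as an added example that is not part of this page or of pkg_install itself: a small Python implementation of the file's line format (package pattern, vulnerability type, URL) and of a simplified pkg_install-style version comparison, run over a constructed vulnerability list and a constructed set of installed packages. Only the Wireshark URL is taken from the page; the advisories.example URLs, the other entries and the installed-package list are made up for the example, the PGP armor is a placeholder that the parser merely skips (the real pkg_admin verifies the signature), and pkg_install's csh-style {a,b} alternation in patterns is not implemented.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the pkg-vulnerabilities line format:
#     <package-pattern> <type-of-vulnerability> <url>
# '#' lines are comments. The real file is PGP clear-signed; pkg_admin verifies
# the signature, this toy parser only skips the armor. Only the Wireshark URL is
# real; the advisories.example entries are placeholders.
SAMPLE_VULNS = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

#FORMAT 1.0.0
# package-pattern type-of-vulnerability url
wireshark<2.0.2 denial-of-service https://www.wireshark.org/security/wnpa-sec-2016-04.html
openssl<1.0.2f remote-code-execution https://advisories.example/openssl
curl>=7.20<7.47.1 information-disclosure https://advisories.example/curl
php-5.[0-4].* eol-package https://advisories.example/php-eol
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEnot-a-real-signature
-----END PGP SIGNATURE-----
"""

# Constructed list of installed packages in the name-version form pkg_info(1) prints.
SAMPLE_INSTALLED = ["wireshark-2.0.1", "openssl-1.0.2g", "curl-7.47.1",
                    "php-5.3.29nb2", "vim-8.2.0001"]

# Pre-release modifiers sort before the bare version (simplified pkg_install dewey rules).
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def split_pkg(pkgname):
    """'py-foo-1.2nb3' -> ('py-foo', '1.2nb3'); the version follows the last '-'."""
    base, _, ver = pkgname.rpartition("-")
    return base, ver


def dewey(ver):
    """Version -> (comparable components, nb revision). Numbers compare numerically,
    a lone letter counts as a number (1.0a == 1.0.1), alpha/beta/rc sort before
    the release, and the pkgsrc 'nbN' revision only breaks ties."""
    ver, _, nb = ver.lower().partition("nb")
    key = []
    for tok in re.findall(r"\d+|[a-z]+", ver):
        if tok.isdigit():
            key.append((0, int(tok)))
        elif tok in _MODIFIERS:
            key.append((_MODIFIERS[tok], 0))
        elif len(tok) == 1:
            key.append((0, ord(tok) - ord("a") + 1))
        else:
            key.append((0, 0))  # unknown word: neutral (simplification)
    return key, int(nb) if nb.isdigit() else 0


def vcmp(a, b):
    """-1, 0 or 1 as a is older than, equal to or newer than b; missing trailing
    components count as 0, so 2.0 == 2.0.0 < 2.0.1."""
    ka, na = dewey(a)
    kb, nb = dewey(b)
    n = max(len(ka), len(kb))
    ka += [(0, 0)] * (n - len(ka))
    kb += [(0, 0)] * (n - len(kb))
    if ka != kb:
        return -1 if ka < kb else 1
    return (na > nb) - (na < nb)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}
_DEWEY_PATTERN = re.compile(r"^([^<>]+)((?:(?:<=|<|>=|>)[^<>]+)+)$")
_BOUND = re.compile(r"(<=|<|>=|>)([^<>]+)")


def pattern_matches(pattern, pkgname):
    """'name<ver', 'name>=lo<hi' etc. are relational patterns on the version;
    anything else is a shell glob over the whole name-version string."""
    m = _DEWEY_PATTERN.match(pattern)
    if m is None:
        return fnmatchcase(pkgname, pattern)
    base, ver = split_pkg(pkgname)
    if m.group(1) != base:
        return False
    return all(_OPS[op](vcmp(ver, bound)) for op, bound in _BOUND.findall(m.group(2)))


def parse_vulnerabilities(text):
    """Return (pattern, type, url) triples from pkg-vulnerabilities text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # trailing signature block carries no entries
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries


def audit(installed, vulns):
    """One line per (package, entry) hit, in the wording pkg_admin audit uses."""
    return [f"Package {pkg} has a {vtype} vulnerability, see {url}"
            for pkg in installed
            for pattern, vtype, url in vulns
            if pattern_matches(pattern, pkg)]


if __name__ == "__main__":
    for line in audit(SAMPLE_INSTALLED, parse_vulnerabilities(SAMPLE_VULNS)):
        print(line)
```

Two of the constructed packages are deliberately on the boundary: openssl-1.0.2g is newer than the 1.0.2f bound because a trailing letter counts as a numeric component, and curl-7.47.1 is not reported because the upper bound is exclusive. The php entry shows the other pattern style, a glob over the full name-version string, which also matches the pkgsrc nb2 revision.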
If you believe you have found a security issue for a software package in pkgsrc that is not detected by pkg_admin audit then contact the pkgsrc Security Team. You can encrypt your report using the pkgsrc-security GPG key.