Skip to content

Releases: zeek/zeek

v2.6.4

29 Aug 00:08
Compare
Choose a tag to compare

This is a security patch release to address a potential Denial of Service vulnerability:

  • The NTLM analyzer did not properly handle AV Pair sequences
    that were either empty or unterminated, resulting in invalid
    memory access or heap buffer over-read. The NTLM analyzer
    is enabled by default and used in the analysis of SMB,
    DCE/RPC, and GSSAPI protocols.

    Thanks to Chris Hinshaw for reporting the issue.

v2.6.3

09 Aug 00:41
Compare
Choose a tag to compare

This is a security patch release to address potential Denial of Service
vulnerabilities:

  • Null pointer dereference in the RPC analysis code. RPC analyzers
    (e.g. MOUNT or NFS) are not enabled in the default configuration.

  • Signed integer overflow in BinPAC-generated parser code. The result
    of this is Undefined Behavior with respect to the array bounds
    checking conditions that BinPAC generates, so it's unpredictable
    what an optimizing compiler may actually do under the assumption
    that signed integer overlows should never happen. The specific
    symptom which lead to finding this issue was with the PE analyzer
    causing out-of-memory crashes due to large allocations that were
    otherwise prevented when the array bounds checking logic was changed
    to prevent any possible signed integer overlow.

v2.6.2

30 May 16:23
Compare
Choose a tag to compare

This is a security patch release to address potential Denial of
Service vulnerabilities:

  • Integer type mismatches in BinPAC-generated parser code and Bro
    analyzer code may allow for crafted packet data to cause
    unintentional code paths in the analysis logic to be taken due to
    unsafe integer conversions causing the parser and analysis logic
    to each expect different fields to have been parsed. One such
    example, reported by Maksim Shudrak, causes the Kerberos analyzer
    to dereference a null pointer. CVE-2019-12175 was assigned for
    this issue.

  • The Kerberos parser allows for several fields to be left
    uninitialized, but they were not marked with an &optional attribute
    and several usages lacked existence checks. Crafted packet data
    could potentially cause an attempt to access such uninitialized
    fields, generate a runtime error/exception, and leak memory.
    Existence checks and &optional attributes have been added to the
    relevent Kerberos fields.

  • BinPAC-generated protocol parsers commonly contain fields whose
    length is derived from other packet input, and for those that allow
    for incremental parsing, BinPAC did not impose a limit on how
    large such a field could grow, allowing for remotely-controlled
    packet data to cause growth of BinPAC's flowbuffer bounded only
    by the numeric limit of an unsigned 64-bit integer, leading
    to memory exhaustion. There is now a generalized limit for
    how large flowbuffers are allowed to grow, tunable by setting
    "BinPAC::flowbuffer_capacity_max".

v2.6.1

04 Feb 16:14
Compare
Choose a tag to compare

Bro 2.6.1 updates the embedded SQLite to version 3.26.0 to address the
"Magellan" remote code execution vulnerability. The stock Bro
configuration/scripts don't use SQLite by default, but custom user
scripts/packages may.

This release also updates Broker to v1.1.2, which includes a minor bug
fix in its Python bindings and improved support for building it as a
static library.

v2.6

08 Jul 23:06
Compare
Choose a tag to compare

New Functionality

  • Bro has switched to using the new Broker library for all its
    communication. Broker's API has been completely redesigned (compared
    to the version in 2.5), and much of its implementation has been
    redone. There's a new script-level "broker" framework that
    supersedes the old "communication" framework, which is now
    deprecated. All scripts that ship with Bro have been ported to use
    Broker. BroControl has likewise been ported to use Broker.

    For more about the new Broker framework, see
    https://www.bro.org/sphinx-git/frameworks/broker.html. There's also
    a guide there for porting existing Bro scripts to Broker. For more
    about Broker itself, including its API for external applications,
    see https://bro-broker.readthedocs.io/en/stable

    When using BroControl, the function of proxies has changed with
    Broker. If you are upgrading and have configured more than one proxy
    currenty, we recommend going back down to a single proxy node now.
    That should be fine unless you are using custom scripts doing
    significant data distribution through the new cluster framework.

    A side effect of the switch to using Broker is that each Bro node now runs
    as a single process instead of two. Also, the number of file descriptors
    being polled in Bro's main event loop has been reduced (1 per worker
    versus 5). This should increase the number of workers one can
    use before reaching the common 1024 file descriptor limitation of
    "select()".

  • Bro now has new "is" and "as" script operators for dynamic
    type-checking and casting.

    • "v as T" casts a value v into a value of type T, assuming that's
      possible (if not, it triggers a runtime error).

    • "v is T" returns a boolean indicating whether value v can be
      casted into type T (i.e., if true then "v as T" will succeed).

    This casting supports three cases currently: (1) a value of
    declared type "any" can be casted to its actual underlying type;
    (2) Broker values can be casted to their corresponding script
    types; and (3) all values can be casted to their declared types
    (i.e., a no-op).

    Example for "any"::

      # cat a.bro
      function check(a: any)
          {
          local s: string = "default";
    
          if ( a is string )
              s = (a as string);
    
          print fmt("s=%s", s);
          }
    
      event bro_init()
          {
          check("Foo");
          check(1);
          }
    
      # bro a.bro
      s=Foo
      s=default
    
  • The existing "switch" statement got extended to now also support switching by
    type rather than value. The new syntax supports two type-based versions
    of "case":

    • "case type T: ...": Take branch if operand can be casted to type T.

    • "case type T as x: ... ": Take branch if operand can be casted
      to type T, and make the casted value available through ID "x".

    Multiple types can be listed per branch, separated by commas.
    However, one cannot mix cases with expressions and types inside a
    single switch statement.

    Example::

      function switch_one(v: any)
          {
          switch (v) {
          case type string:
                  print "It's a string!";
                  break;
    
          case type count as c:
                  print "It's a count!", c;
                  break;
    
          case type bool, type addr:
                  print "It's a bool or address!";
                  break;
    
          default:
                  print "Something else!";
                  break;
          }
          }
    
  • Bro now comes with a new "configuration framework" that allows
    updating script options dynamically at runtime. This functionality
    consists of three larger pieces working together:

    • Option variables: The new "option" keyword allows variables to be
      declared as runtime options. Such variables cannot be changed
      using normal assignments. Instead, they can be changed using the
      new function "Config::set_value". This function will automatically
      apply the change to all nodes in a cluster. Note that options can also
      be changed using the new function "Option::set", but this function will
      not send the change to any other nodes, so Config::set_value should
      typically be used instead of Option::set.

      Various redef-able constants in the standard Bro scripts have
      been converted to runtime options. This change will not affect any
      user scripts because the initial value of runtime options can still be
      redefined with a "redef" declaration. Example::

      option testvar = "old value";
      redef testvar = "new value";
      

      It is possible to "subscribe" to an option through
      "Option::set_change_handler", which will trigger a handler callback
      when an option changes. Change handlers can optionally modify
      values before they are applied by returning the desired value, or
      reject updates by returning the old value. Priorities can be
      specified if there are several handlers for one option.

      Example script::

      option testbool: bool = T;
      
      function option_changed(ID: string, new_value: bool): bool
          {
          print fmt("Value of %s changed from %s to %s", ID, testbool, new_value);
          return new_value;
          }
      
      event bro_init()
          {
          print "Old value", testbool;
          Option::set_change_handler("testbool", option_changed);
          Option::set("testbool", F);
          print "New value", testbool;
          }
      
    • Script-level configuration framework: The new script framework
      base/framework/config facilitates reading in new option values
      from external files at runtime. The format for these files looks
      like this::

      [option name][tab/spaces][new variable value]
      

      Configuration files to read can be specified by adding them to
      "Config::config_files".

      Usage example::

      redef Config::config_files += { "/path/to/config.dat" };
      
      module TestConfig;
      
      export {
          option testbool: bool = F;
      }
      

      The specified file will now be monitored continuously for changes, so
      that writing "TestConfig::testbool T" into /path/to/config.dat will
      automatically update the option's value accordingly.

      The configuration framework creates a config.log that shows all
      value changes that took place.

    • Config reader: Internally, the configuration framework uses a new
      type of input reader to read such configuration files into Bro.
      The reader uses the option name to look up the type that variable
      has, converts the read value to the correct type, and then updates
      the option's value. Example script use::

      type Idx: record {
          option_name: string;
      };
      
      type Val: record {
          option_val: string;
      };
      
      global currconfig: table[string] of string = table();
      
      event InputConfig::new_value(name: string, source: string, id: string, value: any)
          {
          print id, value;
          }
      
      event bro_init()
          {
          Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]);
          }
      
  • Support for OCSP and Signed Certificate Timestamp. This adds the
    following events and BIFs:

    • Events:

      • ocsp_request
      • ocsp_request_certificate
      • ocsp_response_status
      • ocsp_response_bytes
      • ocsp_response_certificate
      • ocsp_extension
      • x509_ocsp_ext_signed_certificate_timestamp
      • ssl_extension_signed_certificate_timestamp
    • Functions:

      • sct_verify
      • x509_subject_name_hash
      • x509_issuer_name_hash
      • x509_spki_hash
  • The SSL scripts provide a new hook "ssl_finishing(c: connection)"
    to trigger actions after the handshake has concluded.

  • New functionality has been added to the TLS parser, adding several
    events. These events mostly extract information from the server and client
    key exchange messages. The new events are:

    • ssl_ecdh_server_params
    • ssl_dh_server_params
    • ssl_server_signature
    • ssl_ecdh_client_params
    • ssl_dh_client_params
    • ssl_rsa_client_pms

    Since "ssl_ecdh_server_params" contains more information than the old
    "ssl_server_curve" event, "ssl_server_curve" is now marked as deprecated.

  • The "ssl_application_data" event was retired and replaced with
    "ssl_plaintext_data".

  • Some SSL events were changed and now provide additional data. These events
    are:

    • ssl_client_hello
    • ssl_server_hello
    • ssl_encrypted_data

    If you use these events, you can make your scripts work on old and new
    versions of Bro by wrapping the event definition in an "@if", for example::

    @if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) )
    event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
    @else
    event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
    @endif

  • Functions for retrieving files by their ID have been added:

    • Files::file_exists
    • Files::lookup_File
  • New functions in the logging API:

    • Log::get_filter_names
    • Log::enable_stream
  • HTTP now recognizes and skips upgraded/websocket connections. A new event,
    "http_connection_upgrade", is raised in such cases.

  • A new hook, HTTP::sqli_policy, may be used to whitelist...

Read more