Releases: zeek/zeek
v2.6.4
This is a security patch release to address a potential Denial of Service vulnerability:
-
The NTLM analyzer did not properly handle AV Pair sequences
that were either empty or unterminated, resulting in invalid
memory access or heap buffer over-read. The NTLM analyzer
is enabled by default and used in the analysis of SMB,
DCE/RPC, and GSSAPI protocols.Thanks to Chris Hinshaw for reporting the issue.
v2.6.3
This is a security patch release to address potential Denial of Service
vulnerabilities:
-
Null pointer dereference in the RPC analysis code. RPC analyzers
(e.g. MOUNT or NFS) are not enabled in the default configuration. -
Signed integer overflow in BinPAC-generated parser code. The result
of this is Undefined Behavior with respect to the array bounds
checking conditions that BinPAC generates, so it's unpredictable
what an optimizing compiler may actually do under the assumption
that signed integer overlows should never happen. The specific
symptom which lead to finding this issue was with the PE analyzer
causing out-of-memory crashes due to large allocations that were
otherwise prevented when the array bounds checking logic was changed
to prevent any possible signed integer overlow.
v2.6.2
This is a security patch release to address potential Denial of
Service vulnerabilities:
-
Integer type mismatches in BinPAC-generated parser code and Bro
analyzer code may allow for crafted packet data to cause
unintentional code paths in the analysis logic to be taken due to
unsafe integer conversions causing the parser and analysis logic
to each expect different fields to have been parsed. One such
example, reported by Maksim Shudrak, causes the Kerberos analyzer
to dereference a null pointer. CVE-2019-12175 was assigned for
this issue. -
The Kerberos parser allows for several fields to be left
uninitialized, but they were not marked with an &optional attribute
and several usages lacked existence checks. Crafted packet data
could potentially cause an attempt to access such uninitialized
fields, generate a runtime error/exception, and leak memory.
Existence checks and &optional attributes have been added to the
relevent Kerberos fields. -
BinPAC-generated protocol parsers commonly contain fields whose
length is derived from other packet input, and for those that allow
for incremental parsing, BinPAC did not impose a limit on how
large such a field could grow, allowing for remotely-controlled
packet data to cause growth of BinPAC's flowbuffer bounded only
by the numeric limit of an unsigned 64-bit integer, leading
to memory exhaustion. There is now a generalized limit for
how large flowbuffers are allowed to grow, tunable by setting
"BinPAC::flowbuffer_capacity_max".
v2.6.1
Bro 2.6.1 updates the embedded SQLite to version 3.26.0 to address the
"Magellan" remote code execution vulnerability. The stock Bro
configuration/scripts don't use SQLite by default, but custom user
scripts/packages may.
This release also updates Broker to v1.1.2, which includes a minor bug
fix in its Python bindings and improved support for building it as a
static library.
v2.6
New Functionality
-
Bro has switched to using the new Broker library for all its
communication. Broker's API has been completely redesigned (compared
to the version in 2.5), and much of its implementation has been
redone. There's a new script-level "broker" framework that
supersedes the old "communication" framework, which is now
deprecated. All scripts that ship with Bro have been ported to use
Broker. BroControl has likewise been ported to use Broker.For more about the new Broker framework, see
https://www.bro.org/sphinx-git/frameworks/broker.html. There's also
a guide there for porting existing Bro scripts to Broker. For more
about Broker itself, including its API for external applications,
see https://bro-broker.readthedocs.io/en/stableWhen using BroControl, the function of proxies has changed with
Broker. If you are upgrading and have configured more than one proxy
currenty, we recommend going back down to a single proxy node now.
That should be fine unless you are using custom scripts doing
significant data distribution through the new cluster framework.A side effect of the switch to using Broker is that each Bro node now runs
as a single process instead of two. Also, the number of file descriptors
being polled in Bro's main event loop has been reduced (1 per worker
versus 5). This should increase the number of workers one can
use before reaching the common 1024 file descriptor limitation of
"select()". -
Bro now has new "is" and "as" script operators for dynamic
type-checking and casting.-
"v as T" casts a value v into a value of type T, assuming that's
possible (if not, it triggers a runtime error). -
"v is T" returns a boolean indicating whether value v can be
casted into type T (i.e., if true then "v as T" will succeed).
This casting supports three cases currently: (1) a value of
declared type "any" can be casted to its actual underlying type;
(2) Broker values can be casted to their corresponding script
types; and (3) all values can be casted to their declared types
(i.e., a no-op).Example for "any"::
# cat a.bro function check(a: any) { local s: string = "default"; if ( a is string ) s = (a as string); print fmt("s=%s", s); } event bro_init() { check("Foo"); check(1); } # bro a.bro s=Foo s=default
-
-
The existing "switch" statement got extended to now also support switching by
type rather than value. The new syntax supports two type-based versions
of "case":-
"case type T: ...": Take branch if operand can be casted to type T.
-
"case type T as x: ... ": Take branch if operand can be casted
to type T, and make the casted value available through ID "x".
Multiple types can be listed per branch, separated by commas.
However, one cannot mix cases with expressions and types inside a
single switch statement.Example::
function switch_one(v: any) { switch (v) { case type string: print "It's a string!"; break; case type count as c: print "It's a count!", c; break; case type bool, type addr: print "It's a bool or address!"; break; default: print "Something else!"; break; } }
-
-
Bro now comes with a new "configuration framework" that allows
updating script options dynamically at runtime. This functionality
consists of three larger pieces working together:-
Option variables: The new "option" keyword allows variables to be
declared as runtime options. Such variables cannot be changed
using normal assignments. Instead, they can be changed using the
new function "Config::set_value". This function will automatically
apply the change to all nodes in a cluster. Note that options can also
be changed using the new function "Option::set", but this function will
not send the change to any other nodes, so Config::set_value should
typically be used instead of Option::set.Various redef-able constants in the standard Bro scripts have
been converted to runtime options. This change will not affect any
user scripts because the initial value of runtime options can still be
redefined with a "redef" declaration. Example::option testvar = "old value"; redef testvar = "new value";
It is possible to "subscribe" to an option through
"Option::set_change_handler", which will trigger a handler callback
when an option changes. Change handlers can optionally modify
values before they are applied by returning the desired value, or
reject updates by returning the old value. Priorities can be
specified if there are several handlers for one option.Example script::
option testbool: bool = T; function option_changed(ID: string, new_value: bool): bool { print fmt("Value of %s changed from %s to %s", ID, testbool, new_value); return new_value; } event bro_init() { print "Old value", testbool; Option::set_change_handler("testbool", option_changed); Option::set("testbool", F); print "New value", testbool; }
-
Script-level configuration framework: The new script framework
base/framework/config facilitates reading in new option values
from external files at runtime. The format for these files looks
like this::[option name][tab/spaces][new variable value]
Configuration files to read can be specified by adding them to
"Config::config_files".Usage example::
redef Config::config_files += { "/path/to/config.dat" }; module TestConfig; export { option testbool: bool = F; }
The specified file will now be monitored continuously for changes, so
that writing "TestConfig::testbool T" into/path/to/config.dat
will
automatically update the option's value accordingly.The configuration framework creates a
config.log
that shows all
value changes that took place. -
Config reader: Internally, the configuration framework uses a new
type of input reader to read such configuration files into Bro.
The reader uses the option name to look up the type that variable
has, converts the read value to the correct type, and then updates
the option's value. Example script use::type Idx: record { option_name: string; }; type Val: record { option_val: string; }; global currconfig: table[string] of string = table(); event InputConfig::new_value(name: string, source: string, id: string, value: any) { print id, value; } event bro_init() { Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); }
-
-
Support for OCSP and Signed Certificate Timestamp. This adds the
following events and BIFs:-
Events:
- ocsp_request
- ocsp_request_certificate
- ocsp_response_status
- ocsp_response_bytes
- ocsp_response_certificate
- ocsp_extension
- x509_ocsp_ext_signed_certificate_timestamp
- ssl_extension_signed_certificate_timestamp
-
Functions:
- sct_verify
- x509_subject_name_hash
- x509_issuer_name_hash
- x509_spki_hash
-
-
The SSL scripts provide a new hook "ssl_finishing(c: connection)"
to trigger actions after the handshake has concluded. -
New functionality has been added to the TLS parser, adding several
events. These events mostly extract information from the server and client
key exchange messages. The new events are:- ssl_ecdh_server_params
- ssl_dh_server_params
- ssl_server_signature
- ssl_ecdh_client_params
- ssl_dh_client_params
- ssl_rsa_client_pms
Since "ssl_ecdh_server_params" contains more information than the old
"ssl_server_curve" event, "ssl_server_curve" is now marked as deprecated. -
The "ssl_application_data" event was retired and replaced with
"ssl_plaintext_data". -
Some SSL events were changed and now provide additional data. These events
are:- ssl_client_hello
- ssl_server_hello
- ssl_encrypted_data
If you use these events, you can make your scripts work on old and new
versions of Bro by wrapping the event definition in an "@if", for example::@if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) )
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
@else
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
@endif -
Functions for retrieving files by their ID have been added:
- Files::file_exists
- Files::lookup_File
-
New functions in the logging API:
- Log::get_filter_names
- Log::enable_stream
-
HTTP now recognizes and skips upgraded/websocket connections. A new event,
"http_connection_upgrade", is raised in such cases. -
A new hook, HTTP::sqli_policy, may be used to whitelist...