Source: NetBSD advisory NetBSD-SA-2023-004
Upstream summary: /proc/N/environ was world-readable, enabling anyone to read other processes' environments even across privilege boundaries. This can expose secrets, since the process environment is often used to hold things like secret access keys.
Symptom & Impact
On NetBSD 10.0 hosts that have procfs installed from pkgsrc, operators report behaviour consistent with the NetBSD advisory NetBSD-SA-2023-004 entry: pkg_admin audit flags the installed package as vulnerable, services launched from /etc/rc.d that link against procfs may misbehave or refuse to start after an upgrade, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service restart cycle to a full availability incident when procfs sits on the serving path of a NetBSD server.
Environment & Reproduction
Reproduction targets NetBSD 10.0. Confirm release, kernel, and installed package state:
uname -a
cat /etc/release
sysctl kern.version
sysctl kern.osrelease
pkg_info -e procfs && pkg_info procfs | head -20
pkgin list | wc -l
Trigger the workflow that exposes procfs — vulnerability — patch and remediation guide while collecting:
tail -200 /var/log/messages
tail -200 /var/log/authlog
dmesg | tail -200
# pkgsrc transaction log (location varies; check both):
tail -200 /var/db/pkgin/pkg_install-err.log 2>/dev/null
tail -200 /var/log/pkgsrc.log 2>/dev/null
Root Cause Analysis
Root cause is tracked at NetBSD advisory NetBSD-SA-2023-004. NetBSD pkgsrc-security maintains the pkg-vulnerabilities feed consumed by pkg_admin audit; hosts running a pre-fix build of procfs remain exposed. Correlate audit output with system logs and kernel state to identify the change that introduced the failure mode:
sudo pkg_admin fetch-pkg-vulnerabilities # refresh the audit feed first
sudo pkg_admin audit-pkg procfs # per-package audit
sudo pkg_admin audit # full-system audit
tail -500 /var/log/messages
sysctl kern.lastpid kern.osreldate
# Verify the running base kernel matches the on-disk image:
cksum -a sha256 /netbsd
Quick Triage
Run these checks on NetBSD 10.0 to confirm the failure mode and the current state of procfs:
pkgin search ^procfs$ # confirm pkgin can see it
pkgin show-deps procfs # forward dependencies
pkgin show-rev-deps procfs # reverse dependencies
sudo pkg_admin audit-pkg procfs # audit just this package
tail -100 /var/log/messages
tail -100 /var/log/authlog
dmesg | tail -100
# If procfs ships an rc.d script (script name may differ, e.g.
# bind→named, php→php_fpm, apache→apache), check it:
grep -l procfs /etc/rc.d/* 2>/dev/null
service -e 2>/dev/null | grep -i procfs
# Firewall posture (npf is default in NetBSD 10; ipf still available):
npfctl show 2>/dev/null || ipfstat -hin 2>/dev/null
Step-by-Step Diagnosis
- Refresh the pkgsrc audit feed and run a full system audit.
  sudo pkg_admin fetch-pkg-vulnerabilities
  sudo pkg_admin audit
- Tail live logs while reproducing the issue.
  tail -F /var/log/messages
  tail -F /var/log/authlog
  dmesg | tail -200
- Inspect firewall rules — NetBSD 10 defaults to npf; older deployments may still run ipf.
  npfctl rule "block-in" list 2>/dev/null
  npfctl show 2>/dev/null
  ipfstat -hin 2>/dev/null
  ipfstat -nio 2>/dev/null
- Confirm enabled services in /etc/rc.conf and current daemon state.
  grep -E '=YES' /etc/rc.conf
  service -e 2>/dev/null | grep -i procfs
  sudo service <rc-script-name> status
- Verify the on-disk integrity of the package files for procfs.
  pkg_admin check procfs
  pkg_info -L procfs | xargs -I{} cksum -a sha256 {} 2>/dev/null | head
- Correlate findings with the NetBSD source CVS log and NetBSD advisory NetBSD-SA-2023-004 to pin the change that introduced procfs — vulnerability — patch and remediation guide.
Solution – Primary Fix
Refresh the pkgsrc package index and upgrade procfs (and its dependants) through NetBSD advisory NetBSD-SA-2023-004:
sudo pkgin update
sudo pkgin upgrade procfs # single package
sudo pkgin full-upgrade # whole-system pkgsrc upgrade
sudo pkg_admin fetch-pkg-vulnerabilities
sudo pkg_admin audit-pkg procfs # confirm no remaining audit entry
# If procfs ships an rc.d service, restart it (the rc-script name may differ from pkg name):
# sudo service <rc-script-name> restart
For administrators who build from a local pkgsrc tree:
# Refresh the tree (CVS) or pull a fresh tarball:
cd /usr/pkgsrc && sudo cvs -q update -dP
cd /usr/pkgsrc/<category>/procfs && sudo make replace clean
# Or rebuild + binary package output:
cd /usr/pkgsrc/<category>/procfs && sudo make package-install
For base-system fixes, NetBSD does not ship binary syspatches like OpenBSD. Rebuild from source (CVS or release tarball) or move to a newer build:
# Option A: in-place upgrade via the sysupgrade pkgsrc tool:
sudo pkgin install sysupgrade
sudo sysupgrade auto https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/
# Option B: rebuild from the source tree:
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U tools
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U distribution
cd /usr/src && sudo ./build.sh -O /var/obj -T /var/tools -U install=/
# Option C: fetch a HEAD/release tarball and extract base.tgz over /:
cd /var/tmp && ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/binary/sets/base.tgz
cd / && sudo tar xzpf /var/tmp/base.tgz
Reboot only if the upgrade replaced the kernel (/netbsd) or shared libraries used by long-running daemons.
Solution – Alternative Approaches
If the primary fix is not viable, choose from these alternatives:
- Pin the package on its current version while staging a coordinated rollout. pkgsrc has no first-class “lock”, so document the version and reinstall from a saved binary:
  pkg_info -X procfs > /root/procfs.pin.txt
  # Save the current .tgz from /usr/pkgsrc/packages/All/procfs-<ver>.tgz
  # Refuse pkgin upgrades for this package by removing it from the upgrade plan:
  sudo pkgin -y avoid procfs 2>/dev/null || true
- Roll procfs back to a known-good binary package:
  # 1. List versions available from the configured pkgin repo:
  pkgin search ^procfs$
  # 2. Force-install a specific .tgz from a saved build:
  sudo pkg_add -f /usr/pkgsrc/packages/All/procfs-<older-version>.tgz
  # 3. Or point pkgin at the previous quarterly branch via /usr/pkg/etc/pkgin/repositories.conf
- Switch the pkgin repository between branches by editing /usr/pkg/etc/pkgin/repositories.conf:
  # /usr/pkg/etc/pkgin/repositories.conf
  https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/$arch/$osrelease/All
  # Then:
  sudo pkgin update
  sudo pkgin upgrade procfs
- Build from source against a different pkgsrc branch (quarterly vs. HEAD):
  cd /usr && sudo cvs -d :pserver:[email protected]:/cvsroot checkout -P pkgsrc
  cd /usr/pkgsrc/<category>/procfs && sudo make replace clean clean-depends
- Sandbox the affected service with stricter firewall rules until a fix is verified — npf.conf example:
  # /etc/npf.conf
  block in on $ext_if proto tcp to port procfs_port
  # Reload the ruleset:
  sudo npfctl reload
  sudo npfctl show
- Replace the service with a vendored static build for the interval between exposure detection and full rollout.
Verification & Acceptance Criteria
All of these should pass after the fix:
pkg_info procfs # shows the expected fixed version
sudo pkg_admin audit-pkg procfs # no audit hit for this package
sudo pkg_admin audit # no audit hits anywhere
tail -50 /var/log/messages # no new errors after upgrade
tail -50 /var/log/authlog # no auth anomalies
# If procfs ships an rc.d service, confirm it is running:
# sudo service <rc-script-name> status
# Verify base kernel integrity if the upgrade touched /netbsd:
cksum -a sha256 /netbsd
The original reproduction for procfs — vulnerability — patch and remediation guide must not trigger across two consecutive runs.
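The advisory's actual defect is the mode of /proc/N/environ, so a useful acceptance check is to confirm that no environ entry is readable by every local user. The following shell is an added example, not from the advisory or this page: it filters "mode owner path" lines (the three-column shape NetBSD's stat -f '%Sp %Su %N' prints) and reports entries whose other-read bit is set. The sample lines are constructed; scan_live_procfs, which assumes BSD stat(1) with -f and procfs mounted on /proc, produces the same shape on a live host.

```shell
#!/bin/sh
# Added example, not from the advisory or this page. Classifies procfs
# environ entries by their symbolic mode string and reports the ones that
# any local user can read. The sample input is constructed, not captured.

SAMPLE_STAT_LINES='-r--r--r-- root /proc/1/environ
-r-------- root /proc/2/environ
-r--r--r-- postgres /proc/345/environ
-rw-r----- www /proc/678/environ'

# Reads "mode owner path" lines on stdin; prints "owner path" for each
# entry whose other-read bit is set. In a 10-character symbolic mode
# string, character 8 is the "other" read position.
world_readable_environ() {
    while read -r mode owner path; do
        other_read=$(printf '%s' "$mode" | cut -c8)
        if [ "$other_read" = "r" ]; then
            printf '%s %s\n' "$owner" "$path"
        fi
    done
}

# Same input; just the count, convenient as a one-line daily.local check
# (a non-zero count after the fix means the host is still exposed).
count_world_readable() {
    world_readable_environ | wc -l | tr -d ' '
}

# Live scan for a NetBSD host (assumption: BSD stat(1) with -f and procfs
# mounted on /proc). Not exercised by the constructed sample above.
scan_live_procfs() {
    find /proc -name environ -exec stat -f '%Sp %Su %N' {} + 2>/dev/null |
        world_readable_environ
}

# Demonstration on the constructed sample: prints the two offending entries.
printf '%s\n' "$SAMPLE_STAT_LINES" | world_readable_environ
```

Run scan_live_procfs as an unprivileged user on the patched host; an empty result is the acceptance criterion, and the count form drops neatly into the cron audit described under Prevention.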
Rollback Plan
Capture state before any change:
pkg_info -X > /root/pkg-pre.txt
cp -a /etc/rc.conf /etc/rc.conf.pre-patch
# Snapshot the root filesystem if you are on ZFS:
sudo zfs snapshot rpool/ROOT/netbsd@pre-procfs-patch 2>/dev/null || true
To revert if the upgrade is bad:
# Reinstall the previously saved binary package:
sudo pkg_add -f /usr/pkgsrc/packages/All/procfs-<previous-version>.tgz
# Or roll back via pkgin if a previous version is still in the repo:
sudo pkgin install procfs-<previous-version>
# Restore rc.conf if it was edited:
sudo cp /etc/rc.conf.pre-patch /etc/rc.conf
# Rollback ZFS snapshot (only if you took one above):
sudo zfs rollback rpool/ROOT/netbsd@pre-procfs-patch 2>/dev/null || true
For a base-system / kernel regression, boot the previous kernel from the loader prompt (press 5 at the boot menu, then boot netbsd.old).
Prevention & Hardening
Reduce the chance of this recurring on NetBSD 10.0 hosts running procfs:
- Schedule a daily pkgsrc audit via cron:
  # /etc/daily.local
  pkg_admin fetch-pkg-vulnerabilities
  pkg_admin audit | mail -E -s 'pkgsrc audit' root
- Subscribe to netbsd-announce and pkgsrc-security at mail-index.NetBSD.org and watch the NetBSD Security Advisories index.
- Mirror pkgsrc binary packages locally so production hosts pull from a vetted feed:
  # Bulk-build a private pkgsrc repo (one-time):
  cd /usr/pkgsrc/pkgtools/pbulk && sudo make install clean
  sudo pbulk-build -c /usr/pbulk/etc/pbulk.conf
  # Then publish /usr/pbulk/packages/ behind nginx or rsync.
- Keep sysupgrade installed and dry-run it before scheduled windows:
  sudo pkgin install sysupgrade
  sudo sysupgrade -n auto https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/
- Harden the firewall with npf default-deny and reload after edits:
  # /etc/npf.conf
  $ext_if = "wm0"
  group default {
      block all
      pass in final on $ext_if proto tcp to port { ssh }
      pass out final all
  }
  sudo npfctl reload
  sudo npfctl start
- Monitor file integrity with the NetBSD-shipped veriexec subsystem or with mtree:
  # mtree baseline of critical config dirs:
  sudo mtree -c -K sha256digest -p /etc > /var/db/etc.mtree
  sudo mtree -c -K sha256digest -p /usr/pkg/etc > /var/db/usr-pkg-etc.mtree
  # Verify later:
  sudo mtree -p /etc < /var/db/etc.mtree
  # veriexec (kernel-enforced):
  sudo veriexecgen -o /etc/signatures
  sudo veriexecctl load /etc/signatures
- Verify NetBSD signed sets when applying base-system updates — the project publishes detached signatures alongside base.tgz on nycdn.NetBSD.org:
  # Fetch set + signature, then verify before extracting:
  ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/binary/sets/base.tgz
  ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/netbsd-10/latest/amd64/binary/sets/SHA512
  grep base.tgz SHA512 | cksum -a sha512 -c
Related Errors & Cross-Refs
Issues that commonly surface alongside procfs — vulnerability — patch and remediation guide: mismatched kern.osrelease after a partial userland upgrade, stale shared-library references after a pkgsrc replace, drifted npf rules, and out-of-date pkg-vulnerabilities feeds. Useful triage:
uname -a
sysctl kern.osrelease kern.osreldate
sudo pkg_admin audit
sudo npfctl show
References & Further Reading
Primary reference: NetBSD advisory NetBSD-SA-2023-004. Useful manual pages on NetBSD 10.0:
man pkgin
man pkg_admin
man pkg_info
man rc.conf
man rc.d
man service
man npfctl
man npf.conf
man ipf
man sysupgrade
man veriexec
Other resources: the NetBSD Guide, the NetBSD Security Advisories index, the pkgsrc Guide, and the per-package DESCR + MESSAGE files under /usr/pkgsrc/<category>/procfs/ for notes implicated in procfs — vulnerability — patch and remediation guide.