FreeBSD Security Advisory - With certain inputs, iconv may write beyond the end of the output buffer. Depending on the way in which iconv is used, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution. iconv is a libc library function and the nature of possible attacks will depend on the way in which iconv is used by applications or daemons.
e7a88e1043e6911b4f4a63c30931cf6dab2b72238f92b1325a7882b6e52ede1aFreeBSD Security Advisory - While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service. An attacker with the ability to send specially crafted TCP traffic to a victim system can degrade network performance and/or consume excessive CPU by exploiting the inefficiency of traversing the potentially very large RACK linked lists with relatively small bandwidth cost.
85f2ffcf89eae31c9b0babd62b1d66ae80b60a35fc0e3d2f7a258259db7a0affNetflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed _"SACK Panic_," allows a remotely-triggered kernel panic on recent Linux kernels. There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective.
2842c96d7b20ef5dfb0f2ea06c76a1334026b1cbd1953a2b31793af5c8fa3ba7This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.
b7d2e9a938e3bd3e306735ac30c5547fb5873fe1a798d291f7cd437bdee37ad0FreeBSD Security Advisory - On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).
bb1bbf79007ddaee55b83d92fa13bc8a77826384109b261502a3a270db6cf311FreeBSD Security Advisory - Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8) implementations.
d9b765e8617c1094fd1b44bc80bae21176c9518147b96b6da2dc72d5f4fecdd6This Metasploit module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.
f1711c3320d7c4e9f80661d007057fb1b0b673f47fb51ec2968a821bc6aa8991FreeBSD Security Advisory - Insufficient bounds checking in one of the device models provided by bhyve(8) can permit a guest operating system to overwrite memory in the bhyve(8) processing possibly permitting arbitrary code execution. A guest OS using a firmware image can cause the bhyve process to crash, or possibly execute arbitrary code on the host as root.
71b98c82206083a2417dbe32f786c2f87d53bf1da55a9b730d6093f5565c2c24FreeBSD Security Advisory - Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet. A remote attacker could cause the NFS server to crash, resulting in a denial of service, or possibly execute arbitrary code on the server.
10bcc1748ee3a9d625fa8d7384fa8357ec3df2199059cc67ec2a7fe57ef95a19FreeBSD Security Advisory - Insufficient validation was performed in the ELF header parser, and malformed or otherwise invalid ELF binaries were not rejected as they should be. Execution of a malicious ELF binary may result in a kernel crash or may disclose kernel memory.
42a2b3589a9c3b226fa7bfec84d4bf9ef2e34c4d0777d0e1da333fc52d5d9ecbFreeBSD Security Advisory - A researcher has notified us of a DoS attack applicable to another operating system. While FreeBSD may not be vulnerable to that exact attack, we have identified several places where inadequate DoS protection could allow an attacker to consume system resources. It is not necessary that the attacker be able to establish two-way communication to carry out these attacks. These attacks impact both IPv4 and IPv6 fragment reassembly. In the worst case, an attacker could send a stream of crafted fragments with a low packet rate which would consume a substantial amount of CPU. Other attack vectors allow an attacker to send a stream of crafted fragments which could consume a large amount of CPU or all available mbuf clusters on the system. These attacks could temporarily render a system unreachable through network interfaces or temporarily render a system unresponsive. The effects of the attack should clear within 60 seconds after the attack stops.
8b9f6df8636fcf62bb78a92076b061ee35605960add8fc0553f1a51de4f13bbfFreeBSD Security Advisory - When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC flag set, the data field was decrypted first without verifying the MIC. When the dta field was encrypted using RC4, for example, when negotiating TKIP as a pairwise cipher, the unauthenticated but decrypted data was subsequently processed. This opened wpa_supplicant(8) to abuse by decryption and recovery of sensitive information contained in EAPOL-Key messages. All users of the WPA2 TKIP pairwise cipher are vulnerable to information, for example, the group key.
580871e8a4fb8190df6331da035c23fcf242dbb8f22aa1f5688ca63b0ad0891eFreeBSD Security Advisory - On certain Intel 64-bit x86 systems there is a period of time during terminal fault handling where the CPU may use speculative execution to try to load data. The CPU may speculatively access the level 1 data cache (L1D). Data which would otherwise be protected may then be determined by using side channel methods. This issue affects bhyve on FreeBSD/amd64 systems. An attacker executing user code, or kernel code inside of a virtual machine, may be able to read secret data from the kernel or from another virtual machine.
cefb966a54c71660104d771e9b47f0ccf9946572b0b4b5e62764577a14a88866FreeBSD Security Advisory - One of the data structures that holds TCP segments uses an inefficient algorithm to reassemble the data. This causes the CPU time spent on segment processing to grow linearly with the number of segments in the reassembly queue. An attacker who has the ability to send TCP traffic to a victim system can degrade the victim system's network performance and/or consume excessive CPU by exploiting the inefficiency of TCP reassembly handling, with relatively small bandwidth cost.
c38ebf96029330fcfe20e4546481c17410e8a927d521168e9f04bf7102d63302FreeBSD Security Advisory - A subset of Intel processors can allow a local thread to infer data from another thread through a speculative execution side channel when Lazy FPU state restore is used. Any local thread can potentially read FPU state information from other threads running on the host. This could include cryptographic keys when the AES-NI CPU feature is present.
bbc335e62d9fb843edc9e54c223a5d3d9662b7778c54fc3d4e4e9662fe4d3afarldns is an open source lightweight DNS server for linux, netbsd, freebsd, and openbsd. Runs on x86 and x86_64 architectures.
3ef0107cfa51f2818c05a51cce9b22d87404ba178c87f4441cf3b73f5957e175FreeBSD Security Advisory - The MOV SS and POP SS instructions inhibit debug exceptions until the instruction boundary following the next instruction. If that instruction is a system call or similar instruction that transfers control to the operating system, the debug exception will be handled in the kernel context instead of the user context. An authenticated local attacker may be able to read sensitive data in kernel memory, control low-level operating system functions, or may panic the system.
436c2453ffbf42d86b402970ed7a42fbf8c2b6d77a9f356bfdc4d651e22df44fFreeBSD Security Advisory - A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here.
64e40208fb8f828b69a524f8d55fae8ef0a49e50ff59ebe4b5a0f73e1dd0d4dbThis is a note from the FreeBSD team that they were notified of the issue in late December and received a briefing under NDA with the original embargo date of January 9th. Since they received relatively late notice of the issue, their ability to provide fixes is delayed.
6ca4e042704f1c11c5f3b11989e130de889f46523779b326d9cbaf056da654capfSense, a free BSD based open source firewall distribution, versions 2.2.6 and below contain a remote command execution vulnerability post authentication in the _rrd_graph_img.php page. The vulnerability occurs via the graph GET parameter. A non-administrative authenticated attacker can inject arbitrary operating system commands and execute them as the root user. Verified against 2.1.3.
356649d9c2f36292416d035a36aa1b87ba078c2559b4b41b29fff647aca29fbdFreeBSD Security Advisory - Invoking SSL_read()/SSL_write() while in an error state causes data to be passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. Various other issues were addressed.
bb3377d0fb3c1fc7d239e5446ade3da5c43af286b662042e0a558c54cd6d4ed5FreeBSD Security Advisory - A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used.
8e8f49d170cd1b8f44a0c2998b6751ff57fcd2197169fa4e32976845bd0eaf80FreeBSD jail incompletely protects the access to the IPC primitives. The 'allow.sysvipc' setting only affects IPC queues, leaving other IPC objects unprotected, making them reachable system-wide independently of the system configuration. Versions 7.0 through 10.3 are affected. Proof of concept included.
0beaf294618c4baefabc3693cafae6df318872d746e906006697c1f46542cd94FreeBSD setrlimit stack clash proof of concept exploit.
55fb8566c8dcae52540b3d92f7a1228604de1093d9d64e40a1cebbbe5ec1f611FreeBSD FGPE stack clash proof of concept exploit.
2dddaf6810e24694581a3d0559ab7f60f9bdef61855acef6f9cdc6c393b35315
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed