Researchers at threat intelligence company Norse have identified a serious vulnerability in FreeBSD, the popular Unix-like operating system that’s used on servers, desktop computers and embedded platforms.
The issue is a buffer overflow vulnerability (CVE-2014-8611) affecting the “__sflush()” function in the operating system’s standard I/O library (stdio). The flaw can be leveraged to cause a heap buffer overflow, which could lead to data corruption or arbitrary code execution with the privileges of the calling program.
“The standard I/O library provides a simple and efficient buffered stream I/O interface. The library writes buffered data when it is full or when the application explicitly request so by calling the fflush(3) function,” the FreeBSD Project wrote in a security advisory. “A programming error in the standard I/O library’s __sflush() function could erroneously adjust the buffered stream’s internal state even when no write actually occurred in the case when write(2) system call returns an error.”
Adrian Chadd, senior kernel engineer at Norse, and Alfred Perlstein, director of appliance and kernel at Norse, discovered the security hole during the development process of the company’s product line. Chadd and Perlstein also created a patch for the bug, which they sent to the FreeBSD community.
No workaround is available for the vulnerability so FreeBSD users are advised to apply the patch. They can do so by updating the operating system, or through a binary or source code patch.
“Norse appreciates the diligence of our development team, and the assistance of the FreeBSD security team with this process of responsible disclosure,” said Tim O’Brien, director of security threat intelligence for Norse. “Norse is committed to responsible disclosure, and supporting open source software. This is a great example of developers working with and improving an open source project, with full support of their employer. This directly influences our common objective of a safer Internet for everyone.”
FreeBSD was one of the many Unix-like operating systems affected by a vulnerability in the tnftp FTP client that could have been exploited to execute arbitrary commands. The existence of the flaw was reported in late October and FreeBSD released a patch a few days later.