Connect with us

Hi, what are you looking for?



Buffer Overflow Vulnerability Found in FreeBSD

Researchers at threat intelligence company Norse have identified a serious vulnerability in FreeBSD, the popular Unix-like operating system that’s used on servers, desktop computers and embedded platforms.

Researchers at threat intelligence company Norse have identified a serious vulnerability in FreeBSD, the popular Unix-like operating system that’s used on servers, desktop computers and embedded platforms.

The issue is a buffer overflow vulnerability (CVE-2014-8611) affecting the “__sflush()” function in the operating system’s standard I/O library (stdio). The flaw can be leveraged to cause a heap buffer overflow, which could lead to data corruption or arbitrary code execution with the privileges of the calling program.

Vulnerability found in FreeBSD“The standard I/O library provides a simple and efficient buffered stream I/O interface. The library writes buffered data when it is full or when the application explicitly request so by calling the fflush(3) function,” the FreeBSD Project wrote in a security advisory. “A programming error in the standard I/O library’s __sflush() function could erroneously adjust the buffered stream’s internal state even when no write actually occurred in the case when write(2) system call returns an error.”

Adrian Chadd, senior kernel engineer at Norse, and Alfred Perlstein, director of appliance and kernel at Norse, discovered the security hole during the development process of the company’s product line. Chadd and Perlstein also created a patch for the bug, which they sent to the FreeBSD community.

No workaround is available for the vulnerability so FreeBSD users are advised to apply the patch. They can do so by updating the operating system, or through a binary or source code patch.

“Norse appreciates the diligence of our development team, and the assistance of the FreeBSD security team with this process of responsible disclosure,” said Tim O’Brien, director of security threat intelligence for Norse. “Norse is committed to responsible disclosure, and supporting open source software. This is a great example of developers working with and improving an open source project, with full support of their employer. This directly influences our common objective of a safer Internet for everyone.”

FreeBSD was one of the many Unix-like operating systems affected by a vulnerability in the tnftp FTP client that could have been exploited to execute arbitrary commands. The existence of the flaw was reported in late October and FreeBSD released a patch a few days later.

Advertisement. Scroll to continue reading.
Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.