Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Buffer Overflow Vulnerability Found in FreeBSD

Researchers at threat intelligence company Norse have identified a serious vulnerability in FreeBSD, the popular Unix-like operating system that’s used on servers, desktop computers and embedded platforms.

Researchers at threat intelligence company Norse have identified a serious vulnerability in FreeBSD, the popular Unix-like operating system that’s used on servers, desktop computers and embedded platforms.

The issue is a buffer overflow vulnerability (CVE-2014-8611) affecting the “__sflush()” function in the operating system’s standard I/O library (stdio). The flaw can be leveraged to cause a heap buffer overflow, which could lead to data corruption or arbitrary code execution with the privileges of the calling program.

Vulnerability found in FreeBSD“The standard I/O library provides a simple and efficient buffered stream I/O interface. The library writes buffered data when it is full or when the application explicitly request so by calling the fflush(3) function,” the FreeBSD Project wrote in a security advisory. “A programming error in the standard I/O library’s __sflush() function could erroneously adjust the buffered stream’s internal state even when no write actually occurred in the case when write(2) system call returns an error.”

Adrian Chadd, senior kernel engineer at Norse, and Alfred Perlstein, director of appliance and kernel at Norse, discovered the security hole during the development process of the company’s product line. Chadd and Perlstein also created a patch for the bug, which they sent to the FreeBSD community.

No workaround is available for the vulnerability so FreeBSD users are advised to apply the patch. They can do so by updating the operating system, or through a binary or source code patch.

“Norse appreciates the diligence of our development team, and the assistance of the FreeBSD security team with this process of responsible disclosure,” said Tim O’Brien, director of security threat intelligence for Norse. “Norse is committed to responsible disclosure, and supporting open source software. This is a great example of developers working with and improving an open source project, with full support of their employer. This directly influences our common objective of a safer Internet for everyone.”

FreeBSD was one of the many Unix-like operating systems affected by a vulnerability in the tnftp FTP client that could have been exploited to execute arbitrary commands. The existence of the flaw was reported in late October and FreeBSD released a patch a few days later.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.