Researchers at threat intelligence company Norse have identified a serious vulnerability in FreeBSD, the popular Unix-like operating system that’s used on servers, desktop computers and embedded platforms.
The issue is a buffer overflow vulnerability (CVE-2014-8611) affecting the “__sflush()” function in the operating system’s standard I/O library (stdio). The flaw can be leveraged to cause a heap buffer overflow, which could lead to data corruption or arbitrary code execution with the privileges of the calling program.
Adrian Chadd, senior kernel engineer at Norse, and Alfred Perlstein, director of appliance and kernel at Norse, discovered the security hole during the development process of the company’s product line. Chadd and Perlstein also created a patch for the bug, which they sent to the FreeBSD community.
No workaround is available for the vulnerability so FreeBSD users are advised to apply the patch. They can do so by updating the operating system, or through a binary or source code patch.
“Norse appreciates the diligence of our development team, and the assistance of the FreeBSD security team with this process of responsible disclosure,” said Tim O’Brien, director of security threat intelligence for Norse. “Norse is committed to responsible disclosure, and supporting open source software. This is a great example of developers working with and improving an open source project, with full support of their employer. This directly influences our common objective of a safer Internet for everyone.”
FreeBSD was one of the many Unix-like operating systems affected by a vulnerability in the tnftp FTP client that could have been exploited to execute arbitrary commands. The existence of the flaw was reported in late October and FreeBSD released a patch a few days later.