SecurityWeek

FreeBSD Patches Kernel Security Vulnerabilities

Researchers at Core Security Technologies issued an advisory today on three vulnerabilities affecting the FreeBSD operating system.

FreeBSD is a Unix-like operating system used to power servers, desktops and embedded platforms. According to the advisory from Core Security, several vulnerabilities were spotted in the FreeBSD kernel code that implements the vt console driver, previously known as Newcons, as well as the code that implements Stream Control Transmission Protocol (SCTP) sockets. These issues could enable a local, unprivileged attacker to crash the system, disclose kernel memory containing sensitive information and execute arbitrary code with superuser privileges.

The FreeBSD Project issued fixes for the issues, which are available to users who upgrade to FreeBSD 10.1-RELENG or one of the following branch and release pairs: stable/10, 10.1-STABLE; releng/10.1, 10.1-RELEASE-p5; releng/10.0, 10.0-RELEASE-p17; stable/9, 9.3-STABLE; releng/9.3, 9.3-RELEASE-p9; stable/8, 8.4-STABLE; releng/8.4, 8.4-RELEASE-p23.

The first vulnerability is a sign conversion error in the vt console when handling the VT_WAITACTIVE ioctl message. The issue can be used by a local unprivileged attacker to make the kernel access an array outside of its boundaries, according to Core Security.

“This sign conversion error will make possible for a local attacker to bypass the subsequent boundary check that tries to ensure that i is not greater than VT_MAXWINDOWS before using it as an index to access the vd->vd_windows array,” the advisory notes. “This flaw can be leveraged by a local attacker to make the kernel access the vd->vd_windows array outside of its boundaries.”
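The bug class the advisory describes, shown as an added C illustration (this is not FreeBSD source and not code from the advisory). `MAXWINDOWS`, `windows`, `lookup_flawed` and `lookup_hardened` are hypothetical names, the bound of 12 is a constructed value, and the flawed function only reports the index it would accept instead of using it.

```c
#include <errno.h>
#include <stdio.h>

#define MAXWINDOWS 12            /* constructed bound, stands in for VT_MAXWINDOWS */

static int windows[MAXWINDOWS];  /* stands in for the vd->vd_windows array */

/* Flawed pattern: the caller's unsigned value is stored in a signed int and
 * only the upper bound is tested. A value above INT_MAX becomes negative on
 * common compilers, passes the test, and would index before the array start. */
int lookup_flawed(unsigned int arg, long *index_out)
{
    int i = (int)arg;            /* the sign conversion happens here */

    if (i >= MAXWINDOWS)         /* upper bound only: negative i slips through */
        return EINVAL;
    *index_out = i;              /* report the index rather than dereference it */
    return 0;
}

/* Hardened pattern: keep the index unsigned so a single comparison rejects
 * both "too large" and "would have been negative". */
int lookup_hardened(unsigned int arg, int **slot_out)
{
    if (arg >= MAXWINDOWS)
        return EINVAL;
    *slot_out = &windows[arg];
    return 0;
}

int main(void)
{
    long idx = 0;
    int *slot = NULL;
    unsigned int hostile = 0xFFFFFFFFu;   /* constructed input */

    if (lookup_flawed(hostile, &idx) == 0)
        printf("flawed check accepted index %ld\n", idx);
    if (lookup_hardened(hostile, &slot) == EINVAL)
        printf("hardened check rejected the same input\n");
    return 0;
}
```

The same review rule applies to any index that arrives from user space: keep it in an unsigned type up to the bounds check, or test the lower bound explicitly.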

The second bug is a memory corruption issue.

“The FreeBSD kernel is prone to a memory corruption vulnerability when setting the SCTP_SS_VALUE SCTP socket option via the setsockopt system call,” according to the Core Security advisory. “This vulnerability can be leveraged by a local unprivileged attacker to corrupt kernel memory with an arbitrary 16-bit value.”

The final issue is a kernel memory disclosure and corruption issue. According to an advisory released by the FreeBSD Project, the SCTP protocol provides reliable, flow-controlled, two-way transmission of data.

“It is a message oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions,” the Project notes. “SCTP allows the user to choose between multiple scheduling algorithms to optimize the sending behavior of SCTP in scenarios with different requirements.”

“Due to insufficient validation of the SCTP stream ID, which serves as an array index, a local unprivileged attacker can read or write 16-bits of kernel memory,” the FreeBSD advisory continues.
