Researchers at Core Security Technologies issued an advisory today on three vulnerabilities affecting the FreeBSD operating system.
FreeBSD is a Unix-like operating system used to power servers, desktops and embedded platforms. According to the advisory from Core Security, several vulnerabilities were spotted in the FreeBSD kernel code that implements the vt console driver, previously known as Newcons, as well as the code that implements Stream Control Transmission Protocol (SCTP) sockets. These issues could enable a local, unprivileged attacker to crash the system, disclose kernel memory containing sensitive information and execute arbitrary code with superuser privileges.
The FreeBSD Project issued fixes for the issues that are available to users who upgrade to FreeBSD 10.1-RELENG or one of the following releases: stable/10, 10.1-STABLE; releng/10.1, 10.1-RELEASE-p5; releng/10.0, 10.0-RELEASE-p17; stable/9, 9.3-STABLE; releng/9.3, 9.3-RELEASE-p9; stable/8, 8.4-STABLE; releng/8.4, 8.4-RELEASE-p23.
The first vulnerability is a sign conversion error in the vt console when handling the VT_WAITACTIVE ioctl message. The issue can be used by a local unprivileged attacker to make the kernel access an array outside of its boundaries, according to Core Security.
“This sign conversion error will make possible for a local attacker to bypass the subsequent boundary check that tries to ensure that i is not greater than VT_MAXWINDOWS before using it as an index to access the vd->vd_windows array,” the advisory notes. “This flaw can be leveraged by a local attacker to make the kernel access the vd->vd_windows array outside of its boundaries.”
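The kind of check the advisory describes can be modeled in user space. This is an added example, not FreeBSD kernel code or code from the Core Security advisory; the value of VT_MAXWINDOWS, the function names and the sample inputs are assumptions made for the model, and no array is actually indexed.

```c
#include <stdio.h>

#define VT_MAXWINDOWS 12   /* assumed value, chosen for this model */

enum verdict { REJECTED, ACCEPTED_IN_RANGE, ACCEPTED_NEGATIVE };

/* Flawed pattern: the caller-supplied unsigned value is stored in a signed
 * int and only the upper bound is tested. Values of 0x80000000 and above
 * become negative on two's-complement compilers, so "i > VT_MAXWINDOWS"
 * is false and the request continues with a negative index. */
static enum verdict flawed_check(unsigned int user_value)
{
    int i = (int)user_value;          /* sign conversion happens here */
    if (i > VT_MAXWINDOWS)
        return REJECTED;
    return i < 0 ? ACCEPTED_NEGATIVE : ACCEPTED_IN_RANGE;
}

/* Hardened pattern: keep the value unsigned, so one comparison covers
 * both ends of the range and no negative index can exist. */
static enum verdict hardened_check(unsigned int user_value)
{
    if (user_value > VT_MAXWINDOWS)
        return REJECTED;
    return ACCEPTED_IN_RANGE;
}

int main(void)
{
    /* Constructed sample inputs around both boundaries. */
    static const unsigned int samples[] = {
        0u, 5u, 12u, 13u, 0x7fffffffu, 0x80000000u, 0xffffffffu
    };
    static const char *names[] = {
        "rejected", "accepted, in range", "accepted, NEGATIVE index"
    };

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("0x%08x  flawed: %-26s hardened: %s\n", samples[k],
               names[flawed_check(samples[k])],
               names[hardened_check(samples[k])]);
    return 0;
}
```

When auditing ioctl handlers for this class of bug, look for a user-controlled value held in a signed type that is compared against an upper limit only.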
The second bug is a memory corruption issue.
“The FreeBSD kernel is prone to a memory corruption vulnerability when setting the SCTP_SS_VALUE SCTP socket option via the setsockopt system call,” according to the Core Security advisory. “This vulnerability can be leveraged by a local unprivileged attacker to corrupt kernel memory with an arbitrary 16-bit value.”
The final issue is a kernel memory disclosure and corruption issue. According to an advisory released by the FreeBSD Project, the SCTP protocol provides reliable, flow-controlled, two-way transmission of data.
“It is a message oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions,” the Project notes. “SCTP allows the user to choose between multiple scheduling algorithms to optimize the sending behavior of SCTP in scenarios with different requirements.”
“Due to insufficient validation of the SCTP stream ID, which serves as an array index, a local unprivileged attacker can read or write 16-bits of kernel memory,” the FreeBSD advisory continues.
