Researchers at Core Security Technologies issued an advisory today on three vulnerabilities affecting the FreeBSD operating system.
FreeBSD is a Unix-like operating system used to power servers, desktops and embedded platforms. According to the advisory from Core Security, several vulnerabilities were spotted in the FreeBSD kernel code that implements the vt console driver (previously known as Newcons) as well as the code that implements Stream Control Transmission Protocol (SCTP) sockets. These issues could enable a local, unprivileged attacker to crash the system, disclose kernel memory containing sensitive information and execute arbitrary code with superuser privileges.
The FreeBSD Project issued fixes for the issues; they are available to users who upgrade to FreeBSD 10.1-RELENG or to one of the following corrected branches and releases: stable/10 (10.1-STABLE), releng/10.1 (10.1-RELEASE-p5), releng/10.0 (10.0-RELEASE-p17), stable/9 (9.3-STABLE), releng/9.3 (9.3-RELEASE-p9), stable/8 (8.4-STABLE) and releng/8.4 (8.4-RELEASE-p23).
The first vulnerability is a sign conversion error in the vt console when handling the VT_WAITACTIVE ioctl message. The issue can be used by a local unprivileged attacker to make the kernel access an array outside of its boundaries, according to Core Security.
“This sign conversion error will make it possible for a local attacker to bypass the subsequent boundary check that tries to ensure that i is not greater than VT_MAXWINDOWS before using it as an index to access the vd->vd_windows array,” the advisory notes. “This flaw can be leveraged by a local attacker to make the kernel access the vd->vd_windows array outside of its boundaries.”
The second bug is a memory corruption issue.
“The FreeBSD kernel is prone to a memory corruption vulnerability when setting the SCTP_SS_VALUE SCTP socket option via the setsockopt system call,” according to the Core Security advisory. “This vulnerability can be leveraged by a local unprivileged attacker to corrupt kernel memory with an arbitrary 16-bit value.”
The final issue is a kernel memory disclosure and corruption issue. According to an advisory released by the FreeBSD Project, the SCTP protocol provides reliable, flow-controlled, two-way transmission of data.
“It is a message-oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions,” the Project notes. “SCTP allows the user to choose between multiple scheduling algorithms to optimize the sending behavior of SCTP in scenarios with different requirements.”
“Due to insufficient validation of the SCTP stream ID, which serves as an array index, a local unprivileged attacker can read or write 16 bits of kernel memory,” the FreeBSD advisory continues.
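Both the vt sign-conversion flaw quoted above and the SCTP stream ID flaw come down to the same mistake: a value supplied by an unprivileged caller is used as an array index without a complete bounds check. The C program below is an added illustration written for this article, not code from the Core Security advisory, the FreeBSD advisory or the FreeBSD source tree. The table sizes, the `windows` and `stream_values` tables and every function name are hypothetical, and the flawed check only models the pattern the advisory describes (a signed comparison against an upper bound), placed next to the check a reviewer should expect to see instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sizes for this illustration; not FreeBSD's definitions. */
#define VT_MAXWINDOWS    12   /* slots in the hypothetical window table  */
#define SCTP_NUM_STREAMS 10   /* streams on the hypothetical association */

struct vt_window { int id; };
static struct vt_window windows[VT_MAXWINDOWS];   /* stands in for vd->vd_windows */
static uint16_t stream_values[SCTP_NUM_STREAMS];  /* hypothetical per-stream table */

/* Flawed check, modelled on the pattern the advisory describes: the
 * caller's 32-bit value lands in a signed int and only the upper bound
 * is tested. 0xFFFFFFFF converts to -1 (implementation-defined, but
 * two's complement on every mainstream compiler), passes the test, and
 * would then index the table at a negative offset. The test is also off
 * by one, since it accepts VT_MAXWINDOWS itself. Returns true when the
 * value would be accepted as an index. */
bool vt_index_accepted_flawed(uint32_t user_value)
{
    int i = (int)user_value;      /* the sign conversion happens here */
    if (i > VT_MAXWINDOWS)        /* a negative i is never caught */
        return false;
    return true;
}

/* Hardened check: keep the value unsigned and require it to be strictly
 * less than the table size, which rejects both "negative" and too-large
 * values with a single comparison. */
bool vt_index_accepted_fixed(uint32_t user_value)
{
    return user_value < VT_MAXWINDOWS;
}

/* Safe lookup built on the hardened check; NULL means "reject the request". */
struct vt_window *vt_window_lookup(uint32_t user_value)
{
    if (!vt_index_accepted_fixed(user_value))
        return NULL;
    return &windows[user_value];
}

/* SCTP-style case: a 16-bit stream ID from the caller must be below the
 * number of streams actually allocated before it indexes the per-stream
 * table. Returns 0 on success, -1 (think EINVAL) for an invalid ID. */
int sctp_set_stream_value(uint16_t stream_id, uint16_t value)
{
    if (stream_id >= SCTP_NUM_STREAMS)
        return -1;
    stream_values[stream_id] = value;
    return 0;
}

/* Same validation on the read side; -1 signals an invalid ID. */
int sctp_get_stream_value(uint16_t stream_id)
{
    if (stream_id >= SCTP_NUM_STREAMS)
        return -1;
    return stream_values[stream_id];
}

int main(void)
{
    uint32_t probe = 0xFFFFFFFFu;   /* constructed sample input */
    printf("flawed check accepts 0x%08x: %s\n", probe,
           vt_index_accepted_flawed(probe) ? "yes (bug)" : "no");
    printf("fixed  check accepts 0x%08x: %s\n", probe,
           vt_index_accepted_fixed(probe) ? "yes" : "no (correct)");
    printf("stream id %u accepted: %s\n", (unsigned)SCTP_NUM_STREAMS,
           sctp_set_stream_value(SCTP_NUM_STREAMS, 1) == 0 ? "yes" : "no (correct)");
    return 0;
}
```

The fixed path is the pattern to look for when reviewing kernel code that consumes ioctl or setsockopt arguments: the caller-controlled index stays unsigned and is compared with `<` against the real size of the table it indexes, never with `>` against a maximum after a conversion to a signed type.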