A problem has been identified with the FreeBSD 7 series ULE scheduler:
FreeBSD has two schedulers: the classic 4BSD scheduler and a newer, more SMP-aware scheduler called ULE. The 4BSD scheduler was the default scheduler until FreeBSD 7.0. Starting with FreeBSD 7.1 the default scheduler is ULE.
The scheduler is responsible for allocating CPU time to threads and assigning threads to CPUs. Runnable threads (i.e. threads which are not waiting for a blocking operation, such as an I/O operation, memory allocation or lock acquisition, to complete) are assigned to a CPU and placed in that CPU’s run queue. Each thread and each CPU’s run queue is protected by a separate lock.
II. Problem Description
When a thread is reassigned from one CPU to another, the scheduler first acquires the thread’s lock, then releases the source CPU’s run queue lock. The scheduler then acquires the target CPU’s run queue lock and holds the lock while it adds the thread to the queue and signals the target CPU. Finally it reacquires the source CPU’s run queue lock before unlocking the thread. A thread on the target CPU, having been notified of the reassigned thread’s arrival on the target CPU’s run queue, will then acquire the thread’s lock before switching it in.
Read the whole errata
For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit http://security.freebsd.org
A security bug in the latest version of FreeBSD can be exploited to grant unprivileged users complete control over the operating system, a German researcher discovered.
The flaw is present in FreeBSD 8.0 and is known to affect versions 7.1 and 7.2.
“A short time ago a “local root” exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root.
Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues — in short, use at your own risk (even more than usual).” (source)
More information and the patch can be found here.
The run-time link-editor, rtld, links dynamic executables with their needed libraries at run-time. It also allows users to explicitly load libraries via various LD_ environment variables.
II. Problem Description
When running setuid programs rtld will normally remove potentially dangerous environment variables. Due to recent changes in FreeBSD environment variable handling code, a corrupt environment may result in attempts to unset environment variables failing.
III. Impact
An unprivileged user who can execute programs on a system can gain the privileges of any setuid program which he can run. On most system configurations, this will allow a local attacker to execute code as the root user.
Researchers Chitti Nimmagadda and Dorr H. Clark of Santa Clara University seem to have discovered and reported a bug in usr/src/sys/fs/fifofs/fifo_vnops.c of the FreeBSD 8.0-STABLE release, as reported on the FreeBSD bugs mailing list.
We believe we have identified a significant resource leak present in 6.x, 7.x, and 8.x. We believe this is a regression versus FreeBSD 4.x which appears to do the Right Thing ™.
We have a test program (see below) which will run the system out of sockets by repeated exercise of the failing code path in the kernel.
Our proposed fix is applied to the file usr/src/sys/fs/fifofs/fifo_vnops.c
If interested in (FreeBSD) code, have a look here for more info.
The FreeBSD Security Team has issued the following security warnings:
FreeBSD-SA-09:14.devfs – Devfs / VFS NULL pointer race condition
FreeBSD-SA-09:13.pipe – kqueue pipe race conditions
FreeBSD-EN-09:05.null – No zero mapping feature
For background info, problem description, impact, workaround and solutions, have a look at the individual advisory pages.
The FreeBSD Security Team has issued the following security warning:
FreeBSD-SA-09:12.bind – BIND named(8) dynamic update message remote DoS
For background info, problem description, impact, workaround and solution, have a look at the advisory page: bind
The FreeBSD Security Team has issued the following security warnings:
For background info, problem description, impact, workaround and solutions, have a look at the individual advisory pages.
The FreeBSD Security Team has issued the following security warnings:
- FreeBSD-SA-09:08.openssl - Remotely exploitable crash in OpenSSL
- FreeBSD-SA-09:07.libc - Information leak in db(3)
For background info, problem description, impact, workaround and solution, have a look at the individual advisory pages: openssl | libc
The FreeBSD Security Team has issued the following security warning:
FreeBSD-SA-09:06.ktimer – Local privilege escalation
I. Background
In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero.
II. Problem Description
An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked.
III. Impact
An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to “become root”), to escape from a jail, or to bypass security mechanisms in other ways.
IV. Workaround
No workaround is available, but systems without untrusted local users are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or RELENG_7_0 security branch dated after the correction date.
For instructions on how to patch your system click here.
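The ktimer problem description above is the classic shape of a missing bounds check: a caller-supplied timer index is used to pick a slot out of a fixed per-process table. The example below is added here to show the defect class and its fix side by side; it is not FreeBSD's kern_time.c, and the table layout, the TIMER_MAX value and the function names are assumptions made for illustration. The point worth noticing is that the index is a signed int, so the check has to reject negative values as well as values at or beyond the table size, and the unchecked variant is kept only to make the contrast visible.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical per-process timer table (assumed layout, not FreeBSD's). */
#define TIMER_MAX 32

struct timer_entry {
    int in_use;
    int64_t expires;
};

struct proc_timers {
    struct timer_entry slots[TIMER_MAX];
};

/* Unchecked lookup: a negative or oversized id indexes outside the table,
 * which is the class of defect the advisory describes. Never call this with
 * untrusted input; it is here only for comparison with timer_lookup(). */
struct timer_entry *timer_lookup_unchecked(struct proc_timers *pt, int id)
{
    return &pt->slots[id];
}

/* Checked lookup: rejects ids outside [0, TIMER_MAX) before indexing, and
 * also treats an allocated-but-unused slot as "not found". */
struct timer_entry *timer_lookup(struct proc_timers *pt, int id)
{
    if (id < 0 || id >= TIMER_MAX)   /* both halves matter for a signed id */
        return NULL;
    if (!pt->slots[id].in_use)
        return NULL;
    return &pt->slots[id];
}

/* Allocate the first free slot; returns its id or -1 if the table is full. */
int timer_create_slot(struct proc_timers *pt)
{
    for (int i = 0; i < TIMER_MAX; i++) {
        if (!pt->slots[i].in_use) {
            pt->slots[i].in_use = 1;
            pt->slots[i].expires = 0;
            return i;
        }
    }
    return -1;
}

/* Syscall-style entry point: every user-supplied id goes through the
 * checked lookup. Returns 0 on success, -1 on an invalid id. */
int timer_set_expiry(struct proc_timers *pt, int id, int64_t expires)
{
    struct timer_entry *t = timer_lookup(pt, id);
    if (t == NULL)
        return -1;
    t->expires = expires;
    return 0;
}

int main(void)
{
    struct proc_timers pt;
    memset(&pt, 0, sizeof pt);
    int id = timer_create_slot(&pt);
    /* Valid id succeeds; negative, oversized and unused ids are refused. */
    return (timer_set_expiry(&pt, id, 1000) == 0 &&
            timer_set_expiry(&pt, -1, 1) == -1 &&
            timer_set_expiry(&pt, TIMER_MAX, 1) == -1) ? 0 : 1;
}
```

The same check can be written as `(unsigned)id >= TIMER_MAX`, which folds the negative case into one comparison; either way, the test for a negative index is the half that is easy to forget when the table size is the only thing the author has in mind.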
The FreeBSD Security Team has issued the following security warning:
FreeBSD-SA-09:05.telnetd – telnetd code execution vulnerability
I. Background
The FreeBSD telnet daemon, telnetd(8), implements the server side of the TELNET virtual terminal protocol. It has been disabled by default in FreeBSD since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is strongly recommended that the SSH protocol be used instead. The FreeBSD telnet daemon can be enabled via the /etc/inetd.conf configuration file and the inetd(8) daemon.
The TELNET protocol allows a connecting client to specify environment variables which should be set in any created login session; this is used, for example, to specify terminal settings.
II. Problem Description
In order to prevent environment variable based attacks, telnetd(8) “scrubs” its environment; however, recent changes in FreeBSD’s environment-handling code rendered telnetd’s scrubbing inoperative, thereby allowing potentially harmful environment variables to be set.
For a workaround, solution and patch, etc., go here.
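Both the rtld advisory earlier on this page and the telnetd advisory above describe the same failure mode: a privileged program scrubs its environment by unsetting dangerous variables, and a corrupt environment makes those unset calls fail silently. The example below is added here (it is not FreeBSD code and not the fix shipped for either advisory) to show a scrubbing approach that does not depend on editing the inherited environment in place: it rebuilds the environment from an allowlist, rejecting any entry that is not a well-formed `NAME=value` pair. The allowlist, the sample environment and the function names are assumptions for illustration; `LD_LIBRARY_PATH` stands in for the loader variables the page says rtld strips for setuid binaries.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Variables a privileged program is allowed to inherit (assumed allowlist). */
static const char *const allowed_vars[] = { "PATH", "TERM", "HOME", "USER", NULL };

void free_env(char **env);

/* Returns 1 for a well-formed "NAME=value" entry whose NAME is on the allowlist,
 * 0 otherwise. Entries with no '=' (the corrupt shape that defeated in-place
 * unsetting) and entries with an empty name are rejected outright. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t namelen = (size_t)(eq - entry);
    for (size_t i = 0; allowed_vars[i] != NULL; i++) {
        if (strlen(allowed_vars[i]) == namelen &&
            strncmp(allowed_vars[i], entry, namelen) == 0)
            return 1;
    }
    return 0;
}

/* Copy only allowed, well-formed entries from src into a new NULL-terminated
 * array. Nothing here relies on libc being able to unset a variable in a
 * damaged environment. Returns NULL on allocation failure. */
char **build_clean_env(char *const *src)
{
    size_t n = 0;
    while (src[n] != NULL)
        n++;
    char **out = calloc(n + 1, sizeof *out);   /* calloc leaves the terminator NULL */
    if (out == NULL)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (!env_entry_allowed(src[i]))
            continue;
        out[j] = strdup(src[i]);
        if (out[j] == NULL) {
            free_env(out);
            return NULL;
        }
        j++;
    }
    return out;
}

void free_env(char **env)
{
    if (env == NULL)
        return;
    for (size_t i = 0; env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

size_t env_len(char *const *env)
{
    size_t n = 0;
    while (env[n] != NULL)
        n++;
    return n;
}

/* Replace the process environment with the scrubbed copy. A setuid program
 * would call this before consulting getenv() or exec'ing anything. The old
 * array is deliberately not freed: it may not be heap memory. */
int scrub_environment(void)
{
    char **clean = build_clean_env(environ);
    if (clean == NULL)
        return -1;
    environ = clean;
    return 0;
}

int main(void)
{
    /* Constructed sample environment: one loader variable and one malformed
     * entry with no '=', alongside two variables that are allowed through. */
    char *sample[] = { "PATH=/usr/bin:/bin", "LD_LIBRARY_PATH=/tmp/untrusted",
                       "corrupt-entry", "TERM=xterm", NULL };
    char **clean = build_clean_env(sample);
    if (clean == NULL)
        return 1;
    for (size_t i = 0; clean[i] != NULL; i++)
        printf("%s\n", clean[i]);           /* prints only PATH and TERM */
    free_env(clean);
    return 0;
}
```

The design choice is to treat the inherited environment as untrusted input to be parsed and filtered, rather than as state to be patched; a call such as unsetenv() that can fail on malformed input then has no role in the security decision, and an unexpected entry shape results in the entry being dropped instead of kept.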
The FreeBSD Security Team has issued two security warnings:
FreeBSD-SA-09:04.bind – BIND DNSSEC incorrect checks for malformed signatures
FreeBSD-SA-09:03.ntpd - ntpd cryptographic signature bypass