Archive for the 'FreeBSD Security Advisories' Category

FreeBSD Errata: Deadlock in ULE scheduler

A problem has been identified with the FreeBSD 7 series ULE scheduler:

FreeBSD has two schedulers: the classic 4BSD scheduler and a newer, more SMP-aware scheduler called ULE. The 4BSD scheduler was the default scheduler until FreeBSD 7.0. Starting with FreeBSD 7.1 the default scheduler is ULE.

The scheduler is responsible for allocating CPU time to threads and assigning threads to CPUs. Runnable threads (i.e. threads which are not waiting for a blocking operation, such as an I/O operation, memory allocation or lock acquisition, to complete) are assigned to a CPU and placed in that CPU’s run queue. Each thread and each CPU’s run queue is protected by a separate lock.

II. Problem Description

When a thread is reassigned from one CPU to another, the scheduler first acquires the thread’s lock, then releases the source CPU’s run queue lock. The scheduler then acquires the target CPU’s run queue lock and holds the lock while it adds the thread to the queue and signals the target CPU. Finally it reacquires the source CPU’s run queue lock before unlocking the thread. A thread on the target CPU, having been notified of the reassigned thread’s arrival on the target CPU’s run queue, will then acquire the thread’s lock before switching it in.

Read the whole errata

For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit http://security.freebsd.org

FreeBSD 7.x & 8.x Root Exploit Patched!

A security bug in the latest version of FreeBSD can be exploited to grant unprivileged users complete control over the operating system, a German researcher discovered.

The flaw is present in FreeBSD 8.0 and is known to affect versions 7.1 and 7.2.

“A short time ago a “local root” exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root.

Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues — in short, use at your own risk (even more than usual).” (source)

More information and the patch can be found here.

The run-time link-editor, rtld, links dynamic executables with the libraries they need at run-time. It also allows users to explicitly load libraries via various LD_ environment variables.

II. Problem Description

When running setuid programs rtld will normally remove potentially dangerous environment variables. Due to recent changes in FreeBSD environment variable handling code, a corrupt environment may result in attempts to unset environment variables failing.

III. Impact

An unprivileged user who can execute programs on a system can gain the privileges of any setuid program which he can run. On most system configurations, this will allow a local attacker to execute code as the root user.

FreeBSD FIFO resource leak

Researchers Chitti Nimmagadda and Dorr H. Clark of Santa Clara University appear to have discovered and reported a bug in usr/src/sys/fs/fifofs/fifo_vnops.c of the FreeBSD 8.0-STABLE release, as reported on the FreeBSD bugs mailing list.

We believe we have identified a significant resource leak present in 6.x, 7.x, and 8.x. We believe this is a regression versus FreeBSD 4.x which appears to do the Right Thing ™.

We have a test program (see below) which will run the system out of sockets by repeated exercise of the failing code path in the kernel.

Our proposed fix is applied to the file usr/src/sys/fs/fifofs/fifo_vnops.c

If interested in (FreeBSD) code, have a look here for more info.

FreeBSD Security Advisories (devfs, pipe, null)

The FreeBSD Security Team has issued the following security warnings:

FreeBSD-SA-09:14.devfs – Devfs / VFS NULL pointer race condition
FreeBSD-SA-09:13.pipe – kqueue pipe race conditions
FreeBSD-EN-09:05.null – No zero mapping feature

For background info, problem description, impact, workaround and solutions, have a look at the individual advisory pages.

FreeBSD Security Advisory (bind)

The FreeBSD Security Team has issued the following security warning:

FreeBSD-SA-09:12.bind – BIND named(8) dynamic update message remote DoS

For background info, problem description, impact, workaround and solution, have a look at the advisory page: bind

FreeBSD Security Advisories (ntp, ipv6, pipe)

The FreeBSD Security Team has issued the following security warnings:

For background info, problem description, impact, workaround and solutions, have a look at the individual advisory pages.

FreeBSD Security Advisories (openssl, libc)

The FreeBSD Security Team has issued the following security warnings:

  1. FreeBSD-SA-09:08.openssl - Remotely exploitable crash in OpenSSL
  2. FreeBSD-SA-09:07.libc - Information leak in db(3)

For background info, problem description, impact, workaround and solution, have a look at the individual advisory pages: openssl | libc

FreeBSD Security Advisory (ktimer)

The FreeBSD Security Team has issued the following security warning:

FreeBSD-SA-09:06.ktimer – Local privilege escalation

I. Background

In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero.

II. Problem Description

An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked.

III. Impact

An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to “become root”), to escape from a jail, or to bypass security mechanisms in other ways.
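The problem description above is the classic unchecked-index bug class. The following is an added illustration written for this page, not FreeBSD's kernel code: the timer table, its size and the function names are assumptions, and it places a lookup that checks only the upper bound of a signed timer id beside one that rejects every out-of-range id before touching memory.

```c
#include <stddef.h>
#include <errno.h>

/* Constructed model of per-process POSIX timers (hypothetical sizes/names,
 * not FreeBSD's real structures). */
#define TIMER_MAX 32
struct itimer { int armed; };
struct proc  { struct itimer *timers[TIMER_MAX]; };

/* Weak check, the pattern behind an improperly bounds-checked index:
 * the id is a signed int but only the upper bound is tested, so a
 * negative id passes and would index memory before the array. */
static int timer_id_ok_weak(int id) {
    return id < TIMER_MAX;
}

/* Hardened operation: reject both out-of-range directions before the
 * array is indexed, and refuse ids whose slot holds no timer. */
int timer_delete_checked(struct proc *p, int id) {
    if (id < 0 || id >= TIMER_MAX)
        return EINVAL;             /* never index with an unchecked id */
    if (p->timers[id] == NULL)
        return EINVAL;             /* no such timer for this process */
    p->timers[id]->armed = 0;
    p->timers[id] = NULL;
    return 0;
}
```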

IV. Workaround

No workaround is available, but systems without untrusted local users are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or RELENG_7_0 security branch dated after the correction date.

For instructions on how to patch your system click here.

FreeBSD Security Advisory (telnetd)

The FreeBSD Security Team has issued the following security warning:

FreeBSD-SA-09:05.telnetd – telnetd code execution vulnerability

I. Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the TELNET virtual terminal protocol. It has been disabled by default in FreeBSD since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is strongly recommended that the SSH protocol be used instead. The FreeBSD telnet daemon can be enabled via the /etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol allows a connecting client to specify environment variables which should be set in any created login session; this is used, for example, to specify terminal settings.

II. Problem Description

In order to prevent environment variable based attacks, telnetd(8) “scrubs” its environment; however, recent changes in FreeBSD’s environment-handling code rendered telnetd’s scrubbing inoperative, thereby allowing potentially harmful environment variables to be set.
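Both the rtld advisory and this telnetd advisory have the same failure mode: the program calls unsetenv(3) and assumes the dangerous variable is gone. The example below is added here and is neither rtld's nor telnetd's code; the LD_ prefix as the only unsafe family and the 256-byte name limit are assumptions. It scrubs the environment and then verifies by walking environ directly, so a scrub that silently did nothing is reported instead of trusted.

```c
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Prefix a privileged program must not inherit from an untrusted caller
 * (constructed illustration; rtld's real list is longer). */
#define UNSAFE_PREFIX "LD_"

/* Count entries with the unsafe prefix by walking environ directly, not
 * via getenv(3), so the verification does not rely on the same
 * environment-handling code whose failure is being guarded against. */
int count_unsafe_env(void) {
    int n = 0;
    for (char **e = environ; e != NULL && *e != NULL; e++)
        if (strncmp(*e, UNSAFE_PREFIX, strlen(UNSAFE_PREFIX)) == 0)
            n++;
    return n;
}

/* Scrub, then verify. Returns 0 when clean and -1 when unsafe entries
 * survived every unsetenv(3) attempt: the silent failure described in the
 * advisories. A caller should treat -1 as fatal, not as "scrubbed". */
int scrub_env_verified(void) {
    int budget = count_unsafe_env() + 1;   /* one unsetenv per entry, plus slack */
    while (budget-- > 0) {
        char **e = environ;
        while (e != NULL && *e != NULL &&
               strncmp(*e, UNSAFE_PREFIX, strlen(UNSAFE_PREFIX)) != 0)
            e++;
        if (e == NULL || *e == NULL)
            break;                         /* nothing unsafe left */
        const char *eq = strchr(*e, '=');  /* unsetenv takes the bare name */
        size_t len = eq ? (size_t)(eq - *e) : strlen(*e);
        char name[256];                    /* assumed upper bound on a name */
        if (len >= sizeof name)
            len = sizeof name - 1;         /* overlong name: will stay and be reported */
        memcpy(name, *e, len);
        name[len] = '\0';
        unsetenv(name);  /* its return value is not trusted; environ is rescanned */
    }
    return count_unsafe_env() == 0 ? 0 : -1;
}
```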

For the workaround, solution, patch etc., go here.

FreeBSD Security Advisories (bind & ntpd)

The FreeBSD Security Team has issued 2 security warnings:

FreeBSD-SA-09:04.bind – BIND DNSSEC incorrect checks for malformed signatures
FreeBSD-SA-09:03.ntpd - ntpd cryptographic signature bypass