Buffer Overflow Vulnerability in FreeBSD Discovered by Norse

Norse announced today that they discovered a buffer overflow vulnerability in FreeBSD, which they privately disclosed to the FreeBSD security team, who subsequently issued a security advisory with some details on the flaw and options for remedy (FreeBSD-SA-14:27.stdio).

FreeBSD is an advanced computer operating system employed to power modern servers, desktops and embedded platforms, according to the project’s organizers, who have collaborated with a large community of developers for more than thirty years.

Read the full blog with instructions on how to patch: http://blog.norsecorp.com/2014/12/10/buffer-overflow-vulnerability-in-freebsd-discovered-by-norse/

FreeBSD security advisories

The FreeBSD Security Team notifies the community of a handful of vulnerabilities that have been discovered. Please check the advisories and take the appropriate actions.

These issues either don’t affect the upcoming FreeBSD 10.0 (building was kicked off on 15 Jan) or have already been fixed.

FreeBSD Security Advisory: OpenSSH

The FreeBSD Security Team has identified a memory corruption vulnerability in OpenSSH and has issued the following security advisory: FreeBSD-SA-13:14.openssh (19/11/2013).

I. Background

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.

AES-GCM (Galois/Counter Mode) is a mode of operation for the AES block cipher that combines the counter mode of encryption with the Galois mode of authentication, and it can offer high throughput rates for state-of-the-art, high-speed communication channels.

OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.

II. Problem Description

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during key exchange.

III. Impact

If exploited, this vulnerability might permit code execution with the privileges of the authenticated user, thereby allowing a malicious user with valid credentials to bypass shell or command restrictions placed on their account.

For a workaround and solution, check out the security advisory: FreeBSD-SA-13:14.openssh
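As an added, defender-side example (not part of the advisory or of OpenSSH), the following Python script checks an sshd_config for the two AES-GCM cipher names quoted in the advisory text above and derives a Ciphers line with them removed. It assumes the sshd_config(5) parsing rules (a '#' starts a comment, keywords are case-insensitive, keyword and value may be separated by whitespace or '=', and the first Ciphers line wins), and it assumes that excluding the two GCM ciphers from the Ciphers list is the mitigation of choice; the advisory linked above is the authority on that. The sample configuration is constructed for the example.

```python
"""Report whether an sshd_config offers the AES-GCM ciphers named in
FreeBSD-SA-13:14.openssh and derive a Ciphers line without them.

Added example, not part of the advisory or of OpenSSH. Assumptions:
- sshd_config(5) rules: '#' starts a comment, keywords are case-insensitive,
  keyword and value are separated by whitespace or '=', first Ciphers wins.
- With no Ciphers line the version-specific built-in default list applies;
  its contents are not guessed here, so that case is reported as None.
"""
import re

# The two cipher names quoted in the advisory text.
GCM_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
Ciphers aes128-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-ctr
# sshd ignores later duplicates of a keyword; the first value wins
Ciphers aes128-ctr
"""


def explicit_ciphers(config_text):
    """Return the cipher list from the first effective Ciphers line, or None."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c for c in parts[1].split(",") if c]
    return None


def gcm_offered(config_text):
    """True if an explicit Ciphers line lists a GCM cipher, False if it does
    not, None when no Ciphers line exists and the built-in default applies."""
    ciphers = explicit_ciphers(config_text)
    if ciphers is None:
        return None
    return any(c in GCM_CIPHERS for c in ciphers)


def hardened_ciphers_line(config_text):
    """The same cipher list with the two GCM ciphers dropped, as a directive.

    Raises ValueError when there is no explicit list to edit or when dropping
    the GCM ciphers would leave sshd with no cipher at all (that would be a
    misconfiguration, not a hardening)."""
    ciphers = explicit_ciphers(config_text)
    if ciphers is None:
        raise ValueError("no explicit Ciphers line; add one before hardening")
    kept = [c for c in ciphers if c not in GCM_CIPHERS]
    if not kept:
        raise ValueError("removing the GCM ciphers would leave an empty list")
    return "Ciphers " + ",".join(kept)


if __name__ == "__main__":
    print("GCM offered:", gcm_offered(SAMPLE_CONFIG))
    print(hardened_ciphers_line(SAMPLE_CONFIG))
```

The script inspects only the configuration file; it does not confirm which cipher the running sshd actually negotiated, so the advisory's patch level remains the authoritative fix.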

FreeBSD Security Advisories (sctp, ip_multicast)

The FreeBSD Security Team has identified an issue in sctp and ip_multicast and has issued the following security advisories:

The SCTP protocol provides reliable, flow-controlled, two-way transmission of data. It is a message oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions. The SCTP protocol checks the integrity of messages by validating the state cookie information that is returned from the peer.

IP multicast is a method of sending Internet Protocol (IP) datagrams to a group of interested receivers in a single transmission.

Please read and take the recommended action(s).

FreeBSD Security Advisory: mmap

The FreeBSD Security Team has identified an issue in mmap and has issued the following security advisory: FreeBSD-SA-13:06.mmap (18/06/2013).

The FreeBSD virtual memory system allows files to be memory-mapped. All or parts of a file can be made available to a process via its address space. The process can then access the file using memory operations rather than filesystem I/O calls.

The ptrace(2) system call provides tracing and debugging facilities by allowing one process (the tracing process) to watch and control another (the traced process).

Due to insufficient permission checks in the virtual memory system, a tracing process (such as a debugger) may be able to modify portions of the traced process’s address space to which the traced process itself does not have write access.

This error can be exploited to allow unauthorized modification of an arbitrary file to which the attacker has read access, but not write access. Depending on the file and the nature of the modifications, this can result in privilege escalation.

For a solution, check out the security advisory: FreeBSD-SA-13:06.mmap

FreeBSD Security Advisory (Bind)

The FreeBSD Security Team has identified an issue in Bind and has issued the following security advisory: FreeBSD-SA-12:06.bind (22/11/2012).

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

The BIND daemon would crash when a query is made on a resource record with RDATA that exceeds 65535 bytes. The BIND daemon would lock up when a query is made on specific combinations of RDATA.

III. Impact

A remote attacker can query a resolving name server to retrieve a record whose RDATA is known to be larger than 65535 bytes, thereby causing the resolving server to crash via an assertion failure in named.

For a workaround and solution, check out the security advisory: FreeBSD-SA-12:06.bind

An attacker who is in a position to add a record with RDATA larger than 65535 bytes to an authoritative name server can cause that server to crash by later querying for that record.

The attacker can also cause the server to lock up with specific combinations of RDATA.