SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   FreeBSD Kernel Vendors:   FreeBSD
FreeBSD Network ioctl(2) Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1029014
SecurityTracker URL:  http://securitytracker.com/id/1029014
CVE Reference:   CVE-2013-5691   (Links to External Site)
Date:  Sep 10 2013
Impact:   Denial of service via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.3, 8.4, 9.1, 9.2
Description:   A vulnerability was reported in the FreeBSD Kernel. A local user can cause denial of service conditions. A local user may be able to obtain elevated privileges on the target system.

A local user can cause any network interface in the system to perform the link layer actions associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl request. This can be exploited to trigger a kernel panic and potentially execute arbitrary code.

Code execution has not been confirmed by the vendor.

Loganaden Velvindron and Gleb Smirnoff reported this vulnerability.

Impact:   A local user may be able to obtain elevated privileges on the target system.

A local user can cause denial of service conditions on the target system.

Solution:   The vendor has issued a fix.

The vendor's advisory is available at:

http://security.FreeBSD.org/advisories/FreeBSD-SA-13:12.ifioctl.asc

Vendor URL:  security.FreeBSD.org/advisories/FreeBSD-SA-13:12.ifioctl.asc (Links to External Site)
Cause:   Access control error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 28 2013 (McAfee Issues Fix for McAfee Firewall Enterprise) FreeBSD Network ioctl(2) Lets Local Users Gain Elevated Privileges
McAfee has issued a fix for McAfee Firewall Enterprise.



 Source Message Contents

Subject:  FreeBSD Security Advisory FreeBSD-SA-13:12.ifioctl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:12.ifioctl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient credential checks in network ioctl(2)

Category:       core
Module:         sys_netinet6 sys_netatm
Announced:      2013-09-10
Credits:        Loganaden Velvindron
                Gleb Smirnoff
Affects:        All supported versions of FreeBSD.
Corrected:      2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC3-p1)
                2013-09-10 10:15:33 UTC (releng/9.1, 9.1-RELEASE-p7)
                2013-09-10 10:12:09 UTC (stable/8, 8.4-STABLE)
                2013-09-10 10:14:19 UTC (releng/8.4, 8.4-RELEASE-p4)
                2013-09-10 10:13:14 UTC (releng/8.3, 8.3-RELEASE-p11)
CVE Name:       CVE-2013-5691

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The ioctl(2) system call allows an application to perform device- or
protocol-specific operations through a file or socket descriptor
associated with a specific device or protocol.

The SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK
ioctl requests are used to associate a network address, broadcast
address, destination address (for point-to-point interfaces) or
netmask with an interface.  They operate on the assumption that each
interface only has one address per protocol, and are therefore of
limited use for IPv4, where interfaces may have more than one address.
They were never implemented for IPv6, where interfaces nearly always
have at least two, and in many cases three, addresses; nor were they
ever implemented for ATM.

II.  Problem Description

As is commonly the case, the IPv6 and ATM network layer ioctl request
handlers are written in such a way that an unrecognized request is
passed on unmodified to the link layer, which will either handle it or
return an error code.

Network interface drivers, however, assume that the SIOCSIFADDR,
SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been
handled at the network layer, and therefore do not perform input
validation or verify the caller's credentials.  Typical link-layer
actions for these requests may include marking the interface as "up"
and resetting the underlying hardware.

III. Impact

An unprivileged user with the ability to run arbitrary code can cause
any network interface in the system to perform the link layer actions
associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or
SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a
specially crafted address structure which causes a network interface
driver to dereference an invalid pointer.

Although this has not been confirmed, the possibility that an attacker
may be able to execute arbitrary code in kernel context can not be
ruled out.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch
# fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch.asc
# gpg --verify ifioctl.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r255445
releng/8.3/                                                       r255446
releng/8.4/                                                       r255447
stable/9/                                                         r255443
releng/9.1/                                                       r255448
releng/9.2/                                                       r255444
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5691>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:12.ifioctl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (FreeBSD)

iEYEARECAAYFAlIu8rUACgkQFdaIBMps37ImRQCdGUcSBvK6+kAN69aGChHT6fVb
YI4AoJNveN9PSowTG0NnUkPJR9oJimZT
=xb3g
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC