Category:   OS (UNIX)  >   FreeBSD Kernel Vendors:   FreeBSD
FreeBSD Kernel Memory Initialization Flaws Let Local Users Obtain Portions of Kernel Memory
SecurityTracker Alert ID:  1030539
CVE Reference:   CVE-2014-3952, CVE-2014-3953
Date:  Jul 9 2014
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.4, 9.1, 9.2, 9.3, 10.0
Description:   Two vulnerabilities were reported in FreeBSD. A local user can obtain portions of kernel memory.

The disclosed memory might be directly useful to an attacker, or it might be leveraged to obtain elevated privileges in some way (for example, a leaked terminal buffer might contain a user-entered password).

The padding between a control message header and its data is not properly initialized before being copied to userland [CVE-2014-3952].

Three SCTP control messages (SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO) contain implicit structure padding that is not properly initialized, and several SCTP notifications return data structures that are not completely initialized before being copied to userland [CVE-2014-3953].

A local user can exploit these flaws to obtain portions of kernel memory.

Michael Tuexen reported these vulnerabilities.

Impact:   A local user can obtain portions of kernel memory.
Solution:   The vendor has issued a fix.

The vendor's advisory (FreeBSD-SA-14:17.kmem) is reproduced below.
Cause:   Access control error, State error

Message History:   None.

Source Message Contents

Subject:  FreeBSD Security Advisory FreeBSD-SA-14:17.kmem

FreeBSD-SA-14:17.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in control messages and SCTP

Category:       core
Module:         kern, sctp
Announced:      2014-07-08
Credits:        Michael Tuexen
Affects:        All supported versions of FreeBSD.
Corrected:      2014-07-08 21:54:50 UTC (stable/10, 10.0-STABLE)
                2014-07-08 21:55:27 UTC (releng/10.0, 10.0-RELEASE-p7)
                2014-07-08 21:54:50 UTC (stable/9, 9.3-PRERELEASE)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC3-p1)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC2-p1)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC1-p2)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-BETA3-p2)
                2014-07-08 21:55:27 UTC (releng/9.2, 9.2-RELEASE-p10)
                2014-07-08 21:55:27 UTC (releng/9.1, 9.1-RELEASE-p17)
                2014-07-08 21:54:50 UTC (stable/8, 8.4-STABLE)
                2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
CVE Name:       CVE-2014-3952, CVE-2014-3953

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:>.

I.   Background

The control message API is used to construct ancillary data objects for
use in control messages sent and received across sockets and passed via
the recvmsg(2) and sendmsg(2) system calls.

II.  Problem Description

The padding between a control message header and its data may not be
completely initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit
padding that may not be completely initialized before being copied to
userland.  In addition, three SCTP notifications (among them
SCTP_PEER_ADDR_CHANGE) return data structures that may not be completely
initialized before being copied to userland.  [CVE-2014-3953]
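
The following C program is an added example, not code from the advisory or
from the FreeBSD project.  It uses the platform's own CMSG_* macros to
measure the alignment gap between struct cmsghdr and its payload (the bytes
CVE-2014-3952 left uninitialized), and then acts as an unprivileged userland
probe: it passes a descriptor over an AF_UNIX socketpair with SCM_RIGHTS,
zero-fills the receiving control buffer, and counts gap bytes that come back
non-zero, which is exactly what a leak of this kind looks like from the
receiving process.  The function names are the editor's own; the SCTP
structures of CVE-2014-3953 are not exercised (the same zero-before-copyout
discipline applies to their implicit padding, but that requires
<netinet/sctp.h>, which this example avoids).

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Control-message buffer for one int payload (e.g. a descriptor passed with
 * SCM_RIGHTS), kept correctly aligned for struct cmsghdr. */
union cmsgbuf {
    struct cmsghdr hdr;
    unsigned char buf[CMSG_SPACE(sizeof(int))];
};

/* Padding bytes between the end of struct cmsghdr and the first payload byte,
 * as the platform's CMSG_DATA() lays them out.  On FreeBSD/amd64 the 12-byte
 * header is rounded up to 8-byte alignment, so the gap is 4 bytes (the figure
 * in section III); on Linux/amd64 the header is 16 bytes and the gap is 0. */
size_t cmsg_header_to_data_gap(void)
{
    union cmsgbuf u;

    memset(&u, 0, sizeof u);
    u.hdr.cmsg_len = CMSG_LEN(sizeof(int));
    return (size_t)(CMSG_DATA(&u.hdr) - (unsigned char *)&u.hdr)
           - sizeof(struct cmsghdr);
}

/* Userland probe for the CVE-2014-3952 gap.  A kernel that clears the padding
 * before copyout yields 0; any other value means bytes this process never
 * wrote were handed back to it.  Returns -1 if the exchange itself fails.
 * Leaked kernel bytes can happen to be zero, so one clean run is not proof. */
int probe_cmsg_padding(void)
{
    int sv[2], pfd[2], rfd, nonzero = -1;
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg;
    struct cmsghdr *cmsg;
    union cmsgbuf cbuf;
    unsigned char *p;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }

    /* Sender: one data byte plus an SCM_RIGHTS cmsg carrying pfd[0]. */
    memset(&cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf.buf;
    msg.msg_controllen = sizeof cbuf.buf;
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &pfd[0], sizeof(int));
    if (sendmsg(sv[0], &msg, 0) != 1)
        goto out;

    /* Receiver: same msghdr, control buffer zeroed first, so any non-zero
     * byte found in the header/data gap must have been written by the kernel. */
    memset(&cbuf, 0, sizeof cbuf);
    msg.msg_controllen = sizeof cbuf.buf;
    msg.msg_flags = 0;
    if (recvmsg(sv[1], &msg, 0) != 1)
        goto out;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS)
        goto out;
    memcpy(&rfd, CMSG_DATA(cmsg), sizeof(int));
    close(rfd);                       /* the duplicated descriptor */

    nonzero = 0;
    for (p = (unsigned char *)cmsg + sizeof(struct cmsghdr);
         p < (unsigned char *)CMSG_DATA(cmsg); p++)
        if (*p != 0)
            nonzero++;
out:
    close(pfd[0]); close(pfd[1]);
    close(sv[0]); close(sv[1]);
    return nonzero;
}

int main(void)
{
    printf("header-to-data gap: %zu byte(s)\n", cmsg_header_to_data_gap());
    printf("non-zero gap bytes returned by kernel: %d\n", probe_cmsg_padding());
    return 0;
}
```

On a patched FreeBSD the gap is 4 bytes and the probe reports 0; on Linux the
gap is 0, so there is nothing to leak through this path.  The probe is a
negative check only: it cannot tell a fixed kernel from one that leaked bytes
which happened to be zero, so run it more than once before drawing conclusions.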

III. Impact

An unprivileged local process may be able to retrieve a portion of kernel
memory.

For the generic control message, the process may be able to retrieve a
maximum of 4 bytes of kernel memory.

For SCTP, the process may be able to retrieve 2 bytes of kernel memory
for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76
bytes for SCTP_EXTRCV.  If the local process is permitted to receive
SCTP notification, a maximum of 112 bytes of kernel memory may be
returned to userland.

This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way.  For example, a terminal buffer
might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch
# fetch
# gpg --verify kmem.patch.asc

[FreeBSD 8.4, 9.2 and 9.3-RC]
# fetch
# fetch
# gpg --verify kmem.patch.asc

[FreeBSD 9.1]
# fetch
# fetch
# gpg --verify kmem.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:> and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r268432
releng/8.4/                                                       r268435
stable/9/                                                         r268432
releng/9.1/                                                       r268434
releng/9.2/                                                       r268434
releng/9.3/                                                       r268433
stable/10/                                                        r268432
releng/10.0/                                                      r268434
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://

Or visit the following URL, replacing NNNNNN with the revision number:


VII. References


The latest revision of this advisory is available at