The BSD libc library was updated recently to address a buffer overflow vulnerability that could have allowed an attacker to execute arbitrary code.
The library is part of the POSIX library, which is used in BSD operating systems, like FreeBSD, NetBSD, OpenBSD. The libc library is also used in Apple’s OS X operating system.
According to Garret Wassermann, a vulnerability analyst at Carnegie Mellon’s Software Engineering Institute CERT/CC who disclosed the vulnerability yesterday, only a handful of implementations that use the library have publicly applied the fix.
The issue stems from problem with the obuf variable in the link_ntoa() function in linkaddr.c. Because of improper bounds checking, an attacker could have been able to read or write from memory.
While researchers claim it could be possible to exploit the vulnerability and execute code, they claim it wouldn’t be easy. FreeBSD developers told CERT/CC that apps that use link_ntoa() don’t use it in an exploitable way. CERT/CC reviewed the vulnerability and claims its unaware of a functional proof of concept.
“The full impact and severity depends on the method of exploit and how the library is used by applications,” Wassermann wrote Tuesday, adding that the high CVSS score given to the vulnerability (9.3) is really more of a “worst-case scenario” score and reflects the potential an attacker could execute arbitrary code with root permissions.
In its own advisory, FreeBSD developers sound less concerned with the issue but are still encouraging users to update.
“Due to very limited use of the function in the existing applications, and limited length of the overflow, exploitation of the vulnerability does not seem feasible. None of the utilities and daemons in the base system are known to be vulnerable. However, careful review of third party software that may use the function was not performed,” the advisory reads.
FreeBSD users are encouraged to download one of the following updated patch levels to fix the issue:
- 9.3-RELEASE-p51
- 10.1-RELEASE-p43
- 10.2-RELEASE-p26
- 10.3-RELEASE-p13
- 11.0-RELEASE-p4
While the libc module has been updated by BSD to resolve the issue, it’s unclear how many vendors have updated to incorporate the fix. The library figures into several fringe desktop operating system projects that based on FreeBSD, like DragonFlyBSD, HardenedBSD, and DesktopBSD.
Jeremy Reed, who serves on the board of directors of the NetBSD Foundation, confirmed to Threatpost Wednesday that the vulnerability has been fixed in the current development version of the OS.
Developers with HardenedBSD also addressed the buffer overflow on Tuesday when it released code for a stable version of its operating system – 10-STABLE v46.20 – on GitHub. Conversely, there’s no record of the bug on DragonFly’s bug tracker and it appears DesktopBSD hasn’t been updated since September 2015.
Neither Apple, nor Juniper Networks, which uses libc in its FreeBSD-based network operating system Junos, immediately returned a request for comment on Wednesday.
A much nastier vulnerability – one that did open machines to remote code execution – plagued a different C library implementation, the GNU C library a/k/a glibc, in January. That flaw, also a buffer overflow, albeit a stack-based version, put Linux machines at risk of remote code execution if hit with a malicious DNS response. Glibc, which defines system calls and other functions for Linux systems, was also impacted by the a serious buffer overflow in 2015. Through that vulnerability, nicknamed GHOST, an attacker could have made an application calls and executed arbitrary code with the permissions of the user running the application.