FreeBSD Patches Code Execution, Memory Corruption Bugs

FreeBSD has patched a handful of vulnerabilities in its kernel code that could have enabled an attacker to crash the system, execute arbitrary code, or disclose sensitive kernel memory.

Developers behind the operating system FreeBSD patched a handful of vulnerabilities in its kernel code yesterday that could have enabled an attacker to crash the system, execute arbitrary code, or disclose sensitive kernel memory.

FreeBSD patched the bugs fairly quickly. Francisco Falcon, a member of Core Security’s Exploit Writing Team (EWT) dug up the vulnerabilities roughly 13 days ago, disclosed them with developers in the FreeBSD community, and the fixes were pushed live yesterday.

The first bug, a sign conversion vulnerability, was found in code that directly affects FreeBSD’s vt console driver, formerly known as Newcons. The vt console driver triggers a few things: Unicode support, character support, font maps and modern graphics capabilities to name a few. An attacker could “make the kernel access an array outside of its boundaries,” essentially bypassing the boundary check, according to an advisory that Core published yesterday.

The second bug, a memory corruption vulnerability, affects code that’s responsible for Stream Control Transmission Protocol (SCTP) sockets, protocol that helps facilitate data communication between two endpoints. To exploit this one an attacker would have to perform a system call with a random 16-bit value and in turn, they’d corrupt kernel memory.

The last bug, a kernel memory disclosure vulnerability, also affects SCTP sockets and is quite similar to the second bug. Basically if an attacker performed a system call they’d be able to read 16-bit values pertaining to the kernel memory space. As the issue is so similar to the second, FreeBSD opted to file to them under the same CVE, CVE-2014-0998.

In going through its mail archive FreeBSD actually discovered that Google had previously reported one of the SCTP socket issues but missed it the first time around. On FreeBSD’s advisory Clément Lecigne, the Swiss researcher with Google who first reported the vulnerability is credited with discovering the bug, along with Falcon.

Core gets much deeper into the vulnerabilities complete with proof of concept code for all three vulnerabilities in a technical advisory it published on Tuesday while FreeBSD has posted its own advisories.

FreeBSD is encouraging users to update to the latest stable release, FreeBSD 10.10RELENG, as all versions prior to 10.1-RELEASE are vulnerable.

Suggested articles