Remotely exploitable vulnerabilities in FreeBSD

FreeBSD has fixed five vulnerabilities, among them issues that can overwrite kernel memory when certain network packets are received and issues that let a local user escalate privileges. The fixes ship in 12.1-RELEASE-p5 and 11.3-RELEASE-p9.

The most serious vulnerability (CVE-2020-7454) stems from missing packet-size checks in the libalias library when it parses protocol-specific headers. libalias is used by the ipfw packet filter for address translation and provides the standard routines for rewriting addresses in IP packets and for parsing the protocols that embed addresses. By sending a specially crafted packet, an attacker can read or write memory belonging to the kernel (when the in-kernel NAT implementation is used) or to the natd process (when the userspace NAT implementation is used). NAT configurations built on the pf or ipf packet filters are not affected, and neither are ipfw configurations that do not use NAT.
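As an added illustration of the bug class described above (example code written for this page, not code from libalias or FreeBSD; the wire format, field names and function names are all hypothetical), here is a NAT helper that rewrites an IPv4 address embedded in an application-layer header. The unsafe variant derives the write location from attacker-controlled header fields without comparing it to the number of bytes actually received; the safe variant validates every derived offset first.

```c
/*
 * Illustrative example (added here; not libalias or FreeBSD code). The
 * header format is hypothetical: type(1) hlen(1) addr_off(1) ... with a
 * 4-byte IPv4 address at addr_off that the NAT must rewrite. Both hlen and
 * addr_off come off the wire and are therefore attacker-controlled.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct app_hdr {
    uint8_t type;
    uint8_t hlen;      /* total header length claimed by the sender */
    uint8_t addr_off;  /* offset of the 4-byte address within the header */
};

/* Vulnerable pattern: the write location is taken from the header without
 * checking it against pktlen. To keep the example safe to run it only
 * reports the end offset of the write it would perform. */
size_t unsafe_addr_write_end(const uint8_t *pkt, size_t pktlen)
{
    const struct app_hdr *h = (const struct app_hdr *)pkt;
    (void)pktlen;                    /* received length is ignored */
    return (size_t)h->addr_off + 4;  /* may lie far past the packet */
}

/* Hardened pattern: check that the fixed header is present, that the claimed
 * header length fits in the received bytes, and that the 4-byte field lies
 * inside the header before touching memory. Returns 0 on success, -1 on
 * any malformed packet. */
int safe_rewrite_addr(uint8_t *pkt, size_t pktlen, const uint8_t new_addr[4])
{
    if (pktlen < sizeof(struct app_hdr))
        return -1;
    const struct app_hdr *h = (const struct app_hdr *)pkt;
    if (h->hlen < sizeof(struct app_hdr) || h->hlen > pktlen)
        return -1;
    size_t end = (size_t)h->addr_off + 4;  /* uint8_t + 4 cannot overflow */
    if (h->addr_off < sizeof(struct app_hdr) || end > h->hlen)
        return -1;
    memcpy(pkt + h->addr_off, new_addr, 4);
    return 0;
}

/* Constructed sample: a well-formed 7-byte packet, address 10.0.0.1 at 3. */
size_t make_good_packet(uint8_t *buf, size_t buflen)
{
    const uint8_t pkt[] = { 0x01, 7, 3, 10, 0, 0, 1 };
    if (buflen < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Constructed sample: only 3 bytes received, but hlen and addr_off point
 * well past the end of what arrived. */
size_t make_evil_packet(uint8_t *buf, size_t buflen)
{
    const uint8_t pkt[] = { 0x01, 200, 196 };
    if (buflen < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

static const uint8_t nat_addr[4] = { 192, 0, 2, 1 };

/* Result helpers so the two behaviours can be checked without I/O. */
size_t demo_unsafe_overshoot(void)
{
    uint8_t buf[64];
    size_t n = make_evil_packet(buf, sizeof buf);
    return unsafe_addr_write_end(buf, n);     /* 200, on a 3-byte packet */
}

int demo_evil_rejected(void)
{
    uint8_t buf[64];
    size_t n = make_evil_packet(buf, sizeof buf);
    return safe_rewrite_addr(buf, n, nat_addr);  /* -1 */
}

int demo_good_rewritten(void)
{
    uint8_t buf[64];
    size_t n = make_good_packet(buf, sizeof buf);
    if (safe_rewrite_addr(buf, n, nat_addr) != 0) return 0;
    return memcmp(buf + 3, nat_addr, 4) == 0;   /* 1 */
}

int main(void)
{
    printf("unsafe: would write up to offset %zu of a 3-byte packet\n",
           demo_unsafe_overshoot());
    printf("safe: hostile packet -> %d, good packet rewritten -> %d\n",
           demo_evil_rejected(), demo_good_rewritten());
    return 0;
}
```

The point of the hardened variant is that each bound is checked against the length the caller actually received (pktlen), not against lengths announced inside the packet; the in-kernel and natd deployments differ only in which address space the unchecked write lands in.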

Other vulnerabilities:

  • CVE-2020-7455: another remotely exploitable libalias bug, caused by a packet-length miscalculation in the FTP handler. Its impact is limited to leaking a few bytes of kernel memory or natd process memory.
  • CVE-2019-15879: a use-after-free in the cryptodev module that lets an unprivileged process overwrite arbitrary kernel memory. As a workaround, unload the module with "kldunload cryptodev" if it has been loaded (it is not loaded by default). cryptodev exposes the /dev/crypto interface through which userspace applications reach cryptographic hardware acceleration; AES-NI-based code and OpenSSL do not go through /dev/crypto.
  • CVE-2019-15880: a second cryptodev bug that lets an unprivileged user crash the kernel by submitting a cryptographic request with a malformed MAC key. The cause is a missing check on the MAC key size when the buffer to hold it is allocated: the buffer was sized from the user-supplied length without validating that length.
  • CVE-2019-15878: a use-after-free in the Stream Control Transmission Protocol (SCTP) implementation, caused by incorrect handling of the shared key that the SCTP-AUTH extension uses to authenticate SCTP chunks. A local application can update the key through the socket API while the SCTP association is being torn down, so the key is accessed after it has been freed.
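Added illustration of the CVE-2019-15880 pattern described in the list above (example code written for this page, not FreeBSD cryptodev code; the algorithm table, key-length limits, struct layouts and function names are assumptions): a session-creation path that sizes a kernel buffer from a user-supplied MAC key length, beside one that validates the length against the algorithm's limits before allocating anything.

```c
/*
 * Illustrative example (added here; not FreeBSD cryptodev code). A
 * session-creation routine receives a MAC key length from an unprivileged
 * caller. The vulnerable version sizes its buffer from that length alone;
 * the hardened version checks the length against what the requested
 * algorithm permits before it allocates or copies.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical MAC algorithm table; the limits are assumptions. */
struct mac_alg { const char *name; size_t min_keylen; size_t max_keylen; };
static const struct mac_alg mac_algs[] = {
    { "hmac-sha1",   1, 64 },
    { "hmac-sha256", 1, 64 },
};
#define N_MAC_ALGS (sizeof mac_algs / sizeof mac_algs[0])

/* Request as it might be copied in from userspace; every field is hostile. */
struct session_req {
    unsigned       alg;     /* index into mac_algs */
    size_t         keylen;  /* caller-supplied key length */
    const uint8_t *key;     /* caller-supplied key bytes */
};

struct session {
    unsigned alg;
    size_t   keylen;
    uint8_t *key;
};

/* Vulnerable pattern: only the algorithm index is checked; keylen is passed
 * straight to the allocator. Here it only reports the size it would request
 * so the example stays safe to run. */
size_t unsafe_key_alloc_size(const struct session_req *req)
{
    if (req->alg >= N_MAC_ALGS)
        return 0;
    return req->keylen;   /* unbounded: SIZE_MAX is accepted as-is */
}

/* Hardened pattern: reject any length outside the algorithm's limits before
 * allocating. Returns 0 on success, -1 on an invalid request. */
int safe_session_create(const struct session_req *req, struct session *out)
{
    if (req->alg >= N_MAC_ALGS || req->key == NULL)
        return -1;
    const struct mac_alg *a = &mac_algs[req->alg];
    if (req->keylen < a->min_keylen || req->keylen > a->max_keylen)
        return -1;        /* no allocation has happened yet */
    uint8_t *k = malloc(req->keylen);
    if (k == NULL)
        return -1;
    memcpy(k, req->key, req->keylen);
    out->alg = req->alg;
    out->keylen = req->keylen;
    out->key = k;
    return 0;
}

void session_destroy(struct session *s)
{
    if (s->key != NULL) {
        memset(s->key, 0, s->keylen);   /* scrub key material before free */
        free(s->key);
        s->key = NULL;
    }
    s->keylen = 0;
}

/* Result helpers using constructed requests. */
size_t demo_hostile_alloc_size(void)
{
    static const uint8_t key[1] = { 0 };
    struct session_req req = { 0, SIZE_MAX, key };   /* constructed */
    return unsafe_key_alloc_size(&req);              /* SIZE_MAX */
}

int demo_hostile_rejected(void)
{
    static const uint8_t key[1] = { 0 };
    struct session_req req = { 0, SIZE_MAX, key };   /* constructed */
    struct session s = { 0, 0, NULL };
    return safe_session_create(&req, &s);            /* -1 */
}

int demo_valid_accepted(void)
{
    static const uint8_t key[32] = { 0x42 };
    struct session_req req = { 1, sizeof key, key }; /* constructed */
    struct session s = { 0, 0, NULL };
    int rc = safe_session_create(&req, &s);
    int ok = (rc == 0 && s.keylen == 32 && s.key[0] == 0x42);
    session_destroy(&s);
    return ok;                                       /* 1 */
}
```

In a kernel the unbounded request is not merely a failed malloc: an allocator asked for an absurd size can panic or exhaust memory, which is why the length must be validated against a per-algorithm limit before the allocation, not after.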

Source: opennet.ru