Vulnerability in FreeBSD ftpd that allowed root access using ftpchroot

A critical vulnerability (CVE-2020-7468) has been identified in the ftpd server shipped with FreeBSD. It could allow users restricted to their home directory with the ftpchroot option to gain full root access to the system.

The problem is caused by a combination of a bug in the implementation of the user isolation mechanism using the chroot call (if the process of changing the uid or performing chroot and chdir failed, a non-fatal error was generated that did not terminate the session) and granting the authenticated FTP user rights sufficient to bypass the root path restriction in the file system. The vulnerability does not manifest itself when accessing the FTP server in anonymous mode or when the user is fully logged in without ftpchroot. The issue is fixed in the 12.1-RELEASE-p10, 11.4-RELEASE-p4 and 11.3-RELEASE-p14 updates.
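The fail-open handling described above, next to a fail-closed version, as an added example (this is not FreeBSD's ftpd source). The `confine_ops` hooks, the function names and the messages are hypothetical, chosen so the logic can run without root.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical hooks so the logic can be exercised without root;
 * a real daemon would call chroot(2), chdir(2) and setuid(2) here. */
struct confine_ops {
    int (*do_chroot)(const char *dir);
    int (*do_chdir)(const char *dir);
    int (*do_setuid)(uid_t uid);
};
enum session_state { SESSION_CONTINUES, SESSION_TERMINATED };

/* Fail-open: a failed step is only reported, the session goes on. */
enum session_state confine_lenient(const struct confine_ops *ops,
                                   const char *home, uid_t uid) {
    if (ops->do_chroot(home) < 0 || ops->do_chdir("/") < 0)
        fprintf(stderr, "cannot change root\n");  /* non-fatal */
    if (ops->do_setuid(uid) < 0)
        fprintf(stderr, "cannot set uid\n");      /* non-fatal */
    return SESSION_CONTINUES;  /* still running, confined or not */
}

/* Fail-closed: any failed step ends the session (a daemon would exit). */
enum session_state confine_strict(const struct confine_ops *ops,
                                  const char *home, uid_t uid) {
    if (ops->do_chroot(home) < 0 || ops->do_chdir("/") < 0 ||
        ops->do_setuid(uid) < 0) {
        fprintf(stderr, "confinement failed, closing session\n");
        return SESSION_TERMINATED;
    }
    return SESSION_CONTINUES;
}

/* Constructed stubs standing in for the system calls. */
static int ok_dir(const char *d) { (void)d; return 0; }
static int fail_dir(const char *d) { (void)d; return -1; }
static int ok_uid(uid_t u) { (void)u; return 0; }
const struct confine_ops OPS_OK = { ok_dir, ok_dir, ok_uid };
const struct confine_ops OPS_CHROOT_FAILS = { fail_dir, ok_dir, ok_uid };

int main(void) {
    /* Constructed home directory and uid. */
    printf("lenient, chroot fails: %d\n",
           confine_lenient(&OPS_CHROOT_FAILS, "/home/user", 1001));
    printf("strict,  chroot fails: %d\n",
           confine_strict(&OPS_CHROOT_FAILS, "/home/user", 1001));
    return 0;
}
```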

Additionally, three more vulnerabilities have been fixed in 12.1-RELEASE-p10, 11.4-RELEASE-p4 and 11.3-RELEASE-p14:

  • CVE-2020-7467 - a vulnerability in the Bhyve hypervisor that allows the guest environment to write information to the memory area of the host environment and gain full access to the host system. The problem is caused by the lack of restrictions on access to processor instructions that work with physical host addresses, and only appears on systems with AMD CPUs.

  • CVE-2020-24718 - a vulnerability in the Bhyve hypervisor that allows a root attacker inside Bhyve-isolated environments to execute code at the kernel level. The problem is caused by the lack of proper restriction of access to VMCS (Virtual Machine Control Structure) structures on systems with Intel CPUs and VMCB (Virtual Machine Control Block) on systems with AMD CPUs.

  • CVE-2020-7464 - a vulnerability in the ure driver (USB Ethernet Realtek RTL8152 and RTL8153), which allows sending large frames (greater than 2048) to spoof packets from other hosts or to perform packet substitution to other VLANs.

Source: opennet.ru
