Vulnerabilities in FreeBSD that allow bypassing restrictions of jail environments

Two vulnerabilities have been identified in the system of isolated jail environments developed by the FreeBSD project:

  • CVE-2020-25582 is a vulnerability in the implementation of the jail_attach system call, which attaches external processes to existing jail environments. The problem appears when jail_attach is invoked through the jexec or killall commands, and allows a privileged process isolated inside the jail to change its root directory and gain full access to all files and directories on the system.
  • CVE-2020-25581 is a race condition in the removal of processes by the jail_remove system call. It allows a privileged process running inside the jail to avoid being removed when the jail shuts down. When a jail is subsequently started with the same root directory, that process can gain full access to the system via devfs, using the window in which devfs is already mounted for the jail but the isolation rules have not yet been applied.

A further vulnerability (CVE-2020-25580) affects the pam_login_access PAM module, which processes the login_access file defining the access rules for users and groups applied at login (by default, login via the console, sshd and telnetd is allowed). The vulnerability makes it possible to bypass login_access restrictions and log in despite the presence of deny rules.

The vulnerabilities were fixed in the 13.0-STABLE, 12.2-STABLE, and 11.4-STABLE branches, as well as in the FreeBSD 12.2-RELEASE-p4 and 11.4-RELEASE-p8 patches.
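To check a host against the fixed patch levels listed above, the following sketch can be used. It is an added example, not part of the original article or of FreeBSD; the function name classify_version is hypothetical, and only the two RELEASE patch levels named in the article are evaluated.

```shell
#!/bin/sh
# Added example: classify a FreeBSD version string against the fixed patch
# levels named in the article (12.2-RELEASE-p4 and 11.4-RELEASE-p8).
# Prints one of: fixed, unpatched, unknown.
classify_version() {
    ver=$1
    # Minimum patch level per release branch, taken from the article.
    case $ver in
        12.2-RELEASE*) need=4 ;;
        11.4-RELEASE*) need=8 ;;
        # -STABLE builds and other releases cannot be judged from the
        # version string alone; the article gives no patch level for them.
        *) echo unknown; return 0 ;;
    esac
    # The patch level is the number after "-p"; a bare X.Y-RELEASE is p0.
    case $ver in
        *-RELEASE-p*) have=${ver##*-p} ;;
        *-RELEASE)    have=0 ;;
        *) echo unknown; return 0 ;;
    esac
    # Reject anything that is not a plain non-negative integer.
    case $have in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$have" -ge "$need" ]; then echo fixed; else echo unpatched; fi
}

# On a FreeBSD host, report the installed kernel (-k), the running kernel (-r)
# and the userland (-u). jail_attach and jail_remove are system calls, so the
# jail fixes depend on the kernel; pam_login_access is a userland module.
if command -v freebsd-version >/dev/null 2>&1; then
    for flag in -k -r -u; do
        v=$(freebsd-version "$flag")
        printf '%s %s: %s\n' "$flag" "$v" "$(classify_version "$v")"
    done
fi
```

A running kernel (-r) older than the installed kernel (-k) means the update has been installed but the host has not yet been rebooted into it.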

Source: opennet.ru
