SB2022040603 - Multiple vulnerabilities in FreeBSD
Published: April 6, 2022 Updated: September 21, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2022-23084)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to a race condition in netmap. The total size of the user-provided nmreq to nmreq_copyin() function was first computed and then trusted during the copyin operation. A local user can trigger a race condition, which can lead to memory corruption and code execution. The vulnerability can be used to escape jail environment.
2) Integer overflow (CVE-ID: CVE-2022-23085)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to integer overflow within the nmreq_copyin() function in netmap. A local user can trigger integer overflow and execute arbitrary code with elevated privileges. The vulnerability can be used to escape jail environment.
3) Buffer overflow (CVE-ID: CVE-2022-23087)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the e1000 network adapter implementation in bhyve(8) hypervisor. A remote attacker with access to the guest OS can send specially crafted traffic via the affected adapter, trigger memory corruption and execute arbitrary code on the hypervisor.
4) Heap-based buffer overflow (CVE-ID: CVE-2022-23086)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in mpr, mps, and mpt disk collector drivers. A local user can run a specially crafted program to trigger a heap-based buffer overflow and execute arbitrary code on the system with elevated privileges.
5) Heap-based buffer overflow (CVE-ID: CVE-2022-23088)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the 802.11 beacon handling routine in FreeBSD Wi-Fi client. A remote attacker with control over the Wi-Fi hotspot can send specially beacon crafted frames to the FreeBSD Wi-Fi client in scanning mode, trigger a heap-based buffer overflow and execute arbitrary code on the system.
6) Buffer overflow (CVE-ID: CVE-2018-25032)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when compressing data. A remote attacker can pass specially crafted input to the application, trigger memory corruption and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://www.freebsd.org/security/advisories/FreeBSD-SA-22:04.netmap.asc
- https://www.zerodayinitiative.com/advisories/ZDI-22-1291/
- https://www.zerodayinitiative.com/advisories/ZDI-22-1292/
- https://www.freebsd.org/security/advisories/FreeBSD-SA-22:05.bhyve.asc
- https://www.freebsd.org/security/advisories/FreeBSD-SA-22:06.ioctl.asc
- https://www.zerodayinitiative.com/advisories/ZDI-22-1293/
- https://www.zerodayinitiative.com/advisories/ZDI-22-1294/
- https://www.freebsd.org/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc
- https://www.zerodayinitiative.com/advisories/ZDI-22-806/
- https://www.freebsd.org/security/advisories/FreeBSD-SA-22:08.zlib.asc