#VU8199 Privilege escalation in NetBSD
Vulnerability identifier: #VU8199
Vulnerability risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-362
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
NetBSD
Operating systems & Components /
Operating system
Vendor: NetBSD Foundation, Inc
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition. The same call gate existed on i386 and amd64 that allowed binaries from previous releases to perform syscalls. However, call gates do not automatically disable interrupts when entering the target function. Therefore, there was a condition where the kernel would be executed with userland registers loaded and interrupts enabled, which breaks a certain number of assumptions in the i386 and amd64 implementations. On i386 this can lead to a panic, and on amd64 to a privilege escalation.
Mitigation
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-7 netbsd-7-0 netbsd-7-1
---- ---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.288 1.272.4.2 1.272.6.2 1.272.10.2
sys/arch/i386/i386/locore.S
1.146 1.112.4.1 1.112.6.1 1.112.10.1
sys/arch/i386/i386/machdep.c
1.783 1.752.4.1 1.752.8.1 1.752.12.1
sys/arch/amd64/amd64/trap.c
1.96 1.78.4.3 1.78.6.3 1.78.10.3
sys/arch/amd64/amd64/locore.S
1.124 1.76.2.2 1.76.4.2 1.76.8.2
sys/arch/amd64/amd64/machdep.c
1.254 1.211.2.1 1.211.6.1 1.211.10.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.51 1.48.4.1 1.48.8.1 1.48.4.1
FILE netbsd-6 netbsd-6-0 netbsd-6-1
---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.262.8.2 1.262.12.2 1.262.14.2
sys/arch/i386/i386/locore.S
1.95.10.4 1.95.10.2.4.1 1.95.10.3.2.1
sys/arch/i386/i386/machdep.c
1.717.2.8 1.717.2.7.4.1 1.717.2.7.6.1
sys/arch/amd64/amd64/trap.c
1.69.2.3 1.69.2.1.4.2 1.69.2.1.6.2
sys/arch/amd64/amd64/locore.S
1.66.2.2 1.66.2.1.4.1 1.66.2.1.6.1
sys/arch/amd64/amd64/machdep.c
1.175.2.9 1.175.2.7.2.2 1.175.2.8.2.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.39.6.1 1.39.10.1 1.39.12.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/arch/i386/i386/trap.c
# cvs update -d -P -r VERSION sys/arch/i386/i386/locore.S
# cvs update -d -P -r VERSION sys/arch/i386/i386/machdep.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/trap.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/locore.S
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/machdep.c
# cvs update -d -P -r VERSION sys/compat/linux/arch/amd64/linux_machdep.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
Vulnerable software versions
NetBSD: 6.0 - 7.0.2
External links
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-005.txt.asc
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
