#VU8200 Privilege escalation in NetBSD
Vulnerability identifier: #VU8200
Vulnerability risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-20
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
NetBSD
Operating systems & Components /
Operating system
Vendor: NetBSD Foundation, Inc
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to missing check in the Linux compatibility layer could allow userland to exploit the Intel Sysret Vulnerability on amd64. A missing check in the trap frame could allow userland to have the kernel execute 'sysret' with a fully-controllable %rip, thereby allowing the exploitation of the Intel Sysret Vulnerability (https://www.cybersecurity-help.cz/vdb/SB2012071201).
Successful exploitation of the vulnerability may allow an attacker to gain root access to the affected system.
Mitigation
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-7 netbsd-7-0 netbsd-7-1
---- ---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.288 1.272.4.2 1.272.6.2 1.272.10.2
sys/arch/i386/i386/locore.S
1.146 1.112.4.1 1.112.6.1 1.112.10.1
sys/arch/i386/i386/machdep.c
1.783 1.752.4.1 1.752.8.1 1.752.12.1
sys/arch/amd64/amd64/trap.c
1.96 1.78.4.3 1.78.6.3 1.78.10.3
sys/arch/amd64/amd64/locore.S
1.124 1.76.2.2 1.76.4.2 1.76.8.2
sys/arch/amd64/amd64/machdep.c
1.254 1.211.2.1 1.211.6.1 1.211.10.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.51 1.48.4.1 1.48.8.1 1.48.4.1
FILE netbsd-6 netbsd-6-0 netbsd-6-1
---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.262.8.2 1.262.12.2 1.262.14.2
sys/arch/i386/i386/locore.S
1.95.10.4 1.95.10.2.4.1 1.95.10.3.2.1
sys/arch/i386/i386/machdep.c
1.717.2.8 1.717.2.7.4.1 1.717.2.7.6.1
sys/arch/amd64/amd64/trap.c
1.69.2.3 1.69.2.1.4.2 1.69.2.1.6.2
sys/arch/amd64/amd64/locore.S
1.66.2.2 1.66.2.1.4.1 1.66.2.1.6.1
sys/arch/amd64/amd64/machdep.c
1.175.2.9 1.175.2.7.2.2 1.175.2.8.2.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.39.6.1 1.39.10.1 1.39.12.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/arch/i386/i386/trap.c
# cvs update -d -P -r VERSION sys/arch/i386/i386/locore.S
# cvs update -d -P -r VERSION sys/arch/i386/i386/machdep.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/trap.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/locore.S
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/machdep.c
# cvs update -d -P -r VERSION sys/compat/linux/arch/amd64/linux_machdep.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
Vulnerable software versions
NetBSD: 6.0 - 7.0.2
External links
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-005.txt.asc
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
