FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- nmount(2) local arbitrary code execution

Affected systems
6.3 < FreeBSD < 6.3_4
7.0 < FreeBSD < 7.0_4

Details

VuXML ID 7dbb7197-7b68-11dd-80ba-000bcdf0a03b
Discovery 2008-09-03
Entry 2008-09-05

Problem Description:

Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient bounds checking.

Impact:

If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel.

Workaround:

It is possible to work around this issue by allowing only privileged users to mount file systems by running the following sysctl(8) command:

# sysctl vfs.usermount=0

References

CVE Name CVE-2008-3531
FreeBSD Advisory SA-08:08.nmount