FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- jail_attach(2) relies on the caller to change the cwd

Affected packages
12.2 <= FreeBSD-kernel < 12.2_4
11.4 <= FreeBSD-kernel < 11.4_8


VuXML ID bba850fd-770e-11eb-b87a-901b0ef719ab
Discovery 2021-02-24
Entry 2021-02-25

Problem Description:

When a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.


A process with superuser privileges running inside a jail could change the root directory outside of the jail, thereby gaining full read and writing access to all files and directories in the system.


CVE Name CVE-2020-25582
FreeBSD Advisory SA-21:05.jail_chdir