FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- netgraph / bluetooth privilege escalation

Affected systems
6.3 < FreeBSD < 6.3_7
6.4 < FreeBSD < 6.4_1
7.0 < FreeBSD < 7.0_7

Details

VuXML ID c702944a-db0f-11dd-aa56-000bcdf0a03b
Discovery 2008-12-23
Entry 2009-01-05

Problem Description:

Some function pointers for netgraph and bluetooth sockets are not properly initialized.

Impact:

A local user can cause the FreeBSD kernel to execute arbitrary code. An attacker could use this directly, or use it to gain root privilege or to escape from a jail.

Workaround:

No workaround is available, but systems without local untrusted users are not vulnerable. Furthermore, systems are not vulnerable if they have neither the ng_socket nor ng_bluetooth kernel modules loaded or compiled into the kernel.

Systems with the security.jail.socket_unixiproute_only sysctl set to 1 (the default) are only vulnerable if they have local untrusted users outside of jails.

If the command

# kldstat -v | grep ng_

produces no output, the system is not vulnerable.
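
The workaround checks above, combined into one triage script. This is an added example, not part of the advisory: the function names, result labels and sample kldstat output are assumptions constructed for illustration, and treating any sysctl value other than 1 as "jailed users can also reach the sockets" is this example's reading of the text above.

```sh
#!/bin/sh
# Added example, not part of the advisory. assess_exposure and list_ng_modules
# are hypothetical helper names; the result labels are this example's own.

# $1: text of `kldstat -v`; $2: value of security.jail.socket_unixiproute_only
assess_exposure() {
    # Same test as the advisory's command: no line mentioning ng_ means no
    # netgraph/bluetooth module is loaded or compiled into the kernel.
    if ! printf '%s\n' "$1" | grep -q 'ng_'; then
        echo "not-vulnerable"
    elif [ "$2" = "1" ]; then
        # Default setting: only untrusted local users outside jails matter.
        echo "exposed-to-host-users"
    else
        echo "exposed-to-host-and-jail-users"
    fi
}

# Print the distinct ng_* module names found, one per line.
list_ng_modules() {
    printf '%s\n' "$1" | grep -o 'ng_[A-Za-z0-9_]*' | sort -u
}

# Constructed sample input (not captured from a real host).
SAMPLE_LOADED='Id Refs Address    Size     Name
 1    4 0xc0400000 9fab28   kernel (/boot/kernel/kernel)
        Contains modules:
                Id Name
                  1 if_lo
 2    1 0xc4a3e000 4000     ng_socket.ko (/boot/kernel/ng_socket.ko)
        Contains modules:
                Id Name
                  2 ng_socket
 3    1 0xc4a42000 2000     ng_bluetooth.ko (/boot/kernel/ng_bluetooth.ko)'
SAMPLE_CLEAN='Id Refs Address    Size     Name
 1    1 0xc0400000 9fab28   kernel (/boot/kernel/kernel)
        Contains modules:
                Id Name
                  1 if_lo'

echo "loaded, sysctl=1: $(assess_exposure "$SAMPLE_LOADED" 1)"
echo "loaded, sysctl=0: $(assess_exposure "$SAMPLE_LOADED" 0)"
echo "clean:            $(assess_exposure "$SAMPLE_CLEAN" 1)"

# On a live FreeBSD host:
#   assess_exposure "$(kldstat -v)" "$(sysctl -n security.jail.socket_unixiproute_only)"
```

A result other than not-vulnerable only indicates exposure on the releases listed under "Affected systems"; the script does not check the release or patch level.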

References

FreeBSD Advisory SA-08:13.protosw