Date:      Thu, 4 Sep 2008 00:14:26 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-08:08.nmount
Message-ID:  <alpine.BSF.1.10.0809040012580.74719@fledge.watson.org>
In-Reply-To: <200809032013.m83KDDMv043940@freefall.freebsd.org>
References:  <200809032013.m83KDDMv043940@freefall.freebsd.org>


On Wed, 3 Sep 2008, FreeBSD Security Advisories wrote:

> The mount(2) and nmount(2) system calls are used by various utilities in the 
> base system to graft a file system object on to the file system tree to a 
> given mount point.  It is possible to allow unprivileged users to utilize 
> these system calls by setting the vfs.usermount sysctl(8) variable.

Note that as-shipped by the FreeBSD Project, vfs.usermount is *disabled* in 
FreeBSD.  This may not be the case in rebundled or derived systems, however. 
You can check whether it is enabled using "sysctl vfs.usermount" -- if the 
result is "0" then you should be fine.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> II.  Problem Description
>
> Various user defined input such as mount points, devices, and mount
> options are prepared and passed as arguments to nmount(2) into the
> kernel.  Under certain error conditions, user defined data will be
> copied into a stack allocated buffer stored in the kernel without
> sufficient bounds checking.
>
> III. Impact
>
> If the system is configured to allow unprivileged users to mount file
> systems, it is possible for a local adversary to exploit this
> vulnerability and execute code in the context of the kernel.
>
> IV.  Workaround
>
> It is possible to work around this issue by allowing only privileged
> users to mount file systems by running the following sysctl(8)
> command:
>
> # sysctl vfs.usermount=0
>
> V.   Solution
>
> NOTE WELL: Even with this fix allowing users to mount arbitrary media
> should not be considered safe.  Most of the file systems in FreeBSD
> were not built to safeguard against malicious devices.  While
> such bugs in file systems are fixed when found, a complete audit has
> not been performed on the file system code.
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
> security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>  Path
> -------------------------------------------------------------------------
> RELENG_7
>  src/sys/kern/vfs_mount.c                                     1.265.2.10
> RELENG_7_0
>  src/UPDATING                                              1.507.2.3.2.8
>  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
>  src/sys/kern/vfs_mount.c                                  1.265.2.1.2.2
> -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iD8DBQFIvu2eFdaIBMps37IRAl9BAJ9Jnp+agN06pBkzPDwEnOT83MNd6QCghOFX
> yvNI1gVmhAQ7MXOUvPoLcLk=
> =EsCn
> -----END PGP SIGNATURE-----
>
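
The `sysctl vfs.usermount` check from the reply above, extended to the boot-time configuration, as an added example that is not part of the original message or the advisory: `sysctl vfs.usermount=0` only changes the running kernel, so an assignment in /etc/sysctl.conf can turn user mounts back on at the next boot. The function names are illustrative, and the script assumes /etc/sysctl.conf is the only file that sets the variable.

```shell
#!/bin/sh
# Added example: audit vfs.usermount in the running kernel and in boot config.

# Print the last value a sysctl.conf-style file assigns to vfs.usermount
# (the last assignment wins); print nothing if the file never sets it.
conf_usermount() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' "$1" |
        awk -F= '{ k = $1; v = $2; gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v) }
                 k == "vfs.usermount" { last = v }
                 END { if (last != "") print last }'
}

# Map a value to a verdict: only "0" counts as disabled.
classify() {
    case "$1" in
        0)  echo disabled ;;
        "") echo unset ;;
        *)  echo ENABLED ;;
    esac
}

# audit_usermount RUNTIME_VALUE FILE...
# Returns 1 if user mounts are enabled now or would be after a reboot.
audit_usermount() {
    status=0
    verdict=$(classify "$1")
    echo "running kernel: $verdict"
    if [ "$verdict" = ENABLED ]; then status=1; fi
    shift
    for f in "$@"; do
        verdict=$(classify "$(conf_usermount "$f")")
        echo "$f: $verdict"
        if [ "$verdict" = ENABLED ]; then status=1; fi
    done
    return "$status"
}

# Run the audit only on FreeBSD, where the sysctl exists.
if [ "$(uname -s)" = FreeBSD ]; then
    audit_usermount "$(sysctl -n vfs.usermount)" /etc/sysctl.conf
fi
```

A non-zero return from `audit_usermount` means the workaround is either not applied now or will not survive a reboot.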


