Main Vulnerability Database SB2014111306

SB2014111306 - Information disclosure in FreeBSD

Published: November 13, 2014 Updated: August 9, 2020

Security Bulletin ID SB2014111306

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2014-8476)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The setlogin function in FreeBSD 8.4 through 10.1-RC4 does not initialize the buffer used to store the login name, which allows local users to obtain sensitive information from kernel memory via a call to getlogin, which returns the entire buffer.

Remediation

Install update from vendor's website.

References

http://secunia.com/advisories/61118
http://secunia.com/advisories/62218
http://www.debian.org/security/2014/dsa-3070
https://www.freebsd.org/security/advisories/FreeBSD-SA-14%3A25.setlogin.asc