SB2016101012 - Heap-based Buffer Overflow in FreeBSD
Published: October 10, 2016 Updated: October 11, 2016
Security Bulletin ID
SB2016101012
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Heap-based Buffer Overflow (CVE-ID: N/A)
The vulnerability allows a remote anauthenticated user to execute arbitrary code or trigger DoS conditions on the target system.
The weakness is due to improper input validation by the bspatch utility. By installing or tricking the victim to upload a specially crafted patch file attackers can cause a heap overflow that may lead to system crash. Besides, a malicious user with elevated privileges can trigger arbitrary code execution on the vulnerable system.
Successful exploitation of the vulnerability allows remote attackers to compromise the system completely.
The weakness is due to improper input validation by the bspatch utility. By installing or tricking the victim to upload a specially crafted patch file attackers can cause a heap overflow that may lead to system crash. Besides, a malicious user with elevated privileges can trigger arbitrary code execution on the vulnerable system.
Successful exploitation of the vulnerability allows remote attackers to compromise the system completely.
Remediation
Install update from vendor's website.