Multiple vulnerabilities in NetBSD
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | N/A |
| CWE-ID | CWE-119 CWE-20 CWE-362 CWE-122 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
NetBSD Operating systems & Components / Operating system |
| Vendor | NetBSD Foundation, Inc |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Privilege escalation
EUVDB-ID: #VU8197
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on graphics console.
The vulnerability exists due to a boundary error within WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP ioctls. A local user with access to /dev/ttyE* (is logged in) can read and write arbitrary data to kernel memory.
Successful exploitation of the vulnerability may allow an attacker to gain root access to the affected system.
MitigationUpdate the kernel with one built from source past the fix date.
There are no workarounds besides the obvious not allowing untrusted users
at the console.
Affected source files fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 1.16 1.15.10.1
sys/arch/pmax/ibus/pm.c 1.13 1.12.22.1
sys/dev/hpc/bivideo.c 1.34 1.33.30.1
sys/dev/ic/sti.c 1.19 1.18.20.1
++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 1.13.4.2 1.13.4.1.6.1 1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c 1.12.4.1 1.12.16.1 1.12.8.1
sys/dev/hpc/bivideo.c 1.33.12.1 1.33.24.1 1.33.16.1
sys/dev/ic/sti.c 1.18.2.1 1.18.14.1 1.18.6.1
++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c 1.12.2.1 1.12.16.1 1.12.8.1
sys/arch/pmax/ibus/pm.c 1.11.2.1 1.11.16.1 1.11.8.1
sys/dev/hpc/bivideo.c 1.32.14.1 1.32.22.1 1.32.20.1
sys/dev/ic/sti.c 1.16.8.2 1.16.22.1 1.16.14.1
NetBSD: 6.0 - 7.0.2
External linkshttp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Denial of service
EUVDB-ID: #VU8198
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to trigger kernal panic.
The vulnerability exists due to a missing check in the trap handler. Under certain circumstances, userland can legitimately make the kernel generate a stack fault when executing 'iret'. However, in the trap handler, the appropriate check was missing, and this fault could lead to a panic.
Successful exploitation of the vulnerability may allow an attacker to perform denial of service (DoS) attack.
Mitigation
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-7 netbsd-7-0 netbsd-7-1
---- ---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.288 1.272.4.2 1.272.6.2 1.272.10.2
sys/arch/i386/i386/locore.S
1.146 1.112.4.1 1.112.6.1 1.112.10.1
sys/arch/i386/i386/machdep.c
1.783 1.752.4.1 1.752.8.1 1.752.12.1
sys/arch/amd64/amd64/trap.c
1.96 1.78.4.3 1.78.6.3 1.78.10.3
sys/arch/amd64/amd64/locore.S
1.124 1.76.2.2 1.76.4.2 1.76.8.2
sys/arch/amd64/amd64/machdep.c
1.254 1.211.2.1 1.211.6.1 1.211.10.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.51 1.48.4.1 1.48.8.1 1.48.4.1
FILE netbsd-6 netbsd-6-0 netbsd-6-1
---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.262.8.2 1.262.12.2 1.262.14.2
sys/arch/i386/i386/locore.S
1.95.10.4 1.95.10.2.4.1 1.95.10.3.2.1
sys/arch/i386/i386/machdep.c
1.717.2.8 1.717.2.7.4.1 1.717.2.7.6.1
sys/arch/amd64/amd64/trap.c
1.69.2.3 1.69.2.1.4.2 1.69.2.1.6.2
sys/arch/amd64/amd64/locore.S
1.66.2.2 1.66.2.1.4.1 1.66.2.1.6.1
sys/arch/amd64/amd64/machdep.c
1.175.2.9 1.175.2.7.2.2 1.175.2.8.2.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.39.6.1 1.39.10.1 1.39.12.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/arch/i386/i386/trap.c
# cvs update -d -P -r VERSION sys/arch/i386/i386/locore.S
# cvs update -d -P -r VERSION sys/arch/i386/i386/machdep.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/trap.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/locore.S
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/machdep.c
# cvs update -d -P -r VERSION sys/compat/linux/arch/amd64/linux_machdep.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
NetBSD: 6.0 - 7.0.2
External linkshttp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-005.txt.asc
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Privilege escalation
EUVDB-ID: #VU8199
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition. The same call gate existed on i386 and amd64 that allowed binaries from previous releases to perform syscalls. However, call gates do not automatically disable interrupts when entering the target function. Therefore, there was a condition where the kernel would be executed with userland registers loaded and interrupts enabled, which breaks a certain number of assumptions in the i386 and amd64 implementations. On i386 this can lead to a panic, and on amd64 to a privilege escalation.
Mitigation
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-7 netbsd-7-0 netbsd-7-1
---- ---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.288 1.272.4.2 1.272.6.2 1.272.10.2
sys/arch/i386/i386/locore.S
1.146 1.112.4.1 1.112.6.1 1.112.10.1
sys/arch/i386/i386/machdep.c
1.783 1.752.4.1 1.752.8.1 1.752.12.1
sys/arch/amd64/amd64/trap.c
1.96 1.78.4.3 1.78.6.3 1.78.10.3
sys/arch/amd64/amd64/locore.S
1.124 1.76.2.2 1.76.4.2 1.76.8.2
sys/arch/amd64/amd64/machdep.c
1.254 1.211.2.1 1.211.6.1 1.211.10.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.51 1.48.4.1 1.48.8.1 1.48.4.1
FILE netbsd-6 netbsd-6-0 netbsd-6-1
---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.262.8.2 1.262.12.2 1.262.14.2
sys/arch/i386/i386/locore.S
1.95.10.4 1.95.10.2.4.1 1.95.10.3.2.1
sys/arch/i386/i386/machdep.c
1.717.2.8 1.717.2.7.4.1 1.717.2.7.6.1
sys/arch/amd64/amd64/trap.c
1.69.2.3 1.69.2.1.4.2 1.69.2.1.6.2
sys/arch/amd64/amd64/locore.S
1.66.2.2 1.66.2.1.4.1 1.66.2.1.6.1
sys/arch/amd64/amd64/machdep.c
1.175.2.9 1.175.2.7.2.2 1.175.2.8.2.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.39.6.1 1.39.10.1 1.39.12.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/arch/i386/i386/trap.c
# cvs update -d -P -r VERSION sys/arch/i386/i386/locore.S
# cvs update -d -P -r VERSION sys/arch/i386/i386/machdep.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/trap.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/locore.S
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/machdep.c
# cvs update -d -P -r VERSION sys/compat/linux/arch/amd64/linux_machdep.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
NetBSD: 6.0 - 7.0.2
External linkshttp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-005.txt.asc
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Privilege escalation
EUVDB-ID: #VU8200
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to missing check in the Linux compatibility layer could allow userland to exploit the Intel Sysret Vulnerability on amd64. A missing check in the trap frame could allow userland to have the kernel execute 'sysret' with a fully-controllable %rip, thereby allowing the exploitation of the Intel Sysret Vulnerability (https://www.cybersecurity-help.cz/vdb/SB2012071201).
Successful exploitation of the vulnerability may allow an attacker to gain root access to the affected system.
Mitigation
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-7 netbsd-7-0 netbsd-7-1
---- ---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.288 1.272.4.2 1.272.6.2 1.272.10.2
sys/arch/i386/i386/locore.S
1.146 1.112.4.1 1.112.6.1 1.112.10.1
sys/arch/i386/i386/machdep.c
1.783 1.752.4.1 1.752.8.1 1.752.12.1
sys/arch/amd64/amd64/trap.c
1.96 1.78.4.3 1.78.6.3 1.78.10.3
sys/arch/amd64/amd64/locore.S
1.124 1.76.2.2 1.76.4.2 1.76.8.2
sys/arch/amd64/amd64/machdep.c
1.254 1.211.2.1 1.211.6.1 1.211.10.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.51 1.48.4.1 1.48.8.1 1.48.4.1
FILE netbsd-6 netbsd-6-0 netbsd-6-1
---- -------- ---------- ----------
sys/arch/i386/i386/trap.c
1.262.8.2 1.262.12.2 1.262.14.2
sys/arch/i386/i386/locore.S
1.95.10.4 1.95.10.2.4.1 1.95.10.3.2.1
sys/arch/i386/i386/machdep.c
1.717.2.8 1.717.2.7.4.1 1.717.2.7.6.1
sys/arch/amd64/amd64/trap.c
1.69.2.3 1.69.2.1.4.2 1.69.2.1.6.2
sys/arch/amd64/amd64/locore.S
1.66.2.2 1.66.2.1.4.1 1.66.2.1.6.1
sys/arch/amd64/amd64/machdep.c
1.175.2.9 1.175.2.7.2.2 1.175.2.8.2.1
sys/compat/linux/arch/amd64/linux_machdep.c
1.39.6.1 1.39.10.1 1.39.12.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/arch/i386/i386/trap.c
# cvs update -d -P -r VERSION sys/arch/i386/i386/locore.S
# cvs update -d -P -r VERSION sys/arch/i386/i386/machdep.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/trap.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/locore.S
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/machdep.c
# cvs update -d -P -r VERSION sys/compat/linux/arch/amd64/linux_machdep.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
NetBSD: 6.0 - 7.0.2
External linkshttp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-005.txt.asc
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Privilege escalation
EUVDB-ID: #VU8201
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to Vnode reference leak in the openat system call. When calling the openat system call using a file descriptor that does not name a directory as the starting point for path lookup, a reference to the underlying vnode is taken temporarily and then not released when the error is discovered. Performing such a call often enough results in overflowing the internal reference count and corrupting the kernel heap.
Successful exploitation of the vulnerability may allow an attacker to gain root access to the affected system.
MitigationThe fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-8 netbsd-7 netbsd-7-1 netbsd-7-0
---- ---- -------- -------- ---------- ----------
sys/kern/vfs_lookup.c
1.208 1.207.2.1 1.201.4.1 1.201.12.1 1.201.8.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/kern/vfs_lookup.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
NetBSD: 6.0 - 7.0.2
External linkshttp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-006.txt.asc
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
