SB2017090901 - Multiple vulnerabilities in NetBSD


Published: September 9, 2017

Security Bulletin ID: SB2017090901
Severity: Low
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Privilege escalation (CVE-ID: N/A)

The vulnerability allows a local user to escalate privileges via the graphics console.

The vulnerability exists due to a boundary error within the WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP ioctls. A local user with access to /dev/ttyE* (i.e. any logged-in user) can read and write arbitrary kernel memory.

Successful exploitation of the vulnerability may allow an attacker to gain root access to the affected system.
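The colormap ioctls above fail because the request's index and count are not validated against the size of the map before kernel memory is touched. The following C model is an added illustration, not NetBSD's wsdisplay source: it shows the weak form next to the hardened form, with the range check written so that a huge count cannot wrap the arithmetic. The struct layouts, function names and the 256-entry map size are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model (assumed layout, not NetBSD code): a 256-entry
 * colormap held in kernel memory, followed by other kernel data that a
 * copy running past the map would clobber. */
#define CMAP_ENTRIES 256u

struct cmap_state {
    uint8_t red[CMAP_ENTRIES];
    uint8_t green[CMAP_ENTRIES];
    uint8_t blue[CMAP_ENTRIES];
    uint8_t other_kernel_data[64]; /* stands in for whatever follows the map */
};

/* Request as a GETCMAP/PUTCMAP-style ioctl would receive it from userland.
 * The three pointers are assumed to be already copied-in user buffers. */
struct cmap_request {
    unsigned int index;        /* first entry to read or write */
    unsigned int count;        /* number of entries */
    uint8_t *red, *green, *blue;
};

/* The check that was missing: the requested range must lie entirely inside
 * the map. Written as a subtraction so that a huge count cannot wrap
 * index + count back below CMAP_ENTRIES. */
int cmap_range_ok(unsigned int index, unsigned int count)
{
    return index < CMAP_ENTRIES && count <= CMAP_ENTRIES - index;
}

/* Weak form: trusts index and count from the caller, so an out-of-range
 * request writes past the map. Only ever call it with a validated range. */
int putcmap_unchecked(struct cmap_state *st, const struct cmap_request *rq)
{
    memcpy(&st->red[rq->index], rq->red, rq->count);
    memcpy(&st->green[rq->index], rq->green, rq->count);
    memcpy(&st->blue[rq->index], rq->blue, rq->count);
    return 0;
}

/* Hardened form: validate before touching kernel memory. */
int putcmap_checked(struct cmap_state *st, const struct cmap_request *rq)
{
    if (!cmap_range_ok(rq->index, rq->count))
        return EINVAL;
    return putcmap_unchecked(st, rq); /* safe once the range is validated */
}

/* GET direction: the same check prevents reading what lies beyond the map. */
int getcmap_checked(const struct cmap_state *st, struct cmap_request *rq)
{
    if (!cmap_range_ok(rq->index, rq->count))
        return EINVAL;
    memcpy(rq->red, &st->red[rq->index], rq->count);
    memcpy(rq->green, &st->green[rq->index], rq->count);
    memcpy(rq->blue, &st->blue[rq->index], rq->count);
    return 0;
}

/* Driver: builds a constructed request and returns the result of the
 * hardened PUT path for the given index/count. */
int demo_putcmap(unsigned int index, unsigned int count)
{
    static struct cmap_state st;
    static uint8_t buf[CMAP_ENTRIES];
    struct cmap_request rq = { index, count, buf, buf, buf };

    memset(buf, 0xAB, sizeof buf);
    return putcmap_checked(&st, &rq);
}

int main(void)
{
    /* full map is accepted; one entry past the end is rejected */
    return (demo_putcmap(0, CMAP_ENTRIES) == 0 &&
            demo_putcmap(1, CMAP_ENTRIES) == EINVAL) ? 0 : 1;
}
```

The two-part check in cmap_range_ok is the important detail: a naive `index + count <= CMAP_ENTRIES` passes for a count close to UINT_MAX because the sum wraps, whereas checking the index first and then comparing count against the remaining room cannot overflow.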


2) Denial of service (CVE-ID: N/A)

The vulnerability allows a local user to trigger a kernel panic.

The vulnerability exists due to a missing check in the trap handler. Under certain circumstances, userland can legitimately make the kernel generate a stack fault when executing 'iret'. However, the appropriate check was missing in the trap handler, and this fault could lead to a panic.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.


3) Privilege escalation (CVE-ID: N/A)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition. A call gate existed on both i386 and amd64 that allowed binaries from previous releases to perform syscalls. However, call gates do not automatically disable interrupts when entering the target function, so there was a window in which the kernel executed with userland registers loaded and interrupts enabled, which breaks a number of assumptions in the i386 and amd64 implementations. On i386 this can lead to a panic, and on amd64 to a privilege escalation.


4) Privilege escalation (CVE-ID: N/A)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a missing check in the Linux compatibility layer that could allow userland to exploit the Intel Sysret Vulnerability on amd64. A missing check on the trap frame could allow userland to have the kernel execute 'sysret' with a fully controllable %rip, thereby allowing exploitation of the Intel Sysret Vulnerability (https://www.cybersecurity-help.cz/vdb/SB2012071201).

Successful exploitation of the vulnerability may allow an attacker to gain root access to the affected system.


5) Privilege escalation (CVE-ID: N/A)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a vnode reference leak in the openat system call. When openat is called with a file descriptor that does not name a directory as the starting point for path lookup, a reference to the underlying vnode is taken temporarily and then not released when the error is discovered. Performing such a call often enough overflows the internal reference count and corrupts the kernel heap.

Successful exploitation of the vulnerability may allow an attacker to gain root access to the affected system.
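The defect above is an unbalanced reference on an error path: a vref() with no matching vrele() when the starting descriptor turns out not to be a directory. The C model below is an added illustration, not NetBSD's VFS code: it places the leaky form beside the fixed form and counts references over repeated failed calls, so the drift (and the eventual wrap of an unsigned counter) is visible. The vnode layout, the vref/vrele helpers and the function names are assumptions for the example.

```c
#include <errno.h>
#include <limits.h>

/* Illustrative model (assumed layout, not NetBSD code): a vnode with a use
 * count, and a simplified openat()-style lookup that holds a reference on
 * the starting directory's vnode for the duration of the call. */
struct vnode {
    unsigned int v_usecount;   /* references held; 0 means free */
    int          v_isdir;      /* 1 if this vnode is a directory */
};

static void vref(struct vnode *vp)  { vp->v_usecount++; }
static void vrele(struct vnode *vp) { vp->v_usecount--; }

/* Leaky form: the ENOTDIR path returns without releasing the reference
 * taken a few lines earlier, so every failed call leaves the count one
 * higher than before. */
int openat_lookup_leaky(struct vnode *dvp)
{
    vref(dvp);
    if (!dvp->v_isdir)
        return ENOTDIR;        /* reference taken above is never dropped */
    /* ... path lookup relative to dvp would happen here ... */
    vrele(dvp);
    return 0;
}

/* Fixed form: a single exit path that always balances the vref(). */
int openat_lookup_fixed(struct vnode *dvp)
{
    int error = 0;

    vref(dvp);
    if (!dvp->v_isdir) {
        error = ENOTDIR;
        goto out;
    }
    /* ... path lookup relative to dvp would happen here ... */
out:
    vrele(dvp);
    return error;
}

/* Runs `calls` lookups against a constructed non-directory vnode whose
 * count starts at `initial`, and returns the count afterwards. With the
 * leaky version the count climbs by one per call; near UINT_MAX it wraps
 * to zero, which is the point at which a later vrele() would free a vnode
 * that is still in use. */
unsigned int usecount_after(int (*lookup)(struct vnode *),
                            unsigned int initial, unsigned int calls)
{
    struct vnode v = { initial, 0 };
    unsigned int i;

    for (i = 0; i < calls; i++)
        (void)lookup(&v);
    return v.v_usecount;
}

int main(void)
{
    /* leaky: 1 -> 1001 after 1000 failed calls; fixed: stays at 1 */
    return (usecount_after(openat_lookup_leaky, 1, 1000) == 1001 &&
            usecount_after(openat_lookup_fixed, 1, 1000) == 1) ? 0 : 1;
}
```

The fixed form is the usual kernel idiom for this class of bug: acquire once, funnel every failure through one label, release once. A reviewer checking an error path can then verify a single vref/vrele pair instead of auditing each early return.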


Remediation

Install the update from the vendor's website.