Multiple vulnerabilities in NetBSD



Published: 2018-04-10
Risk: Medium
Patch available: YES
Number of vulnerabilities: 6
CVE-ID: N/A
CWE-ID: CWE-264, CWE-416, CWE-401, CWE-415, CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: NetBSD (Operating systems & Components / Operating system)
Vendor: NetBSD Foundation, Inc

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Privilege escalation

EUVDB-ID: #VU11625

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to a mistake in the Xen-amd64 port of NetBSD, where iopl was unintentionally set to ring3. A local attacker can gain elevated privileges and read from and write to the CPU's I/O ports.

Mitigation

Install update from vendor's website.

Vulnerable software versions

NetBSD: 6.0 - 7.1.1

External links

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-005.txt.asc


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free error

EUVDB-ID: #VU11634

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to several possible use-after-free errors in the MPLS code. A remote attacker can trigger memory corruption and cause the system to panic.

Mitigation

Install update from vendor's website.

Vulnerable software versions

NetBSD: 6.0 - 7.1.1

External links

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory leak

EUVDB-ID: #VU11635

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a memory leak in the IPv6-NBR entry point. A remote attacker can trigger memory corruption and cause the kernel to run out of memory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

NetBSD: 6.0 - 7.1.1

External links

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Double free error

EUVDB-ID: #VU11636

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a double-free bug in the Pim6 (IPv6 multicast) entry point. A remote attacker can trigger memory corruption and cause the kernel to panic.

Mitigation

Install update from vendor's website.

Vulnerable software versions

NetBSD: 6.0 - 7.1.1

External links

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU11638

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists because two sysctls wrongfully allowed IPv4 source-routed packets to be accepted by the kernel. A remote attacker can send specially crafted source-routed packets and cause the kernel to panic.

Mitigation

Install update from vendor's website.

Vulnerable software versions

NetBSD: 6.0 - 7.1.1

External links

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU11639

Risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a signedness bug in NetBSD's implementation of the PF firewall. A remote attacker can send a specially crafted TCP-SYN packet while PF has a configuration of the type "pass in [...] tcp [...] modulate state", trigger an out-of-bounds read and cause the system to crash.
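To see whether a host's ruleset uses the configuration type named above, the rules can be listed with a small shell function. This is an added example, not part of the bulletin or of NetBSD's tooling; the function names and the sample ruleset are constructed, macros are not expanded, and included files are not followed.

```shell
#!/bin/sh
# Added example, not from the bulletin: find pf.conf rules of the form
# "pass in ... tcp ... modulate state".
# Assumptions: macros (e.g. $tcp_services) are not expanded and anchors or
# included files are not followed, so review those by hand.

# Reads pf.conf text on stdin; prints "<first line number>: <rule>".
find_modulate_rules() {
    awk '
    {
        line = $0
        sub(/#.*$/, "", line)                 # strip comments
        if (buf == "") start = NR             # rule begins on this line
        if (line ~ /\\[ \t]*$/) {             # backslash continuation
            sub(/\\[ \t]*$/, " ", line)
            buf = buf line
            next
        }
        rule = buf line
        buf = ""
        gsub(/[ \t]+/, " ", rule)             # normalise whitespace
        sub(/^ /, "", rule)
        sub(/ $/, "", rule)
        if (rule ~ /^pass in( |$)/ &&
            rule ~ /(^|[ {,])tcp([ },]|$)/ &&
            rule ~ / modulate state( |$)/)
            printf "%d: %s\n", start, rule
    }'
}

# Constructed sample ruleset (not taken from any real host).
sample_pf_conf() {
    cat <<'EOF'
ext_if = "wm0"
# pass in proto tcp modulate state   (commented out)
block in all
pass out on $ext_if proto tcp all modulate state
pass in on $ext_if proto tcp from any to any port 22 modulate state
pass in on $ext_if proto { tcp, udp } \
    to port 53 modulate state
pass in on $ext_if proto tcp to port 80 keep state
EOF
}

sample_pf_conf | find_modulate_rules
```

On a real system, feed the ruleset file to the function instead of the sample, for example `find_modulate_rules < /etc/pf.conf`.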

Mitigation

Install update from vendor's website.

Vulnerable software versions

NetBSD: 6.0 - 7.1.1

External links

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2018-006.txt.asc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
