Multiple vulnerabilities in FreeBSD



Published: 2021-03-02
Risk: Medium
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2020-25582, CVE-2020-25581, CVE-2020-25580
CWE-ID: CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: FreeBSD (Operating systems & Components / Operating system)
Vendor: FreeBSD Foundation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51108

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25582

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local privileged user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions. A process with superuser privileges running inside a jail could change the root directory outside of the jail, thereby gaining full read and write access to all files and directories in the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

FreeBSD: 11.0 - 13.0

External links

http://www.freebsd.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51107

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25581

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper management of internal resources within the jail_remove(2) system call implementation. A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process may be able to exploit the window during which a devfs filesystem is mounted but the jail's devfs ruleset has not been applied, to access device nodes which are ordinarily inaccessible. If the process is privileged, it may be able to escape the jail and gain full access to the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

FreeBSD: 11.0 - 13.0

External links

http://www.freebsd.org/security/advisories/FreeBSD-SA-21:04.jail_remove.asc


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU51106

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25580

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a regression in the login.access(5) rule processor, which causes rules to fail in certain cases, so that deny access rules can be ignored. An attacker can bypass the defined access policy and gain unauthorized access to the system, even when the system is configured to deny it.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

FreeBSD: 11.0 - 13.0

External links

http://www.freebsd.org/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
