Permissions, Privileges, and Access Controls in FreeBSD - CVE-2020-25580

 

Permissions, Privileges, and Access Controls in FreeBSD - CVE-2020-25580

Published: March 2, 2021


Vulnerability identifier: #VU51106
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-25580
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FreeBSD Foundation
Affected software:
FreeBSD

Detailed vulnerability description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to regression in login.access(5) rule processor, which triggered the rules to be failed in certain cases and deny access rules can be ignored. An attacker can bypass defined access policy and gain unauthorized access to the system, even when the system is configured to deny it.


How to mitigate CVE-2020-25580

Install updates from vendor's website.

Sources