Main Vulnerability Database Vulnerabilities #VU8199

Privilege escalation in NetBSD - #VU8199

Published: September 9, 2017

Vulnerability identifier: #VU8199

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-362

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: NetBSD Foundation, Inc

Affected software:
NetBSD

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition. The same call gate existed on i386 and amd64 that allowed binaries from previous releases to perform syscalls. However, call gates do not automatically disable interrupts when entering the target function. Therefore, there was a condition where the kernel would be executed with userland registers loaded and interrupts enabled, which breaks a certain number of assumptions in the i386 and amd64 implementations. On i386 this can lead to a panic, and on amd64 to a privilege escalation.

Remediation

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

ARCH     with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below

File versions containing the fixes:

FILE     HEAD     netbsd-7     netbsd-7-0     netbsd-7-1
----     ----     --------     ----------     ----------
sys/arch/i386/i386/trap.c
          1.288    1.272.4.2    1.272.6.2      1.272.10.2
sys/arch/i386/i386/locore.S
          1.146    1.112.4.1    1.112.6.1      1.112.10.1
sys/arch/i386/i386/machdep.c
          1.783    1.752.4.1    1.752.8.1      1.752.12.1
sys/arch/amd64/amd64/trap.c
          1.96     1.78.4.3     1.78.6.3       1.78.10.3
sys/arch/amd64/amd64/locore.S
          1.124    1.76.2.2     1.76.4.2       1.76.8.2
sys/arch/amd64/amd64/machdep.c
          1.254    1.211.2.1    1.211.6.1      1.211.10.1
sys/compat/linux/arch/amd64/linux_machdep.c
          1.51     1.48.4.1     1.48.8.1       1.48.4.1

FILE              netbsd-6     netbsd-6-0     netbsd-6-1
----              --------     ----------     ----------
sys/arch/i386/i386/trap.c
                   1.262.8.2    1.262.12.2     1.262.14.2
sys/arch/i386/i386/locore.S
                   1.95.10.4    1.95.10.2.4.1 1.95.10.3.2.1
sys/arch/i386/i386/machdep.c
                   1.717.2.8    1.717.2.7.4.1 1.717.2.7.6.1
sys/arch/amd64/amd64/trap.c
                   1.69.2.3     1.69.2.1.4.2   1.69.2.1.6.2
sys/arch/amd64/amd64/locore.S
                   1.66.2.2     1.66.2.1.4.1   1.66.2.1.6.1
sys/arch/amd64/amd64/machdep.c
                   1.175.2.9    1.175.2.7.2.2 1.175.2.8.2.1
sys/compat/linux/arch/amd64/linux_machdep.c
                   1.39.6.1     1.39.10.1      1.39.12.1

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update -d -P -r VERSION sys/arch/i386/i386/trap.c
# cvs update -d -P -r VERSION sys/arch/i386/i386/locore.S
# cvs update -d -P -r VERSION sys/arch/i386/i386/machdep.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/trap.c
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/locore.S
# cvs update -d -P -r VERSION sys/arch/amd64/amd64/machdep.c
# cvs update -d -P -r VERSION sys/compat/linux/arch/amd64/linux_machdep.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now

Sources

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-005.txt.asc

Privilege escalation in NetBSD - #VU8199

Detailed vulnerability description

Remediation

Sources

Please verify you're human