#VU42344 Information disclosure in FreeBSD - CVE-2013-6832

Cybersecurity Help s.r.o.

Published: 2013-11-21 | Updated: 2020-08-10

Vulnerability identifier: #VU42344

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-6832

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FreeBSD
Operating systems & Components / Operating system

Vendor: FreeBSD Foundation

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The nand_ioctl function in sys/dev/nand/nand_geom.c in the nand driver in the kernel in FreeBSD 10 and earlier does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted ioctl call.

Mitigation
Install update from vendor's website.

Vulnerable software versions

FreeBSD: 0.4_1 - 9.2

External links
https://archives.neohapsis.com/archives/fulldisclosure/2013-11/0106.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in FreeBSD