#VU42345 Input validation error in FreeBSD - CVE-2013-6833

Cybersecurity Help s.r.o.

Published: 2013-11-21 | Updated: 2020-08-10

Vulnerability identifier: #VU42345

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-6833

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FreeBSD
Operating systems & Components / Operating system

Vendor: FreeBSD Foundation

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The qls_eioctl function in sys/dev/qlxge/qls_ioctl.c in the kernel in FreeBSD 10 and earlier does not validate a certain size parameter, which allows local users to obtain sensitive information from kernel memory via a crafted ioctl call.

Mitigation
Install update from vendor's website.

Vulnerable software versions

FreeBSD: 0.4_1 - 9.2

External links
https://archives.neohapsis.com/archives/fulldisclosure/2013-11/0107.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in FreeBSD