#VU8197 Privilege escalation in NetBSD

Cybersecurity Help s.r.o.

Published: 2017-09-09

Vulnerability identifier: #VU8197

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
NetBSD
Operating systems & Components / Operating system

Vendor: NetBSD Foundation, Inc

Description

The vulnerability allows a local user to escalate privileges on graphics console.

The vulnerability exists due to a boundary error within WSDISPLAYIO_GETCMAP and WSDISPLAYIO_PUTCMAP ioctls. A local user with access to /dev/ttyE* (is logged in) can read and write arbitrary data to kernel memory.

Successful exploitation of the vulnerability may allow an attacker to gain root access to the affected system.

Mitigation
Update the kernel with one built from source past the fix date.
There are no workarounds besides the obvious not allowing untrusted users
at the console.

Affected source files fix versions
+++++++++++++++++++++++++++++++++++++ HEAD ++ -8 ++++++++++++++++++++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.16   1.15.10.1
sys/arch/pmax/ibus/pm.c               1.13   1.12.22.1
sys/dev/hpc/bivideo.c                 1.34   1.33.30.1
sys/dev/ic/sti.c                      1.19   1.18.20.1
++++++++++++++++++++++++++++++++++++++ -7 +++++++ -7-1 +++++ -7-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.13.4.2   1.13.4.1.6.1 1.13.4.1.2.1
sys/arch/pmax/ibus/pm.c               1.12.4.1   1.12.16.1 1.12.8.1
sys/dev/hpc/bivideo.c                 1.33.12.1 1.33.24.1 1.33.16.1
sys/dev/ic/sti.c                      1.18.2.1   1.18.14.1 1.18.6.1
++++++++++++++++++++++++++++++++++++++ -6 +++++++ -6-1 +++++ -6-0 +++++++++
sys/arch/ews4800mips/sbd/fb_sbdio.c   1.12.2.1   1.12.16.1 1.12.8.1
sys/arch/pmax/ibus/pm.c               1.11.2.1   1.11.16.1 1.11.8.1
sys/dev/hpc/bivideo.c                 1.32.14.1 1.32.22.1 1.32.20.1
sys/dev/ic/sti.c                      1.16.8.2   1.16.22.1 1.16.14.1

Vulnerable software versions

NetBSD: 6.0 - 7.0.2

External links
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2017-004.txt.asc

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in NetBSD