Vulnerability in libnv on FreeBSD and vulnerabilities in Netfilter on Linux

Man

The fix released in early September for a vulnerability in the libnv library turned out to contain a logic error that prevented the vulnerability from being properly addressed, so systems remained open to attack. The libnv library is developed by the FreeBSD project and is used both in the kernel and in base-system applications to process key/value lists and to organize data transfer during interprocess communication. The library is based on the nvlist scheme used in the OpenZFS project, but FreeBSD has its own implementation, so the vulnerability does not affect OpenZFS.

The vulnerability is caused by an integer overflow that results in a buffer allocation smaller than the data block placed into it. The bug can potentially be exploited to escalate privileges by overwriting memory in the kernel and in system processes; for example, libnv is used in libcasper for communication between privileged and unprivileged code. A correct fix for the vulnerability (CVE-2024-45287) is provided in updates 14.1-RELEASE-p5, 14.0-RELEASE-p11, 13.4-RELEASE-p1 and 13.3-RELEASE-p7, as well as in the form of a patch.
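To illustrate the bug class (a size accumulator that wraps, so the buffer allocated for a key/value list is smaller than the data later copied into it), here is an added example. It is constructed for this post and is not libnv's code or its real nvlist encoding: the `kv_entry` layout, the `kv_*` functions and the sample inputs are all hypothetical. The unchecked sizing routine shows the wrap; the checked routine rejects the same input before any allocation, and the pack routine re-verifies each write against the allocation size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration of the bug class: a serialized key/value list is
 * walked once to size an output buffer and again to fill it. If the size
 * accumulator can wrap, the allocation ends up smaller than the data copied
 * into it. This layout (length-prefixed blobs) is hypothetical and is not
 * libnv's real nvlist encoding.
 */
struct kv_entry {
    uint32_t len;                 /* declared length of this entry's payload */
    const unsigned char *payload; /* payload bytes (NULL when never copied) */
};

/* Vulnerable sizing: sums attacker-controlled 32-bit lengths in a 32-bit
 * accumulator. Two entries totalling more than 4 GiB wrap to a tiny value. */
uint32_t kv_total_size_unchecked(const struct kv_entry *e, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += e[i].len;        /* wraps silently */
    return total;
}

/* Hardened sizing: refuses any entry that would push the sum past `limit`
 * before adding it, so the accumulator can never wrap and the caller gets an
 * explicit error instead of a too-small size. */
bool kv_total_size_checked(const struct kv_entry *e, size_t n, size_t limit,
                           size_t *out)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (e[i].len > limit - total)   /* would exceed limit */
            return false;
        total += e[i].len;
    }
    *out = total;
    return true;
}

/* Hardened pack: size with the checked routine, allocate, then copy while
 * re-verifying that every write stays inside the allocation. Returns NULL on
 * rejection or allocation failure; the caller frees the returned buffer. */
unsigned char *kv_pack_checked(const struct kv_entry *e, size_t n, size_t limit,
                               size_t *out_len)
{
    size_t total;
    if (!kv_total_size_checked(e, n, limit, &total))
        return NULL;
    unsigned char *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return NULL;
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (e[i].len > total - off) {  /* never write past the allocation */
            free(buf);
            return NULL;
        }
        memcpy(buf + off, e[i].payload, e[i].len);
        off += e[i].len;
    }
    *out_len = off;
    return buf;
}

/* Constructed malicious input: lengths chosen so their 32-bit sum wraps to 4. */
static const struct kv_entry evil[] = {
    { 0xFFFFFFFCu, NULL },
    { 8u,          (const unsigned char *)"ABCDEFGH" },
};

/* Constructed benign input. */
static const struct kv_entry benign[] = {
    { 3u, (const unsigned char *)"key" },
    { 5u, (const unsigned char *)"value" },
};

int main(void)
{
    size_t sz = 0;
    /* Unchecked sizing yields 4: a 4-byte buffer for more than 4 GiB of data. */
    printf("unchecked size of evil list: %u\n", kv_total_size_unchecked(evil, 2));
    printf("checked sizing accepts evil list: %s\n",
           kv_total_size_checked(evil, 2, (size_t)1 << 20, &sz) ? "yes" : "no");
    unsigned char *p = kv_pack_checked(benign, 2, (size_t)1 << 20, &sz);
    if (p != NULL) {
        printf("packed benign list: %zu bytes\n", sz);
        free(p);
    }
    return 0;
}
```

The point of the `limit - total` comparison is that it is performed before the addition, so the check itself cannot overflow; a check written as `total + len > limit` after the fact has the same wrap problem as the vulnerable code.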

FreeBSD has also fixed a vulnerability (CVE-2024-41721) in the bhyve hypervisor that could potentially allow code execution in a process running on the host system (usually running as root, but confined by a Capsicum-based sandbox) through actions taken inside the guest. The vulnerability is in the XHCI USB controller emulation code and is caused by insufficient buffer bounds checking, which can lead to reads outside the buffer and potentially to writes to arbitrary locations in the process's memory. The attack requires the ability to run privileged code in the guest system. The vulnerability was fixed in FreeBSD 14.1-RELEASE-p5, 14.0-RELEASE-p11, 13.4-RELEASE-p1, and 13.3-RELEASE-p7.

Also worth noting is the publication of working proof-of-concept exploits and write-ups of exploitation techniques for two previously identified Linux kernel vulnerabilities, CVE-2024-26808 and CVE-2024-1085. The issues were fixed in kernel updates 5.10.210, 5.15.149, 6.1.76, 6.6.15, 6.7.3 and 6.8, and have already been fixed in the major distributions (Debian, Ubuntu, RHEL, SUSE, Fedora). The vulnerabilities are use-after-free bugs in the nft_chain_filter and nft_setelem_catchall_deactivate functions of the netfilter subsystem and allow code execution as root. The attack requires access to nftables, which needs only CAP_NET_ADMIN in a user namespace or network namespace, as is available inside isolated containers.

The exploits were prepared by participants in the KernelCTF (Kernel Capture the Flag) initiative, under which Google pays rewards for identifying vulnerabilities in the Linux kernel. Initially the problems were regarded as just two of the many run-of-the-mill potential vulnerabilities in the kernel: for example, the June update of the 5.10 kernel package in Debian fixed, in addition to CVE-2024-26808, another 345 (!) potential vulnerabilities. Every week several dozen kernel bugs that were not previously classed as security issues are flagged as vulnerabilities (last week, for example, 68 were flagged).