140 lines
5.3 KiB
Text
140 lines
5.3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-17:09.shm Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: POSIX shm allows jails to access global namespace
|
|
|
|
Category: core
|
|
Module: shm
|
|
Announced: 2017-11-15
|
|
Credits: Whitewinterwolf
|
|
Affects: FreeBSD 10.x
|
|
Corrected: 2017-11-13 23:21:17 UTC (stable/10, 10.4-STABLE)
|
|
2017-11-15 22:45:50 UTC (releng/10.4, 10.4-RELEASE-p3)
|
|
2017-11-15 22:45:13 UTC (releng/10.3, 10.3-RELEASE-p24)
|
|
CVE Name: CVE-2017-1087
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
POSIX shared memory objects allow realtime inter-process communication by
|
|
sharing a memory area through the use of a named path (see shm_open(2)).
|
|
|
|
This is used by some multi-process applications to share data between running
|
|
processes, such as a common cache or to implement a producer-consumer model
|
|
where several worker processes handle requests pushed by a producer process.
|
|
|
|
II. Problem Description
|
|
|
|
Named paths are globally scoped, meaning a process located in one jail can
|
|
read and modify the content of POSIX shared memory objects created by a
|
|
process in another jail or the host system.
|
|
|
|
III. Impact
|
|
|
|
A malicious user that has access to a jailed system is able to abuse shared
|
|
memory by injecting malicious content in the shared memory region. This
|
|
memory region might be executed by applications trusting the shared memory,
|
|
like Squid.
|
|
|
|
This issue could lead to a Denial of Service or local privilege escalation.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems without jails or jails not having
|
|
local users are not vulnerable.
|
|
|
|
V. Solution
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
Reboot the system for the update to take effect.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
Reboot the system for the update to take effect.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 10.4, FreeBSD 10-STABLE]
|
|
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch.asc
|
|
# gpg --verify shm-10.patch.asc
|
|
|
|
[FreeBSD 10.3]
|
|
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch.asc
|
|
# gpg --verify shm-10.3.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r325783
|
|
releng/10.3/ r325873
|
|
releng/10.4/ r325874
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1087>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:09.shm.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxg1fFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
|
|
RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
|
|
auciExAAhd9IcZrWpAqjKSGQWHrG7wJxrbCyyVVmZeoVQYQCihXJOnp+mhmVoJp5
|
|
zvyjIBG23F/dR8ukRO/LnqzM2bhCj7OcijlvZboH3L4os8iIeB2Tc6k9YlnFQeij
|
|
wYK0CNnQjECf5S4OIBmQ+irpBYATZKk2EEDdmKDltcauSlIhJIzUedGdmMySOFzl
|
|
jpx3+dHNb+D9v4luOgvF3mVTYPpjYmJ2HIYel3m0XdElW+okM+L4Q5Nt4Krm+DDp
|
|
L0fUG5tqS+a++53mNIGeGiBhomD0zZMJZ8LXe/FAACHPWA0yUMhCVrZTwzVTHhA7
|
|
g5W1prFW3WYui7x1qF2LIA+SnGFTWXRlIhlAA/1n94Jl6shHnV6guZbzLAX0zk/C
|
|
6WFydhrYhmPXd3o5uWz+oQQHXQCcHeGrNc+fmPKg/bpkyJvgfLc6YaY2gEQmfIrI
|
|
3w/xqhN8mWVVhpHsHK+Wcz44T9uGH4NlYeDYy3TJ1ECri28fbxufAzr8hgbNRDtw
|
|
B8YTijrPUSjwKBG815oO5JsOmHVCkCkIRx7nW72bHIs8ralXX563HK3RPjlFzr2G
|
|
tzk9DF2w2TUQlgzS4wbZk9lXmlgvV0vRzsz+7jcJe1K+ZgyweNg+QIVet3BvobIA
|
|
zeiRFfZuhH3ExNoJKqfZhBtOiePD0JR6JnkhvjEJm1NoHvoDOAQ=
|
|
=epmQ
|
|
-----END PGP SIGNATURE-----
|