128 lines
4.7 KiB
Text
128 lines
4.7 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-20:06.if_ixl_ioctl Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Insufficient ixl(4) ioctl(2) privilege checking
|
|
|
|
Category: core
|
|
Module: ixl(4)
|
|
Announced: 2020-03-19
|
|
Credits: Ilja Van Sprundel
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2020-01-10 18:31:59 UTC (stable/12, 12.1-STABLE)
|
|
2020-03-19 16:49:32 UTC (releng/12.1, 12.1-RELEASE-p3)
|
|
CVE Name: CVE-2019-15877
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The primary interface used for network driver configuration is ioctl(2).
|
|
Several ioctl(2) commands are reserved for driver-specific purposes. For
|
|
instance, a driver may use one of these ioctls to implement an interface for
|
|
updating device firmware.
|
|
|
|
II. Problem Description
|
|
|
|
The driver-specific ioctl(2) command handlers in ixl(4) failed to check
|
|
whether the caller has sufficient privileges to perform the corresponding
|
|
operation.
|
|
|
|
III. Impact
|
|
|
|
The ixl(4) handler permits unprivileged users to trigger updates to the
|
|
device's non-volatile memory (NVM).
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available. Systems that do not contain devices driven by
|
|
ixl(4) are unaffected.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date,
|
|
and reboot.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Rebooting for a security update"
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:06/if_ixl_ioctl.patch.asc
|
|
# gpg --verify if_ixl_ioctl.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r356606
|
|
releng/12.1/ r359140
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15877>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:06.if_ixl_ioctl.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cIyvg/+Myq/m3iP2V8tluOVxVmXOEn9qULYfSEM8thr7N+EZpepK45KMkVeBMp5
|
|
gGvd8XEbZyS1RSu+Knr3+yU+jQTFeVg/52QJ8fcTbH5r+5fcO0eJw9I0hwoJBAM+
|
|
Fp7mTtON6PUCIlaXcwmFQfQ4l1iPee2qCsn7ia02dBFZXvHq6fT6tplSagtJj8Fd
|
|
xOBvnlf8obrvC+TswIKydCREaGAIRKTa0yMzh0Ml435gmCYMrGTe2NtjNKM9sgw8
|
|
N0Y5QHuV59kiM3mYc5I7uLux1wUIlO6rdZ2lOsbuWNcW40q9IE1Gve9kjhmha8Ls
|
|
h7BW3VPLM8gxwrgJNygxSRtremDYfQZNoeONqRKd0C2H5EVT4vZfPRI4VxziNGU7
|
|
US0VJwm7x/bET/zbVS5YIsGwqyn9kVjBRpv+eRN4CNmEoZugB/ZJn7lRhZ9cdsTG
|
|
fDM/ULk7UMPrap8ltr0hcYvLYzOmsR1K+oxqmWLzO2+FpnoUrAmWaInptbBuOaSj
|
|
tbmRc97wpR7LJcrmAo3rHvHdbwzY9jsQk1X1Y4LAKAr114S36m3HqwX5mhv91/ZR
|
|
oXOiDYCvFlf8BBQo5BMFDlSfft1Nd8iwAEumHmo+hFFs/yVwJlwwyt2tVwpT3V3Z
|
|
py6szSTnDzjslb/JGYI8ujpHNuJrfdWRmJUrXzqreKbiYA5pWGo=
|
|
=MmYl
|
|
-----END PGP SIGNATURE-----
|