FreeBSD Security Advisory FreeBSD-SA-08:08.nmount
Robert Watson
rwatson at FreeBSD.org
Wed Sep 3 23:14:27 UTC 2008
On Wed, 3 Sep 2008, FreeBSD Security Advisories wrote:
> The mount(2) and nmount(2) system calls are used by various utilities in the
> base system to graft a file system object on to the file system tree to a
> given mount point. It is possible to allow unprivileged users to utilize
> these system calls by setting the vfs.usermount sysctl(8) variable.
Note that as-shipped by the FreeBSD Project, vfs.usermount is *disabled* in
FreeBSD. This may not be the case in rebundled or derived systems, however.
You can check whether it is enabled using "sysctl vfs.usermount" -- if the
result is "0" then you should be fine.
Robert N M Watson
Computer Laboratory
University of Cambridge
>
> II. Problem Description
>
> Various user defined input such as mount points, devices, and mount
> options are prepared and passed as arguments to nmount(2) into the
> kernel. Under certain error conditions, user defined data will be
> copied into a stack allocated buffer stored in the kernel without
> sufficient bounds checking.
>
> III. Impact
>
> If the system is configured to allow unprivileged users to mount file
> systems, it is possible for a local adversary to exploit this
> vulnerability and execute code in the context of the kernel.
>
> IV. Workaround
>
> It is possible to work around this issue by allowing only privileged
> users to mount file systems by running the following sysctl(8)
> command:
>
> # sysctl vfs.usermount=0
>
> V. Solution
>
> NOTE WELL: Even with this fix allowing users to mount arbitrary media
> should not be considered safe. Most of the file systems in FreeBSD
> were not built to safeguard against malicious devices. While
> such bugs in file systems are fixed when found, a complete audit has
> not been performed on the file system code.
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
> security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
> # fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_7
>   src/sys/kern/vfs_mount.c                                      1.265.2.10
> RELENG_7_0
>   src/UPDATING                                               1.507.2.3.2.8
>   src/sys/conf/newvers.sh                                     1.72.2.5.2.8
>   src/sys/kern/vfs_mount.c                                   1.265.2.1.2.2
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc
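The "sysctl vfs.usermount" check and the "sysctl vfs.usermount=0" workaround above both act on the running value only. As an added example (not part of the advisory or of the reply), the sh functions below also look in /etc/sysctl.conf for a setting that would turn vfs.usermount back on at the next boot. The function names and status labels are invented for this example, and the file is assumed to hold plain name=value lines.

```sh
#!/bin/sh
# Added example: audit vfs.usermount, the precondition named in the advisory.
# Function names and status labels are hypothetical.

# Print the value a sysctl.conf-style file would apply to vfs.usermount at
# boot, or nothing if the file does not set it. The file is applied top to
# bottom, so the last assignment wins. Assumes plain name=value lines.
usermount_boot_value() {
    conf=$1
    [ -r "$conf" ] || return 0
    sed -e 's/#.*//' "$conf" | awk -F= '
        { key = $1; val = $2
          gsub(/[ \t]/, "", key); gsub(/[ \t"]/, "", val)
          if (key == "vfs.usermount") last = val }
        END { if (last != "") print last }'
}

# Classify the host from the running value and the boot-time value.
# Prints one of: enabled, enabled-at-boot, disabled, unknown.
usermount_status() {
    running=$1   # output of: sysctl -n vfs.usermount
    boot=$2      # output of: usermount_boot_value
    case $running in
        0) ;;                                  # off now, check boot config
        ''|*[!0-9]*) echo unknown; return 0 ;; # sysctl missing or odd output
        *) echo enabled; return 0 ;;           # unprivileged mounts allowed
    esac
    case $boot in
        ''|0) echo disabled ;;
        *) echo enabled-at-boot ;;             # workaround lost on reboot
    esac
}

# Query the running kernel and the boot configuration together.
audit_usermount() {
    conf=${1:-/etc/sysctl.conf}
    running=$(sysctl -n vfs.usermount 2>/dev/null) || running=''
    usermount_status "$running" "$(usermount_boot_value "$conf")"
}

# On a FreeBSD host, after loading these functions:
#   audit_usermount                  (reads /etc/sysctl.conf)
#   audit_usermount /path/to/file    (reads another sysctl.conf-style file)
```

A result of "enabled-at-boot" means the runtime workaround is in place but the configuration file will undo it after a reboot.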