The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


FreeBSD Security Advisory FreeBSD-SA-04:12.jailroute


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Mon,  7 Jun 2004 23:06:13 +0200 (CEST)
From: FreeBSD Security Advisories <security-advisories@freebsd.org.>
To: Bugtraq <bugtraq@securityfocus.com.>
Subject: FreeBSD Security Advisory FreeBSD-SA-04:12.jailroute

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


FreeBSD-SA-04:12.jailroute Security Advisory The FreeBSD Project Topic: Jailed processes can manipulate host routing tables Category: core Module: kernel Announced: 2004-06-07 Credits: Pawel Malachowski Affects: All FreeBSD 4.x releases prior to 4.10-RELEASE Corrected: 2004-04-06 20:11:53 UTC (RELENG_4) 2004-06-07 17:44:44 UTC (RELENG_4_9, 4.9-RELEASE-p10) 2004-06-07 17:42:42 UTC (RELENG_4_8, 4.8-RELEASE-p23) CVE Name: CAN-2004-0125 FreeBSD only: YES For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>;. I. Background The jail(2) system call allows a system administrator to lock up a process and all its descendants inside a closed environment with very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more stringent than, the traditional Unix chroot(2) system call. The FreeBSD kernel maintains internal routing tables for the purpose of determining which interface should be used to transmit packets. These routing tables can be manipulated by user processes running with superuser privileges by sending messages over a routing socket. II. Problem Description A programming error resulting in a failure to verify that an attempt to manipulate routing tables originated from a non-jailed process. III. Impact Jailed processes running with superuser privileges could modify host routing tables. This could result in a variety of consequences including packets being sent via an incorrect network interface and packets being discarded entirely. IV. Workaround No workaround is available. V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4.10-RELEASE, or to the RELENG_4_8 or RELENG_4_9 security branch dated after the correction date. OR 2) Patch your present system: The following patch has been verified to apply to the FreeBSD 4.8 and 4.9 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html>; and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/sys/net/rtsock.c 1.44.2.13 RELENG_4_9 src/UPDATING 1.73.2.89.2.11 src/sys/conf/newvers.sh 1.44.2.32.2.11 src/sys/net/rtsock.c 1.44.2.11.4.1 RELENG_4_8 src/UPDATING 1.73.2.80.2.26 src/sys/conf/newvers.sh 1.44.2.29.2.24 src/sys/net/rtsock.c 1.44.2.11.2.1 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAxNfYFdaIBMps37IRAiU4AJ91d4MhEjkRL0PBddb/tuZoUsgh5QCgmRhN Xfy0St57y/HuS9TuQ2akEYI= =Tucm -----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру