All supported versions of FreeBSD are affected by various security bugs that need to be applied ASAP. If the process is privileged, it may escape jail and gain full access to the FreeBSD system. Similarly, when using Xen, a malicious or buggy frontend driver may be able to cause resource leaks. Let us see what and how to fix these security vulnerabilities on FreeBSD.
FreeBSD version 10/11/12 and 13 have a new jail, Xen, and .pam_login_access security-related problems. The excellent news is fixed are released. Let us see the details.
FreeBSD jail, xen, and .pam_login_access security fixes released
The configuration in login.access file may not be applied on FreeBSD. In other words, pam config permitting login access to users even when the system is configured to deny it.
Race condition in jail
A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process may be able to exploit the window during which a devfs filesystem is mounted but the jail’s devfs ruleset has not been applied, to access device nodes which are ordinarily inaccessible. If the process is privileged, it may be able to escape the jail and gain full access to the system.
Gaining full access outside jail
A process with superuser privileges running inside a jail could change the root directory outside of the jail, thereby gaining full read and writing access to all files and directories in the system.
Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host domain)
A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding back-end driver.
How to apply fix on FreeBSD
We need to upgrade our vulnerable system to a supported FreeBSD stable or release and security branch dated after the correction date and reboot the system.
$ uname -mrs
Apply FreeBSD jail, xen, and .pam_login_access security fixes
If your systems running a RELEASE version of FreeBSD, type:
$ sudo freebsd-update fetch
Password: src component not installed, skipped Looking up update.FreeBSD.org mirrors... 3 mirrors found. Fetching metadata signature for 12.2-RELEASE from update1.freebsd.org... done. Fetching metadata index... done. Fetching 2 metadata patches.. done. Applying metadata patches... done. Inspecting system... done. Preparing to download files... done. Fetching 17 patches.....10... done. Applying patches... done. Fetching 1 files... done. The following files will be removed as part of updating to 12.2-RELEASE-p4: /etc/ssl/certs/2c543cd1.0 /etc/ssl/certs/2e4eed3c.0 /etc/ssl/certs/480720ec.0 /etc/ssl/certs/7d0b38bd.0 ..... .. .... /usr/share/man/man2/jail.2.gz /usr/share/man/man2/jail_attach.2.gz /usr/share/man/man2/jail_get.2.gz /usr/share/man/man2/jail_remove.2.gz /usr/share/man/man2/jail_set.2.gz
Reboot the FreeBSD box, run:
$ sudo reboot
$ sudo shutdown -r +30min "Rebooting FreeBSD production box for a security update. Please save all work."
After reboot verify FreeBSD version:
Sample outputs from patched systems:
See how to applying security updates using pkg/freebsd-update on FreeBSD for more information.
Fixing these bugs and security issues under FreeBSD is essential. I patched all my FreeBSD 12.x boxes. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit the FreeBSD website.
🐧 2 comments so far... add one ↓
|Category||List of Unix and Linux commands|
|Disk space analyzers||df • ncdu • pydf|
|File Management||cat • tree|
|Firewall||Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04|
|Network Utilities||NetHogs • dig • host • ip • nmap|
|OpenVPN||CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04|
|Package Manager||apk • apt|
|Processes Management||bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time|
|Searching||grep • whereis • which|
|User Information||groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w|
|WireGuard VPN||Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04|