FreeBSD jail, xen, and .pam_login_access security fixes released

All supported versions of FreeBSD are affected by several security bugs, and the fixes need to be applied as soon as possible. A privileged process running inside a jail may escape the jail and gain full access to the FreeBSD system. Similarly, when using Xen, a malicious or buggy frontend driver may be able to cause resource leaks. Let us see what these security vulnerabilities are and how to fix them on FreeBSD.

FreeBSD versions 10, 11, 12 and 13 have new jail, Xen, and .pam_login_access security-related problems. The good news is that fixes have been released. Let us see the details.

FreeBSD jail, xen, and .pam_login_access security fixes released

The configuration in the login.access file may not be applied on FreeBSD. In other words, the PAM configuration permits login access to users even when the system is configured to deny it.

Race condition in jail

A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process may be able to exploit the window during which a devfs filesystem is mounted but the jail’s devfs ruleset has not been applied, to access device nodes which are ordinarily inaccessible. If the process is privileged, it may be able to escape the jail and gain full access to the system.

Gaining full access outside jail

A process with superuser privileges running inside a jail could change its root directory to one outside of the jail, thereby gaining full read and write access to all files and directories on the system.

Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host domain)

A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding back-end driver.

How to apply fix on FreeBSD

We need to upgrade the vulnerable system to a supported FreeBSD stable or release/security branch dated after the correction date, and then reboot the system.

Find FreeBSD Version and Patch Level Number

Run:
$ uname -mrs
$ freebsd-version

12.2-RELEASE-p3

Apply FreeBSD jail, xen, and .pam_login_access security fixes

If your system is running a RELEASE version of FreeBSD, type:
$ sudo freebsd-update fetch
Session:

Password:
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 17 patches.....10... done.
Applying patches... done.
Fetching 1 files...  done.
The following files will be removed as part of updating to
12.2-RELEASE-p4:
/etc/ssl/certs/2c543cd1.0
/etc/ssl/certs/2e4eed3c.0
/etc/ssl/certs/480720ec.0
/etc/ssl/certs/7d0b38bd.0
.....
..
....
/usr/share/man/man2/jail.2.gz
/usr/share/man/man2/jail_attach.2.gz
/usr/share/man/man2/jail_get.2.gz
/usr/share/man/man2/jail_remove.2.gz
/usr/share/man/man2/jail_set.2.gz

Install the fetched patches (fetch only downloads them), then reboot the FreeBSD box:
$ sudo freebsd-update install
$ sudo reboot
OR
$ sudo shutdown -r +30min "Rebooting FreeBSD production box for a security update. Please save all work."

Verification

After the reboot, verify the FreeBSD version:
$ freebsd-version
Sample output from a patched system:

12.2-RELEASE-p4
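A common failure mode here is a box where freebsd-update install has run but the reboot has not happened yet: userland and the installed kernel report p4 while the running kernel is still p3, so the jail fix is not live. The POSIX sh script below is an added example (not from the original post) that compares all three values freebsd-version can report against the fixed patch level; the version strings at the bottom are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a FreeBSD box
# still needs the jail/Xen/pam_login_access fix, which landed in 12.2-RELEASE-p4.
# Version strings used at the bottom are constructed sample values.

# Numeric patch level of a string such as "12.2-RELEASE-p3";
# a string without "-pN" (a fresh 12.2-RELEASE) counts as level 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *) echo 0 ;;
    esac
}

# Strip the patch level, leaving "12.2-RELEASE", so branches can be compared.
base_release() {
    echo "${1%-p[0-9]*}"
}

# Succeeds when $1 is on branch $2 at patch level >= $3.
is_patched() {
    [ "$(base_release "$1")" = "$2" ] || return 1
    [ "$(patch_level "$1")" -ge "$3" ]
}

# freebsd-update install moves the installed kernel (-k) and userland (-u)
# to p4, but the running kernel (-r) stays at the old level until reboot,
# so all three values that freebsd-version reports must be checked.
check_system() {
    running="$1" installed="$2" userland="$3" fixed_base="$4" fixed_p="$5"
    status=0
    for pair in "running-kernel:$running" "installed-kernel:$installed" "userland:$userland"; do
        name="${pair%%:*}" ver="${pair#*:}"
        if is_patched "$ver" "$fixed_base" "$fixed_p"; then
            echo "$name $ver: patched"
        else
            echo "$name $ver: NOT patched (need ${fixed_base}-p${fixed_p})"
            status=1
        fi
    done
    return $status
}

# Constructed sample: patches installed but the box not yet rebooted.
# On a real host use: check_system "$(freebsd-version -r)" "$(freebsd-version -k)" \
#     "$(freebsd-version -u)" 12.2-RELEASE 4
check_system 12.2-RELEASE-p3 12.2-RELEASE-p4 12.2-RELEASE-p4 12.2-RELEASE 4 \
    || echo "=> reboot required before the fix is live"
```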

See how to apply security updates using pkg/freebsd-update on FreeBSD for more information.

Summing up

Fixing these bugs and security issues under FreeBSD is essential. I patched all my FreeBSD 12.x boxes. For general information regarding FreeBSD Security Advisories, including descriptions of the advisory fields and security branches, please visit the FreeBSD website.


  • Sciprojgal Feb 27, 2021 @ 10:54

    I have a FreeBSD server running at AWS but rebooting will take down my server for 5 minutes. Is there a way to apply these without rebooting my FreeBSD 12 EC2 server? Please respond.

    • 🐧 Vivek Gite Feb 27, 2021 @ 10:56

      No. You need to reboot the FreeBSD 12 server. There is no other method.
