FreeBSD libkvm could leak sensitive file descriptors and disclose kernel memory
bsd-libkvm-descriptor-leak (10109)
Description:
FreeBSD could allow a local attacker to gain sensitive information, caused by a vulnerability in the kvm(3) library (libkvm). A local attacker could use the asmon, ascpu, bubblemon, wmmon, or wmnet2 FreeBSD Ports Collection application to start other applications and cause these applications to leak /dev/mem and /dev/kmem file descriptors. These applications could then be used by an attacker to read kernel memory, which would allow the attacker to obtain sensitive information. This information could be used to launch further attacks against the affected system and possibly be leveraged to obtain root privileges.
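The leak described above, as an added example (not code from the advisory or from the FreeBSD patch): a descriptor opened without the close-on-exec flag stays usable in any program the process later executes, while one marked FD_CLOEXEC does not. /dev/null stands in for /dev/mem and /dev/kmem so no privilege is needed, and the function names are hypothetical.

```c
/* Added example: descriptor inheritance across exec and the FD_CLOEXEC fix.
 * /dev/null is a constructed stand-in for /dev/mem and /dev/kmem. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Plain read-only open: the descriptor is inherited by exec'd programs. */
int open_leaky(const char *path) { return open(path, O_RDONLY); }

/* Same open, but marked close-on-exec so exec'd programs never see it. */
int open_hardened(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0 && fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork and exec /bin/sh, which tries to duplicate descriptor fd.
 * Returns 1 if the exec'd program could still use fd, 0 if not, -1 on error. */
int survives_exec(int fd)
{
    char cmd[32];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, "true <&%d", fd);
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;    /* 0 means the redirect succeeded */
}

int main(void)
{
    int leaky = open_leaky("/dev/null"), hardened = open_hardened("/dev/null");
    printf("plain open:    inherited=%d\n", survives_exec(leaky));
    printf("close-on-exec: inherited=%d\n", survives_exec(hardened));
    return 0;
}
```

The shell prints a "Bad file descriptor" error for the hardened case, which is the expected sign that the descriptor did not cross the exec boundary.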
Platforms Affected:
- FreeBSD, FreeBSD 4.0
- FreeBSD, FreeBSD 4.1
- FreeBSD, FreeBSD 4.2
- FreeBSD, FreeBSD 4.3
- FreeBSD, FreeBSD 4.4
- FreeBSD, FreeBSD 4.5
- FreeBSD, FreeBSD 4.6
- FreeBSD, FreeBSD 4.6.1
- FreeBSD, FreeBSD 4.6.2
Remedy:
For FreeBSD:
Upgrade to the latest version of FreeBSD (4.6-STABLE or later) or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated later than 2002-09-13, as listed in FreeBSD Security Advisory FreeBSD-SA-02:39.libkvm. See References.
—OR—
Apply the appropriate patch for your system, as listed in FreeBSD Security Advisory FreeBSD-SA-02:39.libkvm. See References.
As a workaround, remove the setgid bit on the affected applications.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Obtain Information
References:
- FreeBSD Security Advisory FreeBSD-SA-02:39.libkvm, Applications using libkvm may leak sensitive descriptors at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:39.libkvm.asc.
- iDEFENSE Security Advisory 09.16.2002, FreeBSD Ports libkvm Security Vulnerabilities at http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0115.html (from the Neohapsis archive).
- BID-5714: BubbleMon Kernel Memory File Descriptor Leakage Vulnerability
- BID-5716: ASCPU Kernel Memory File Descriptor Leakage Vulnerability
- BID-5718: WMMon Memory Character File Open File Descriptor Read Vulnerability
- BID-5719: WMNet2 Kernel Memory File Descriptor Leakage Vulnerability
- BID-572: ToxSoft NextFTP Buffer Overflow Vulnerability
- BID-5720: ASMon Kernel Memory File Descriptor Leakage Vulnerability
- CVE-2002-1125: FreeBSD port programs that use libkvm for FreeBSD 4.6.2-RELEASE and earlier, including (1) asmon, (2) ascpu, (3) bubblemon, (4) wmmon, and (5) wmnet2, leave open file descriptors for /dev/mem and /dev/kmem, which allows local users to read kernel memory.
Reported:
Sep 16, 2002
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
