SB2018112804 - Multiple vulnerabilities in FreeBSD




Published: November 28, 2018 Updated: November 30, 2018

Security Bulletin ID: SB2018112804
Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 75%, Low 25%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2018-17157)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when processing malicious input. A remote unauthenticated attacker can trick the victim into loading specially crafted network file system (NFS) content that can trigger a flaw in the FreeBSD NFS server code and cause the target system to crash or potentially execute arbitrary code.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) Improper input validation (CVE-ID: CVE-2018-17158)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when processing malicious input. A remote unauthenticated attacker can trick the victim into loading specially crafted network file system (NFS) content that can trigger a flaw in the FreeBSD NFS server code and cause the target system to crash or potentially execute arbitrary code.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


3) Improper input validation (CVE-ID: CVE-2018-17159)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when processing malicious input. A remote unauthenticated attacker can trick the victim into loading specially crafted network file system (NFS) content that can trigger a flaw in the FreeBSD NFS server code and cause the target system to crash or potentially execute arbitrary code.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


4) Improper input validation (CVE-ID: CVE-2018-17156)

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to incorrect accounting for padding on 64-bit platforms. When a non-standard value is set for the net.inet.icmp.quotelen sysctl, a remote unauthenticated attacker can trigger a buffer underwrite during construction of an ICMP reply packet and cause the target system to crash.
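
A host-side check for the precondition named above, as an added example that is not part of the bulletin or of FreeBSD's own tooling: it reports whether net.inet.icmp.quotelen has a non-standard value in a sysctl.conf-style file or at runtime. It assumes the stock value is 8 and that persistent settings use name=value lines; the function names and sample file are hypothetical.

```shell
#!/bin/sh
# Added example: audit the net.inet.icmp.quotelen precondition for CVE-2018-17156.
# Assumption: the stock FreeBSD value is 8 (not stated in the bulletin).
DEFAULT_QUOTELEN=8

# conf_quotelen FILE: print the last value assigned in a sysctl.conf-style
# file (the last assignment wins), or nothing if it is never set.
conf_quotelen() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*$//' "$1" | awk -F= '
        { gsub(/[ \t"]/, "", $1); gsub(/[ \t"]/, "", $2) }
        $1 == "net.inet.icmp.quotelen" { v = $2 }
        END { if (v != "") print v }'
}

# classify_quotelen VALUE: print unset, standard or non-standard.
classify_quotelen() {
    case "$1" in
        "") echo unset ;;
        "$DEFAULT_QUOTELEN") echo standard ;;
        *) echo non-standard ;;
    esac
}

# audit_quotelen CONF_FILE [RUNTIME_VALUE]
# RUNTIME_VALUE defaults to the live sysctl on the host being audited.
audit_quotelen() {
    conf=$(conf_quotelen "$1")
    run=${2-$(sysctl -n net.inet.icmp.quotelen 2>/dev/null || true)}
    echo "config=$(classify_quotelen "$conf") runtime=$(classify_quotelen "$run")"
}

# Constructed sample: a config file and a runtime value that both set 64.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'net.inet.icmp.quotelen=64' > "$sample"
audit_quotelen "$sample" 64
rm -f "$sample"
```

On a real host, call `audit_quotelen /etc/sysctl.conf` with no second argument so the runtime value is read from the live sysctl.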


Remediation

Install the update from the vendor's website.