SB2024080831 - Multiple vulnerabilities in FreeBSD

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Race condition (CVE-ID: CVE-2024-7589)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to a race condition when calling a not async-signal-safe in openssh. A remote non-authenticated attacker can send specially crafted packets to the system, trigger a race condition and execute arbitrary code as root.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-6760)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a logic error in the ktrace unility, which failed to detach when executing a setuid binary. A local user can gain access to sensitive information.

3) State Issues (CVE-ID: CVE-2024-6640)

The vulnerability allows a remote attacker to bypass pf rules.

The vulnerability exists due to improper handling of ICMPv6 packets with ID=0. If the firewall is configured to block incoming Echo requests, this rule can be bypass by sending an ICMPv6 packet with identifier value of zero.

4) Path traversal (CVE-ID: CVE-2024-6759)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing file names with path separator character (e.g. "/"). A remote user can trick the application to read or write data outside of the NFS mount.

Remediation

Install update from vendor's website.

References

• https://www.freebsd.org/security/advisories/FreeBSD-SA-24:08.openssh.asc
• https://www.freebsd.org/security/advisories/FreeBSD-SA-24:06.ktrace.asc
• https://www.freebsd.org/security/advisories/FreeBSD-SA-24:05.pf.asc
• https://www.freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc