7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
5.3%
The FreeBSD operating system does not adequately clear signal handlers subsequent to a process calling exec() on a setuid program. This vulnerability can allow a local attacker to execute arbitrary code as root.
The unix fork() function’s purpose is to create a new process from an existing process. The new process is called the child process, and the existing process is called the parent. When a process forks, it inherits the parent’s signal handling settings. The unix exec() function’s purpose is to replace the current process image with a new process image. After this has occured, the kernel should clear the signal handlers because they are no longer valid. Because the FreeBSD operating system does not adequately clear signal handlers subsequent to a process calling exec(), an attacker can execute arbitrary code as root.
An local attacker may be able to execute arbitrary code as root.
Apply a patch from your vendor or upgrade your operating system to FreeBSD 4.3-STABLE.
943633
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: July 02, 2001 Updated: September 14, 2001
Affected
Please see <ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.v1.1.asc>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23943633 Feedback>).
Updated: October 04, 2001
Not Affected
We did check both unicos and unicos/mk and cray is not vulnerable. On an exec() system call, all registered signals are reset to their defaults.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23943633 Feedback>).
Notified: September 14, 2001 Updated: September 21, 2001
Not Affected
HP is not vulnerable. Our source code shows that we reset registers, any caught signals, etc., to the default (sig_dfl) on exec. Only pending signals and siginfos, but not the disposition to receive queued signals, are preserved across an exec.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23943633 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
The CERT Coordination Center thanks Georgi Guninski for discovering this vulnerability and the FreeBSD project for providing a patch to address the vulnerability.
This document was written by Ian A. Finlay.
CVE IDs: | CVE-2001-1180 |
---|---|
Severity Metric: | 29.25 Date Public: |