freebsd FreeBSD 86C89ABF-2D91-11E9-BF3E-A4BADB2F4699
Feb 05, 2019 - 12:00 a.m.

FreeBSD -- File description reference count leak

2019-02-05 00:00:00
vuxml.freebsd.org
CVSS2: 7.2 High
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 8.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.0004 Low
Percentile: 15.9%

Problem Description:

FreeBSD 12.0 attempts to handle the case where the receiving process does not provide a sufficiently large buffer for an incoming control message containing rights. In particular, to avoid leaking the corresponding descriptors into the receiving process' descriptor table, the kernel handles the truncation case by closing descriptors referenced by the discarded message.

The code which performs this operation failed to release a reference obtained on the file corresponding to a received right. This bug can be used to cause the reference counter to wrap around and free the file structure.

Impact:

A local user can exploit the bug to gain root privileges or escape from a jail.

OS       Version  Architecture  Package         Version   Filename
FreeBSD  any      noarch        freebsd-kernel  = 12.0    UNKNOWN
FreeBSD  any      noarch        freebsd-kernel  < 12.0_3  UNKNOWN
