From security-advisories@freebsd.org Wed Jul 20 19:16:11 2005 From: FreeBSD Security Advisories To: Bugtraq Date: Wed, 20 Jul 2005 13:54:26 GMT Subject: FreeBSD Security Advisory FreeBSD-SA-05:17.devfs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:17.devfs Security Advisory The FreeBSD Project Topic: devfs ruleset bypass Category: core Module: devfs Announced: 2005-07-20 Credits: Robert Watson Affects: All FreeBSD 5.x releases Corrected: 2005-07-20 13:35:44 UTC (RELENG_5, 5.4-STABLE) 2005-07-20 13:36:32 UTC (RELENG_5_4, 5.4-RELEASE-p5) 2005-07-20 13:37:27 UTC (RELENG_5_3, 5.3-RELEASE-p19) CVE Name: CAN-2005-2218 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The jail(2) system call allows a system administrator to lock a process and all of its descendants inside an environment with a very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more powerful than, the traditional UNIX chroot(2) system call. The device file system, or devfs(5), provides access to kernel's device namespace in the global file system namespace. This includes access to to system devices such as storage devices, kernel and system memory devices, BPF devices, and serial port devices. Devfs is is generally mounted as /dev. Devfs rulesets allow an administrator to hide certain device nodes; this is most commonly applied to a devfs mounted for use inside a jail, in order to make devices inaccessible to processes within that jail. II. Problem Description Due to insufficient parameter checking of the node type during device creation, any user can expose hidden device nodes on devfs mounted file systems within their jail. Device nodes will be created in the jail with their normal default access permissions. III. Impact Jailed processes can get access to restricted resources on the host system. For jailed processes running with superuser privileges this implies access to all devices on the system. This level of access can lead to information leakage and privilege escalation. IV. Workaround Unmount device file systems mounted inside jails. Note that certain device nodes, such as /dev/null, may be required for some software to function correctly. This can be done by executing the following command as root: umount -A -t devfs Also, remove or comment out any lines in fstab(5) that reference `devfs' and has a mount point within a jail, so that they will not be re-mounted at next reboot. Some device file systems might be busy, including the host's main /dev file system, and processes accessing these must be shut down before the device file system can be unmounted. The hosts main device file system, mounted as /dev, should not be unmounted since it is required for normal system operation. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4, or RELENG_5_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/sys/fs/devfs/devfs_vnops.c 1.73.2.2 RELENG_5_4 src/UPDATING 1.342.2.24.2.14 src/sys/conf/newvers.sh 1.62.2.18.2.10 src/sys/fs/devfs/devfs_vnops.c 1.73.2.1.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.22 src/sys/conf/newvers.sh 1.62.2.15.2.24 src/sys/fs/devfs/devfs_vnops.c 1.73.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2218 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:17.devfs.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFC3lYgFdaIBMps37IRAldmAJ458s06z3gkHNjn04R2Rq8XXwRKiQCffeJP m9n3bmuoX0WJvckcdR8EhU4= =2iFe -----END PGP SIGNATURE-----