CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 2CVE-2020-24863
https://notcve.org/view.php?id=CVE-2020-24863
A memory corruption vulnerability was found in the kernel function kern_getfsstat in MidnightBSD before 1.2.7 and 1.3 through 2020-08-19, and FreeBSD through 11.4, that allows an attacker to trigger an invalid free and crash the system via a crafted size value in conjunction with an invalid mode. Se encontró una vulnerabilidad de corrupción de memoria en la función del kernel kern_getfsstat en MidnightBSD versiones anteriores a 1.2.7 y versiones 1.3 hasta el19-08-2020, y FreeBSD versiones hasta 11.4, que permite a un atacante desencadenar una liberación no válida y bloquear el sistema por medio de un valor de tamaño diseñado en conjunto con un modo no válido • http://www.midnightbsd.org/security/adv/MIDNIGHTBSD-SA-20:01.txt https://github.com/MidnightBSD/src/blob/1691c07ff4f27b97220a5d65e217341e477f4014/sys/kern/vfs_syscalls.c https://www.freebsd.org/security/advisories/FreeBSD-EN-20:18.getfsstat.asc https://www.midnightbsd.org/notes • CWE-787: Out-of-bounds Write •
CVSS: 6.8EPSS: 0%CPEs: 21EXPL: 0CVE-2020-7459
https://notcve.org/view.php?id=CVE-2020-7459
In FreeBSD 12.1-STABLE before r362166, 12.1-RELEASE before p8, 11.4-STABLE before r362167, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, missing length validation code common to mulitple USB network drivers allows a malicious USB device to write beyond the end of an allocated network packet buffer. En FreeBSD versiones 12.1-ESTABLE anteriores a r362166, versiones 12.1-RELEASE anteriores a p8, versiones 11.4-ESTABLE anteriores a r362167, versiones 11.4-RELEASE anteriores a de p2 y versiones 11.3-RELEASE anteriores a p12, una falta de código de comprobación de longitud común en los controladores de red USB múltiples permite a un dispositivo USB malicioso escribir más allá del final de un búfer de paquetes de red asignado • https://security.FreeBSD.org/advisories/FreeBSD-SA-20:21.usb_net.asc https://security.netapp.com/advisory/ntap-20200821-0005 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 21EXPL: 0CVE-2020-7460 – FreeBSD Kernel sendmsg System Call Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-7460
In FreeBSD 12.1-STABLE before r363918, 12.1-RELEASE before p8, 11.4-STABLE before r363919, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, the sendmsg system call in the compat32 subsystem on 64-bit platforms has a time-of-check to time-of-use vulnerability allowing a mailcious userspace program to modify control message headers after they were validation. En FreeBSD versiones 12.1-ESTABLE anteriores a r363918, versiones 12.1-RELEASE anteriores a p8, versiones 11.4-ESTABLE anteriores a r363919, versiones 11.4-RELEASE anteriores a p2 y versiones 11.3-RELEASE anteriores a p12, la llamada al sistema sendmsg en el subsistema compat32 en plataformas de 64 bits presenta una vulnerabilidad de tipo time-of-check to time-of-use permitiendo a un programa de espacio de usuario malicioso modificar encabezados de mensajes de control después de que fueron comprobados This vulnerability allows local attackers to escalate privileges on affected installations of FreeBSD Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of arguments to the sendmsg system call. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. • https://security.FreeBSD.org/advisories/FreeBSD-SA-20:23.sendmsg.asc https://security.netapp.com/advisory/ntap-20200821-0005 https://www.zerodayinitiative.com/advisories/ZDI-20-949 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-7458
https://notcve.org/view.php?id=CVE-2020-7458
In FreeBSD 12.1-STABLE before r362281, 11.4-STABLE before r362281, and 11.4-RELEASE before p1, long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of the heap allocated stack possibly leading to arbitrary code execution. En FreeBSD versiones 12.1-STABLE anteriores a r362281, versiones 11.4-STABLE anteriores a r362281 y versiones 11.4-RELEASE anteriores a p1, los valores largos en la variable de entorno PATH controlada por el usuario causan que la función posix_spawnp escriba más allá del final de la región stack asignada a la región heap de la memoria, conllevando posiblemente a una ejecución de código arbitrario • https://security.FreeBSD.org/advisories/FreeBSD-SA-20:18.posix_spawnp.asc https://security.netapp.com/advisory/ntap-20200724-0002 • CWE-787: Out-of-bounds Write •
CVSS: 8.1EPSS: 39%CPEs: 21EXPL: 1CVE-2020-7457 – FreeBSD ip6_setpktopt Use-After-Free Privilege Escalation
https://notcve.org/view.php?id=CVE-2020-7457
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS socket option set handler contained a race condition allowing a malicious application to modify memory after being freed, possibly resulting in code execution. En FreeBSD versiones 12.1-ESTABLE anteriores a r359565, versiones 12.1-RELEASE anteriores a p7, versiones 11.4-ESTABLE anteriores a r362975, versiones 11.4-RELEASE anteriores a p1 y 11.3-RELEASE anteriores a p11, una falta de sincronización en el manejador del conjunto de opciones del socket IPV6_2292PKTOPTIONS contenía una condición de carrera que permitía una aplicación maliciosa para modificar la memoria después de ser liberada, resultando posiblemente en una ejecución de código • http://packetstormsecurity.com/files/158695/FreeBSD-ip6_setpktopt-Use-After-Free-Privilege-Escalation.html https://security.FreeBSD.org/advisories/FreeBSD-SA-20:20.ipv6.asc https://security.netapp.com/advisory/ntap-20200724-0002 https://hackerone.com/reports/826026 https://bsdsec.net/articles/freebsd-announce-freebsd-security-advisory-freebsd-sa-20-20-ipv6 https://www.freebsd.org/security/patches/SA-20:20/ipv6.patch https://github.com/freebsd/freebsd/blob/master/sys/netinet6/ip6_var.h https:/&# • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free CWE-662: Improper Synchronization •