J-Security Center

Title: Multiple BSD Vendor FireWire IOCTL Local Integer Overflow Vulnerability

Severity: MODERATE

Description:

Multiple BSD operating systems are prone to a local integer-overflow vulnerability. This issue affects the FireWire subsystem.

Specifically, the 'fw_ioctl()' function in the 'fwdev.c' source file in these operating systems fails to properly bounds-check a signed-integer length value prior to its use in a 'copyout()' function call. This allows attackers to trigger an operation that results in excessive kernel memory being copied to a user-space program.

An attacker can exploit this vulnerability to gain access to potentially sensitive kernel memory. Information harvested by exploiting this issue will aid in further attacks.

TrustedBSD, FreeBSD, NetBSD, and DragonFly BSD are all vulnerable to this issue. Specific version information is not currently available.

Update: FreeBSD and possibly other operating systems reportedly allow only members of the 'operators' group and the superuser to issue IOCTL commands against FireWire devices.

Affected Products:

  • DragonFlyBSD DragonFlyBSD 1.0.0
  • DragonFlyBSD DragonFlyBSD 1.1.0
  • DragonFlyBSD DragonFlyBSD 1.2.0
  • FreeBSD FreeBSD -current
  • FreeBSD FreeBSD 1.1.5 .1
  • FreeBSD FreeBSD 2.0.0
  • FreeBSD FreeBSD 2.0.5
  • FreeBSD FreeBSD 2.1.0
  • FreeBSD FreeBSD 2.1.0 x
  • FreeBSD FreeBSD 2.1.5
  • FreeBSD FreeBSD 2.1.6
  • FreeBSD FreeBSD 2.1.6 .1
  • FreeBSD FreeBSD 2.1.7 .1
  • FreeBSD FreeBSD 2.2.0
  • FreeBSD FreeBSD 2.2.0 x
  • FreeBSD FreeBSD 2.2.2
  • FreeBSD FreeBSD 2.2.3
  • FreeBSD FreeBSD 2.2.4
  • FreeBSD FreeBSD 2.2.5
  • FreeBSD FreeBSD 2.2.6
  • FreeBSD FreeBSD 2.2.8
  • FreeBSD FreeBSD 2.x
  • FreeBSD FreeBSD 3.0.0
  • FreeBSD FreeBSD 3.0.0 -RELENG
  • FreeBSD FreeBSD 3.1.0
  • FreeBSD FreeBSD 3.1.0 x
  • FreeBSD FreeBSD 3.2.0
  • FreeBSD FreeBSD 3.2.0 x
  • FreeBSD FreeBSD 3.3.0
  • FreeBSD FreeBSD 3.3.0 x
  • FreeBSD FreeBSD 3.4.0
  • FreeBSD FreeBSD 3.4.0 x
  • FreeBSD FreeBSD 3.5.0
  • FreeBSD FreeBSD 3.5.0 -STABLE
  • FreeBSD FreeBSD 3.5.0 -STABLEpre050201
  • FreeBSD FreeBSD 3.5.0 -STABLEpre122300
  • FreeBSD FreeBSD 3.5.0 x
  • FreeBSD FreeBSD 3.5.1
  • FreeBSD FreeBSD 3.5.1 -RELEASE
  • FreeBSD FreeBSD 3.5.1 -STABLE
  • FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
  • FreeBSD FreeBSD 3.x
  • FreeBSD FreeBSD 4.0.0
  • FreeBSD FreeBSD 4.0.0 -RELENG
  • FreeBSD FreeBSD 4.0.0 .x
  • FreeBSD FreeBSD 4.0.0 alpha
  • FreeBSD FreeBSD 4.1.0
  • FreeBSD FreeBSD 4.1.1
  • FreeBSD FreeBSD 4.1.1 -RELEASE
  • FreeBSD FreeBSD 4.1.1 -STABLE
  • FreeBSD FreeBSD 4.10-PRERELEASE
  • FreeBSD FreeBSD 4.10.0
  • FreeBSD FreeBSD 4.10.0 -RELEASE
  • FreeBSD FreeBSD 4.10.0 -RELEASE-p8
  • FreeBSD FreeBSD 4.10.0 -RELENG
  • FreeBSD FreeBSD 4.11.0 -RELEASE
  • FreeBSD FreeBSD 4.11.0 -RELEASE-p20
  • FreeBSD FreeBSD 4.11.0 -RELEASE-p3
  • FreeBSD FreeBSD 4.11.0 -RELENG
  • FreeBSD FreeBSD 4.11.0 -STABLE
  • FreeBSD FreeBSD 4.2.0
  • FreeBSD FreeBSD 4.2.0 -RELEASE
  • FreeBSD FreeBSD 4.2.0 -STABLE
  • FreeBSD FreeBSD 4.2.0 -STABLEpre050201
  • FreeBSD FreeBSD 4.2.0 -STABLEpre122300
  • FreeBSD FreeBSD 4.3.0
  • FreeBSD FreeBSD 4.3.0 -RELEASE
  • FreeBSD FreeBSD 4.3.0 -RELEASE-p38
  • FreeBSD FreeBSD 4.3.0 -RELENG
  • FreeBSD FreeBSD 4.3.0 -STABLE
  • FreeBSD FreeBSD 4.4.0
  • FreeBSD FreeBSD 4.4.0 -RELEASE-p42
  • FreeBSD FreeBSD 4.4.0 -RELENG
  • FreeBSD FreeBSD 4.4.0 -RELENG
  • FreeBSD FreeBSD 4.4.0 -STABLE
  • FreeBSD FreeBSD 4.5.0
  • FreeBSD FreeBSD 4.5.0 -RELEASE
  • FreeBSD FreeBSD 4.5.0 -RELEASE-p32
  • FreeBSD FreeBSD 4.5.0 -RELENG
  • FreeBSD FreeBSD 4.5.0 -STABLE
  • FreeBSD FreeBSD 4.5.0 -STABLEpre2002-03-07
  • FreeBSD FreeBSD 4.6.0
  • FreeBSD FreeBSD 4.6.0 -RELEASE
  • FreeBSD FreeBSD 4.6.0 -RELEASE-p20
  • FreeBSD FreeBSD 4.6.0 -RELENG
  • FreeBSD FreeBSD 4.6.0 -STABLE
  • FreeBSD FreeBSD 4.6.2
  • FreeBSD FreeBSD 4.7.0
  • FreeBSD FreeBSD 4.7.0 -RELEASE
  • FreeBSD FreeBSD 4.7.0 -RELEASE-p17
  • FreeBSD FreeBSD 4.7.0 -RELENG
  • FreeBSD FreeBSD 4.7.0 -STABLE
  • FreeBSD FreeBSD 4.8.0
  • FreeBSD FreeBSD 4.8.0 -PRERELEASE
  • FreeBSD FreeBSD 4.8.0 -RELEASE-p7
  • FreeBSD FreeBSD 4.8.0 -RELENG
  • FreeBSD FreeBSD 4.9.0
  • FreeBSD FreeBSD 4.9.0 -PRERELEASE
  • FreeBSD FreeBSD 4.9.0 -RELENG
  • FreeBSD FreeBSD 5.0.0
  • FreeBSD FreeBSD 5.0.0 -RELEASE-p14
  • FreeBSD FreeBSD 5.0.0 -RELENG
  • FreeBSD FreeBSD 5.0.0 alpha
  • FreeBSD FreeBSD 5.1.0
  • FreeBSD FreeBSD 5.1.0 -RELEASE
  • FreeBSD FreeBSD 5.1.0 -RELEASE-p5
  • FreeBSD FreeBSD 5.1.0 -RELEASE/Alpha
  • FreeBSD FreeBSD 5.1.0 -RELENG
  • FreeBSD FreeBSD 5.2.0
  • FreeBSD FreeBSD 5.2.0 -RELEASE
  • FreeBSD FreeBSD 5.2.0 -RELENG
  • FreeBSD FreeBSD 5.2.1 -RELEASE
  • FreeBSD FreeBSD 5.3.0
  • FreeBSD FreeBSD 5.3.0 -RELEASE
  • FreeBSD FreeBSD 5.3.0 -RELENG
  • FreeBSD FreeBSD 5.3.0 -STABLE
  • FreeBSD FreeBSD 5.4-STABLE
  • FreeBSD FreeBSD 5.4.0 -PRERELEASE
  • FreeBSD FreeBSD 5.4.0 -RELEASE
  • FreeBSD FreeBSD 5.4.0 -RELENG
  • FreeBSD FreeBSD 5.5.0 -RELEASE
  • FreeBSD FreeBSD 5.5.0 -STABLE
  • FreeBSD FreeBSD 6.0 -RELEASE-p5
  • FreeBSD FreeBSD 6.0.0 -RELEASE
  • FreeBSD FreeBSD 6.0.0 -STABLE
  • FreeBSD FreeBSD 6.1 -RELEASE
  • FreeBSD FreeBSD 6.1 -RELEASE-p10
  • FreeBSD FreeBSD 6.1 -STABLE
  • MidnightBSD MidnightBSD 0.1
  • NetBSD NetBSD 4,0_Beta
  • NetBSD NetBSD 4.0
  • NetBSD NetBSD Current
  • TrustedBSD TrustedBSD

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.