FreeBSD : FreeBSD -- Kernel memory disclosure in control messages and SCTP (7240de58-6007-11e6-a6c3-14dae9d210b8)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The buffer between the control message header and its data (the
alignment padding that CMSG_DATA() skips over) may not be completely
initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have
implicit padding that may not be completely initialized before being
copied to userland. In addition, three SCTP notifications,
SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and
SCTP_AUTHENTICATION_EVENT, have padding in the returned data
structure that may not be completely initialized before being copied
to userland. [CVE-2014-3953]

Impact :

An unprivileged local process may be able to retrieve a portion of
kernel memory.

For the generic control message, the process may be able to retrieve a
maximum of 4 bytes of kernel memory.
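The 4-byte figure comes from the layout of the generic control message: on 64-bit FreeBSD struct cmsghdr is 12 bytes, but CMSG_DATA() starts at the next 8-byte boundary, leaving 4 bytes of padding that recvmsg() copies to userland whether or not the kernel wrote them. The following probe is an added example, not part of the Tenable plugin or the FreeBSD advisory. It assumes an AF_UNIX socketpair and an SCM_RIGHTS message (the sender passes a descriptor to itself); the receive buffer is pre-filled with a sentinel so that "kernel zeroed the padding" (the patched behaviour), "kernel never touched it" and "kernel copied something else there" can be told apart. On Linux/amd64 struct cmsghdr is already 16 bytes, so the gap is 0 and the probe reports nothing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Bytes between the end of struct cmsghdr and CMSG_DATA(): 4 on 64-bit
 * FreeBSD (12-byte header aligned to 16), 0 on Linux/amd64 (16-byte header). */
size_t cmsg_header_padding(void)
{
    return CMSG_LEN(0) - sizeof(struct cmsghdr);
}

#define SENTINEL 0xAA   /* value the receive buffer is pre-filled with */

struct pad_probe {
    size_t pad_bytes;      /* size of the gap that was inspected */
    size_t sentinel_bytes; /* still SENTINEL: kernel never wrote them */
    size_t zero_bytes;     /* zeroed by the kernel (patched behaviour) */
    size_t other_bytes;    /* anything else: copied from kernel memory */
};

/* Send one SCM_RIGHTS cmsg over a socketpair, receive it into a
 * sentinel-filled buffer and classify each byte of the header padding.
 * Returns 0 on success, -1 if a socket call failed. */
int probe_scm_rights_padding(struct pad_probe *out)
{
    int sv[2], fd, rfd;
    char payload = 'x';
    struct iovec iov = { .iov_base = &payload, .iov_len = sizeof payload };
    union { struct cmsghdr hdr; unsigned char buf[CMSG_SPACE(sizeof(int))]; } sctl, rctl;
    struct msghdr smsg, rmsg;
    struct cmsghdr *cm;
    const unsigned char *gap, *data;
    size_t i;

    memset(out, 0, sizeof *out);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    /* Sender: pass sv[0] itself; any valid descriptor will do. */
    memset(&sctl, 0, sizeof sctl);
    memset(&smsg, 0, sizeof smsg);
    smsg.msg_iov = &iov;
    smsg.msg_iovlen = 1;
    smsg.msg_control = sctl.buf;
    smsg.msg_controllen = sizeof sctl.buf;
    cm = CMSG_FIRSTHDR(&smsg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    fd = sv[0];
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);
    if (sendmsg(sv[0], &smsg, 0) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }

    /* Receiver: sentinel-fill first, then let the kernel overwrite. */
    memset(&rctl, SENTINEL, sizeof rctl);
    memset(&rmsg, 0, sizeof rmsg);
    rmsg.msg_iov = &iov;
    rmsg.msg_iovlen = 1;
    rmsg.msg_control = rctl.buf;
    rmsg.msg_controllen = sizeof rctl.buf;
    if (recvmsg(sv[1], &rmsg, 0) < 0 || (cm = CMSG_FIRSTHDR(&rmsg)) == NULL) {
        close(sv[0]); close(sv[1]);
        return -1;
    }

    gap  = (const unsigned char *)cm + sizeof(struct cmsghdr);
    data = CMSG_DATA(cm);
    out->pad_bytes = (size_t)(data - gap);
    for (i = 0; i < out->pad_bytes; i++) {
        if (gap[i] == SENTINEL)      out->sentinel_bytes++;
        else if (gap[i] == 0)        out->zero_bytes++;
        else                         out->other_bytes++;
    }

    /* Close the descriptor the kernel installed for us, then the pair. */
    if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS &&
        cm->cmsg_len >= CMSG_LEN(sizeof(int))) {
        memcpy(&rfd, data, sizeof rfd);
        close(rfd);
    }
    close(sv[0]); close(sv[1]);
    return 0;
}

int main(void)
{
    struct pad_probe p;
    if (probe_scm_rights_padding(&p) < 0) {
        perror("probe");
        return 1;
    }
    printf("padding=%zu untouched=%zu zeroed=%zu from-kernel-memory=%zu\n",
           p.pad_bytes, p.sentinel_bytes, p.zero_bytes, p.other_bytes);
    return p.other_bytes != 0;   /* non-zero exit means the padding carried kernel data */
}
```

On a patched FreeBSD kernel the run should report padding=4 with all four bytes zeroed; a non-zero from-kernel-memory count on an unpatched host is the disclosure the advisory describes. A single run only samples one message, so repeat the probe a few times before drawing a conclusion.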

For SCTP, the process may be able to retrieve 2 bytes of kernel memory
for each of the three control messages, plus 92 bytes for SCTP_SNDRCV
and 76 bytes for SCTP_EXTRCV. If the local process is permitted to
receive SCTP notifications, a maximum of 112 bytes of kernel memory
may be returned to userland.

This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way. For example, a terminal buffer
might include a user-entered password.

See also :

http://www.nessus.org/u?a27906e2

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.9
(CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 92906

Bugtraq ID: 68466
68467

CVE ID: CVE-2014-3952
CVE-2014-3953
