Programming issue allows attacker to execute arbitrary code

Dec 12, 2014 10:50 GMT

A vulnerability in the open source FreeBSD operating system has been fixed, closing a bug that could let an attacker execute arbitrary code in an affected program.

The bug was discovered by security researchers at Norse, a company focused on gathering live attack intelligence, and was reported privately to the FreeBSD security team.

An advisory (FreeBSD-SA-14:27.stdio) was issued on Wednesday; it lists all supported FreeBSD versions, 10.1 included, as affected and announces patched releases.

Tracked as CVE-2014-8611, the vulnerability is a programming error in the standard I/O (stdio) library's __sflush() function, the routine that writes a stream's buffered data out to its file descriptor. When the underlying write(2) system call fails, the function still adjusts the buffered stream's internal bookkeeping, the pointer and counter that describe how much of the buffer is in use; in the advisory's words, the state is modified “even when no ‘write’ actually occurred in a case where a ‘write(2)’ system call returns an error.”

A program that does not check the stream's error status and keeps writing lets this mismatch between the bookkeeping and the buffer's real contents accumulate with every failed flush; it eventually produces a heap buffer overflow, which may be used for data corruption or for running arbitrary code at the privilege level of the calling program.
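To make that "accounting mismatch" concrete, here is a small C model of the stdio write-buffer bookkeeping. It is added to this article and is not code from FreeBSD's libc or from Norse: `struct mfile`, `mf_write`, `mf_flush`, `mf_putc` and `scenario` are the example's own names, the buffer size and the failing-write scenario are constructed, and the corrected variant is the example's own consistency fix, not the exact patch FreeBSD shipped. The flush mirrors the shape of __sflush(): the buffer pointer and the room counter are reset before the write, and when the write fails the unsent bytes are put back. In the vulnerable variant only the pointer is restored, so the room counter still claims a whole free buffer; a caller that ignores the EOF and keeps writing then stores past the end, and every further failed flush widens the gap.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of BSD stdio's write-side buffer accounting, for this
 * example only (not libc code).  p, w and base stand for FILE's _p (next free
 * byte), _w (room the library believes is left) and _bf._base. */
#define BUFSZ 8      /* modelled buffer size (_bf._size) */
#define GUARD 32     /* bytes after it, standing in for neighbouring heap data */

struct mfile {
    unsigned char base[BUFSZ + GUARD];
    unsigned char *p;   /* next free byte */
    int w;              /* room left, as the library believes it */
    int fail_writes;    /* when set, the modelled write(2) fails with EAGAIN */
    int oob_stores;     /* stores that landed in GUARD, i.e. past the buffer */
};

/* Stand-in for write(2): accepts everything, or keeps failing with EAGAIN
 * (a non-blocking descriptor whose peer stopped reading, say). */
static int mf_write(struct mfile *fp, const unsigned char *buf, int n)
{
    (void)buf;
    if (fp->fail_writes) {
        errno = EAGAIN;
        return -1;
    }
    return n;
}

/* __sflush()-style flush; p and w are reset for the next fill before writing,
 * as in libc.  On a failed write the vulnerable variant moves p back over the
 * unsent bytes but leaves w claiming the whole buffer is free, so p and w
 * disagree.  The corrected variant charges the kept bytes to w as well (the
 * example's own correction; FreeBSD's change is in the advisory's patch). */
static int mf_flush(struct mfile *fp, int vulnerable)
{
    unsigned char *p = fp->base;
    int n = fp->p - p;      /* bytes waiting in the buffer */
    int t;

    fp->p = p;
    fp->w = BUFSZ;
    for (; n > 0; n -= t, p += t) {
        t = mf_write(fp, p, n);
        if (t <= 0) {
            if (p > fp->p)            /* partial write: keep the remainder */
                memmove(fp->p, p, n);
            fp->p += n;               /* unsent bytes stay buffered ... */
            if (!vulnerable)
                fp->w -= n;           /* ... and must come out of the room */
            return EOF;               /* libc also raises __SERR here */
        }
    }
    return 0;
}

/* putc(3)-style store: trusts w, flushes when it reaches zero and, like
 * __swbuf(), gives up without storing when that flush fails. */
static int mf_putc(struct mfile *fp, unsigned char c, int vulnerable)
{
    if (fp->w <= 0 && mf_flush(fp, vulnerable) != 0)
        return EOF;
    fp->w--;
    if (fp->p >= fp->base + BUFSZ + GUARD)       /* keep the model in bounds */
        return EOF;
    fp->oob_stores += fp->p >= fp->base + BUFSZ; /* real FILE: heap corruption */
    *fp->p++ = c;
    return c;
}

/* Buffer six bytes, then twice: flush while the descriptor refuses writes,
 * ignore the EOF (the advisory's caller that "does not check for stream
 * status") and write eight more bytes.  Returns how many stores escaped the
 * buffer: 14 with the vulnerable accounting, 0 with the corrected one. */
static int scenario(int vulnerable)
{
    struct mfile f = {{0}};
    int i, round;
    f.p = f.base;
    f.w = BUFSZ;
    for (i = 0; i < 6; i++)
        (void)mf_putc(&f, 'a', vulnerable);
    f.fail_writes = 1;
    for (round = 0; round < 2; round++) {
        (void)mf_flush(&f, vulnerable);
        for (i = 0; i < 8; i++)
            (void)mf_putc(&f, 'b', vulnerable);
    }
    return f.oob_stores;
}

int main(void)
{
    printf("vulnerable accounting: %d stores past the buffer\n", scenario(1));
    printf("corrected accounting:  %d stores past the buffer\n", scenario(0));
    return 0;
}
```

The model counts the out-of-bounds stores instead of performing them on real heap memory; in a live process they land on whatever the allocator placed after the FILE buffer, which is what turns the bug from lost data into a memory-corruption primitive. Note that the number grows between the two rounds: the second failed flush re-applies the faulty adjustment to an already inflated pointer, which is the accumulation the advisory describes.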

No workaround is available for the issue, but Adrian Chadd and Alfred Perlstein, researchers at Norse, wrote a patch and submitted it to the FreeBSD project for release.

“Norse is committed to responsible disclosure and supporting open source software, and this is a great example of developers working with and improving an open source project, with full support of their employer,” said Tim O’Brien, Director of Security Threat Intelligence for Norse.

FreeBSD is widely used on servers, desktops and embedded platforms (web appliances, routers, time servers, wireless access points).

The only remedy is to update: on a RELEASE branch, fetch and install the binary patch with freebsd-update(8); otherwise apply the source patch and rebuild the system from the patched source tree. The advisory gives the steps for each approach. Because the fix lives in libc, processes that were already running keep the old copy mapped until they are restarted, and programs linked statically against libc carry their own copy and remain vulnerable until they are relinked.