In FreeBSD 12.0-STABLE before r350222, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350223, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, rights transmitted over a domain socket did not properly release a reference on transmission error allowing a malicious user to cause the reference counter to wrap, forcing a free event. This could allow a malicious local user to gain root privileges or escape from a jail.
Weakness
The product does not release or incorrectly releases a resource before it is made available for re-use.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 11.0 (including) | 11.0 (including) |
| Freebsd | Freebsd | 11.2 (including) | 11.2 (including) |
| Freebsd | Freebsd | 11.3 (including) | 11.3 (including) |
| Freebsd | Freebsd | 12.0 (including) | 12.0 (including) |
Potential Mitigations
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/125.html
- https://cwe.mitre.org/data/definitions/130.html
- https://cwe.mitre.org/data/definitions/131.html
- https://cwe.mitre.org/data/definitions/494.html
- https://cwe.mitre.org/data/definitions/495.html
- https://cwe.mitre.org/data/definitions/496.html
- https://cwe.mitre.org/data/definitions/666.html
References
- http://packetstormsecurity.com/files/153755/FreeBSD-Security-Advisory-FreeBSD-SA-19-17.fd.html
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc
- https://security.netapp.com/advisory/ntap-20190814-0003/
- http://packetstormsecurity.com/files/153755/FreeBSD-Security-Advisory-FreeBSD-SA-19-17.fd.html
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc
- https://security.netapp.com/advisory/ntap-20190814-0003/