FreeBSD : FreeBSD-kernel -- SMAP bypass (d1ac6a6a-bea8-11eb-b87a-901b0ef719ab)

Nessus Plugin ID 150002 (severity: high)

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.

Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode.

Impact:

This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?cc11c69a

Plugin Details

Severity: High

ID: 150002

File Name: freebsd_pkg_d1ac6a6abea811ebb87a901b0ef719ab.nasl

Version: 1.4

Type: local

Published: 5/27/2021

Updated: 12/28/2023

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2021-29628

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:freebsd, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/27/2021

Vulnerability Publication Date: 5/27/2021

Reference Information

CVE: CVE-2021-29628

FreeBSD: SA-21:11.smap