FreeBSD : xorg server -- Multiple vulnerabilities (7467c611-b490-11ee-b903-001fc69cd6dc)

critical Nessus Plugin ID 189105

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 7467c611-b490-11ee-b903-001fc69cd6dc advisory.

- The X.Org project reports: Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255 but the X.Org Server was only allocating space for the device's number of buttons, leading to a heap overflow if a bigger value was used. If a device has both a button class and a key class and numButtons is zero, we can get an out-of-bounds write due to event under- allocation in the DeliverStateNotifyEvent function. The XISendDeviceHierarchyEvent() function allocates space to store up to MAXDEVICES (256) xXIHierarchyInfo structures in info.
If a device with a given ID was removed and a new device with the same ID added both in the same operation, the single device ID will lead to two info structures being written to info. Since this case can occur for every device ID at once, a total of two times MAXDEVICES info structures might be written to the allocation, leading to a heap buffer overflow. The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of device in the list, leading to a heap overflow and, possibly, to local privilege escalation.
(CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://lists.x.org/archives/xorg/2024-January/061525.html

http://www.nessus.org/u?3eaf1fee

Plugin Details

Severity: Critical

ID: 189105

File Name: freebsd_pkg_7467c611b49011eeb903001fc69cd6dc.nasl

Version: 1.1

Type: local

Published: 1/17/2024

Updated: 1/29/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-6816

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:xorg-nextserver, p-cpe:/a:freebsd:freebsd:xephyr, p-cpe:/a:freebsd:freebsd:xorg-server, p-cpe:/a:freebsd:freebsd:xwayland, p-cpe:/a:freebsd:freebsd:xorg-vfbserver, cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:xwayland-devel

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 1/16/2024

Vulnerability Publication Date: 1/16/2024

Reference Information

CVE: CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886