Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0480 Insufficient environment sanitization in jail(8) 27 May 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: jail Publisher: FreeBSD Operating System: FreeBSD Impact/Access: Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2010-2022 Original Bulletin: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-10:04.jail.asc - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-10:04.jail Security Advisory The FreeBSD Project Topic: Insufficient environment sanitization in jail(8) Category: core Module: jail Announced: 2010-05-27 Credits: Aaron D. Gifford Affects: FreeBSD 8.0 Corrected: 2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE) 2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3) CVE Name: CVE-2010-2022 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background The jail(2) system call allows a system administrator to lock a process and all of its descendants inside an environment with a very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more powerful than, the traditional UNIX chroot(2) system call. By design, neither the chroot(2) nor the jail(2) system call modify existing open file descriptors of the calling process, in order to allow programmers to make fine grained access control and privilege separation. The jail(8) utility creates a new jail or modifies an existing jail, optionally imprisoning the current process (and future descendants) inside it. II. Problem Description The jail(8) utility does not change the current working directory while imprisoning. The current working directory can be accessed by its descendants. III. Impact Access to arbitrary files may be possible if an attacker managed to obtain the descriptor of the current working directory before the jail call. Such descriptor would be inherited by all descendants of the first process that starts the jail, unless an intermediate process changes the current working directory inside the jail. By default, the FreeBSD /etc/rc.d/jail script, which can be enabled using the jail_* rc.conf(5) variables, is not affected by this issue. This is due to the default jail flags ("-l -U root") used to start a jail as these flags will result in jail(8) performing a chdir(2) call. If the rc.conf(5) variables jail_flags or jail_<jname>_flags has been set, and do not include '-l -U root', the jails are affected by the vulnerability. IV. Workaround Include the "-l -U root" arguments to the jail(8) command when starting the jail. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 8-STABLE, or to the RELENG_8_0 security branch dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to FreeBSD 8.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch # fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.sbin/jail # make obj && make depend && make && make install 3) To update your vulnerable system via a binary patch: Systems running 8.0-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - - ------------------------------------------------------------------------- RELENG_8 src/usr.sbin/jail/jail.c 1.33.2.2 RELENG_8_0 src/UPDATING 1.632.2.7.2.6 src/sys/conf/newvers.sh 1.83.2.6.2.6 src/usr.sbin/jail/jail.c 1.33.2.1.2.2 - - ------------------------------------------------------------------------- Subversion: Branch/path Revision - - ------------------------------------------------------------------------- stable/8/ r208586 releng/8.0/ r208586 - - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2022 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-10:04.jail.asc - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iEYEARECAAYFAkv95RAACgkQFdaIBMps37ImPgCfRS7pcslVSb89JluACMlg8ZBa PmAAn0jq693qHOXK+Z2ljpQdc+EpTTja =9o7h - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFL/flR/iFOrG6YcBERAkXqAJ9kJ5Td2yV67t1wDl9hbsNoES1ZeACfRvOl Tz6El1opsgypYBjUQ3N5vxc= =jFkW -----END PGP SIGNATURE-----