Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1246
Buffer overflow in keyboard driver
18 May 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: atkbd
Publisher: FreeBSD
Operating System: FreeBSD
Impact/Access: Root Compromise -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-1886
Original Bulletin:
https://security.freebsd.org/advisories/FreeBSD-SA-16:18.atkbd.asc
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:18.atkbd Security Advisory
The FreeBSD Project
Topic: Buffer overflow in keyboard driver
Category: core
Module: atkbd
Announced: 2016-05-17
Credits: CTurt and the HardenedBSD team
Affects: All supported versions of FreeBSD.
Corrected: 2016-05-17 22:29:59 UTC (stable/10, 10.3-STABLE)
2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3)
2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17)
2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34)
2016-05-17 22:31:12 UTC (stable/9, 9.3-STABLE)
2016-05-17 22:28:36 UTC (releng/9.3, 9.3-RELEASE-p42)
CVE Name: CVE-2016-1886
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The atkbd(4) driver, together with the atkbdc(4) driver, provides access
to the AT 84 keyboard or the AT enhanced keyboard which is connected to
the AT keyboard controller. The driver is required for the console driver
syscons(4) or vt(4). The driver exposes its own ioctl(2) interface to allow
it to be configured from userland through the kbdcontrol(1) utility.
II. Problem Description
Incorrect signedness comparison in the ioctl(2) handler allows a malicious
local user to overwrite a portion of the kernel memory.
III. Impact
A local user may crash the kernel, read a portion of kernel memory and
execute arbitrary code in kernel context. The result of executing an
arbitrary kernel code is privilege escalation.
IV. Workaround
Disallow keymap changes for non-privileged users:
sysctl hw.kbd.keymap_restrict_change=4
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot is required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot is required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch
# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch.asc
# gpg --verify atkbd.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- - -------------------------------------------------------------------------
stable/9/ r300093
releng/9.3/ r300088
stable/10/ r300091
releng/10.1/ r300085
releng/10.2/ r300086
releng/10.3/ r300087
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cturt.github.io/SETFKEY.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1886>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:18.atkbd.asc>
- -----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXO5z8AAoJEO1n7NZdz2rns0MQAKaUrGjGn0nkFpx/PpiM6SHv
s/Fj/z/qTXTUmimZloiQd9bkMh5wFMymozihVqoQVX2jwzPFm4Cql+Ez8ihTl9YX
s+vMgQA8mUrinebwqXHRY+bZrwbJzsvLhAepL6vrSncPBaXM37smOmVlfjyUySWZ
61L1QPhDZIYSamAMDZFx4qkdv32nWTTaE6OImQOFWY19l2tAxUMrUsTM5zSUfSas
Tq2oP4BUvI58psapMgs38UY1Bjo33E/Gd7n6FS8gUQAX1OspN1wh981oX9GHU+U1
bHY/Ihl+rqlh3Dmxp1JBP8ma2DSLXcuhrywNpE8i/dNQA4sxXXGQyuzVk24QNXbt
cnV7F3nTqBpB9evhNFuHk0Z/z2Lg4cCaId+xSJjX8eWfvfjP8q+c9SblC2LdJg6V
D0Gt0rbUNvSikCLDI/RYY1K5pWdjvtRN6ES+YO+sk2er9Uq/ZPrNj2SfNYguRkTV
Kfwut8aQW5AQ9JTr9YGFxfqEWOzgBWutE3ysWtx6bLoROY4/vUPRBrcVDOmsiiJt
QLPdf/m8VM/NH2lQoSQ44mUXvp+BdclrhM74C7GCc0RGmdEtuoC49esNKtZ+0349
Sm7Tj/3ZWfwN0x+DQnbnDUeRmI5zaU3o4VycmhFcm3eWQ+je8O8aCLKI/iPTKYO7
/OVeNnLKzp5Z7naKeHct
=6GJy
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVzvIgH6ZAP0PgtI9AQLLbg//Sf/1OdJTBO58FEKoXmOC49Dzh0lG8nGu
9NQUzvez+8FkiFhy1hE/OHtqMC9rNxsT7DIg98/CFbRBWel0U3YY48u2oR5zAoqb
uMzNqlevzVm+gOtvqAt4rWRnYsrTGZEUWl56gO15I8ol79FMZSLUg0zmaA8ztJvt
BM5VIFrX/1oflQRXpolGjDQ5qhTKzbPqKZaoPdNel0vtXMHyFuTsvaerZebSobY5
rNuakkvQYE3Kecz5F6q7di9DJfeJZg3arR6Duu1eSc9XtXjaWw4Ask4GBJD+tXsR
RyzaK2hl64rg28H24uS0K3VvyQPfHdXeoVOsKaoQpDvKectSRsXiNAj0euIAQs6e
xWxkXInnXiljIgbs0kp5AVqsZHsm8/gBRNk3slpZ8nYCQPW+8RwnsHY6T0Rb10xh
AWugyy7XiN6nfl4P4g5rKEZ45Hk4nRQori6MjIw35ngCISoVti5Y7BtyCAObHFHn
XUwCDH9cnyB7HsMRd9x5XuNcw1qoKlhKg0QVyAwbEx/0TUMuUDm4yjx/ODDhNBRj
CAZMm5G+GZUwTdi4v5KxAdj9H24ekVI6k1rcjN6sgkc13fil2r9nPB7qBnpdrLUI
TU6kdyqjidOavMgFk+xjhf4juLsUYxoxqYWkRi1ppHg8f9+gQfey5/9qaT2Xb9aY
vT0+D+YjXoU=
=aTDK
-----END PGP SIGNATURE-----