CVE-2005-1399
CVSS 4.6
Published: 2005-05-06 00:00:00
Revised: 2008-09-05 16:49:02

[Original] FreeBSD 4.6 to 4.11 and 5.x to 5.4 uses insecure default permissions for the /dev/iir device, which allows local users to execute restricted ioctl calls to read or modify data on hardware that is controlled by the iir driver.


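[CNNVD] FreeBSD IIR driver incorrect permissions vulnerability (CNNVD-200505-931)

        FreeBSD is a freely available Unix system that runs on Intel platforms.
        The access control implementation of certain FreeBSD device drivers contains a flaw that an attacker may be able to use to obtain memory information without authorization.
        The iir(4) driver supports Intel Integrated RAID controllers and ICP Vortex RAID controllers. The default permissions on the /dev/iir device node allow local unprivileged users to open the device and execute ioctl calls, so an attacker can send commands to the hardware supported by the iir(4) driver, resulting in data destruction and possible data disclosure.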

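- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]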

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:5.1    FreeBSD 5.1
cpe:/o:freebsd:freebsd:4.11   FreeBSD 4.11
cpe:/o:freebsd:freebsd:5.4    FreeBSD 5.4
cpe:/o:freebsd:freebsd:4.9    FreeBSD 4.9
cpe:/o:freebsd:freebsd:5.3    FreeBSD 5.3
cpe:/o:freebsd:freebsd:4.7    FreeBSD 4.7
cpe:/o:freebsd:freebsd:4.8    FreeBSD 4.8
cpe:/o:freebsd:freebsd:4.6    FreeBSD 4.6
cpe:/o:freebsd:freebsd:4.10   FreeBSD 4.10
cpe:/o:freebsd:freebsd:5.2    FreeBSD 5.2

- OVAL (technical details used for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1399
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1399
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-931
(official data source) CNNVD

- Other links and resources

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:06.iir.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-05:06

- Vulnerability information

FreeBSD IIR driver incorrect permissions vulnerability
Medium severity, design error
2005-05-06 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. Patch download links:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:07.ldt.asc
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:07/ldt4.patch
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:07/ldt4.patch.asc
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:07/ldt5.patch
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:07/ldt5.patch.asc

- Vulnerability information (F39100)

FreeBSD-SA-05-06.iir.txt (PacketStormID:F39100)
2005-08-07 00:00:00
 
advisory,local
freebsd
CVE-2005-1399

FreeBSD Security Advisory FreeBSD-SA-05:06 - The default permissions on the /dev/iir device node allow unprivileged local users to open the device and execute ioctl calls. Unprivileged local users can send commands to the hardware supported by the iir(4) driver, allowing destruction of data and possible disclosure of data.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:06.iir                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect permissions on /dev/iir

Category:       core
Module:         sys_dev
Announced:      2005-05-06
Credits:        Christian S.J. Peron
Affects:        All FreeBSD 4.x releases since 4.6-RELEASE
                All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected:      2005-05-06 02:33:46 UTC (RELENG_5, 5.4-STABLE)
                2005-05-06 02:34:18 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-06 02:34:01 UTC (RELENG_5_3, 5.3-RELEASE-p11)
                2005-05-06 02:32:54 UTC (RELENG_4, 4.11-STABLE)
                2005-05-06 02:33:28 UTC (RELENG_4_11, 4.11-RELEASE-p5)
                2005-05-06 02:33:12 UTC (RELENG_4_10, 4.10-RELEASE-p10)
CVE Name:       CAN-2005-1399

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The iir(4) driver provides support for the Intel Integrated RAID
controllers and ICP Vortex RAID controllers.

II.  Problem Description

The default permissions on the /dev/iir device node allow unprivileged
local users to open the device and execute ioctl calls.

III. Impact

Unprivileged local users can send commands to the hardware supported by
the iir(4) driver, allowing destruction of data and possible disclosure
of data.

IV.  Workaround

Systems without hardware supported by the iir(4) driver are not affected
by this issue.  On systems which are affected, as a workaround, the
permissions on /dev/iir can be changed manually.

As root, execute the following command:

# chmod 0600 /dev/iir*

On 5.x, the following commands are also needed to ensure that the
correct permissions are used after rebooting.

# echo 'perm iir* 0600' >> /etc/devfs.conf
# echo 'devfs_enable="YES"' >> /etc/rc.conf

If the administrator has created additional device nodes, or mounted
additional instances of devfs(5) elsewhere in the file system name
space, attention should be paid to ensure that either the iir device
node is not visible in those name spaces, or is similarly protected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after
the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/dev/iir/iir_ctrl.c                                      1.2.2.5
RELENG_4_11
  src/UPDATING                                              1.73.2.91.2.6
  src/sys/conf/newvers.sh                                   1.44.2.39.2.9
  src/sys/dev/iir/iir_ctrl.c                                 1.2.2.4.12.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.11
  src/sys/conf/newvers.sh                                  1.44.2.34.2.12
  src/sys/dev/iir/iir_ctrl.c                                 1.2.2.4.10.1
RELENG_5
  src/sys/dev/iir/iir_ctrl.c                                     1.15.2.2
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.5
  src/sys/dev/iir/iir_ctrl.c                                 1.15.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.14
  src/sys/conf/newvers.sh                                  1.62.2.15.2.16
  src/sys/dev/iir/iir_ctrl.c                                     1.15.4.1
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:06.iir.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD4DBQFCetz4FdaIBMps37IRAvyMAJjeLAyi4DGQGV3J5Ay+zzt5z4awAKCQ2Z9f
Hh/14bkUQqNXbUTAXEUBrw==
=HFZ7
-----END PGP SIGNATURE-----
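
A check that the workaround from section IV of the advisory is in place, as an added example that is not part of the FreeBSD advisory or of this database entry. It lists iir device nodes still accessible to group or other and confirms the two 5.x persistence settings; the function names and the ROOT prefix argument (empty for the live system) are hypothetical.

```shell
#!/bin/sh
# Added example: audit the FreeBSD-SA-05:06 workaround. ROOT is a hypothetical
# prefix argument ("" for the live system) so the check can run on a test tree.

# List iir device nodes whose group/other permission bits are not all clear,
# i.e. anything looser than the 0600 the advisory sets.
iir_loose_nodes() {
    for node in "$1"/dev/iir*; do
        [ -e "$node" ] || continue          # glob matched nothing
        bits=$(ls -ld "$node" | cut -c5-10) # group+other columns of the mode
        [ "$bits" = "------" ] || echo "$node"
    done
}

# 5.x only: succeed when both persistence settings from the advisory are present.
iir_persist_ok() {
    grep -Eq '^[[:space:]]*perm[[:space:]]+iir\*[[:space:]]+0600([[:space:]]|$)' \
        "$1/etc/devfs.conf" 2>/dev/null || return 1
    grep -Eq '^[[:space:]]*devfs_enable="?YES"?' "$1/etc/rc.conf" 2>/dev/null
}

# Return 0 only if no node is loose and the settings survive a reboot.
iir_audit() {
    status=0
    loose=$(iir_loose_nodes "$1")
    if [ -n "$loose" ]; then
        echo "FAIL: accessible beyond owner: $loose"
        status=1
    fi
    if ! iir_persist_ok "$1"; then
        echo "FAIL: devfs.conf/rc.conf do not pin iir* to 0600"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: iir nodes are 0600 and pinned"
    return "$status"
}
```

Run `iir_audit ""` as root on a 5.x host; on 4.x, which the advisory does not give persistence steps for, call `iir_loose_nodes ""` alone. Additional devfs(5) mounts mentioned in the advisory can be checked by passing their parent directory as ROOT.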
    

- Vulnerability information

16090
FreeBSD /dev/iir Permission Weakness Privilege Escalation
Local Access Required Misconfiguration
Loss of Integrity
Exploit Public

- Vulnerability description

FreeBSD contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when default permissions allow a malicious user to open a /dev/iir device node and execute ioctl calls. By sending commands to iir(4) driver hardware via ioctl calls, a local user can destroy or possibly disclose data. This flaw may lead to a loss of confidentiality, integrity and/or availability.

- Timeline

2005-05-06 Unknown
2005-05-06 Unknown

- Solution

Upgrade to version 4-STABLE or 5-STABLE, or to the RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions. It is also possible to correct the flaw by implementing the following workarounds:

As root, execute the following command:

# chmod 0600 /dev/iir*

On 5.x, the following commands are also needed to ensure that the correct permissions are used after rebooting.

# echo 'perm iir* 0600' >> /etc/devfs.conf
# echo 'devfs_enable="YES"' >> /etc/rc.conf

- Vulnerability information

FreeBSD IIR(4) Driver Incorrect Permissions Vulnerability
Design Error 13525
No Yes
2005-05-06 12:00:00 2009-07-12 02:06:00
Discovery is credited to Christian S.J. Peron.

- Affected program versions

FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE

- Vulnerability discussion

FreeBSD iir(4) driver is prone to an incorrect permissions vulnerability.

A local unprivileged attacker can gain access to a device and carry out ioctl calls. This can allow local attackers to delete or disclose potentially sensitive data.

- Exploitation

An exploit is not required.

- Solution

The vendor has released advisory FreeBSD-SA-05:06.iir including patches to address this issue in FreeBSD 4.10, 4.11, and 5.3 systems. Please see the referenced advisory for more information.


FreeBSD FreeBSD 4.10 -RELEASE-p8

FreeBSD FreeBSD 4.10 -RELEASE

FreeBSD FreeBSD 4.10 -RELENG

FreeBSD FreeBSD 4.10

FreeBSD FreeBSD 4.11 -RELEASE-p3

FreeBSD FreeBSD 4.11 -RELENG

FreeBSD FreeBSD 4.11 -STABLE

FreeBSD FreeBSD 5.3

FreeBSD FreeBSD 5.3 -RELEASE

FreeBSD FreeBSD 5.3 -RELENG

FreeBSD FreeBSD 5.3 -STABLE
