Allele Security Alert
ASA-2019-00405
Identifier(s)
ASA-2019-00405, CVE-2019-5602, FreeBSD-SA-19:11.cd_ioctl
Title
Privilege escalation in cd driver
Vendor(s)
The FreeBSD Project
Product(s)
FreeBSD
Affected version(s)
All supported versions of FreeBSD
Fixed version(s)
2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE)
2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7)
2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE)
2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1)
2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11)
Proof of concept
Yes
Description
The cd(4) driver implements a number of ioctls to permit low-level access to the media in the CD-ROM device. The Linux emulation layer provides a corresponding set of ioctls, some of which are implemented as wrappers of native cd(4) ioctls.
These ioctls are available to users in the operator group, which gets read-only access to cd(4) devices by default.
To implement one particular ioctl, the Linux emulation code used a special interface present in the cd(4) driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read access to a cd(4) device to arbitrarily overwrite kernel memory when some media is present in the device.
A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device.
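Added example (not part of the original alert or of the FreeBSD Project's advisory): a shell triage check for this issue. `fix_status` classifies a `freebsd-version -k` string against the releng patch levels listed under Fixed version(s), and `operator_members` lists the accounts in the operator group, which get read access to cd(4) devices by default. Both function names are hypothetical; stable-branch and any other version strings are reported as unknown because the alert identifies those fixes by date only.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Classify a `freebsd-version -k` string against the releng patch levels
# listed in this alert. Prints: fixed, vulnerable or unknown.
fix_status() {
    case $1 in
        12.0-RELEASE*) min=7 ;;
        11.2-RELEASE*) min=11 ;;
        11.3-RC3*)     min=1 ;;
        *) echo unknown; return ;;   # stable/other branches: fixed by date only
    esac
    case $1 in
        *-p*) level=${1##*-p} ;;     # text after the last "-p"
        *)    level=0 ;;             # no patch suffix means patch level 0
    esac
    case $level in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$level" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
}

# List accounts in the operator group (supplementary members plus users whose
# primary gid is the operator gid).
operator_members() {
    awk -F: '
        FNR == NR {                       # first file: group database
            if ($1 == "operator") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd
        END { for (u in seen) print u }
    ' "${1:-/etc/group}" "${2:-/etc/passwd}" | sort
}

# On a FreeBSD host, report both; elsewhere this block only defines functions.
if command -v freebsd-version >/dev/null 2>&1; then
    echo "kernel: $(fix_status "$(freebsd-version -k)")"
    echo "operator accounts: $(operator_members | tr '\n' ' ')"
fi
```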
Technical details
Unknown
Workaround
Unknown
Credits
Alex Fortune
Reference(s)
Privilege escalation in cd(4) driver
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:11.cd_ioctl.asc
[base] Revision 349628
https://svnweb.freebsd.org/base?view=revision&revision=r349628
[base] Revision 349625
https://svnweb.freebsd.org/base?view=revision&revision=r349625
[base] Revision 349629
https://svnweb.freebsd.org/base?view=revision&revision=r349629
Exploiting a No-Name FreeBSD Kernel Vulnerability
https://www.synacktiv.com/posts/exploit/exploiting-a-no-name-freebsd-kernel-vulnerability.html
CVE-2019-5602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5602
CVE-2019-5602
https://nvd.nist.gov/vuln/detail/CVE-2019-5602
Last modified: July 26, 2019