-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:12.jailroute Security Advisory The FreeBSD Project Topic: Jailed processes can manipulate host routing tables Category: core Module: kernel Announced: 2004-06-07 Credits: Pawel Malachowski Affects: FreeBSD 4.8-RELEASE FreeBSD 4.9-RELEASE Corrected: 2004-04-06 20:11:53 UTC (RELENG_4) 2004-06-07 17:44:44 UTC (RELENG_4_9, 4.9-RELEASE-p10) 2004-06-07 17:42:42 UTC (RELENG_4_8, 4.8-RELEASE-p23) CVE Name: CAN-2004-0125 FreeBSD only: YES For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The jail(2) system call allows a system administrator to lock up a process and all its descendants inside a closed environment with very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more stringent than, the traditional Unix chroot(2) system call. The FreeBSD kernel maintains internal routing tables for the purpose of determining which interface should be used to transmit packets. These routing tables can be manipulated by user processes running with superuser privileges by sending messages over a routing socket. II. Problem Description A programming error resulting in a failure to verify that an attempt to manipulate routing tables originated from a non-jailed process. III. Impact Jailed processes running with superuser privileges could modify host routing tables. This could result in a variety of consequences including packets being sent via an incorrect network interface and packets being discarded entirely. IV. Workaround No workaround is available. V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4.10-RELEASE, or to the RELENG_4_8 or RELENG_4_9 security branch dated after the correction date. OR 2) Patch your present system: The following patch has been verified to apply to the FreeBSD 4.8 and 4.9 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:12/jailroute.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/sys/net/rtsock.c 1.44.2.13 RELENG_4_9 src/UPDATING 1.73.2.89.2.11 src/sys/conf/newvers.sh 1.44.2.32.2.11 src/sys/net/rtsock.c 1.44.2.11.4.1 RELENG_4_8 src/UPDATING 1.73.2.80.2.26 src/sys/conf/newvers.sh 1.44.2.29.2.24 src/sys/net/rtsock.c 1.44.2.11.2.1 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAxNyTFdaIBMps37IRAkTtAJ9LL92gdrIr3drFL7+EzgIz3Tp3EQCgl3XM FySjBz6+a74mtEX89hLRcBI= =dWI/ -----END PGP SIGNATURE-----