Multiple Vendor BSD Semaphore IPC Denial Of Service Vulnerability
BID:1270
Info
| Bugtraq ID: | 1270 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | May 29 2000 12:00AM |
| Updated: | May 29 2000 12:00AM |
| Credit: | First made public in NetBSD advisory NetBSD-SA2000-004, published on May 29, 2000. |
| Vulnerable: | OpenBSD 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6; NetBSD 1.4.1 (Alpha, arm32, SPARC), 1.4.2 (Alpha, arm32, SPARC, x86); FreeBSD 1.1.5.1, 2.0, 2.0.5, 2.1, 2.1.5, 2.1.6, 2.1.6.1, 2.1.7.1, 2.2, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 3.0, 3.1, 3.2, 3.3, 3.4, 4.0, 4.0 alpha, 5.0, 5.0 alpha |
| Not Vulnerable: | |
Discussion
The SysV semaphore implementation in 386BSD-derived operating systems is vulnerable to a locally exploitable denial of service. An undocumented system call, semconfig(), freezes the state of all semaphores on the system. It is intended for taking a consistent "snapshot" of semaphore state, but it is not restricted to privileged callers, so an unprivileged local user can leave the freeze in place and prevent every process that uses semaphores from making progress. The end result is that a local user with no special privileges can stall any semaphore-using process on the system.
From the NetBSD advisory: "FreeBSD-SA-00:19 describes a similar, but significantly more severe problem affecting FreeBSD, and notes that NetBSD is also affected. The impact of the problem on NetBSD is much less, because NetBSD's semaphore implementation was fixed (in 1994) so that only semaphore-using processes would be blocked at exit time."
OpenBSD (post 1994) carries the same fix as NetBSD and is therefore significantly less affected than FreeBSD, where the freeze also blocks processes that do not use semaphores when they exit.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
A patch is available for OpenBSD at http://www.openbsd.org/errata26.html#semconfig
From the NetBSD advisory:
For NetBSD 1.4, 1.4.1, and 1.4.2:
A patch is available in
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000527-sysvsem
For NetBSD-current:
NetBSD-current since 20000527 contains all the fixes, and is not vulnerable. Users of NetBSD-current should upgrade to a source tree dated 20000527 or later.
----
From the FreeBSD advisory:
Upgrade to FreeBSD 2.1.7.1-STABLE, 2.2.8-STABLE, 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT after the correction date.
A patch is also available. See FreeBSD Advisory SA-00:19.