FreeBSD security advisory relevant?
-
Hi,
we've been notified by a customer that they got a warning issued by the German BSI/CERT Bund (federal office for security in IT) about FreeBSD OS privilege escalations and code executions, namely:
- CVE-2024-45287, CVE-2024-45288
- CVE-2024-41928
- CVE-2024-42416, CVE-2024-43110, CVE-2024-45063, CVE-2024-8178
- CVE-2024-43102
- CVE-2024-32668
Most of them, as I see it, are about bhyve components and hypervisor based, so completely ignorable IMHO for pfSense/firewall usage in general. Two are a bit harder to take:
https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc
and
https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc
are quite vague in their "Impact" formulation about what exactly is necessary to exploit those. After reading them through, I'm almost sure they aren't relevant to firewall usage or to pfSense specifically, as the "libnv" one seems like a buffer overflow but needs user involvement(?), so - no local users, no threat vector. The umtx thing reads more like a DoS through kernel panic but is so vague in how it's induced that I'd guess there has to be a local user involved again.
So my guess would be none of those are endangering pfSense, but I'd like to have a few eyes more on that in case I'm reading that wrong.
Thanks & Cheers,
\jens
PS: in case someone wants the source: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-2056 - sometimes you have to open the link two times, as the first one gets you to the wrong page. I know, it's strange but hey, federal gov is weird sometimes ;)
-
They will be in the 24.08 (next release) but I agree, neither of those looks like a problem for pfSense directly. In my opinion at least; I await higher level input.
-
@stephenw10 said in FreeBSD security advisory relevant?:
They will be in the 24.08 (next release) but I agree, neither of those looks like a problem for pfSense directly. In my opinion at least; I await higher level input.
It would be real important to have clarity on that matter.
As that is a BSI/federal note to patch systems with a CVSS score of >=9, that means systems in critical environments HAVE to patch in 10 days or less, and that timeline is nearing fast. So if the CVEs are all irrelevant, that's fine, but we'd need a statement for this that I can rely on.
Thanks!
-
Let me see what we can do here....
-
@stephenw10 and @JeGr
CVE-2024-41928 is https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc
If you're not running bhyve on pfSense (and by default you are not) this does not affect you.
CVE-2024-42416, CVE-2024-43110, CVE-2024-45063, CVE-2024-8178 are https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc
If you're not running bhyve or do not export iSCSI targets on pfSense (and by default, you are not), this does not affect you. If you are running bhyve and do not make use of virtio_scsi, this does not affect you.
CVE-2024-32668 is https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc
Once again, If you're not running bhyve on pfSense (and by default you are not) this does not affect you.
So now we're down to these two SAs:
CVE-2024-45287, CVE-2024-45288 are https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc
CVE-2024-45287 is scored 7.3 by NIST NVD
CVE-2024-45288 is not (yet) scored by NIST NVD.
This SA involves libnv. Exploiting it requires running code on the box. Given the sub-9.0 score and the difficulty of exploiting this, I consider it low risk.
And finally, CVE-2024-43102 is https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc
CVE-2024-43102 is scored 10.0 by NIST NVD
The _umtx_op() system call is non-standard and is used by the 1:1 Threading Library (libthr, -lthr) to implement IEEE Std 1003.1-2001 ("POSIX.1") pthread(3) functionality. We're still analyzing this, but it's the only one of any concern.
As @stephenw10 notes, these are all in the (pending) 24.08 release.
Since you're in Germany,... I wonder what the German BSI/CERT Bund thinks about OPNonSense reverting FreeBSD-SA-24:05.pf in 24.7.4 (I wonder if they even know?). The excuse offered is really weak and political.
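Added example (not from this thread and not Netgate's or pfSense's own code): a small POSIX shell triage helper for the conditions named above for FreeBSD-SA-24:10, 24:11 and 24:12, i.e. "is bhyve running?" and "is the CAM Target Layer in use (iSCSI targets exported, or bhyve guests on virtio_scsi)?". It assumes the standard FreeBSD names: bhyve's kernel module is vmm.ko, the CAM Target Layer is ctl.ko, the iSCSI target daemon is ctld and guest processes are named bhyve. It only sees loadable modules; a kernel with ctl compiled in statically would not show ctl.ko in kldstat, so treat a "not exposed" verdict as a first check, not proof. The kldstat and ps samples below are constructed, not captured from a real box.

```shell
#!/bin/sh
# Exposure triage for FreeBSD-SA-24:10/24:12 (bhyve) and 24:11 (ctl).
# Added example; not code from the thread or from pfSense.
# Inputs are passed as strings (kldstat output, `ps -axo comm` output)
# so the logic can be exercised on constructed data; the bottom of the
# script runs it over live output when kldstat is available.

# module_loaded NAME KLDSTAT_TEXT: exit 0 if NAME.ko is listed by kldstat
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1.ko" '$NF == m { found = 1 } END { exit !found }'
}

# proc_running NAME PS_TEXT: exit 0 if a process with that command name is listed
proc_running() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# bhyve_exposure KLDSTAT_TEXT PS_TEXT
# SA-24:10 / SA-24:12 need the hypervisor in use: vmm.ko loaded or a
# bhyve guest process running (assumed names, see lead-in).
bhyve_exposure() {
    if module_loaded vmm "$1" || proc_running bhyve "$2"; then
        echo "bhyve: exposed"
    else
        echo "bhyve: not exposed"
    fi
}

# ctl_exposure KLDSTAT_TEXT PS_TEXT
# SA-24:11 needs the CAM Target Layer in use: either ctld exporting
# iSCSI targets, or bhyve guests using virtio_scsi through ctl.ko.
# A loaded ctl.ko with no ctld is reported as "check", because this
# script cannot see a guest's disk configuration.
ctl_exposure() {
    if proc_running ctld "$2"; then
        echo "ctl: exposed (iSCSI targets exported)"
    elif module_loaded ctl "$1"; then
        echo "ctl: check (ctl.ko loaded; exposed if bhyve guests use virtio_scsi)"
    else
        echo "ctl: not exposed"
    fi
}

# Constructed samples (not from a real system).
# A default firewall: no hypervisor, no target layer, no ctld/bhyve processes.
KLD_DEFAULT='Id Refs Address                Size Name
 1   40 0xffffffff80200000  1f11f28 kernel
 2    1 0xffffffff82a00000     3790 intpm.ko'
PS_DEFAULT='COMMAND
init
sshd
php-fpm
unbound'
# A box that someone turned into a hypervisor and iSCSI target.
KLD_HYPERVISOR='Id Refs Address                Size Name
 1   52 0xffffffff80200000  1f11f28 kernel
 2    1 0xffffffff82a00000   3d4000 vmm.ko
 3    1 0xffffffff82e00000    66000 ctl.ko'
PS_HYPERVISOR='COMMAND
init
bhyve
ctld'

# On a FreeBSD/pfSense host, evaluate the live system; elsewhere, show the
# verdict for the constructed default-firewall sample.
if command -v kldstat >/dev/null 2>&1; then
    bhyve_exposure "$(kldstat)" "$(ps -axo comm)"
    ctl_exposure "$(kldstat)" "$(ps -axo comm)"
else
    bhyve_exposure "$KLD_DEFAULT" "$PS_DEFAULT"
    ctl_exposure "$KLD_DEFAULT" "$PS_DEFAULT"
fi
```

On a live box the quick equivalents are `kldstat -q -m vmm`, `kldstat -q -m ctl` (exit status 0 when loaded) and `pgrep -l 'bhyve|ctld'`; the libnv and umtx advisories have no comparable "is the feature enabled" check, since they sit in a library and a system call every process can reach, which is why the thread treats local code execution as the prerequisite there.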
-
@jwt said in FreeBSD security advisory relevant?:
As @stephenw10 notes, these are all in the (pending) 24.08 release.
...and 2.8.0 CE?
-
Not yet in internal 2.8 builds but would be before any release.