CVE-2014-1453 - Resource Management Errors vulnerability in FreeBSD

CVSS 4.0 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: SINGLE
  • Confidentiality impact: NONE
  • Integrity impact: NONE
  • Availability impact: PARTIAL

Tags: network, low complexity, freebsd, CWE-399, nessus

Summary

The NFS server (nfsserver) in FreeBSD 8.3 through 10.0 does not acquire locks in the proper order when converting a directory file handle to a vnode, which allows remote authenticated users to cause a denial of service (deadlock) via vectors involving a thread that uses the correct locking order.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_6A384960600711E6A6C314DAE9D210B8.NASL
    description: The kernel holds a lock over the source directory vnode while trying to convert the target directory file handle to a vnode, which needs to be returned with the lock held, too. This order may be in violation of normal lock order, which, in conjunction with other threads that grab locks in the right order, constitutes a deadlock condition because no thread can proceed. Impact: An attacker on a trusted client could cause the NFS server to become deadlocked, resulting in a denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92898
    published: 2016-08-12
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92898
    title: FreeBSD : FreeBSD -- Deadlock in the NFS server (6a384960-6007-11e6-a6c3-14dae9d210b8)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92898);
      script_version("2.4");
      script_cvs_date("Date: 2018/12/07  9:46:53");
    
      script_cve_id("CVE-2014-1453");
      script_bugtraq_id(66726);
      script_xref(name:"FreeBSD", value:"SA-14:05.nfsserver");
    
      script_name(english:"FreeBSD : FreeBSD -- Deadlock in the NFS server (6a384960-6007-11e6-a6c3-14dae9d210b8)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The kernel holds a lock over the source directory vnode while trying
    to convert the target directory file handle to a vnode, which needs to
    be returned with the lock held, too. This order may be in violation of
    normal lock order, which in conjunction with other threads that grab
    locks in the right order, constitutes a deadlock condition because no
    thread can proceed. Impact : An attacker on a trusted client could
    cause the NFS server become deadlocked, resulting in a denial of
    service."
      );
      # https://vuxml.freebsd.org/freebsd/6a384960-6007-11e6-a6c3-14dae9d210b8.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7befe99a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:FreeBSD");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=10.0<10.0_1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=9.2<9.2_4")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=9.1<9.1_11")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=8.4<8.4_8")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=8.3<8.3_15")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2952.NASL
    description: Several vulnerabilities have been discovered in the FreeBSD kernel that may lead to a denial of service or possibly disclosure of kernel memory. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2014-1453: A remote, authenticated attacker could cause the NFS server to become deadlocked, resulting in a denial of service.
      - CVE-2014-3000: An attacker who can send a series of specifically crafted packets with a connection could cause a denial of service situation by causing the kernel to crash. Additionally, because the undefined on stack memory may be overwritten by other kernel threads, while difficult, it may be possible for an attacker to construct a carefully crafted attack to obtain a portion of kernel memory via a connected socket. This may result in the disclosure of sensitive information such as login credentials, etc. before or even without crashing the system.
      - CVE-2014-3880: A local attacker can trigger a kernel crash (triple fault) with potential data loss, related to the execve/fexecve system calls. Reported by Ivo De Decker.
    last seen: 2020-03-17
    modified: 2014-06-09
    plugin id: 74374
    published: 2014-06-09
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74374
    title: Debian DSA-2952-1 : kfreebsd-9 - security update
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2952. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74374);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-1453", "CVE-2014-3000", "CVE-2014-3880");
      script_bugtraq_id(66726, 67153);
      script_xref(name:"DSA", value:"2952");
    
      script_name(english:"Debian DSA-2952-1 : kfreebsd-9 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the FreeBSD kernel
    that may lead to a denial of service or possibly disclosure of kernel
    memory. The Common Vulnerabilities and Exposures project identifies
    the following problems :
    
      - CVE-2014-1453
        A remote, authenticated attacker could cause the NFS
        server become deadlocked, resulting in a denial of
        service.
    
      - CVE-2014-3000 :
        An attacker who can send a series of specifically
        crafted packets with a connection could cause a denial
        of service situation by causing the kernel to crash.
    
      Additionally, because the undefined on stack memory may be
      overwritten by other kernel threads, while difficult, it may be
      possible for an attacker to construct a carefully crafted attack to
      obtain portion of kernel memory via a connected socket. This may
      result in the disclosure of sensitive information such as login
      credentials, etc. before or even without crashing the system.
    
      - CVE-2014-3880
        A local attacker can trigger a kernel crash (triple
        fault) with potential data loss, related to the
        execve/fexecve system calls. Reported by Ivo De Decker."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-1453"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-3000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-3880"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/kfreebsd-9"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2014/dsa-2952"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the kfreebsd-9 packages.
    
    For the stable distribution (wheezy), these problems have been fixed
    in version 9.0-10+deb70.7."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kfreebsd-9");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9-486", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9-686", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9-686-smp", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9-amd64", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9-malta", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9-xen", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9.0-2", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9.0-2-486", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9.0-2-686", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9.0-2-686-smp", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9.0-2-amd64", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9.0-2-malta", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-headers-9.0-2-xen", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9-486", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9-686", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9-686-smp", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9-amd64", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9-malta", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9-xen", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9.0-2-486", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9.0-2-686", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9.0-2-686-smp", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9.0-2-amd64", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9.0-2-malta", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-image-9.0-2-xen", reference:"9.0-10+deb70.7")) flag++;
    if (deb_check(release:"7.0", prefix:"kfreebsd-source-9.0", reference:"9.0-10+deb70.7")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Seebug

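bulletinFamily: exploit
description: Bugtraq ID: 66726 CVE ID: CVE-2014-1453 FreeBSD is a UNIX operating system, an important branch of Unix that evolved from BSD, 386BSD and 4.4BSD. FreeBSD has a lock-order error when converting the target file handle to a vnode, which can lead to a deadlock and cause a denial of service. 0 FreeBS The vendor has released an upgrade patch to fix the vulnerability; please download and apply it: http://www.freebsd.org/security/index.html
id: SSV:62156
last seen: 2017-11-19
modified: 2014-04-14
published: 2014-04-14
reporter: Root
title: FreeBSD remote denial-of-service vulnerability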