Vulnerabilities > CVE-2018-6916 - Use After Free vulnerability in Freebsd 10.3/10.4/11.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
COMPLETE Summary
In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p7, 10.4-STABLE, 10.4-RELEASE-p7, and 10.3-RELEASE-p28, the kernel does not properly validate IPsec packets coming from a trusted host. Additionally, a use-after-free vulnerability exists in the IPsec AH handling code. This issue could cause a system crash or other unpredictable results.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 19 |
Common Weakness Enumeration (CWE)
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_DCA7CED0279611E895ECA4BADB2F4699.NASL description Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash. Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results. Impact : Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results. last seen 2020-06-01 modified 2020-06-02 plugin id 108353 published 2018-03-15 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108353 title FreeBSD : FreeBSD -- ipsec validation and use-after-free (dca7ced0-2796-11e8-95ec-a4badb2f4699) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(108353); script_version("1.5"); script_cvs_date("Date: 2018/12/07 9:46:53"); script_cve_id("CVE-2018-6916"); script_xref(name:"FreeBSD", value:"SA-18:01.ipsec"); script_name(english:"FreeBSD : FreeBSD -- ipsec validation and use-after-free (dca7ced0-2796-11e8-95ec-a4badb2f4699)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash. Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results. Impact : Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results." ); # https://vuxml.freebsd.org/freebsd/dca7ced0-2796-11e8-95ec-a4badb2f4699.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?830ed0a6" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:FreeBSD"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/07"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); if (report_paranoia < 2) audit(AUDIT_PARANOID); flag = 0; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=11.1<11.1_7")) flag++; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=10.4<10.4_7")) flag++; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=10.3<10.3_28")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Firewalls NASL id PFSENSE_SA-18_03.NASL description According to its self-reported version number, the remote pfSense install is a version prior to 2.4.3 It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories. last seen 2020-06-01 modified 2020-06-02 plugin id 109038 published 2018-04-13 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109038 title pfSense < 2.4.3 Multiple Vulnerabilities (SA-18_01 / SA-18_02 / SA-18_03) (Meltdown) (Spectre) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(109038); script_version("1.4"); script_cvs_date("Date: 2018/07/25 14:27:29"); script_cve_id("CVE-2017-5715", "CVE-2017-5754", "CVE-2018-6916"); script_bugtraq_id(103513); script_xref(name:"FreeBSD", value:"SA-18:01.ipsec"); script_xref(name:"FreeBSD", value:"SA-18:03.speculative_execution"); script_xref(name:"IAVA", value:"2018-A-0019"); script_xref(name:"IAVA", value:"2018-A-0020"); script_name(english:"pfSense < 2.4.3 Multiple Vulnerabilities (SA-18_01 / SA-18_02 / SA-18_03) (Meltdown) (Spectre)"); script_summary(english:"Checks the version of pfSense."); script_set_attribute(attribute:"synopsis", value: "The remote firewall host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the remote pfSense install is a version prior to 2.4.3 It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories."); script_set_attribute(attribute:"see_also", value:"https://doc.pfsense.org/index.php/2.4.3_New_Features_and_Changes"); # https://www.pfsense.org/security/advisories/pfSense-SA-18_01.packages.asc script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ac779c2"); # https://www.pfsense.org/security/advisories/pfSense-SA-18_02.webgui.asc script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d531aa61"); # https://www.pfsense.org/security/advisories/pfSense-SA-18_03.webgui.asc script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4c483bc2"); script_set_attribute(attribute:"solution", value: "Upgrade to pfSense version 2.4.3 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/19"); script_set_attribute(attribute:"patch_publication_date", value:"2017/11/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/13"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:pfsense:pfsense"); script_set_attribute(attribute:"cpe", value:"cpe:/a:bsdperimeter:pfsense"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Firewalls"); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("pfsense_detect.nbin"); script_require_keys("Host/pfSense"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); if (!get_kb_item("Host/pfSense")) audit(AUDIT_HOST_NOT, "pfSense"); app_info = vcf::pfsense::get_app_info(); constraints = [ { "fixed_version" : "2.4.3" } ]; vcf::pfsense::check_version_and_report( app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE, xsrf:TRUE} );