CVE-2025-0374 in FreeBSDinfo

Summary

by MITRE • 01/30/2025

When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.

An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 01/30/2025

The vulnerability described in CVE-2025-0374 represents a critical security flaw in the etcupdate utility commonly found in FreeBSD and related operating systems. This utility is responsible for managing configuration file updates during system package installations and system upgrades. When conflicts arise during the merging process of configuration files, etcupdate creates temporary conflict resolution files in the /var/db/etcupdate/conflicts directory. The core technical issue stems from the improper handling of file permissions during this conflict resolution process, specifically the failure to preserve the original file mode of the input files when creating conflict markers.

The flaw manifests when etcupdate processes sensitive files such as /etc/master.passwd, which contains encrypted password hashes and other critical authentication data. During normal operation, these files typically have restricted permissions to prevent unauthorized access, but when conflicts occur and the system creates temporary files in the conflicts directory, the utility fails to maintain these security restrictions. The resulting temporary files become world-readable, creating an exploitable condition that allows any local user to access the conflict resolution files containing sensitive information. This vulnerability directly maps to CWE-732, which describes inadequate protection of security-critical information, and represents a privilege escalation vector through information disclosure.

The operational impact of this vulnerability is significant for system security, as it provides unprivileged local users with access to encrypted password hashes that could potentially be exploited through offline password cracking attacks. The temporary nature of the conflict files means that the window of opportunity for exploitation is limited to the period when conflicts are actively being resolved, but this timeframe can be extended through various system administration activities. The vulnerability affects systems where etcupdate is actively used for package management and system updates, particularly those that frequently encounter configuration file conflicts during routine maintenance operations. Attackers could leverage this information to compromise user accounts and potentially gain elevated privileges on the system.

Mitigation strategies for CVE-2025-0374 should focus on immediate system hardening and operational procedure improvements. System administrators should ensure that the /var/db/etcupdate/conflicts directory has appropriate permissions set to restrict access to authorized users only, typically through chmod 700 or similar restrictive settings. Regular monitoring of this directory should be implemented to detect unauthorized access attempts and to verify that temporary files are properly cleaned up after conflict resolution. Additionally, organizations should consider implementing automated security scanning tools that can identify and alert on insecure file permissions in critical system directories. The use of more secure configuration management tools that properly handle file permissions during conflict resolution should also be evaluated as a long-term solution. This vulnerability aligns with ATT&CK technique T1005, which covers data from local system, and highlights the importance of maintaining proper file system permissions as a fundamental security control.

Responsible

Freebsd

Reservation

01/10/2025

Disclosure

01/30/2025

Moderation

accepted

CPE

ready

EPSS

0.00290

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!