| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.9 | $0-$5k | 0.00 |
Summary
A vulnerability marked as problematic has been reported in FreeBSD 9.3/10.2. Affected by this issue is the function sysarch(2) of the file /sys/amd64/amd64/sys_machdep.c. This manipulation causes memory corruption.
The identification of this vulnerability is CVE-2016-1885. The attack can only be executed locally. Furthermore, there is an exploit available.
To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability classified as problematic was found in FreeBSD 9.3/10.2 (Operating System). Affected by this vulnerability is the function sysarch(2) of the file /sys/amd64/amd64/sys_machdep.c. The manipulation with an unknown input leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect availability.
The weakness was shared 03/16/2016 by Francisco Falcon with Core Security as FreeBSD-SA-16:15.sysarch as confirmed security advisory (Website). It is possible to read the advisory at security.FreeBSD.org. This vulnerability is known as CVE-2016-1885 since 01/13/2016. Attacking locally is a requirement. A single authentication is needed for exploitation. Technical details and also a public exploit are known. The advisory points out:
A special combination of sysarch(2) arguments, specify a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors are provided. Due to invalid use of a signed intermediate value in the bounds checking during argument validity verification, unbound zero'ing of the process LDT and adjacent memory can be initiated from usermode.
It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept. We expect the 0-day to have been worth approximately $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 106499 (pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Firewalls and running in the context r.
Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (111527), Exploit-DB (39570), Tenable (106499), SecurityFocus (BID 84526†) and SecurityTracker (ID 1035309†). The entries VDB-80319 and VDB-112273 are related to this item. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Name
Version
License
Website
- Product: https://www.freebsd.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.2VulDB Meta Temp Score: 5.9
VulDB Base Score: 6.2
VulDB Temp Score: 5.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 6.2
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Memory corruptionCWE: CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 106499
Nessus Name: pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Timeline
01/13/2016 🔍03/16/2016 🔍
03/16/2016 🔍
03/16/2016 🔍
03/16/2016 🔍
03/17/2016 🔍
03/17/2016 🔍
03/20/2016 🔍
04/11/2016 🔍
01/31/2018 🔍
07/06/2024 🔍
Sources
Product: freebsd.orgAdvisory: FreeBSD-SA-16:15.sysarch
Researcher: Francisco Falcon
Organization: Core Security
Status: Confirmed
CVE: CVE-2016-1885 (🔍)
GCVE (CVE): GCVE-0-2016-1885
GCVE (VulDB): GCVE-100-81379
X-Force: 111527 - FreeBSD kernel amd64_set_ldt function heap-based buffer overflow
SecurityFocus: 84526 - FreeBSD CVE-2016-1885 Local Heap Based Buffer Overflow Vulnerability
SecurityTracker: 1035309
Vulnerability Center: 57416 - FreeBSD Kernel 10.2 amd64 Local Denial of Service Vulnerability, Medium
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 03/17/2016 11:10Updated: 07/06/2024 00:21
Changes: 03/17/2016 11:10 (77), 02/01/2019 14:45 (14), 07/10/2022 14:04 (4), 07/06/2024 00:21 (15)
Complete: 🔍
Cache ID: 216:3BF:103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.