Feeds

Staunch your Heartbleed patching: FreeBSD has a nasty credentials leak

Let's not forget that FreeBSD is in OSX, NetApp kit, Juniper boxen and even some tellies

Using blade systems to cut costs and sharpen efficiencies

Got FreeBSD? Get busy on the patch, because a problem with its TCP ordering has emerged, with both denial-of-service and data leakage as possible effects.

The issue exists in how the popular Unix-like operating system handles TCP packets received out-of-order. Packets are held in a reassembly queue until they can be re-ordered and re-assembled. However, as the advisory states:

“FreeBSD may add a reassemble queue entry on the stack into the segment list when the reassembly queue reaches its limit. The memory from the stack is undefined after the function returns. Subsequent iterations of the reassembly function will attempt to access this entry.”

Crafted packets can cause a kernel crash, the advisory states, but worse: “because the undefined on stack memory may be overwritten by other kernel threads, while extremely difficult, it may be possible for an attacker to construct a carefully crafted attack to obtain portion of kernel memory via a connected socket”.

Ty Miller, CEO of Threat Intelligence, said in an e-mail the operating system is the basis of kit from a lot of well-known names, including: OSX, PlayStation, some Panasonic TVs; and security gear from Blue Coat, Checkpoint, IronPort, Juniper, McAfee and Sophos.

The difficulty of creating an exploit means this is far less likely to cause data leak before patches start becoming available. One issue, however, is very similar to Heartbleed: because FreeBSD is behind the scenes in non-obvious places, a lot of systems may never get patched.

While sysadmins will have charge of IT systems, almost no one except the very savvy home user patches consumer kit.

It should be noted that users will probably see denial-of-service rather than data leak as the most immediate potential impact. “Because of the complexity associated with the exploitation process, it is more likely to trigger the target system to crash,” Miller's e-mail noted.

Patch instructions are given at the FreeBSD advisory. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.