ID: OSVDB:5985
Type: osvdb
Reporter: Colin Percival, Katsuhisa ABE
Modified: 2004-03-29T00:00:00
Description
Vulnerability Description
FreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is in FreeBSD's implementation of the KAME Project IPv6 code, because of an input validation flaw in the "setsockopt()" system call when handling certain IPv6 socket options, which will disclose kernel memory, resulting in a loss of confidentiality. No further details are available.
Solution Description
Upgrade to version RELENG_5_2 security branch or higher, as it has been reported to fix this vulnerability. Also, FreeBSD has released a patch.
Short Description
FreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is in FreeBSD's implementation of the KAME Project IPv6 code, because of an input validation flaw in the "setsockopt()" system call when handling certain IPv6 socket options, which will disclose kernel memory, resulting in a loss of confidentiality. No further details are available.
{"type": "osvdb", "published": "2004-03-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:5985", "bulletinFamily": "software", "cvss": {"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/", "score": 2.1}, "viewCount": 1, "edition": 1, "reporter": "Colin Percival(), Katsuhisa ABE()", "title": "FreeBSD KAME Project IPv6 setsockopt() Kernel Memory Disclosure", "affectedSoftware": [{"operator": "eq", "version": "5.2-RELEASE", "name": "FreeBSD"}], "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2017-04-28T13:20:00", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0370"]}, {"type": "openvas", "idList": ["OPENVAS:52648"]}, {"type": "nessus", "idList": ["FREEBSD_SETSOCKOPT_521_4.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:5989"]}, {"type": "freebsd", "idList": ["2C6ACEFD-8194-11D8-9645-0020ED76EF5A"]}, {"type": "osvdb", "idList": ["OSVDB:4668"]}], "modified": "2017-04-28T13:20:00", "rev": 2}, "vulnersScore": 5.3}, "references": [], "id": "OSVDB:5985", "lastseen": "2017-04-28T13:20:00", "cvelist": ["CVE-2004-0370"], "modified": "2004-03-29T00:00:00", "description": "## Vulnerability Description\nFreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is in FreeBSD's implementation of KAME Project IPv6 code because of an input validation flaw in the \"setsockopt()\" system call when handling certain IPv6 socket options, which will disclose the kernel memory resulting in a loss of confidentiality. No further details are available.\n## Solution Description\nUpgrade to version RELENG_5_2 security branch or higher, as it has been reported to fix this vulnerability. Also, FreeBSD has released a patch.\n## Short Description\nFreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is in FreeBSD's implementation of KAME Project IPv6 code because of an input validation flaw in the \"setsockopt()\" system call when handling certain IPv6 socket options, which will disclose the kernel memory resulting in a loss of confidentiality. No further details are available.\n## References:\nVendor URL: http://www.freebsd.org\n[Vendor Specific Advisory URL](ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:06.ipv6.asc)\n[Secunia Advisory ID:11233](https://secuniaresearch.flexerasoftware.com/advisories/11233/)\n[Related OSVDB ID: 4668](https://vulners.com/osvdb/OSVDB:4668)\n[CVE-2004-0370](https://vulners.com/cve/CVE-2004-0370)\nBugtraq ID: 9992\n"}
{"cve": [{"lastseen": "2021-02-02T05:22:58", "description": "The setsockopt call in the KAME Project IPv6 implementation, as used in FreeBSD 5.2, does not properly handle certain IPv6 socket options, which could allow attackers to read kernel memory and cause a system panic.", "edition": 4, "cvss3": {}, "published": "2004-05-04T04:00:00", "title": "CVE-2004-0370", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0370"], "modified": "2017-07-11T01:30:00", "cpe": ["cpe:/o:freebsd:freebsd:5.2"], "id": "CVE-2004-0370", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0370", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:freebsd:freebsd:5.2:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-12-08T11:44:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0370"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-04:06.ipv6.asc", "modified": "2017-12-07T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52648", "href": "http://plugins.openvas.org/nasl.php?oid=52648", "type": "openvas", "title": "FreeBSD Security Advisory (FreeBSD-SA-04:06.ipv6.asc)", "sourceData": "#\n#ADV FreeBSD-SA-04:06.ipv6.asc\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n#\n\ntag_insight = \"IPv6 is a new Internet Protocol, designed to replace (and avoid many of\nthe problems with) the current Internet Protocol (version 4). FreeBSD\nuses the KAME Project IPv6 implementation.\n\nApplications may manipulate the behavior of an IPv6 socket using the\nsetsockopt(2) system call.\n\nA programming error in the handling of some IPv6 socket options within\nthe setsockopt(2) system call may result in memory locations being\naccessed without proper validation. 
While the problem originates in\ncode from the KAME Project, it does not affect other operating systems.\";\ntag_solution = \"Upgrade your system to the appropriate stable release\nor security branch dated after the correction date\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FreeBSD-SA-04:06.ipv6.asc\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-04:06.ipv6.asc\";\n\n \nif(description)\n{\n script_id(52648);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_bugtraq_id(9992);\n script_cve_id(\"CVE-2004-0370\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n name = \"FreeBSD Security Advisory (FreeBSD-SA-04:06.ipv6.asc)\";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n family = \"FreeBSD Local Security Checks\";\n script_family(family);\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdpatchlevel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\nvuln = 0;\nif(patchlevelcmp(rel:\"5.2.1\", patchlevel:\"4\")<0) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:59", "bulletinFamily": "software", "cvelist": ["CVE-2004-0370"], "edition": 1, "description": "## Vulnerability Description\nFreeBSD contains a flaw due to the manner in which it implements KAME Project IPv6 code that may allow a remote denial of service. The issue is an input validation flaw in the \"setsockopt()\" system call when handling certain IPv6 socket options, and will result in loss of availability for the platform.\n## Solution Description\nUpgrade to version RELENG_5_2 security branch or higher, as it has been reported to fix this vulnerability. Also, FreeBSD has released a patch.\n## Short Description\nFreeBSD contains a flaw due to the manner in which it implements KAME Project IPv6 code that may allow a remote denial of service. 
The issue is an input validation flaw in the \"setsockopt()\" system call when handling certain IPv6 socket options, and will result in loss of availability for the platform.\n## References:\nVendor URL: http://www.freebsd.org\n[Vendor Specific Advisory URL](ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:06.ipv6.asc)\n[Secunia Advisory ID:11233](https://secuniaresearch.flexerasoftware.com/advisories/11233/)\n[Related OSVDB ID: 5985](https://vulners.com/osvdb/OSVDB:5985)\n[CVE-2004-0370](https://vulners.com/cve/CVE-2004-0370)\nBugtraq ID: 9992\n", "modified": "2004-03-29T00:00:00", "published": "2004-03-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:4668", "id": "OSVDB:4668", "type": "osvdb", "title": "FreeBSD KAME Project IPv6 setsockopt() DoS", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:17", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0370"], "description": "\nFrom the FreeBSD Security Advisory:\n\nA programming error in the handling of some IPv6 socket\n\t options within the setsockopt(2) system call may result\n\t in memory locations being accessed without proper\n\t validation.\nIt may be possible for a local attacker to read portions\n\t of kernel memory, resulting in disclosure of sensitive\n\t information. 
A local attacker can cause a system\n\t panic.\n\n", "edition": 4, "modified": "2004-05-05T00:00:00", "published": "2004-03-29T00:00:00", "id": "2C6ACEFD-8194-11D8-9645-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/2c6acefd-8194-11d8-9645-0020ed76ef5a.html", "title": "setsockopt(2) IPv6 sockets input validation error", "type": "freebsd", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "cvelist": ["CVE-2004-0370"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n=============================================================================\r\nFreeBSD-SA-04:06.ipv6 Security Advisory\r\n The FreeBSD Project\r\n\r\nTopic: setsockopt(2) IPv6 sockets input validation error\r\n\r\nCategory: core\r\nModule: kernel\r\nAnnounced: 2004-03-29\r\nCredits: Katsuhisa ABE, Colin Percival\r\nAffects: FreeBSD 5.2-RELEASE\r\nCorrected: 2004-03-29 14:01:33 UTC (RELENG_5_2, 5.2.1-RELEASE-p4)\r\nCVE Name: CAN-2004-0370\r\nFreeBSD only: YES\r\n\r\nFor general information regarding FreeBSD Security Advisories,\r\nincluding descriptions of the fields above, security branches, and the\r\nfollowing sections, please visit\r\n<URL:http://www.freebsd.org/security/>.\r\n\r\nI. Background\r\n\r\nIPv6 is a new Internet Protocol, designed to replace (and avoid many of\r\nthe problems with) the current Internet Protocol (version 4). FreeBSD\r\nuses the KAME Project IPv6 implementation.\r\n\r\nApplications may manipulate the behavior of an IPv6 socket using the\r\nsetsockopt(2) system call.\r\n\r\nII. Problem Description\r\n\r\nA programming error in the handling of some IPv6 socket options within\r\nthe setsockopt(2) system call may result in memory locations being\r\naccessed without proper validation. While the problem originates in\r\ncode from the KAME Project, it does not affect other operating systems.\r\n\r\nIII. 
Impact\r\n\r\nIt may be possible for a local attacker to read portions of kernel\r\nmemory, resulting in disclosure of sensitive information. A local\r\nattacker can cause a system panic.\r\n\r\nIV. Workaround\r\n\r\nDo one of the following:\r\n\r\n1) Disable IPv6 entirely by following these steps:\r\n\r\n - Remove or comment out any lines mentioning `INET6' from your\r\n kernel configuration file, and recompile your kernel as described\r\n in <URL:http://www.freebsd.org/handbook/kernelconfig.html>.\r\n\r\n - Reboot your system.\r\n\r\n2) If all untrusted users are confined within a jail(8), ensure that\r\nthe security.jail.socket_unixiproute_only sysctl is set to 1 and\r\nverify that no IPv6 sockets are currently open:\r\n\r\n# sysctl security.jail.socket_unixiproute_only=1\r\n# sockstat -6\r\n\r\nThis will restrict jailed processes to creating UNIX domain, IPv4, and\r\nrouting sockets, which are not vulnerable to this problem; note however\r\nthat processes inside a jail may still be able to inherit IPv6 sockets\r\nfrom outside the jail, so this may not be sufficient for all systems.\r\n\r\nV. Solution\r\n\r\nDo one of the following:\r\n\r\n1) Upgrade your vulnerable system to the RELENG_5_2 security branch\r\ndated after the correction date.\r\n\r\n2) To patch your present system:\r\n\r\na) Download the relevant patch from the location below, and verify the\r\ndetached PGP signature using your PGP utility.\r\n\r\n# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:06/ipv6.patch\r\n# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:06/ipv6.patch.asc\r\n\r\nb) Execute the following commands as root:\r\n\r\n# cd /usr/src\r\n# patch < /path/to/patch\r\n\r\nc) Recompile the kernel as described in\r\n<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the\r\nsystem.\r\n\r\nd) Install updated kernel headers.\r\n\r\n# cd /usr/src/include\r\n# make install\r\n\r\nVI. 
Correction details\r\n\r\nThe following list contains the revision numbers of each file that was\r\ncorrected in FreeBSD.\r\n\r\nBranch Revision\r\n Path\r\n- -------------------------------------------------------------------------\r\nRELENG_5_2\r\n src/UPDATING 1.282.2.12\r\n src/sys/netinet6/ip6_output.c 1.71.2.2\r\n src/sys/netinet/ip6.h 1.10.2.1\r\n src/sys/conf/newvers.sh 1.56.2.11\r\n- -------------------------------------------------------------------------\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.4 (FreeBSD)\r\n\r\niD8DBQFAaC6kFdaIBMps37IRAiCBAJ9ATb8FTKysuJvwlU8E0YOArWwP1gCcCCpw\r\nrK7VXiZuLwD1zZmBepSHCt4=\r\n=FLqJ\r\n-----END PGP SIGNATURE-----\r\n\r\n \r\n\r\n", "edition": 1, "modified": "2004-03-30T00:00:00", "published": "2004-03-30T00:00:00", "id": "SECURITYVULNS:DOC:5989", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5989", "title": "FreeBSD Security Advisory FreeBSD-SA-04:06.ipv6", "type": "securityvulns", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2021-02-01T02:57:56", "description": "The remote host is running a version of FreeBSD 5.2 older than FreeBSD 5.2.1-p4\n\nThere is a programming error in the version of this kernel which may allow\na local attacker to read portions of the kernel memory or to cause a system\npanic by misusing the setsockopt() system call on IPv6 sockets.", "edition": 22, "published": "2004-07-06T00:00:00", "title": "FreeBSD : SA-04:06.ipv6 : setsockopt()", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0370"], "modified": "2021-02-02T00:00:00", "cpe": [], "id": "FREEBSD_SETSOCKOPT_521_4.NASL", "href": "https://www.tenable.com/plugins/nessus/12613", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(12613);\n script_version (\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2013/01/25 01:19:07 $\");\n script_cve_id(\"CVE-2004-0370\");\n name[\"english\"] = \"FreeBSD : SA-04:06.ipv6 : setsockopt()\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of FreeBSD 5.2 older than FreeBSD 5.2.1-p4\n\nThere is a programming error in the version of this kernel which may allow\na local attacker to read portions of the kernel memory or to cause a system\npanic by misusing the setsockopt() system call on IPv6 sockets.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.vuxml.org/freebsd/2c6acefd-8194-11d8-9645-0020ed76ef5a.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/06\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the FreeBSD kernel\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2013 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\n\n\ninclude(\"freebsd_package.inc\");\n\nport = 0;\n\npackage = get_kb_item(\"Host/FreeBSD/release\");\nif ( egrep(pattern:\"FreeBSD-5\\.2\", string:package) )\n{\n if ( pkg_cmp(pkg:package, reference:\"FreeBSD-5.2.1_4\") < 0 )\n {\n security_note(port);\n exit(0);\n }\n}\n\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}]}