FreeBSD rushes out zero-day root patch

Summary: The team behind the open-source operating system has moved quickly to close a flaw that gives local users administrative privileges to run any code they choose

The security team for the open-source FreeBSD operating system has rushed out a patch for a zero-day local root vulnerability.

The zero-day was published on the Full Disclosure mailing list on Monday, and the patch was made available on the same day. The vulnerability gives local users administrative privileges, which allow them to run any code they choose.

The flaw affects recent versions, and resides in the run-time link editor, according to Nikolaos Rangos, the security researcher also known as Kingcope.

Colin Percival, a FreeBSD security officer, told ZDNet UK on Tuesday that the issue was serious, as exploit code was available on the internet.

"I consider all vulnerabilities to be serious if they can be exploited," Percival said in an email interview. "On systems which are vulnerable, yes, this is simple to exploit. But most issues are simple to exploit once someone publishes exploit code."

Percival said that certain system configurations were not vulnerable. "Systems without untrusted local users are not affected by this," he wrote. "Systems which only host jails [an operating-system-level virtualisation partition] are not affected by this. Systems where all the directories in which untrusted users can create files are mounted with the noexec option are not affected by this."
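An administrator can check the third condition Percival lists, noexec on every directory where untrusted users can create files, against the mount table. The script below is an added example, not FreeBSD project code or part of the original article. It reads fstab-format text such as `mount -p` prints on FreeBSD. The sample mount table and the `USER_WRITABLE` list are constructed assumptions to replace with the host's own values.

```python
import os

# Constructed sample in fstab format (device, mountpoint, fstype, options, dump, pass).
SAMPLE_MOUNTS = """\
/dev/ada0p2  /      ufs    rw                1 1
devfs        /dev   devfs  rw                0 0
/dev/ada0p4  /tmp   ufs    rw,noexec,nosuid  2 2
/dev/ada0p5  /var   ufs    rw                2 2
/dev/ada0p6  /home  ufs    rw,nosuid         2 2
"""

# Assumption: directories where untrusted users can create files on this host.
USER_WRITABLE = ["/tmp", "/var/tmp", "/home"]


def parse_mounts(text):
    """Return {mountpoint: set of mount options} from fstab-format lines."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        mounts[os.path.normpath(fields[1])] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Return the longest mountpoint that contains `path`, or None."""
    path = os.path.normpath(path)
    best = None
    for mp in mounts:
        # Match whole path components so /tmpfoo is not treated as under /tmp.
        if mp == "/" or path == mp or path.startswith(mp + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def audit_noexec(dirs, mounts):
    """Return (directory, mountpoint) pairs whose filesystem lacks noexec."""
    findings = []
    for d in dirs:
        mp = covering_mount(d, mounts)
        if mp is None or "noexec" not in mounts[mp]:
            findings.append((d, mp))
    return findings


if __name__ == "__main__":
    for d, mp in audit_noexec(USER_WRITABLE, parse_mounts(SAMPLE_MOUNTS)):
        print(f"{d}: on filesystem {mp}, mounted without noexec")
```

An empty result covers only the directories listed in `USER_WRITABLE`; any other location where untrusted users can write must be added to the list before the check is meaningful.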

However, the issue was serious enough for FreeBSD to rush out a patch on Monday.

"Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP," wrote Percival on the mailing list, adding the caveat that the patch may not fully fix the issue.


About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
