FreeBSD rushes out zero-day root patch

FreeBSD rushes out zero-day root patch

Summary: The team behind the open-source operating system has moved quickly to close a flaw that gives local users administrative privileges to run any code they choose

SHARE:
TOPICS: Security
0

The security team for the open-source FreeBSD operating system has rushed out a patch for a zero-day local root vulnerability.

The zero-day was published on the Full Disclosure mailing list on Monday, and the patch was made available on the same day. The vulnerability gives local users administrative privileges which allow them to run any code they choose.

The flaw affects recent versions, and resides in the run-time link editor, according to Nikolaos Rangos, the security researcher also known as Kingcope.

Colin Percival, a FreeBSD security officer, told ZDNet UK on Tuesday that the issue was serious, as exploit code was available on the internet.

"I consider all vulnerabilities to be serious if they can be exploited," Percival said in an email interview. "On systems which are vulnerable, yes, this is simple to exploit. But most issues are simple to exploit once someone publishes exploit code."

Percival said that certain system configurations were not vulnerable. "Systems without untrusted local users are not affected by this," he wrote. "Systems which only host jails [an operating-system-level virtualisation partition] are not affected by this. Systems where all the directories in which untrusted users can create files are mounted with the noexec option are not affected by this."

However, the issue was serious enough for FreeBSD to rush out a patch on Monday.

"Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP," wrote Percival on the mailing list, adding the caveat that the patch may not fully fix the issue.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion