Highly critical flaw affects NetBSD and OpenBSD
A vulnerability that can result in a Denial of Service event, privilege escalation, or remote system access has been shown to exist in two popular UNIX brands: NetBSD and OpenBSD. Patches are already available for the affected operating systems. There are also new versions of each OS that aren't affected by the flaw. And for users of early versions of OpenBSD, there is a new component available that allows them to simply rebuild rather than upgrade to a later version.
Details
Researchers Janusz Niewiadomski and Wojciech Purczynski at iSEC Security Research discovered that the realpath() function versions used in a number of operating system versions are vulnerable to an "off-by-one" error. To exploit the flaw, an attacker must use an application to send a resolved path exactly 1,024 bytes in length to realpath(), which is the function that returns canonicalized absolute path names (i.e., it takes pathnames and removes all special characters). The original report was designated NetBSD-SA2003-011.
Applicability
The current build of NetBSD prior to Aug. 4, 2003, has a vulnerable version of realpath(), as do the following versions:
- NetBSD 1.6.1
- NetBSD 1.6
- NetBSD-1.5.3
- NetBSD-1.5.2
- NetBSD-1.5.1
- NetBSD-1.5
- OpenBSD 3.2
- OpenBSD 3.3
This threat poses multiple risks, as described above. Each of the risks is quite dangerous.
Fix—patch or update OS version
The NetBSD patch is available now, as is the next version of NetBSD, which is free from the flaw. The next version of OpenBSD (which is also free from the flaw) is available, along with patches for the 3.2 and 3.3 stable branches. There is one patch for version 3.2 and a different patch for OpenBSD 3.3. You can use a new version of realpath() to rebuild versions prior to 3.2.
Final word
If you have NetBSD or OpenBSD systems affected by this vulnerability, you should move to quickly patch or upgrade due to the severity of the risk involved.
TechRepublic originally published this article on 18 August 2003.