CVE-2020-7457
published 2020-07-09
Priority: P2 (66) · CVSS 3.1: 8.1 (high)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (see references)
EPSS: 32.98% (98.1st percentile)
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS socket option set handler contained a race condition allowing a malicious application to modify memory after being freed, possibly resulting in code execution.
Affected
5 ranges (version ranges and fixes as stated in the CVE description and FreeBSD-SA-20:20.ipv6)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | 12.1-STABLE before r359565 | stable/12 r359565 |
| freebsd | freebsd | 12.1-RELEASE before p7 | 12.1-RELEASE-p7 (releng/12.1 r363026) |
| freebsd | freebsd | 11.4-STABLE before r362975 | stable/11 r362975 |
| freebsd | freebsd | 11.4-RELEASE before p1 | 11.4-RELEASE-p1 (releng/11.4 r363026) |
| freebsd | freebsd | 11.3-RELEASE before p11 | 11.3-RELEASE-p11 (releng/11.3 r363026) |
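The ranges above translate directly into a host check. The script below is an added example, not FreeBSD project code: it parses the string printed by `freebsd-version -k` (or `uname -r`) and compares it with the fixed patch levels and stable-branch revisions named in the advisory. Two assumptions are this example's own: releases newer than 12.1 (12.2, 13.x and later) are treated as containing the fix because they were cut after the fix was committed to stable/12 in April 2020, and -STABLE builds cannot be judged from the version string alone, so the check asks for the Subversion revision and otherwise reports unknown. The function names are the example's own.

```python
"""Offline check: is a FreeBSD version string patched for CVE-2020-7457?

Added example, not FreeBSD project code. Fixed patch levels and branch
revisions are taken from FreeBSD-SA-20:20.ipv6.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional

# RELEASE branches: first patch level that contains the fix (advisory "Corrected").
FIXED_PATCH_LEVEL = {
    (11, 3): 11,   # 11.3-RELEASE-p11
    (11, 4): 1,    # 11.4-RELEASE-p1
    (12, 1): 7,    # 12.1-RELEASE-p7
}
# STABLE branches: first Subversion revision that contains the fix.
FIXED_STABLE_REVISION = {11: 362975, 12: 359565}
# Assumption of this example: any release newer than the last one named in
# the advisory was cut after the fix landed and therefore contains it.
NEWEST_ADVISORY_RELEASE = (12, 1)

VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)-"
    r"(?P<branch>RELEASE|STABLE|CURRENT|PRERELEASE|BETA\d*|RC\d*)"
    r"(?:-p(?P<patch>\d+))?$"
)


@dataclass
class Verdict:
    status: str     # "patched", "vulnerable" or "unknown"
    reason: str


def assess(version: str, svn_revision: Optional[int] = None) -> Verdict:
    """Classify a `freebsd-version -k` / `uname -r` string against the advisory."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return Verdict("unknown", f"unrecognised version string {version!r}")
    major, minor = int(m["major"]), int(m["minor"])
    branch = m["branch"]
    patch = int(m["patch"]) if m["patch"] else 0
    key = (major, minor)

    if branch == "RELEASE":
        if key in FIXED_PATCH_LEVEL:
            need = FIXED_PATCH_LEVEL[key]
            if patch >= need:
                return Verdict("patched", f"{major}.{minor}-RELEASE-p{patch} >= p{need}")
            return Verdict("vulnerable", f"{major}.{minor}-RELEASE-p{patch} < p{need}")
        if key > NEWEST_ADVISORY_RELEASE:
            return Verdict("patched", "release cut after the fix was committed (assumption)")
        return Verdict("vulnerable",
                       "end-of-life release not covered by the advisory; treat as affected")

    if branch == "STABLE":
        if major > NEWEST_ADVISORY_RELEASE[0]:
            return Verdict("patched", "stable branch created after the fix (assumption)")
        need = FIXED_STABLE_REVISION.get(major)
        if need is None:
            return Verdict("vulnerable", "unsupported stable branch; treat as affected")
        if svn_revision is None:
            return Verdict("unknown", f"need the source revision; fix is r{need}")
        if svn_revision >= need:
            return Verdict("patched", f"r{svn_revision} >= r{need}")
        return Verdict("vulnerable", f"r{svn_revision} < r{need}")

    # PRERELEASE/BETA/RC snapshots and -CURRENT are not addressed by the advisory.
    return Verdict("unknown", f"{branch} build: verify the fix commit is present")


def assess_local_host() -> Verdict:
    """Run the check on this machine (only meaningful on a FreeBSD host)."""
    tool = shutil.which("freebsd-version")
    if tool is None:
        return Verdict("unknown", "freebsd-version not found; not a FreeBSD host?")
    out = subprocess.run([tool, "-k"], capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    v = assess_local_host()
    print(f"{v.status}: {v.reason}")
```

Note that `freebsd-version -k` reports the running kernel, which is what matters here; `-u` reports the installed userland and can be newer than the kernel that is actually booted.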
Detection & IOCs (extracted from sources)
- Detect exploitation attempts via racing setsockopt calls using the IPV6_2292PKTOPTIONS socket option on IPv6 sockets, which may indicate a use-after-free exploit attempt against the FreeBSD kernel.
- Monitor for local privilege escalation on FreeBSD systems (amd64) running affected releases, cited as 9.0-RELEASE through 12.1-RELEASE r354233; unexpected privilege changes from unprivileged users to root may indicate exploitation.
- The exploit overwrites the ip6po_pktinfo pointer within a freed ip6_pktopts struct to achieve arbitrary kernel read/write; kernel memory corruption or unexpected kernel panics on IPv6 socket operations may be an indicator.
- On PS5 targets, this CVE was chained with a bd-j exploit chain to gain kernel access; monitor for bd-j exploit activity as a precursor indicator.
- No workaround is available; the only mitigation is updating to a corrected FreeBSD release or to a stable-branch revision dated after the correction date.
- All supported versions of FreeBSD are affected; patched revisions are stable/12 r359565, releng/12.1 r363026, stable/11 r362975, releng/11.4 r363026 and releng/11.3 r363026.
- This is a local privilege escalation vulnerability requiring a malicious application already running on the target system; it is not remotely exploitable on its own.
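The first indicator above (racing setsockopt calls on IPV6_2292PKTOPTIONS) can be turned into a detection rule over a syscall trace. The following is an added example, not code from the page's sources or from the FreeBSD project: it reads one line per setsockopt call in a format invented for this example (a DTrace probe on syscall::setsockopt:entry could print the same fields), keeps only IPPROTO_IPV6 (41) / IPV6_2292PKTOPTIONS (25, from FreeBSD's netinet6/in6.h) calls, and alerts when two or more threads of one process hit the option on the same descriptor inside a short window. The sample trace is constructed, and the window and call-count thresholds are assumptions to tune.

```python
"""Heuristic detector for the race pattern behind CVE-2020-7457.

Added example, not FreeBSD project code. Input is a constructed trace of
setsockopt(2) calls in a one-line-per-call format chosen for this example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

IPPROTO_IPV6 = 41           # sys/netinet/in.h
IPV6_2292PKTOPTIONS = 25    # sys/netinet6/in6.h

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+pid=(?P<pid>\d+)\s+tid=(?P<tid>\d+)\s+comm=(?P<comm>\S+)\s+"
    r"setsockopt\(fd=(?P<fd>\d+),\s*level=(?P<level>\d+),\s*optname=(?P<optname>\d+)\)$"
)


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn trace lines into event dicts; lines in any other format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": float(m["ts"]), "pid": int(m["pid"]), "tid": int(m["tid"]),
                "comm": m["comm"], "fd": int(m["fd"]),
                "level": int(m["level"]), "optname": int(m["optname"]),
            })
    return events


def find_races(lines: Iterable[str], window_s: float = 0.010, min_calls: int = 20) -> List[dict]:
    """Flag (pid, fd) pairs where two or more threads hammer
    setsockopt(IPPROTO_IPV6, IPV6_2292PKTOPTIONS) on one socket within
    window_s seconds. A single thread cannot race itself on the option,
    so one-thread bursts are deliberately not reported."""
    by_socket: Dict[tuple, List[dict]] = defaultdict(list)
    for ev in parse(lines):
        if ev["level"] == IPPROTO_IPV6 and ev["optname"] == IPV6_2292PKTOPTIONS:
            by_socket[(ev["pid"], ev["fd"])].append(ev)

    alerts = []
    for (pid, fd), evs in by_socket.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over the sorted calls
            while evs[end]["ts"] - evs[start]["ts"] > window_s:
                start += 1
            span = evs[start:end + 1]
            tids = {e["tid"] for e in span}
            if len(span) >= min_calls and len(tids) >= 2:
                alerts.append({
                    "pid": pid, "fd": fd, "comm": evs[0]["comm"],
                    "calls": len(span), "threads": len(tids),
                    "first_ts": span[0]["ts"], "last_ts": span[-1]["ts"],
                })
                break                         # one alert per socket is enough
    return alerts


def constructed_trace() -> List[str]:
    """Constructed sample, not a real capture: one benign call, one
    single-threaded loop (must not alert) and one two-thread race."""
    t0 = 1594216800.0
    lines = [f"{t0:.6f} pid=500 tid=100001 comm=sshd setsockopt(fd=4, level=41, optname=25)"]
    for k in range(50):   # one thread looping on the option: no partner to race against
        lines.append(f"{t0 + 0.5 + k * 1e-4:.6f} pid=777 tid=100200 comm=loop "
                     "setsockopt(fd=3, level=41, optname=25)")
    for k in range(50):   # two threads alternating on the same fd, 0.1 ms apart
        tid = 100045 + (k % 2)
        lines.append(f"{t0 + 1.0 + k * 1e-4:.6f} pid=1234 tid={tid} comm=racer "
                     "setsockopt(fd=3, level=41, optname=25)")
    lines.append(f"{t0 + 2.0:.6f} pid=1234 tid=100045 comm=racer "
                 "setsockopt(fd=3, level=41, optname=27)")   # other option, ignored
    return lines


SAMPLE_TRACE = constructed_trace()

if __name__ == "__main__":
    for a in find_races(SAMPLE_TRACE):
        print(f"pid {a['pid']} ({a['comm']}) fd {a['fd']}: {a['calls']} calls from "
              f"{a['threads']} threads in {a['last_ts'] - a['first_ts']:.4f}s")
```

The thread count is the discriminating feature: the bug needs one thread to free the ip6_pktopts while another is still using it, so a legitimate program that sets the option once per socket, or even in a tight single-threaded loop, never trips the rule.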
CVSS provenance
NVD v3.1: 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
Note: both NVD vectors rate the attack vector as network, while the FreeBSD advisory and the description treat this as a local issue that needs a malicious application already running on the host; weight the score accordingly when prioritizing.
GHSA
GHSA-jhq7-2279-q727: In FreeBSD 12…
ghsa_unreviewed · 2022-05-24 · CVE-2020-7457 [MEDIUM] · CWE-362 (description identical to the CVE text above)
BSD
FreeBSD-SA-20:20.ipv6: IPv6 socket option race condition and use after free
bsd_advisories · 2020-07-08 · CVSS 8.1 · CVE-2020-7457 [HIGH]
FreeBSD-SA-20:20.ipv6 Security Advisory
The FreeBSD Project
Topic: IPv6 socket option race condition and use after free
Category: core
Module: network
Announced: 2020-07-08
Credits: syzkaller, Andy Nguyen
Affects: All supported versions of FreeBSD.
Corrected: 2020-04-02 15:30:51 UTC (stable/12, 12.1-STABLE)
2020-07-08 20:11:40 UTC (releng/12.1, 12.1-RELEASE-p7)
2020-07-06 20:23:14 UTC (stable/11, 11.4-STABLE)
2020-07-08 20:11:40 UTC (releng/11.4, 11.4-RELEASE-p1)
2020-07-08 20:11:40 UTC (releng/11.3, 11.3-RELEASE-p11)
CVE Name: CVE-2020-7457
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The IPV6_2292PKTOPTIONS socket option allows user code to set IP
No detection rules found.
Trendmicro
Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack
blogs_trendmicro · 2022-07-27
# Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack
Learn about the patch gap vulnerabilities in the VMware ESXi TCP/IP stack.
By: Zero Day Initiative, 2022/07/27
Over the last few years, multiple VMware ESXi remote, unauthenticated code execution vulnerabilities have been publicly disclosed. Some were also found to be exploited in the wild. Since these bugs were found in ESXi's implementation of the SLP service, VMware provided workarounds to turn off the service. VMware also disabled the service by default starting with ESX 7.0 Update 2c. In this blog post, we explore another remotely reachable attack surface: ESXi's TCP/IP stack implemented as a VMkernel module. The most interesting outcome of this analysis is that ESXi's TCP/IP s
HackerOne
Use-after-free in setsockopt IPV6_2292PKTOPTIONS (CVE-2020-7457)
hackerone · 2022-09-20 · CVSS 8.1 · CVE-2020-7457 [HIGH]
The PS5 is vulnerable to https://hackerone.com/reports/826026 which easily grants kernel access to an attacker. This vulnerability had been reported by me for the PS4 2 years ago when the PS5 did not yet exist, thus this should be considered as a new report and **not a duplicate**.
I was able to use this vulnerability in conjunction with the bd-j exploit chain to gain kernel access.
See https://www.freebsd.org/security/advisories/FreeBSD-SA-20:20.ipv6.asc for more details.
## Impact
Gain kernel access on PS5.
References
- http://packetstormsecurity.com/files/158695/FreeBSD-ip6_setpktopt-Use-After-Free-Privilege-Escalation.html
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:20.ipv6.asc
- https://security.netapp.com/advisory/ntap-20200724-0002/