CVE-2020-7457
published 2020-07-09


Priority: P2 (66), high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 32.98% (98.1th percentile)
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS socket option set handler contained a race condition allowing a malicious application to modify memory after being freed, possibly resulting in code execution.

Affected (4 ranges)

Vendor    Product    Version range    Fixed in
freebsd   freebsd
freebsd   freebsd
freebsd   freebsd
freebsd   freebsd

Detection & IOCs (extracted from sources)

URL: https://security.FreeBSD.org/patches/SA-20:20/ipv6.patch
URL: https://security.FreeBSD.org/patches/SA-20:20/ipv6.patch.asc
  • Detect exploitation attempts via racing setsockopt calls using the IPV6_2292PKTOPTIONS socket option on IPv6 sockets, which may indicate a UAF exploit attempt against the FreeBSD kernel.
  • Monitor for local privilege escalation on FreeBSD systems (amd64) running affected releases: 9.0-RELEASE through 12.1-RELEASE r354233; unexpected privilege changes from unprivileged users to root may indicate exploitation.
  • The exploit overwrites the ip6po_pktinfo pointer within a freed ip6_pktopts struct to achieve arbitrary kernel read/write; kernel memory corruption or unexpected kernel panics on IPv6 socket operations may be an indicator.
  • On PS5 targets, this CVE was chained with a bd-j exploit chain to gain kernel access; monitor for bd-j exploit activity as a precursor indicator.
  • No workaround is available; the only mitigation is patching to a corrected FreeBSD release or stable branch dated after the correction date.
  • All supported versions of FreeBSD are affected; patched revisions are: stable/12 r359565, releng/12.1 r363026, stable/11 r362975, releng/11.4 r363026, releng/11.3 r363026.
  • This is a local privilege escalation vulnerability requiring a malicious user application already running on the target system; it is not remotely exploitable on its own.
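Since the only mitigation listed is patching, the practical check for a defender is whether a host's release line is at or past the patch level named in the description (12.1-RELEASE p7, 11.4-RELEASE p1, 11.3-RELEASE p11). The following POSIX sh script is an added example, not part of this record or of the FreeBSD advisory; it parses a freebsd-version(1) style string and reports patched, vulnerable, or unknown. The script name check_sa2020.sh used in the self-run guard is a hypothetical filename. -STABLE builds are identified by svn revision rather than a -pN suffix, so the script reports them as unknown and they must be compared against r359565 / r362975 by hand.

```shell
#!/bin/sh
# Added example (not from the advisory or the FreeBSD project): decide whether
# a freebsd-version(1) style string such as "12.1-RELEASE-p7" is at or beyond
# the patch level that fixes CVE-2020-7457 for that release line.
# Prints one of: patched, vulnerable, unknown.

# Minimum -pN patch level per affected release line, taken from the CVE text.
min_patch_level() {
    case "$1" in
        12.1) echo 7 ;;
        11.4) echo 1 ;;
        11.3) echo 11 ;;
        *)    echo "" ;;   # release line not covered by this check
    esac
}

# Usage: sa2020_status "12.1-RELEASE-p7"
sa2020_status() {
    ver="$1"
    case "$ver" in
        *-RELEASE*) ;;
        *) echo unknown; return 0 ;;     # -STABLE/-CURRENT: compare svn revision by hand
    esac
    rel="${ver%%-*}"                     # e.g. "12.1"
    rest="${ver#*-RELEASE}"              # "" for a bare release, "-p7" otherwise
    case "$rest" in
        -p*) plevel="${rest#-p}" ;;
        "")  plevel=0 ;;                 # no patch level at all
        *)   echo unknown; return 0 ;;
    esac
    min=$(min_patch_level "$rel")
    if [ -z "$min" ]; then
        echo unknown; return 0
    fi
    case "$plevel" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # malformed patch level
    esac
    if [ "$plevel" -ge "$min" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# When run directly as check_sa2020.sh (hypothetical name) on a FreeBSD host,
# check the running kernel's version string.
if [ "${0##*/}" = "check_sa2020.sh" ] && command -v freebsd-version >/dev/null 2>&1; then
    sa2020_status "$(freebsd-version -k)"
fi
```

The check is deliberately conservative: a release line that the description does not name (for example 12.0 or 11.2) yields unknown rather than patched, because the record states that all supported versions were affected and only the listed lines received a patch level.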

CVSS provenance

NVD, CVSS v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P