Vulnerabilities in FreeBSD allowing escape from jail environments

Two vulnerabilities have been identified in the jail sandboxing mechanism developed by the FreeBSD project:

  • CVE-2020-25582: a bug in the implementation of the jail_attach system call, which attaches a process from outside a jail to an existing jail. It is triggered when an unjailed process such as jexec or killall calls jail_attach, and allows a privileged (root) process confined inside the jail to change its root directory and gain full access to all files and directories on the host.
  • CVE-2020-25581: a race condition in the way the jail_remove system call terminates a jail's processes. It allows a privileged process running inside a jail to survive the jail's removal and, when a jail is next started with the same root directory, gain full access to the host through devfs, exploiting the window in which devfs is already mounted for the new jail but the devfs isolation rules have not yet been applied.

Also note CVE-2020-25580 in the pam_login_access PAM module, which processes the login.access file. That file defines the access rules for users and groups that are applied at login (by default the module is enabled in the PAM configuration for console login, sshd and telnetd). The vulnerability allows a user to log in despite the presence of deny rules in login.access that should reject them.

The vulnerabilities have been fixed in the 13.0-STABLE, 12.2-STABLE and 11.4-STABLE branches and in the FreeBSD 12.2-RELEASE-p4 and 11.4-RELEASE-p8 patch releases.
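As an added example (not part of the original report or of the FreeBSD project's own tooling), the shell function below decides whether a FreeBSD release string of the form printed by `freebsd-version -k` already carries the fixes named above. The minimum patch levels it assumes, 12.2-RELEASE-p4 and 11.4-RELEASE-p8, are taken from the text; the sample version used when the script is run off a FreeBSD host is constructed.

```shell
#!/bin/sh
# Added example: classify a FreeBSD release string against the patch levels
# that the advisory text names as fixed (12.2-RELEASE-p4, 11.4-RELEASE-p8).
# Not project code; the version strings are the only input.

# patched_release VERSION
#   returns 0 if VERSION is a -RELEASE string at or above the fixed patch level,
#   1 if it is a known release below that level,
#   2 if it cannot be judged (e.g. a -STABLE or -CURRENT build, or another release line).
patched_release() {
    ver="$1"
    base="${ver%%-RELEASE*}"          # "12.2-RELEASE-p4" -> "12.2"
    rest="${ver#*-RELEASE}"           # "12.2-RELEASE-p4" -> "-p4"; "12.2-RELEASE" -> ""
    case "$rest" in
        -p*) patch="${rest#-p}" ;;    # numeric patch level
        "")  patch=0 ;;               # unpatched GA release
        *)   return 2 ;;              # no "-RELEASE" in the string: not a release build
    esac
    case "$base" in
        12.2) need=4 ;;
        11.4) need=8 ;;
        *)    return 2 ;;             # release line not covered by the advisory text
    esac
    [ "$patch" -ge "$need" ]
}

# Check the running kernel when on FreeBSD; otherwise use a constructed sample value.
main() {
    if command -v freebsd-version >/dev/null 2>&1; then
        v=$(freebsd-version -k)
    else
        v="12.2-RELEASE-p3"           # constructed sample: one patch level short of the fix
    fi
    if patched_release "$v"; then
        echo "$v: carries the jail/pam_login_access fixes"
    else
        echo "$v: NOT at the fixed patch level (or not a release build, check manually)"
    fi
}
main
```

On a live host, compare `freebsd-version -k` (running kernel) with `freebsd-version -u` (installed userland): the jail fixes are kernel-side, the pam_login_access fix is in userland, so both must be at the fixed level.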

/Media reports.