CVE-2014-3873
Description
The ktrace utility in the FreeBSD kernel uses an incorrect page fault trace entry size, allowing local users to read kernel memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The ktrace utility in the FreeBSD kernel uses an incorrect size for page fault kernel trace entries due to an overlooked merge to -STABLE branches [1]. This affects FreeBSD 8.4 before p11, 9.1 before p14, 9.2 before p7, and 9.3-BETA1 before p1 [1]. The kernel must be built with the KTRACE option (enabled by default) for the vulnerability to be present [1].
Exploitation
Exploitation requires local access and the ability to enable kernel process tracing via the ktrace utility [1]. An attacker enables tracing on a process; when a page fault occurs, the kernel writes a trace entry with an incorrect size, causing portions of kernel memory to be included in the trace output [1]. The attacker then reads the trace file to obtain sensitive kernel memory contents [1].
Impact
A local user who can enable kernel process tracing can read the contents of kernel memory [1]. This memory may contain sensitive information such as portions of the file cache or terminal buffers, which could be directly useful or leveraged to obtain elevated privileges [1].
Mitigation
Update to the fixed versions: FreeBSD 8.4-RELEASE-p11, 9.1-RELEASE-p14, 9.2-RELEASE-p7, or 9.3-BETA1-p1 [1]. No workaround is available; the vulnerability is corrected by applying the appropriate patch [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:freebsd:freebsd:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:9.1:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:9.2:-:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:9.3:beta1:*:*:*:*:*:*
- (no CPE) range: 8.4 before p11, 9.1 before p14, 9.2 before p7, 9.3-BETA1 before p1
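A host check for the affected ranges listed above, as an added example that is not part of the original page or of the FreeBSD project's own tooling. The function name `cve_2014_3873_status` and its return codes are assumptions, and the input is assumed to be a kernel release string in the form `uname -r` prints (the sample strings in the comments are constructed).

```shell
#!/bin/sh
# Classify a FreeBSD kernel release string against the ranges on this page.
# Return codes (assumed convention for this example):
#   0 = affected (below the first fixed patch level)
#   1 = at or above the first fixed patch level
#   2 = release or branch not covered by the page's ranges
# Usage on a host: cve_2014_3873_status "$(uname -r)"
cve_2014_3873_status() {
    rel=$1
    # Split e.g. "9.2-RELEASE-p5" into version, branch and patch level.
    ver=${rel%%-*}
    rest=${rel#*-}
    [ "$rest" = "$rel" ] && return 2      # no "-BRANCH" component
    case $rest in
        *-p[0-9]*) branch=${rest%-p*}; plevel=${rest##*-p} ;;
        *)         branch=$rest;       plevel=0 ;;   # no -pN suffix means p0
    esac
    # Reject anything that is not a plain number after "-p".
    case $plevel in ''|*[!0-9]*) return 2 ;; esac

    # First fixed patch level per release, taken from the page.
    case "$ver-$branch" in
        8.4-RELEASE) fixed=11 ;;
        9.1-RELEASE) fixed=14 ;;
        9.2-RELEASE) fixed=7 ;;
        9.3-BETA1)   fixed=1 ;;
        *)           return 2 ;;   # e.g. -STABLE, -RC, other versions
    esac
    [ "$plevel" -lt "$fixed" ] && return 0
    return 1
}
```

A result of 2 means the page's ranges say nothing about that branch, so it should be reviewed by hand rather than treated as safe.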
Patches
No patches discovered yet.
References