CVE-2014-3953
Description
FreeBSD kernel memory disclosure via uninitialized padding in SCTP control messages and notifications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2014-3953 affects FreeBSD 8.4 before p14, 9.1 before p17, 9.2 before p10, and 10.0 before p7. The kernel does not properly initialize padding in certain SCTP control messages (SCTP_SNDRCV, SCTP_EXTRCV, SCTP_RCVINFO) and notifications (SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR, SCTP_AUTHENTICATION_EVENT), leading to disclosure of uninitialized kernel memory [1].
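The bug class described above, shown as an added example in user-space C (not FreeBSD's code and not taken from the advisory): the struct `demo_notification`, its field values and the `0xAA` stale-memory marker are hypothetical. It contrasts filling a reused buffer member by member with zeroing it first, the usual remediation for this class.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for old kernel data */
/* Hypothetical message layout; NOT a FreeBSD SCTP structure. */
struct demo_notification {
    uint16_t type;
    uint8_t  state;     /* padding follows to align 'length' */
    uint32_t length;
    uint64_t assoc_id;
    uint8_t  flags;     /* tail padding follows */
};

/* Fill a reused buffer and copy it out whole; zero_first=1 is the hardened form. */
static int emit_notification(unsigned char *user_buf, int zero_first)
{
    struct demo_notification *n = malloc(sizeof(*n));
    if (n == NULL) return -1;
    memset(n, STALE, sizeof(*n));   /* simulate stale heap contents */
    if (zero_first)
        memset(n, 0, sizeof(*n));   /* hardened: clears padding as well */
    n->type = 0x0001;
    n->state = 0x02;
    n->length = (uint32_t)sizeof(*n);
    n->assoc_id = 0x1122334455667788ULL;
    n->flags = 0x01;
    memcpy(user_buf, n, sizeof(*n)); /* copies members and padding alike */
    free(n);
    return 0;
}

/* Count stale marker bytes that reached the "user" buffer. */
static size_t leaked_bytes(const unsigned char *buf, size_t len)
{
    size_t count = 0;
    for (size_t i = 0; i < len; i++)
        count += (buf[i] == STALE);
    return count;
}

int main(void)
{
    unsigned char out[sizeof(struct demo_notification)];
    for (int z = 0; z <= 1 && emit_notification(out, z) == 0; z++)
        printf("zero_first=%d leaked=%zu\n", z, leaked_bytes(out, sizeof(out)));
    return 0;
}
```

On a typical LP64 ABI the struct is 24 bytes with 16 bytes of members, so the unzeroed path reports 8 stale bytes and the zeroed path reports 0.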
Exploitation
A local attacker can invoke the affected recvmsg(2) or sendmsg(2) system calls using the specific SCTP message types listed above. No special privileges beyond local user access are required; the attacker simply needs to craft appropriate socket operations that trigger the copying of the control message or notification to user space, where the uninitialized padding bytes from kernel heap/stack are exposed [1].
Impact
Successful exploitation discloses potentially sensitive information (e.g., cryptographic keys, passwords, or other secrets) from kernel memory to an unprivileged local user. This violates confidentiality without requiring any privilege escalation [1].
Mitigation
The issue was corrected in FreeBSD stable/10 (10.0-STABLE) and releng/10.0 (10.0-RELEASE-p7) on 2014-07-08, as well as in stable/9, releng/9.3, releng/9.2, releng/9.1, stable/8, and releng/8.4 (respective patch levels) on the same date [1]. Administrators should update to the patched versions. No workaround is documented, and there is no indication of this CVE being listed on CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:freebsd:freebsd:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:9.1:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:9.2:-:*:*:*:*:*:*
- (no CPE) range: <=8.4p13, <=9.1p16, <=9.2p9, <=10.0p6
Patches
No patches discovered yet.
References (4)
News mentions
No linked articles in our index yet.