PT-2020-9764 · FreeBSD · FreeBSD
Published 2020-03-19 · Updated 2021-07-21 · CVE-2019-15876
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
FreeBSD versions 12.1-STABLE before r356089
FreeBSD versions 12.1-RELEASE before 12.1-RELEASE-p3
FreeBSD versions 11.3-STABLE before r356090
FreeBSD versions 11.3-RELEASE before 11.3-RELEASE-p7
Description
The issue arises from driver-specific ioctl command handlers in the oce network driver, which failed to check whether the caller had sufficient privileges. This allows unprivileged users to send passthrough commands to the device firmware.
Recommendations
For FreeBSD versions 12.1-STABLE before r356089, update to a version after r356089.
For FreeBSD versions 12.1-RELEASE before 12.1-RELEASE-p3, update to 12.1-RELEASE-p3 or later.
For FreeBSD versions 11.3-STABLE before r356090, update to a version after r356090.
For FreeBSD versions 11.3-RELEASE before 11.3-RELEASE-p7, update to 11.3-RELEASE-p7 or later.
Weakness Enumeration
Missing Authorization
Affected Products
FreeBSD