Buffer Overwrite Vulnerability in mpr, mps, and mpt Drivers Could Lead to Privilege Escalation
CVE-2022-23086

7.8 HIGH

Key Information:

Vendor: FreeBSD

Status
Vendor
CVE Published: 15 February 2024

What is CVE-2022-23086?

The vulnerability arises from improper handling of buffer allocation in the mpr, mps, and mpt drivers in the FreeBSD operating system. Through ioctl calls, these drivers let a user specify the size of a buffer used for read/write operations. If the user specifies a size smaller than required, the driver still copies a fixed-size header into the allocated memory, and that copy can overwrite other heap data. Exploiting the flaw requires access to the device node, which by default is restricted to 'root' and members of the 'operator' group. The result can be privilege escalation, allowing an unauthorized user to gain higher-level access than intended.
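
The pattern described above, reduced to a user-space C example that is added here and is not FreeBSD driver code: the header layout, function names and sample lengths are hypothetical. The first function sizes the allocation from the caller but the copy from the header; the second rejects any length that cannot hold the header.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size header the handler always writes (assumed layout). */
struct reply_hdr {
    uint32_t function;
    uint32_t msg_length;
    uint8_t  reserved[24];
};

/* Flawed pattern: allocation sized by the caller, copy sized by the header.
 * If user_len < sizeof(struct reply_hdr), memcpy writes past the allocation.
 * Shown for comparison only; never called in this example. */
int handle_cmd_unchecked(size_t user_len, const struct reply_hdr *hdr, void **out)
{
    void *buf = malloc(user_len);
    if (buf == NULL)
        return ENOMEM;
    memcpy(buf, hdr, sizeof(*hdr));
    *out = buf;
    return 0;
}

/* Hardened form: refuse any length that cannot hold the header. */
int handle_cmd_checked(size_t user_len, const struct reply_hdr *hdr, void **out)
{
    if (user_len < sizeof(*hdr))
        return EINVAL;
    void *buf = malloc(user_len);
    if (buf == NULL)
        return ENOMEM;
    memcpy(buf, hdr, sizeof(*hdr));
    *out = buf;
    return 0;
}

int main(void)
{
    struct reply_hdr hdr = { .function = 1, .msg_length = sizeof(hdr) };
    void *buf = NULL;
    /* Constructed inputs: 8 bytes is too small, 64 bytes is large enough. */
    printf("len=8  -> %d\n", handle_cmd_checked(8, &hdr, &buf));
    printf("len=64 -> %d\n", handle_cmd_checked(64, &hdr, &buf));
    free(buf);
    return 0;
}
```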

Affected Version(s)

FreeBSD 13.1-RC1

FreeBSD 13.0-RELEASE

FreeBSD 12.3-RELEASE

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lucas Leong (@_wmliang_)
Trend Micro Zero Day Initiative