The FreeBSD base system has been difficult to monitor for published vulnerabilities for a long time. This will improve when we achieve a packaged base system, but that leaves users of currently supported -RELEASE systems without a standardized option.

The freebsd-version(1) utility has existed since FreeBSD 10.0. This script is capable of correctly identifying the version of the FreeBSD kernel and the FreeBSD base system. It is an important step forward in helping users be confident in identifying the FreeBSD system's patch level.

I do not like reinventing the wheel, and it occurred to me that for a long time the FreeBSD SA announcements were properly documented in vuxml. This provided an opportunity and scratched an itch I had at work, so here goes nothing:

I am presenting here a useful albeit unsupported method of monitoring FreeBSD for base system vulnerabilities via pkg(8) utilizing entries in the vuxml database.

The pkg(8) utility, as you probably know, can check your system for known vulnerable packages. It does this with the pkg audit command. You can also pass any package name and version string as an argument, and it will check that string against the database. It is therefore possible to check the base system against the vuxml database by converting the freebsd-version(1) output to the package-name form vuxml uses and passing it to pkg audit.

Example of checking the base system (note, this is /bin/sh syntax):

$ freebsd-version -u
$ pkg audit $(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Multiple vulnerabilities of ntp
CVE: CVE-2016-4957
CVE: CVE-2016-4956
CVE: CVE-2016-4955
CVE: CVE-2016-4954
CVE: CVE-2016-4953

FreeBSD-10.3_2 is vulnerable:
libarchive -- multiple vulnerabilities
CVE: CVE-2015-2304
CVE: CVE-2013-0211

FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Heap vulnerability in bspatch
CVE: CVE-2014-9862

Now we have results for the base system! Let's check the kernel:

$ pkg audit $(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Buffer overflow in keyboard driver
CVE: CVE-2016-1886

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in Linux compatibility layer

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Incorrect argument handling in sendmsg(2)
CVE: CVE-2016-1887

The results speak for themselves.

I have recently finished adding all missing entries to the vuxml database that affect -RELEASE systems since 2013. This covers the tail end of 8.x, much of 9.x, and bleeds into the 10.x RELEASE lifetime. Older systems are End of Life and never supported the FreeBSD pkg(8) utility anyway, so I have not put in the effort to search out those missing entries. This method can still be used on FreeBSD systems that do not have the freebsd-version(1) utility, but there you will not have a reliable way to get the version of the FreeBSD base system. You can pull the kernel version from uname(1), but you will have to devise your own method of keeping track of the base system version. Beware of the leopard, etc.
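The conversion and the two pkg audit calls above, wrapped in a small /bin/sh script, as an added example that is not part of the original post or of pkg(8) itself. The names vuxml_name and audit_base are chosen here. vuxml_name turns a freebsd-version(1) string into the FreeBSD-x.y_p (userland) or FreeBSD-kernel-x.y_p (kernel) name vuxml uses and refuses anything that is not a -RELEASE string, since a -STABLE or -CURRENT box would otherwise get a name with no entries and look clean. audit_base checks both halves and, where freebsd-version(1) is absent, falls back to uname -r for the kernel only, as described above. It assumes pkg audit exits non-zero when it reports a match.

```sh
#!/bin/sh
# Added example (not from the original post): wrap the sed conversion in
# functions.  vuxml_name and audit_base are names chosen here, not part of
# freebsd-version(1) or pkg(8).

# vuxml_name VERSION PREFIX
# Map a freebsd-version(1) string onto the package name vuxml uses for the
# base system:   10.3-RELEASE-p2 -> FreeBSD-10.3_2          (PREFIX=FreeBSD)
#                10.3-RELEASE    -> FreeBSD-10.3
#                10.3-RELEASE-p2 -> FreeBSD-kernel-10.3_2   (PREFIX=FreeBSD-kernel)
# Only -RELEASE strings have vuxml entries, so anything else (-STABLE,
# -CURRENT, -RC*, -BETA*) is refused rather than turned into a name that
# pkg audit would report as clean for the wrong reason.
vuxml_name() {
    case "$1" in
        *-RELEASE|*-RELEASE-p[0-9]*) ;;
        *)  printf 'vuxml_name: "%s" is not a -RELEASE version string\n' "$1" >&2
            return 1 ;;
    esac
    printf '%s\n' "$1" | sed "s,^,$2-,;s,-RELEASE-p,_,;s,-RELEASE\$,,"
}

# audit_base
# Check userland and kernel with pkg audit.  Where freebsd-version(1) is
# missing (pre-10.0 systems) only the kernel can be identified reliably, via
# uname -r, as the post notes.  Assumes pkg audit exits non-zero when it
# reports a match; both halves are checked before the status is returned so
# that userland hits do not hide kernel hits.
audit_base() {
    _rc=0
    if command -v freebsd-version >/dev/null 2>&1; then
        _u=$(vuxml_name "$(freebsd-version -u)" FreeBSD) || return 2
        _k=$(vuxml_name "$(freebsd-version -k)" FreeBSD-kernel) || return 2
        pkg audit "$_u" || _rc=1
    else
        echo 'freebsd-version(1) not found; auditing the kernel only' >&2
        _k=$(vuxml_name "$(uname -r)" FreeBSD-kernel) || return 2
    fi
    pkg audit "$_k" || _rc=1
    return $_rc
}

# Only run the audit on FreeBSD; the conversion can be exercised anywhere.
if [ "$(uname -s)" = FreeBSD ]; then
    audit_base
fi
```

Save it as, say, audit-base.sh and run it from cron after pkg audit -F has refreshed the database; a non-zero exit means one of the two halves matched an entry. The -RELEASE check is the one piece worth keeping even if you inline the rest: an unmatched string is indistinguishable from a clean one in pkg audit's output.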

I hope you find this a valuable method for discovering vulnerabilities affecting your servers and that it helps you assess risk and plan patch management. Please remember this is not endorsed by secteam and is liable to be full of errors or out of date. I suggest using this as a complement to your other monitoring practices. Moving forward I hope to better coordinate with secteam to ensure new FreeBSD SAs are entered in the vuxml database in a timely manner.

This post originally appeared on the freebsd-questions mailing list and has been lightly edited.

Java KVM Troubles on OSX

Thu 30 June 2016 by feld

I was having troubles on OSX getting access to the KVM at work which is a Dell KVM 4322DS. The connection errors from Java about security settings were not resolved by whitelisting the site in the Java console. Turns out newer Java disables some SSL/TLS algorithms and settings that ...


Fixing Time Machine / Netatalk (error (null))

Fri 19 February 2016 by feld

Recently I was setting up a new Time Machine backup on my wife's MacBook so it would use my FreeBSD/ZFS server. My own personal MacBook was already backing up to it successfully and has been for quite some time. When I attempted to start a new backup to ...


Mono's DNS is broken

Fri 18 December 2015 by feld

I recently started playing around with Sonarr by porting it to FreeBSD. It's a pretty well designed app -- I'm not aware of an alternative with such a well thought-out interface and deep integration into the other programs it communicates with. I've never run a program via mono before ...


Routing a FreeBSD Jail through OpenVPN

Tue 30 June 2015 by feld

I decided I wanted to concoct a solution where I could force all applications in a jail or jails through a VPN connection without affecting the internet connectivity of other daemons on the system. After some headbanging I was able to make this work. The OS version being used in ...


Braindead FreeBSD Backups with Tarsnap and ACTS

Thu 14 May 2015 by feld

Before I start this simple blog post you should be aware that:

Now that has been said, let's start with the super basics. Do you ...


IPv6 via 6rd on FreeBSD

Wed 04 February 2015 by feld

My ISP is Charter and they support 6rd for IPv6. Unfortunately 6rd support does not exist in the stf(4) driver in FreeBSD yet. There is a work-in-progress implementation available from hrs in ports, net/stf-6rd-kmod. However, I haven't found very good documentation on exactly how to use it ...


BSD License Audit

Mon 22 December 2014 by feld

I recently did an audit of the "BSD" licenses in the FreeBSD ports tree. This pertains strictly to those defined as LICENSE=BSD which could be one of several licenses. It was an extremely tedious process manually verifying the license of each port, and except for a dozen which are ...


Outlook-compatible WebDav with Nginx

Mon 10 November 2014 by feld

Microsoft Outlook has a Publish Online feature for sharing specific calendar information by publishing iCal files to WebDav. I don't use Apache on my personal servers, so here's how to configure it on Nginx.

You first need to ensure that you have both Nginx WebDav modules installed. They ...


Setting up Xymon with Nginx

Thu 06 November 2014 by feld

Xymon has been a favorite monitoring tool of mine for quite some time now, largely due to its simplicity and flexibility. However, I despise running Apache unless absolutely necessary. Previous attempts at getting Nginx and Xymon to play nice were not successful without some lazy hacks, but I finally sat ...
