Monitoring FreeBSD Base System Vulnerabilities with pkg audit

Fri 12 August 2016 by feld

The FreeBSD base system has been difficult to monitor for published vulnerabilities for a long time. This will improve when we achieve a packaged base system, but that leaves users of currently supported -RELEASE systems without a standardized option.

The freebsd-version(1) utility has existed since FreeBSD 10.0. This script is capable of correctly identifying the version of the FreeBSD kernel and the FreeBSD base system. It is an important step forward in helping users be confident in identifying the FreeBSD system's patch level.

I do not like reinventing the wheel, and it occurred to me that for a long time the FreeBSD SA announcements were properly documented in vuxml. This provided an opportunity and scratched an itch I had at work, so here goes nothing:

I am presenting here a useful albeit unsupported method of monitoring FreeBSD for base system vulnerabilities via pkg(8) utilizing entries in the vuxml database.

The pkg(8) utility, as you probably know, can check your system for known vulnerable packages. It does this with the pkg audit command. Additionally, you can pass any package name and version string as an argument and it will check the database for results. It is possible to check your system against the vuxml database by converting the freebsd-version(1) output to the correct string and passing it to pkg audit.

Example of checking the base system (note, this is /bin/sh syntax):

$ freebsd-version -u
10.3-RELEASE-p2
$ pkg audit $(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Multiple vulnerabilities of ntp
CVE: CVE-2016-4957
CVE: CVE-2016-4956
CVE: CVE-2016-4955
CVE: CVE-2016-4954
CVE: CVE-2016-4953
WWW: https://vuxml.FreeBSD.org/freebsd/7cfcea05-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-10.3_2 is vulnerable:
libarchive -- multiple vulnerabilities
CVE: CVE-2015-2304
CVE: CVE-2013-0211
WWW: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html

FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Heap vulnerability in bspatch
CVE: CVE-2014-9862
WWW: https://vuxml.FreeBSD.org/freebsd/7d4f4955-600a-11e6-a6c3-14dae9d210b8.html

Now we have results for the base system! Let's check the kernel:

$ pkg audit $(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Buffer overflow in keyboard driver
CVE: CVE-2016-1886
WWW: https://vuxml.FreeBSD.org/freebsd/7bbc0e8c-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7cad4795-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in Linux compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7c5d64dd-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Incorrect argument handling in sendmsg(2)
CVE: CVE-2016-1887
WWW: https://vuxml.FreeBSD.org/freebsd/7c0bac69-600a-11e6-a6c3-14dae9d210b8.html

The results speak for themselves.
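The two checks above can be combined into one /bin/sh script for cron or a monitoring agent. This is an added example, not code from the original post; the function names and the exit-code scheme (0 nothing reported, 1 vulnerable, 2 could not check) are assumptions of this example, and it refuses version strings that are not -RELEASE because the sed expression only converts those.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and exit codes
# are this example's own choices: 0 = nothing reported, 1 = vulnerable,
# 2 = could not check.

# vuxml_name PREFIX VERSION
# Apply the post's sed conversion to a freebsd-version(1) string. Anything that
# is not a -RELEASE string (for example -STABLE) is refused with status 1
# instead of being handed to pkg audit unconverted.
vuxml_name() {
    case "$2" in
        *-RELEASE|*-RELEASE-p[0-9]*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$2" | sed "s,^,$1-,;s,-RELEASE-p,_,;s,-RELEASE\$,,"
}

# audit_one PREFIX FLAG: FLAG is -u (base system) or -k (kernel).
audit_one() {
    ver=$(freebsd-version "$2") || return 2
    name=$(vuxml_name "$1" "$ver") || {
        echo "cannot check $ver: not a -RELEASE version" >&2
        return 2
    }
    out=$(pkg audit "$name" 2>&1) && st=0 || st=$?
    # Key on the "is vulnerable" line shown in the output above.
    if printf '%s\n' "$out" | grep -q ' is vulnerable'; then
        printf '%s\n' "$out"
        return 1
    fi
    # No finding but pkg failed (e.g. no audit database): report, don't pass.
    [ "$st" -eq 0 ] || { printf '%s\n' "$out" >&2; return 2; }
    return 0
}

# audit_system: check base and kernel; returns the last non-zero status.
audit_system() {
    rc=0
    audit_one FreeBSD -u || rc=$?
    audit_one FreeBSD-kernel -k || rc=$?
    return "$rc"
}

# Audit where the FreeBSD tools exist; elsewhere show the conversion on
# constructed sample strings.
if command -v freebsd-version >/dev/null 2>&1 && command -v pkg >/dev/null 2>&1; then
    audit_system
else
    for v in 10.3-RELEASE-p2 10.3-RELEASE 11.0-STABLE; do
        vuxml_name FreeBSD "$v" || echo "$v: not converted"
    done
fi
```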

I have recently finished adding all missing entries to the vuxml database that affect -RELEASE systems since 2013. This covers the tail end of 8.x, much of 9.x, and bleeds into the 10.x RELEASE lifetime. Older systems are End of Life and never supported the FreeBSD pkg(8) utility anyway, so I have not put in the effort to search out those missing entries. This method is useful on FreeBSD systems that do not have the freebsd-version(1) utility, but you will not have a reliable method to get the version of the FreeBSD base system. You can pull the kernel version from uname(1), but you will have to devise your own method of keeping track of the base system version. Beware of the leopard, etc.

I hope you find this a valuable method for discovering vulnerabilities affecting your servers and that it helps you assess risk and plan patch management. Please remember this is not endorsed by secteam and is liable to be full of errors or out of date. I suggest using this as a complement to your other monitoring practices. Moving forward I hope to better coordinate with secteam to ensure we have new FreeBSD SAs entered in the vuxml database in a timely manner.

This post originally appeared on the freebsd-questions mailing list and has been lightly edited.