FreeBSD-SA-20:08.jail : kmem disclosure with nested jails
Versions Affected : All verisons prior to FreeNAS 11.3-U2
Description
A missing NUL-termination check for the jail_set(2) configration option “osrelease” may return more bytes when reading the jail configuration back with jail_get(2) than were originally set.
For jails with a non-default setting of children.max > 0 (“nested jails”) a superuser inside a jail can create a jail and may be able to read and take advantage of exposed kernel memory.
Workaround
No workaround is available. Systems not altering the default settings of the jail configuration option children.max=0 are not affected as a root on the base system has ccess to kernel memory by other means and a super user inside a jail cannot create further jails.
Mitigation
- Upgrade to FreeNAS 11.3-U2 or later.