FreeBSD UFS "vulnerability": Is NIST off its medication,
or am I missing something?
Colin Percival
cperciva at freebsd.org
Tue Nov 14 07:34:42 UTC 2006
Bill Moran wrote:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
>
> Following the links around, it seems that you would have to mount a "corrupt" or
> "malicious" filesystem in order to exploit this "vulnerability".
>
> Yes, NIST claims there is no authentication required to exploit? Are new versions
> of FreeBSD suddenly allowing unauthenticated users to mount filesystems by default?
> If so, something's wrong with my 6.1 workstation!
>
> It seems like this is the 2nd or 3rd "vulnerability" I've seen that's been blown
> out of proportion by NIST, or am I missing something?
CVE names are assigned, and NIST creates an entry in its database, whenever
someone claims that a security problem exists; their purpose is to provide
a consistent name for whatever people are talking about, not to decide what
exactly constitutes a security issue (as I explained in my BSDCan'06 paper,
different vendors have many different policies about what constitute security
issues).
In this case (and another very similar bug found by the MoKB people), the
FreeBSD security team has no intention to handle the bug as a security issue;
obviously this is a kernel bug and deserves to be fixed, but no more so than
any other kernel bug, and in fact this bug seems far less important than most.
Colin Percival
More information about the freebsd-questions
mailing list