Monitoring FreeBSD Base System Vulnerabilities

Mark Felder feld at
Thu Aug 11 22:33:04 UTC 2016

The FreeBSD base system has been difficult to monitor for published
vulnerabilities for a very long time. This will improve drastically when
we finally achieve a packaged base system, but that leaves users of
currently supported -RELEASE systems without a standardized option. 

The freebsd-version(1) utility has existed since FreeBSD 10.0. This
script is capable of correctly identifying the version of the FreeBSD
kernel and the FreeBSD base system. It is an important step forward in
helping users be confident in identifying the FreeBSD system's patch

I do not like reinventing the wheel, and it occurred to me that for a
long time the FreeBSD SA announcements were properly documented in
vuxml. This provided an opportunity and scratched an itch I had at work,
so here goes nothing:

I am presenting here a useful albeit unsupported method of monitoring
FreeBSD for base system vulnerabilities via the pkg(8) utility utilizing
 entries in the vuxml database.

The pkg(8) utility as you probably know can check your system for known
vulnerable packages. It does this with the "pkg audit" command.
Additionally you can pass any package name and version string as an
argument and it will check the database for results. It is possible to
check your system against the vuxml database by converting the
freebsd-version(1) output to the correct string and passing it to "pkg

Example of checking the base system (note, this is /bin/sh syntax):

$ freebsd-version -u
$ pkg audit $(freebsd-version -u | sed 's,-RELEASE-p,_,')
FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Multiple vulnerabilities of ntp
CVE: CVE-2016-4957
CVE: CVE-2016-4956
CVE: CVE-2016-4955
CVE: CVE-2016-4954
CVE: CVE-2016-4953

FreeBSD-10.3_2 is vulnerable:
libarchive -- multiple vulnerabilities
CVE: CVE-2015-2304
CVE: CVE-2013-0211

FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Heap vulnerability in bspatch
CVE: CVE-2014-9862

Now we have results for the base system! Let's check the kernel:

$ pkg audit $(freebsd-version -k | sed 's,-RELEASE-p,_,')
FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Buffer overflow in keyboard driver
CVE: CVE-2016-1886

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in Linux compatibility layer

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Incorrect argument handling in sendmsg(2)
CVE: CVE-2016-1887

The results speak for themselves.

I have recently finished adding all missing entries to the vuxml
database that affect -RELEASE systems since 2013. This covers the tail
end of 8.x, much of 9.x, and bleeds into the 10.x RELEASE lifetime.
Systems older are End of Life and never supported the FreeBSD pkg(8)
utility anyway, so I have not put in the effort to search out those
missing entries. This method can be used on FreeBSD systems that do not
have the freebsd-version(1) utility, but you will not have a reliable
method to get the version of the FreeBSD base system. You can pull the
kernel version from uname(1), but you will have to devise your own
method of keeping track of the base system version. Beware of the
leopard, etc.

I hope you find this a valuable method for discovering vulnerabilities
affecting your servers and help you assess risk and plan patch
management. Please remember this is not endorsed by secteam and is
liable to be full of errors or out of date. I would suggest using this
as one several method of assessing your systems. Moving forward I hope
to better coordinate with secteam to ensure we have new FreeBSD SA's
entered in the vuxml database in a timely manner.

  Mark Felder
  ports-secteam member
  feld at

More information about the freebsd-questions mailing list