CFS-2018-003: FreeBSD Security Vulnerabilities

Issue Date: 2018/08/30
Updated Date: 2018/08/30
Title: FreeBSD Security Vulnerabilities
Classification: High
Status: Closed
Affected Products: PZOS 7.2.0, 7.2.1

Summary

FreeBSD Security Vulnerabilities CVE-2018-5390 and CVE-2018-3615/20/46.

Details

With 7.2.0.0, Panzura moved from FreeBSD 10 to FreeBSD 12. Two security vulnerabilities have been discovered in FreeBSD 12, though their impact is low.

With security vulnerability CVE-2018-5390, an attacker can maliciously modify the network stack to cause a denial-of-service attack. With security vulnerabilities CVE-2018-3615/20/46, processors utilizing speculative execution (pre-executing some instructions) may allow unauthorized disclosure of information in cache if an attacker has execution privileges to install and execute a binary.

With the Panzura filer deployed as an appliance behind a corporate firewall, an attacker would have to go through multiple levels of security before gaining access to the filer. 

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390 (CVE-2018-5390) and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615 (CVE-2018-3615/20/46) for more details regarding these vulnerabilities.

Resolution

Panzura has addressed the two security vulnerabilities in the CloudFS 7.2.2 release.