CVE-2019-15878
📋 TL;DR
This vulnerability lets an unprivileged local user trigger a use-after-free in the FreeBSD kernel's SCTP stack when an application updates an SCTP-AUTH shared key on a socket it owns. A kernel use-after-free normally means a panic (denial of service) and can potentially be turned into privilege escalation. Only FreeBSD systems running an affected version with SCTP present in the kernel are vulnerable; the bug is reached through a local socket operation, not by network traffic.
💻 Affected Systems
- FreeBSD
📦 What is this software?
FreeBSD (operating system) by the FreeBSD Project
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root through the kernel use-after-free, or a kernel panic that takes the whole system down. The bug needs a local account; there is no remote vector.
Likely Case
Kernel panic (denial of service) triggered by a local user. Turning the use-after-free into privilege escalation would take additional work, and no public technique for it is known.
If Mitigated
Minimal if the running kernel is patched or was built without SCTP; unpatched kernels that still have SCTP remain exposed to a local crash.
🎯 Exploit Status
Requires a local account that can open an SCTP socket (no special privilege) and knowledge of the SCTP-AUTH key-update path. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FreeBSD 12.1-STABLE r352509+, 11.3-STABLE r352509+, 11.3-RELEASE p9+
Vendor Advisory: https://security.FreeBSD.org/advisories/FreeBSD-SA-20:14.sctp.asc
Restart Required: Yes
Instructions:
1. RELEASE kernels: fetch and install the binary update, then reboot:
freebsd-update fetch
freebsd-update install
shutdown -r now
2. STABLE kernels: update /usr/src to r352509 or later, rebuild and install the kernel (make buildkernel; make installkernel), then reboot.
3. The fix is in the kernel, so the machine stays vulnerable until it has rebooted into the patched kernel. Confirm with 'freebsd-version -k' (RELEASE patch level) or 'uname -v' (STABLE revision).
🔧 Temporary Workarounds
Remove SCTP from the kernel
On the affected releases the GENERIC kernel has SCTP compiled in (options SCTP in the kernel configuration), so there is no sctp.ko to unload and the loader.conf and kldunload commands below do nothing for it. Removing SCTP from such a kernel means building and booting a custom kernel with the 'options SCTP' line deleted. Only do this where no application needs SCTP.
Disable SCTP kernel module
Prevents SCTP from being loaded at boot, eliminating the vulnerability if SCTP is not required. Applies only to kernels that build SCTP as a loadable module (sctp.ko); it has no effect on a kernel with SCTP built in.
echo 'sctp_load="NO"' >> /boot/loader.conf
reboot
Unload SCTP kernel module
Immediately unloads a loaded sctp.ko without a reboot (temporary: it does not survive a reboot, and it fails when SCTP is built into the kernel).
kldunload sctp
🧯 If You Can't Patch
- Run a kernel without SCTP: on the affected GENERIC kernels that means building a custom kernel without 'options SCTP'; on kernels that load SCTP as a module, keep it unloaded via /boot/loader.conf and reboot.
- Restrict local user access to systems where SCTP is required.
🔍 How to Verify
Check if Vulnerable:
Check the running kernel's version with 'freebsd-version -k' (or 'uname -a') and compare it against the affected versions; on STABLE kernels 'uname -v' carries the revision as rNNNNNN. Check whether SCTP is present with 'sysctl net.inet.sctp' (the net.inet.sctp tree exists only when SCTP is built in or loaded); 'kldstat | grep sctp' only finds SCTP when it is a loadable module.
Check Version:
freebsd-version -k
uname -a
Verify Fix Applied:
Verify that the running kernel is at or beyond the fix level: 'freebsd-version -k' showing 11.3-RELEASE-p9 or later, or 'uname -v' showing r352509 or later on a STABLE kernel. A patched userland with an old kernel still running does not count; reboot first. Confirm afterwards that SCTP is still present if your applications need it.
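As an added example (not part of this page or the FreeBSD advisory), the following POSIX sh function applies the fix levels stated in the Official Fix line above to the strings a host reports. The thresholds r352509 and 11.3-RELEASE-p9 are taken from that line; every branch the page does not list is reported as unknown rather than guessed, and the 'sysctl net.inet.sctp' presence test and the freebsd-version/uname calls in the guarded block at the end are the author's assumptions about the host and only run on FreeBSD.

```sh
#!/bin/sh
# Added example for CVE-2019-15878 (not from the FreeBSD advisory).
# Classifies a running-kernel version against the fix levels this page lists.
# Inputs are passed as strings so the check can be exercised anywhere:
#   $1  output of 'freebsd-version -k' (or 'uname -r'), e.g. 11.3-RELEASE-p9
#   $2  output of 'uname -v', which on svn-era STABLE kernels carries the
#       revision as rNNNNNN, e.g. "FreeBSD 12.1-STABLE r352510 GENERIC"
# Prints exactly one word: patched, vulnerable, or unknown.
cve_2019_15878_status() {
    rel="$1"
    unamev="$2"

    case "$rel" in
        11.3-RELEASE*)
            # Patch level is the -pN suffix; a bare 11.3-RELEASE is p0.
            p="${rel##*-p}"
            if [ "$p" = "$rel" ]; then p=0; fi
            if [ "$p" -ge 9 ] 2>/dev/null; then
                echo patched
            else
                echo vulnerable
            fi
            ;;
        11.3-STABLE*|12.1-STABLE*)
            # The page's fix revision is r352509; pull rNNNNNN out of uname -v.
            r=$(printf '%s\n' "$unamev" |
                sed -n 's/.*[[:space:]]r\([0-9][0-9]*\).*/\1/p')
            if [ -z "$r" ]; then
                echo unknown        # no svn revision in the string
            elif [ "$r" -ge 352509 ]; then
                echo patched
            else
                echo vulnerable
            fi
            ;;
        *)
            # Not a branch the page lists: do not guess.
            echo unknown
            ;;
    esac
}

# sctp_exposure STATUS SCTP_PRESENT: combine the version verdict with whether
# the kernel has SCTP at all (SCTP_PRESENT is "yes" or "no").
sctp_exposure() {
    if [ "$1" = vulnerable ] && [ "$2" = yes ]; then
        echo exposed
    elif [ "$1" = vulnerable ]; then
        echo not-exposed-no-sctp
    else
        echo "$1"
    fi
}

# Only runs on a FreeBSD host; elsewhere the functions are just defined.
# Assumption: the net.inet.sctp sysctl tree exists exactly when SCTP is present.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
    status=$(cve_2019_15878_status "$(freebsd-version -k)" "$(uname -v)")
    if sysctl net.inet.sctp >/dev/null 2>&1; then has_sctp=yes; else has_sctp=no; fi
    echo "CVE-2019-15878: $(sctp_exposure "$status" "$has_sctp")"
fi
```

STABLE kernels built after FreeBSD's move from Subversion to Git report a commit hash rather than an rNNNNNN revision in 'uname -v'; the function reports those as unknown, and all of them postdate the fix.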
📡 Detection & Monitoring
Log Indicators:
- savecore(8) messages on the boot after a crash ("reboot after panic: ..." in /var/log/messages) and the dump files it writes to /var/crash (info.*, vmcore.*); the panic itself rarely makes it into syslog before the machine goes down, so console logs matter too.
- Crash dumps whose backtrace runs through sctp_* kernel functions.
- Unexpected reboots of hosts that have SCTP in the kernel and local shell users.
Network Indicators:
- None reliable: the trigger is a local socket operation and need not generate any SCTP traffic.
SIEM Query:
source="freebsd" AND ("reboot after panic" OR "Fatal trap" OR ("panic:" AND "sctp"))
(parenthesised explicitly; without the parentheses the AND/OR precedence differs between query languages)
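As an added example (not part of this page or the FreeBSD advisory), the following sh script turns the log indicators above into a stateful scan: backtrace frames are only attributed to a panic while a crash record is open, so ordinary SCTP log lines are not flagged. The log lines it runs over are constructed for this example; the frame addresses, offsets and process ids are placeholders, not captured data.

```sh
#!/bin/sh
# Added example (not from the advisory): scan syslog-style lines for the traces
# a FreeBSD panic leaves behind. There are three: the console lines at the
# moment of the crash (Fatal trap, panic:, backtrace frames), the savecore(8)
# line "reboot after panic: ..." logged on the next boot, and the dump files
# savecore writes under /var/crash. Feed /var/log/messages and any console log.

# panic_indicators: reads log lines on stdin, prints the tagged lines.
panic_indicators() {
    awk '
        # savecore on the following boot confirms a panic and closes the record.
        # Checked first because its text also contains "panic:".
        /savecore.*reboot after panic/ { inpanic = 0; print "PANIC: " $0; next }
        # Start of a crash record: the trap or the panic string itself.
        /Fatal trap/ || /panic:/ { inpanic = 1; print "PANIC: " $0; next }
        # A backtrace frame inside the SCTP stack while a panic is being recorded.
        inpanic && tolower($0) ~ /sctp/ { print "PANIC-SCTP: " $0; next }
        # Dump written: the file to pull for forensics.
        /savecore.*writing core/ { print "DUMP: " $0 }
    '
}

# count_panics: number of tagged panic lines (PANIC or PANIC-SCTP) on stdin.
count_panics() {
    panic_indicators | grep -c '^PANIC' || :
}

# count_sctp_panics: number of backtrace frames attributing a panic to SCTP.
count_sctp_panics() {
    panic_indicators | grep -c '^PANIC-SCTP:' || :
}

# Constructed sample log (not captured from a real host).
SAMPLE_LOG='Jun  9 10:01:02 host kernel: Fatal trap 12: page fault while in kernel mode
Jun  9 10:01:02 host kernel: panic: page fault
Jun  9 10:01:02 host kernel: #4 0xffffffff80c2a3b4 at sctp_setopt+0x1a2b
Jun  9 10:01:02 host kernel: #5 0xffffffff80b1c0de at sosetopt+0x8e
Jun  9 10:03:40 host savecore[1001]: reboot after panic: page fault
Jun  9 10:03:40 host savecore[1001]: writing core to /var/crash/vmcore.0
Jun  9 11:00:00 host sshd[2002]: Accepted publickey for ops from 192.0.2.10
Jun  9 11:05:00 host sctp_app[2100]: sctp association up, no crash involved'

# Run against the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | panic_indicators
```

On the sample the scan reports four panic lines, one of them attributed to SCTP by the sctp_setopt frame, plus one dump; the final application line mentions SCTP but is not inside a crash record and is left alone, which is what the bare "sctp AND crash" query above cannot distinguish.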