CVE-2020-25581

7.5 HIGH

📋 TL;DR

A race condition in FreeBSD's jail_remove(2) system call can leave some of a jail's processes alive after the jail has been removed, which the advisory reports may allow those processes to escape jail confinement. It affects FreeBSD 12.2 and 11.4 systems that use jails. The fix is in the kernel, so patching requires a reboot.

💻 Affected Systems

Products:
  • FreeBSD
Versions: FreeBSD 12.2-STABLE before r369312, 11.4-STABLE before r369313, 12.2-RELEASE before p4, 11.4-RELEASE before p8
Operating Systems: FreeBSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using FreeBSD jails feature; systems not using jails are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Processes survive the removal of their jail and, per the advisory, may escape jail confinement, exposing the host or other jails to an attacker who already runs code inside the removed jail.

🟠 Likely Case

Some processes remain running after jail removal, leaving the jail in the "dying" state that jls(8) only shows with -d, together with leaked resources and inconsistent state in multi-jail environments.

🟢 If Mitigated

With process monitoring in place, the survivors are found (they still carry the removed jail's jid in the process table) and killed by hand, limiting the impact to resource consumption.

🌐 Internet-Facing: MEDIUM - Jails often contain internet-facing services; escaped processes could expose host system to attacks.
🏢 Internal Only: HIGH - In multi-tenant or containerized environments, jail escape compromises isolation between internal workloads.

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: No (the attacker must already run code inside the jail)
Complexity: HIGH

Exploitation requires a process inside the jail to win a race against the administrator's jail_remove(2) call, so the attacker needs local code execution in the jail and a jail removal to race against. No public exploit is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FreeBSD 12.2-STABLE r369312+, 11.4-STABLE r369313+, 12.2-RELEASE p4+, 11.4-RELEASE p8+

Vendor Advisory: https://security.FreeBSD.org/advisories/FreeBSD-SA-21:04.jail_remove.asc

Restart Required: Yes

Instructions:

1. Binary (RELEASE) systems: run 'freebsd-update fetch' and then 'freebsd-update install'; this updates the GENERIC kernel together with userland.
2. Custom or -STABLE kernels: update the source tree to a fixed revision (or apply the source patch linked from the advisory), then rebuild and install the kernel.
3. Reboot. The fix is in the kernel, and the running kernel keeps the old jail_remove(2) until the new one is booted.

🔧 Temporary Workarounds

Drain the jail before removing it

Applies to: all affected versions

The race only matters if the jail still has running processes when jail_remove(2) is called. Stop the jail's services, kill whatever remains, confirm the jail is empty, and only then remove it. Note that 'jail -r' is itself the vulnerable call, so it belongs at the end of the sequence, not the start, and that pkill(1) lists processes and then kills them, so a process forking in between can be missed: repeat the kill until pgrep(1) reports nothing.

# rc.d-managed jails: runs the jail's exec.stop command and then jail -r
service jail stop jailname
# Otherwise, by hand:
jexec jailname /bin/sh /etc/rc.shutdown
pkill -KILL -j jailname
pgrep -j jailname      # repeat the pkill until this prints nothing
jail -r jailname
# Either way, confirm nothing survived (lists dying jails too):
jls -d
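The manual sequence above as one reusable script. This is an added example, not the advisory's procedure or part of the FreeBSD base system: it resolves the jail's jid, runs the jail's own rc.shutdown, loops pkill/pgrep until the jail is empty, calls 'jail -r', and then reads the process table by jid to confirm nothing survived. The file name remove_jail.sh, the 20-round limit, and the assumption that the jail contains /etc/rc.shutdown are mine.

```shell
#!/bin/sh
# remove_jail.sh: drain a jail's processes before jail -r, so that
# jail_remove(2) has nothing left to race against (FreeBSD-SA-21:04).
# Added example, not the advisory's own procedure. JAIL is a jail name or jid.
set -u

# shutdown_jail JAIL: let the jail's own rc.shutdown stop its services first
# (assumes the jail has an /etc/rc.shutdown; ignored if it does not).
shutdown_jail() {
    jexec "$1" /bin/sh /etc/rc.shutdown 2>/dev/null || true
}

# drain_jail JAIL [MAX_ROUNDS]: SIGKILL everything in JAIL, repeating until
# pgrep -j finds nothing. A single pkill is not enough, because a process can
# fork between pkill's listing and its kill. Returns 0 once the jail is empty,
# 1 if it still has processes after MAX_ROUNDS (default 20).
drain_jail() {
    jail=$1
    max=${2:-20}
    round=0
    while pgrep -q -j "$jail"; do
        round=$((round + 1))
        if [ "$round" -gt "$max" ]; then return 1; fi
        pkill -KILL -j "$jail" 2>/dev/null
        sleep 1
    done
    return 0
}

# leftover_pids JID: pids still tagged with JID, read straight from the process
# table. Uses the numeric jid because a dying jail may no longer resolve by name.
leftover_pids() {
    ps -axo jid=,pid= | awk -v j="$1" '$1 == j { print $2 }'
}

# remove_jail JAIL: shutdown, drain, remove, then confirm nothing survived.
remove_jail() {
    jail=$1
    jid=$(jls -j "$jail" jid) || return 1
    shutdown_jail "$jail"
    drain_jail "$jail" || { echo "$jail: still has processes, not removing" >&2; return 1; }
    jail -r "$jail" || return 1
    left=$(leftover_pids "$jid")
    if [ -n "$left" ]; then
        echo "$jail (jid $jid) survived jail -r, pids: $left; kill them and check 'jls -d'" >&2
        return 1
    fi
    return 0
}

# Usage: sh remove_jail.sh jailname
if [ $# -gt 0 ]; then remove_jail "$1"; fi
```

A non-zero exit from remove_jail means the jail was left in place (still busy) or that processes outlived 'jail -r'; in the second case the jail is now dying and the listed pids must be killed by hand.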

🧯 If You Can't Patch

  • After every jail removal, check 'jls -d' for jails stuck in the dying state and 'ps -axo jid,pid,comm' for processes whose jid belongs to no live jail, and kill any you find. (On FreeBSD 'ps -j' is a format option, not a jail filter; use '-J jail' or the jid column.)
  • Alert on processes running with a jid that jls(8) does not report as live, and on jails that remain dying for longer than a normal shutdown takes.

🔍 How to Verify

Check if Vulnerable:

The fix is in the kernel, so check the running kernel's patch level, not the userland version. On RELEASE systems 'freebsd-version -r' (or 'uname -r') reports e.g. 12.2-RELEASE-p3; anything below 12.2-RELEASE-p4 or 11.4-RELEASE-p8 is vulnerable if the system runs jails. On -STABLE kernels compare the build revision shown by 'uname -v' against r369312 (stable/12) or r369313 (stable/11).

Check Version:

freebsd-version -r
uname -v

Verify Fix Applied:

After patching and rebooting, 'freebsd-version -r' must report 12.2-RELEASE-p4 / 11.4-RELEASE-p8 or later, or a fixed revision on -STABLE. As a functional check, create a throwaway jail, start a few processes in it, remove it with 'jail -r', and confirm that 'jls -d' no longer shows it and that 'ps -axo jid,pid,comm' lists no process with its jid.
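The version comparison as a script, added here as an example rather than anything the advisory ships: it classifies a kernel version string as patched, vulnerable or unknown using only the levels the advisory names (12.2-RELEASE-p4, 11.4-RELEASE-p8, stable/12 r369312, stable/11 r369313), and treats 12.3 and 13.0 or later releases as patched because they postdate the February 2021 fix. Anything else, including older releases the advisory does not cover, is reported as unknown rather than guessed. The file name check_sa2104.sh and the --system flag are mine.

```shell
#!/bin/sh
# check_sa2104.sh: classify a FreeBSD kernel version against FreeBSD-SA-21:04.
# Added example, not part of the advisory. Patched levels are those the
# advisory names: 12.2-RELEASE-p4, 11.4-RELEASE-p8, stable/12 r369312,
# stable/11 r369313. Anything else is reported as "unknown" rather than guessed.
set -u

# svn_revision UNAME_V: pull the "rNNNNNN" build revision out of `uname -v`
# (e.g. "FreeBSD 12.2-STABLE r369312 GENERIC ..."); prints nothing if absent,
# which is the case for git-era builds.
svn_revision() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]r\([0-9][0-9]*\)[[:space:]].*/\1/p'
}

# patched_if LEVEL MINIMUM: prints patched when LEVEL >= MINIMUM, else
# vulnerable (a non-numeric LEVEL is treated as vulnerable, the safe default).
patched_if() {
    if [ "$1" -ge "$2" ] 2>/dev/null; then echo patched; else echo vulnerable; fi
}

# jail_remove_status VERSION [REVISION]
#   VERSION : output of `freebsd-version -r` (running kernel) or `uname -r`
#   REVISION: for -STABLE kernels, the svn revision, with or without a leading r
# Prints patched, vulnerable or unknown.
jail_remove_status() {
    ver=$1
    rev=${2:-}
    rev=${rev#r}
    case "$ver" in
        12.2-RELEASE-p*)  patched_if "${ver##*-p}" 4 ;;
        11.4-RELEASE-p*)  patched_if "${ver##*-p}" 8 ;;
        12.2-RELEASE|11.4-RELEASE)
            echo vulnerable ;;                  # release with no patch level at all
        12.2-STABLE)
            if [ -n "$rev" ]; then patched_if "$rev" 369312; else echo unknown; fi ;;
        11.4-STABLE)
            if [ -n "$rev" ]; then patched_if "$rev" 369313; else echo unknown; fi ;;
        12.[3-9]-RELEASE*|1[3-9].*-RELEASE*)
            echo patched ;;                     # release postdates the February 2021 fix
        *)
            echo unknown ;;                     # not covered by the advisory; check by hand
    esac
}

# Usage: sh check_sa2104.sh --system
#    or: sh check_sa2104.sh 12.2-RELEASE-p3
#    or: sh check_sa2104.sh 12.2-STABLE r369312
main() {
    if [ "${1:-}" = --system ]; then
        set -- "$(freebsd-version -r)" "$(svn_revision "$(uname -v)")"
    fi
    printf '%s %s: %s\n' "$1" "${2:-}" "$(jail_remove_status "$1" "${2:-}")"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it after the reboot, not before: 'freebsd-version -r' reports the running kernel, which is what jail_remove(2) executes in.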

📡 Detection & Monitoring

Log Indicators:

  • FreeBSD writes nothing to syslog when a jail is removed, so the indicator is process-table state rather than a log line: 'jls -d' still listing a jail as dying long after it was removed, and processes whose jid is not among the live jails reported by 'jls'.
  • Process ancestry that leads back into a jail that no longer exists.

Network Indicators:

  • Connections from processes that should have been confined to a jail that has already been removed, including (per the worst case above) any that appear to come from the host's addresses.

SIEM Query:

process.jid:>0 AND NOT process.jid IN (jids currently reported by `jls`)

This is a pseudo-query: the field names depend on how the process table is shipped to the SIEM, and the set of live jids has to be refreshed from the host each time jails are created or removed.
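The same check run on the host itself, added here as an example and not taken from the advisory or from FreeBSD: it compares the jids in the process table against the jails jls(8) reports as live and prints every process attached to a jail that is no longer there. The core function takes its two inputs as text so it can be exercised on constructed data; only the wrapper queries the live system. The file name, the --system flag and the sample process lines are mine.

```shell
#!/bin/sh
# orphan_jail_procs.sh: report processes still tagged with a jail id that
# jls(8) no longer lists as a live jail. Such a jail is "dying" (removed by
# jail_remove(2) but still holding processes), which is the state an incomplete
# jail_remove(2) leaves behind. Added example, not from the advisory.
set -u

# orphan_procs LIVE_JIDS PS_LINES
#   LIVE_JIDS: jids of live jails, one per line (what `jls jid` prints)
#   PS_LINES : "jid pid command" lines (what `ps -axo jid=,pid=,comm=` prints)
# Prints the lines whose jid is non-zero and absent from LIVE_JIDS.
orphan_procs() {
    live=" $(printf '%s\n' "$1" | tr '\n' ' ') "
    printf '%s\n' "$2" | while read -r jid pid comm; do
        [ -n "$jid" ] || continue           # skip blank lines
        [ "$jid" != 0 ] || continue         # jid 0 is the host, not a jail
        case "$live" in
            *" $jid "*) ;;                  # its jail is alive: nothing to report
            *) printf '%s %s %s\n' "$jid" "$pid" "$comm" ;;
        esac
    done
}

# report_orphans: live query of the running system. Exits 1 when an orphan
# exists so it can run from cron or a monitoring agent and raise an alert.
report_orphans() {
    found=$(orphan_procs "$(jls jid)" "$(ps -axo jid=,pid=,comm=)")
    [ -z "$found" ] && return 0
    printf 'processes in removed jails (jid pid command):\n%s\n' "$found" >&2
    return 1
}

# Usage: sh orphan_jail_procs.sh --system
if [ $# -gt 0 ] && [ "$1" = --system ]; then report_orphans; fi
```

Any line it prints is a process that outlived its jail; kill it by pid, then confirm with 'jls -d' that the jail has finished dying.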
