CVE-2020-25584
📋 TL;DR
This vulnerability allows a superuser inside a FreeBSD jail with the non-default allow.mount permission to exploit a race condition between directory lookup and filesystem remounting, enabling access to filesystem hierarchy outside the jail. It affects FreeBSD systems running specific STABLE, RELEASE, and RC versions where jails with mount permissions are configured.
💻 Affected Systems
- FreeBSD
📦 What is this software?
Freebsd by Freebsd
⚠️ Risk & Real-World Impact
Worst Case
A malicious superuser inside a jail could escape confinement and access, modify, or delete sensitive files on the host system, potentially compromising the entire server.
Likely Case
Privileged users within jails could access restricted files outside their jail boundaries, violating security isolation and potentially exposing sensitive data.
If Mitigated
With proper jail configuration (no allow.mount permission), the vulnerability cannot be exploited, maintaining full jail isolation.
🎯 Exploit Status
Exploitation requires superuser privileges within a jail and the allow.mount permission, plus precise timing for the race condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FreeBSD 13.0-STABLE n245118+, 12.2-STABLE r369552+, 11.4-STABLE r369560+, 13.0-RC5 p1+, 12.2-RELEASE p6+, 11.4-RELEASE p9+
Vendor Advisory: https://security.FreeBSD.org/advisories/FreeBSD-SA-21:10.jail_mount.asc
Restart Required: Yes
Instructions:
1. Update FreeBSD using 'freebsd-update fetch' and 'freebsd-update install' for RELEASE versions.
2. For STABLE versions, update source and rebuild kernel.
3. Reboot the system to load the patched kernel.
🔧 Temporary Workarounds
Remove jail mount permissions
Disable the allow.mount permission for all jails to prevent exploitation.
jail -m name=JAILNAME allow.mount=0
Restrict jail superuser access
Limit superuser privileges within jails to trusted users only.
🧯 If You Can't Patch
- Remove allow.mount permission from all jail configurations immediately.
- Audit and restrict superuser access within jails to minimize attack surface.
🔍 How to Verify
Check if Vulnerable:
Check FreeBSD version with 'uname -a' and compare against affected versions. Verify jail configurations for allow.mount=1 settings.
Check Version:
uname -a
Verify Fix Applied:
Confirm version is patched with 'uname -a' showing updated version. Verify kernel build date or revision matches patched versions.
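One way to carry out the "verify jail configurations for allow.mount" check above, as an added example that is not part of the advisory or of FreeBSD itself. It assumes `jls -n` output, where boolean parameters print as `allow.mount` (set) or `allow.nomount` (unset); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find jails that have allow.mount set.
# Assumed input format: `jls -n` output, one jail per line, space-separated
# tokens; booleans print as "allow.mount" (set) or "allow.nomount" (unset).

# Constructed sample data, used when jls is not available on this machine.
SAMPLE_JLS='jid=1 name=web path=/jails/web enforce_statfs=2 allow.nomount allow.mount.nodevfs
jid=2 name=build path=/jails/build enforce_statfs=1 allow.mount allow.mount.devfs
jid=3 name=db path=/jails/db enforce_statfs=2 allow.nomount'

# Reads jls -n style lines on stdin; prints the name of each jail whose
# allow.mount is enabled. Sub-parameters such as allow.mount.devfs are ignored.
jails_with_allow_mount() (
    set -f                      # do not glob-expand tokens while splitting
    while IFS= read -r line; do
        name='' mount=0
        for tok in $line; do
            case "$tok" in
                name=*) name=${tok#name=} ;;
                allow.mount|allow.mount=1|allow.mount=true) mount=1 ;;
            esac
        done
        if [ "$mount" -eq 1 ]; then
            printf '%s\n' "${name:-unnamed}"
        fi
    done
)

# Prints the page's workaround command for every flagged jail.
report() {
    jails_with_allow_mount | while IFS= read -r j; do
        printf 'jail %s has allow.mount set; workaround: jail -m name=%s allow.mount=0\n' "$j" "$j"
    done
}

if command -v jls >/dev/null 2>&1; then
    jls -n | report
else
    printf '%s\n' "$SAMPLE_JLS" | report
fi
```

A jail listed here is only exposed if the host kernel is also older than the patched versions given under Official Fix.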
📡 Detection & Monitoring
Log Indicators:
- Unusual mount operations within jails
- Failed jail boundary access attempts in system logs
SIEM Query:
Search for 'jail' AND 'mount' events in system logs, particularly from privileged users within jail contexts.