CVE-2025-0373
📋 TL;DR
A stack buffer overflow vulnerability in FreeBSD's cd9660, tarfs, and ext2fs filesystems allows attackers to cause kernel panics on NFS servers exporting these filesystems. The vulnerability affects 64-bit systems and could potentially lead to privilege escalation or remote code execution, though this hasn't been demonstrated. Systems running affected FreeBSD versions with NFS exports of vulnerable filesystems are at risk.
💻 Affected Systems
- FreeBSD
- NetApp products using FreeBSD kernel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote kernel code execution leading to complete system compromise, privilege escalation, or persistent backdoor installation.
Likely Case
Denial of service through kernel panic causing system crashes and service disruption.
If Mitigated
Stack protection catches the overflow and causes a controlled panic, preventing exploitation but still causing downtime.
🎯 Exploit Status
Exploitation requires NFS client access to mount vulnerable exports. Stack protection in release kernels makes reliable exploitation difficult.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FreeBSD 14.1-RELEASE-p2, 13.3-RELEASE-p4, 12.5-RELEASE-p2
Vendor Advisory: https://security.freebsd.org/advisories/FreeBSD-SA-25:02.fs.asc
Restart Required: Yes
Instructions:
1. Update FreeBSD using 'freebsd-update fetch' and 'freebsd-update install'.
2. Reboot the system.
3. Verify kernel version matches patched release.
🔧 Temporary Workarounds
Disable vulnerable filesystem exports
Remove or disable NFS exports of cd9660, tarfs, and ext2fs filesystems
Edit /etc/exports to remove vulnerable filesystem exports
Run 'service mountd reload' to reload NFS exports
Restrict NFS access
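Limit NFS access to trusted clients only using firewall rules
# ipfw: this rule blocks all TCP traffic to port 2049; allow rules for trusted clients must come before it
ipfw add deny tcp from any to any 2049
# pf: adds an example subnet to the nfs_clients table; it has an effect only if the loaded ruleset uses that table
pfctl -t nfs_clients -T add 192.168.1.0/24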
🧯 If You Can't Patch
- Disable NFS server entirely if not required
- Migrate vulnerable filesystem exports to non-affected filesystems like UFS or ZFS
🔍 How to Verify
Check if Vulnerable:
Check whether the system runs an affected FreeBSD version with 'uname -a', and check whether any directory exported in /etc/exports is on a cd9660, tarfs, or ext2fs filesystem
Check Version:
uname -a
Verify Fix Applied:
Verify kernel version matches patched release with 'uname -a' showing 14.1-RELEASE-p2, 13.3-RELEASE-p4, or 12.5-RELEASE-p2
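One way to carry out the export check described under "Check if Vulnerable", as an added example that is not part of the original page or the FreeBSD advisory: the hypothetical function `vulnerable_exports` matches each exported directory against a saved `mount -p` listing and reports those on cd9660, tarfs or ext2fs. The mount table and exports file in `demo` are constructed samples, and backslash-continued exports lines are assumed absent.

```sh
#!/bin/sh
# Added example, not from the advisory: print "<exported dir> <fstype>" for each
# exports(5) entry that sits on cd9660, tarfs or ext2fs.
# On a FreeBSD host: mount -p > mounts.txt; vulnerable_exports mounts.txt /etc/exports
vulnerable_exports() {
    # $1: saved `mount -p` output (device, mount point, fstype, ...)
    # $2: exports file; backslash-continued lines are assumed absent
    awk '
        # First file: remember the filesystem type of each mount point.
        NR == FNR { if (NF >= 3) fstype[$2] = $3; next }
        # Second file: skip comments, blank lines and the NFSv4 root line.
        /^[ \t]*#/ || /^[ \t]*$/ || $1 ~ /^V4:/ { next }
        {
            # Leading fields that start with "/" are the exported directories.
            for (i = 1; i <= NF && substr($i, 1, 1) == "/"; i++) {
                dir = $i; best = ""
                # Pick the longest mount point that is a path prefix of dir.
                for (mp in fstype) {
                    pre = (mp == "/" ? "/" : (mp "/"))
                    if (index(dir "/", pre) == 1 && length(mp) > length(best))
                        best = mp
                }
                if (best != "" && fstype[best] ~ /^(cd9660|tarfs|ext2fs)$/)
                    print dir, fstype[best]
            }
        }
    ' "$1" "$2"
}

# Constructed sample data so the check can be tried offline.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/mounts" <<'EOF'
/dev/ada0p2 / ufs rw 1 1
/dev/cd0 /cdrom cd9660 ro 0 0
/dev/ada1p1 /mnt/linux ext2fs rw 0 0
zroot/data /data zfs rw 0 0
EOF
    cat > "$tmp/exports" <<'EOF'
V4: /
/cdrom -ro -network 192.168.1.0/24
/mnt/linux/share -maproot=root client1
/data /data/pub client2
/mnt/linuxold client3
EOF
    vulnerable_exports "$tmp/mounts" "$tmp/exports"
    rm -rf "$tmp"
}
demo
```

An empty result means no exported directory resolves to one of the three filesystem types; the kernel patch level still has to be checked separately.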
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages
- NFS mount attempts from unexpected clients
- Stack protection violation logs
Network Indicators:
- Unexpected NFS traffic to port 2049
- Multiple connection attempts to NFS exports
SIEM Query:
source="kernel" AND "panic" AND ("cd9660" OR "tarfs" OR "ext2fs")