FreeBSD is undertaking one main project and two minor ones:
Major: A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework).
Minor: An initial Process Audit and an MFA pilot.
We have had some reduced bandwidth this month due to summer vacations and incoming new projects. We have, however, made some meaningful progress thanks to the ongoing engagement and support of our volunteer project maintainers.
We are working our way through the vulnerabilities uncovered by Synacktiv in their code audit. Once those with the highest severity have been resolved we will be able to release Synacktiv's report.
The Process Audit and the MFA pilot are still in planning phase as their start dates are in October and September 2024 respectively. There is some risk around the MFA pilot start date slipping due to program resource constraints. We are working to address these.
The code audit was intended to discover vulnerabilities in these systems to redress, but also looked to identify classes of vulnerabilities and/or suboptimal coding practices that we can look for across the project and incorporate learnings from into our Committer training and onboarding.
The FreeBSD Foundation appointed a code audit firm, Synacktiv, who conducted the code audit on its behalf.
Work this month has been in collaboration with FreeBSD project volunteers, focused on resolving vulnerabilities from the Synacktiv code audit that have Critical and High severity. Security Advisories will be released if needed according to the FreeBSD Project's existing Security Processes and vulnerability reporting procedure.
The Synacktiv report will be released once these processes have been completed. Tentative date for this is September 30, 2024.
Lower severity vulnerabilities that have now been fixed include:
- HYP-16: Kernel heap info leak in ctl_request_sense
- HYP-21: fbaddr updated when vm_mmap_memseg fails
- CAP-04: Kernel uninitialized heap memory read due to missing error check in acl_copyin
- CAP-05: Kernel iov counter is not decremented in pipe write buffer
As a followup to CAP-04 we added the __result_use_check function attribute to turn any similar future misuse into a compile-time error.
For more information about the code audit, please see earlier updates (June and July 2024) held in this repo.
The Foundation is also working with the bhyve and Capsicum subsystem maintainer teams to identify classes of vulnerabilities indicated by the code audit findings. Tentative date for completion is September 30, 2024.
The final Alpha-Omega code audit report where we provide commentary, findings, and additional recommendations is targeted for October 15, 2024.
The Foundation is preparing for the process audit to start in October as planned. Preparation work includes creating the process audit report proforma, and socialising the audit with volunteer project maintainers.
For more information about the objectives and deliverables of the process audit, please see the previous updates (June and July).
We have had some reduced bandwidth this month due to summer vacations and incoming new projects. We are currently creating a project and person spec to see whether we can appoint a contractor or vendor to assist with the project.
The FreeBSD Security Team oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments.
The FreeBSD vulnerability reporting and disclosure policy provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community.