CVE-2023-5978 – FreeBSD Advisory

FreeBSD-SA-23:16.cap_net is a security advisory that addresses a vulnerability in the libcap_net module of FreeBSD versions 13.2 and later. The vulnerability, identified as CVE-2023-5978, allows an application to manipulate the limitation list, potentially bypassing restrictions and introducing unauthorized domain entries.

Users are advised to upgrade their systems to a supported FreeBSD stable or release branch dated after the correction date given in the advisory. No workaround is available, and the base system software in FreeBSD is not affected by this vulnerability. Updating promptly is the only way to mitigate the risk.

Key Takeaways:

  • FreeBSD 13.2 and later are affected by an issue in the libcap_net module.
  • The problem lies in the incorrect manipulation of the libcap_net limitation list.
  • If only a list of resolvable domain names was specified without any other limitations, an application could submit a new list of domains including entries not previously in the list.
  • No workaround is available, but it’s important to note that no FreeBSD base system software is vulnerable.
  • Upgrade to a supported FreeBSD stable or release/security branch after the correction date to resolve the issue.
  • Two methods for updating the vulnerable system are provided: binary patch or source code patch.
  • More details about the correction and references can be found in the original advisory.
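
The limitation-list issue described above comes down to one invariant: once a list of resolvable names is in place, a later request may only narrow it. The following C sketch is an added example, not code from libcap_net or the advisory; `struct name_limit`, `name_limit_apply` and the sample domain lists are hypothetical names constructed to model that check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a name-resolution limit; not the libcap_net structures. */
struct name_limit {
    const char *const *names;  /* allowed domain names, assumed already lower-cased */
    size_t count;
    bool set;                  /* false until a first name list has been applied */
};

static bool name_allowed(const struct name_limit *lim, const char *name)
{
    for (size_t i = 0; i < lim->count; i++)
        if (strcmp(lim->names[i], name) == 0)
            return true;
    return false;
}

/*
 * Install the requested list only if it does not widen the current one.
 * The check runs whenever a name list exists, whether or not any other
 * kind of limitation is set. In this model an empty list allows no names.
 * Returns 0 on success, -1 when the request contains a name not already allowed.
 */
int name_limit_apply(struct name_limit *cur, const char *const *req, size_t nreq)
{
    if (cur->set)
        for (size_t i = 0; i < nreq; i++)
            if (!name_allowed(cur, req[i]))
                return -1;
    cur->names = req;
    cur->count = nreq;
    cur->set = true;
    return 0;
}

/* Constructed sample lists. */
static const char *const initial[]  = { "freebsd.org", "example.org" };
static const char *const narrower[] = { "freebsd.org" };
static const char *const widened[]  = { "freebsd.org", "example.net" };

int main(void)
{
    struct name_limit lim = { 0 };
    printf("initial:  %d\n", name_limit_apply(&lim, initial, 2));
    printf("widened:  %d\n", name_limit_apply(&lim, widened, 2));
    printf("narrower: %d\n", name_limit_apply(&lim, narrower, 1));
    return 0;
}
```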