FreeBSD
cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*
- >= 14, < 14.2-RELEASE-p1
- >= 14.1-RELEASE, < 14.1-RELEASE-p7
- >= 13, < 13.4-RELEASE-p3
A vulnerability exists in the FreeBSD etcupdate utility, which is used to manage updates to system files. When etcupdate encounters conflicts while merging files, it creates a temporary copy in /var/db/etcupdate/conflicts that contains conflict markers. This copy is world-readable and does not preserve the original file's permissions, potentially exposing sensitive information from files that normally have restricted access, such as /etc/master.passwd. An unprivileged local user could exploit this to read encrypted passwords for root and other users, but only if conflicts arise in the password file during an update and the unprotected copy is not deleted after the conflicts are resolved.
Exploitation of this vulnerability could allow an unprivileged local user to access encrypted passwords from the temporary master.passwd file in /var/db/etcupdate/conflicts, including passwords for the root user.
Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date. Instructions for updating via the FreeBSD Update utility or applying a source code patch are available in the FreeBSD Security Advisory.
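As an added defender-side check (not code from the advisory or from FreeBSD's etcupdate), the POSIX shell script below audits the conflicts directory named above for leftover copies that are world-readable and tightens them to owner-only access; it assumes conflict copies are regular files somewhere under that directory.

```shell
#!/bin/sh
# Audit /var/db/etcupdate/conflicts for leftover conflict copies that are
# world-readable (the failure mode described above) and tighten them.
# Assumption: conflict copies are regular files under that directory.

DEFAULT_CONFLICTS=/var/db/etcupdate/conflicts

# Print every regular file under $1 whose "other: read" bit is set.
# -perm -004 is the octal form, accepted by both BSD and GNU find.
list_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Return 0 if no world-readable copy exists, 1 otherwise (listing each one).
audit_conflicts() {
    dir=${1:-$DEFAULT_CONFLICTS}
    [ -d "$dir" ] || return 0          # nothing to audit
    leaks=$(list_world_readable "$dir")
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks" | while IFS= read -r f; do
        printf 'world-readable conflict copy: %s\n' "$f"
    done
    return 1
}

# Restrict the directory and every leftover copy to its owner (root).
# Conflict resolution is done by root, so no other access is needed.
fix_conflicts() {
    dir=${1:-$DEFAULT_CONFLICTS}
    [ -d "$dir" ] || return 0
    chmod 700 "$dir" || return 1
    find "$dir" -type f -exec chmod go-rwx {} + || return 1
    audit_conflicts "$dir"             # confirm nothing remains readable
}

# Command-line entry point: "audit" reports, "fix" remediates; an optional
# second argument overrides the directory (useful for testing on a copy).
case "${1:-}" in
    audit) audit_conflicts "$2" ;;
    fix)   fix_conflicts "$2" ;;
esac
```

Running `fix` is a stopgap for hosts that have already hit the conflict; the actual correction is the update described above, after which the resolved copies should be removed.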