FreeBSD Blocklistd Socket Leak Vulnerability Allowing Denial-of-Service

Vulnerability

A socket descriptor leak vulnerability has been identified in the FreeBSD blocklistd service, which is responsible for managing a database of IP addresses linked to adverse events like failed SSH logins. This vulnerability affects FreeBSD 15.0 and stems from a programming error that causes blocklistd to leak socket descriptors for each adverse event report received. As the number of leaked sockets accumulates, blocklistd becomes unable to execute its helper script, which is crucial for blocking new addresses or unblocking those whose database entries have expired. Eventually, the service can no longer receive new adverse event reports, effectively disabling its functionality. This socket accumulation can also slow down other system processes until blocklistd is restarted.
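The failure mode above is a generic one: a daemon that opens a descriptor per incoming event and never closes it will eventually hit its descriptor limit, at which point it can neither accept further events nor open the pipe it needs to spawn a helper. The following C program is an added, constructed illustration of that mechanism; it is not blocklistd source and makes no claim about where the real bug sits. It lowers the process's own RLIMIT_NOFILE so the exhaustion shows up quickly, runs a deliberately leaky handler and a corrected one, and probes whether a "helper" could still be spawned afterwards (modelled as opening a pipe). The names `handle_report`, `helper_spawnable` and `run_scenario` are the demo's own.

```c
/* Constructed illustration of a per-event descriptor leak and its effect
 * on a daemon that later needs fresh descriptors (e.g. to spawn a helper).
 * Not blocklistd code; all function names below are this demo's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_TRACKED 1024

/* Descriptors the leaky handler "forgot". They are recorded only so the
 * demo can release them later, the equivalent of restarting the daemon. */
static int leaked[MAX_TRACKED];
static int nleaked;

/* Lower the soft descriptor limit so the demo exhausts it quickly.
 * Returns 0 on success, -1 if cap exceeds the hard limit. */
static int set_fd_cap(rlim_t cap)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || cap > rl.rlim_max)
        return -1;
    rl.rlim_cur = cap;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* One "adverse event report": the handler opens a socket for its work.
 * close_after == 0 reproduces the bug class (socket never closed);
 * close_after != 0 is the corrected form. Returns 0, or -1 with errno set. */
static int handle_report(int close_after)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (close_after || nleaked >= MAX_TRACKED)
        close(fd);
    else
        leaked[nleaked++] = fd;   /* the leak: descriptor is kept forever */
    return 0;
}

/* Stand-in for spawning the helper script: a pipe to the child needs two
 * fresh descriptors. Returns 1 if that is still possible, 0 otherwise. */
static int helper_spawnable(void)
{
    int p[2];
    if (pipe(p) != 0)
        return 0;
    close(p[0]);
    close(p[1]);
    return 1;
}

/* Release every leaked descriptor, i.e. the effect of restarting the service. */
static void restart_daemon(void)
{
    for (int i = 0; i < nleaked; i++)
        close(leaked[i]);
    nleaked = 0;
}

/* Deliver `reports` reports, then check whether the helper could still be
 * spawned. Returns the number of reports handled successfully and stores
 * the helper check in *helper_ok. Always "restarts" afterwards so that
 * scenarios can run back to back in one process. */
static int run_scenario(int close_after, int reports, int *helper_ok)
{
    int handled = 0;
    for (int i = 0; i < reports; i++) {
        if (handle_report(close_after) == 0)
            handled++;
        else if (errno != EMFILE)
            break;   /* unexpected error: stop rather than keep spinning */
    }
    *helper_ok = helper_spawnable();
    restart_daemon();
    return handled;
}

int main(void)
{
    int ok;
    if (set_fd_cap(64) != 0) {
        perror("setrlimit");
        return 1;
    }
    int n = run_scenario(0, 100, &ok);
    printf("leaky handler: %d/100 reports handled, helper %s\n",
           n, ok ? "still spawnable" : "cannot be spawned (EMFILE)");
    n = run_scenario(1, 100, &ok);
    printf("fixed handler: %d/100 reports handled, helper %s\n",
           n, ok ? "still spawnable" : "cannot be spawned");
    return 0;
}
```

With the cap at 64, the leaky handler stops accepting reports after roughly sixty of them and the helper can no longer be spawned; the corrected handler processes all hundred and the helper still starts. On a running system the analogous check is to watch the daemon's open-descriptor count over time (for example with `procstat -f` on FreeBSD) and treat steady growth under load as the symptom, since the description above offers no cure short of the patched version or a restart.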

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, where blocklistd becomes ineffective at managing adverse event reports and blocking or unblocking IP addresses. This can disrupt normal operations and allow attackers to bypass IP-based defenses. The socket leak can also cause a general system slowdown, affecting other processes until blocklistd is restarted.

Remediation

Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date. Instructions for updating via the pkg utility, freebsd-update utility, or by applying a source code patch are available in the FreeBSD Security Advisory FreeBSD-SA-26:03.blocklistd.

Added: Mar 9, 2026, 1:19 PM
Updated: Mar 9, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 4.3
remediation: 7.9
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.