CVE-2020-7461

HIGH

FreeBSD - Out-of-Bounds Write


Description

In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to the handling of DHCP option 119, resulting in a heap overflow. The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit.

Exploits (2)

nomisec WORKING POC 15 stars
by knqyf263 · poc
https://github.com/knqyf263/CVE-2020-7461
nomisec WORKING POC 1 star
by 0xkol · poc
https://github.com/0xkol/freebsd-dhclient-poc

Scores

CVSS v3 7.3
EPSS 0.0909
EPSS Percentile 92.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-787
Status published
Products (5)
freebsd/freebsd 11.3 (13 CPE variants)
freebsd/freebsd 11.4 (3 CPE variants)
freebsd/freebsd 12.1 (9 CPE variants)
siemens/simatic_rf350m_firmware
siemens/simatic_rf650m_firmware
Published Mar 26, 2021
Tracked Since Feb 18, 2026