NetbsdCVEs & Vulnerabilities
180 CVEs affecting Netbsd products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.
Most Affected Products
ftpd in NetBSD 1.4.2 does not properly parse entries in /etc/ftpchroot and does not chroot the specified users, which allows those users to access other files outside of their home directory.
NetBSD 1.4.2 and earlier allows remote attackers to cause a denial of service by sending a packet with an unaligned IP timestamp option.
procfs in BSD systems allows local users to gain root privileges by modifying the /proc/pid/mem interface via a modified file descriptor for stderr.
NetBSD ptrace call on VAX allows local users to gain privileges by modifying the PSL contents in the debugging process.
The BSD make program allows local users to modify files via a symlink attack when the -j option is being used.
FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of service by creating a large number of socket pairs using the socketpair function, setting a large buffer size via setsockopt, then writing large buffers.
The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve.
Operating systems with shared memory implementations based on BSD 4.4 code allow a user to conduct a denial of service and bypass memory limits (e.g., as specified with rlimits) using mmap or shmget to allocate memory and cause page faults.
NetBSD on a multi-homed host allows ARP packets on one network to modify ARP entries on another connected network.
NetBSD allows ARP packets to overwrite static ARP entries.
The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device.
Local users can perform a denial of service in NetBSD 1.3.3 and earlier versions by creating an unusual symbolic link with the ln command, triggering a bug in VFS.
XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.
XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.
umapfs allows local users to gain root privileges by changing their uid through a malicious mount_umap program.
In some cases, NetBSD 1.3.3 mount allows local users to execute programs in some file systems that have the "noexec" flag set.
A race condition between the select() and accept() calls in NetBSD TCP servers allows remote attackers to cause a denial of service.
NetBSD netstat command allows local users to access kernel memory.
The at program in IRIX 6.2 and NetBSD 1.3.2 and earlier allows local users to read portions of arbitrary files by submitting the file to at with the -f argument, which generates error messages that at sends to the user via e-mail.
Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.
Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages.
Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.
Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.
FreeBSD mmap function allows users to modify append-only or immutable files.
mmap function in BSD allows local attackers in the kmem group to modify memory through devices.
ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.
Teardrop IP denial of service.
FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka FTP bounce.
Land IP denial of service.
The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID.
rpc.mountd on Linux, Ultrix, and possibly other operating systems, allows remote attackers to determine the existence of a file on the server by attempting to mount that file, which generates different error messages depending on whether the file exists or not.
Listening TCP ports are sequentially allocated, allowing spoofing attacks.
The rwho/rwhod service is running, which exposes machine status and user information.
Buffer overflow of rlogin program using TERM environmental variable.
Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable.
Buffer overflow in rwhod on AIX and other operating systems allows remote attackers to execute arbitrary code via a UDP packet with a long hostname.