feat: add CVE-2020-0543 (SRBDS) mitigation detection under BSD

2026-04-02 13:17:07 +02:00 · 2026-03-31 22:47:19 +02:00
parent 2b603c68ce
commit 4875b4c71c
1 changed files with 37 additions and 4 deletions
--- a/src/vulns/CVE-2020-0543.sh
+++ b/src/vulns/CVE-2020-0543.sh
@@ -105,11 +105,44 @@ check_CVE_2020_0543_linux() {
 }

 # CVE-2020-0543 SRBDS (special register buffer data sampling) - BSD mitigation check
+# FreeBSD uses the name "rngds" (Random Number Generator Data Sampling) for SRBDS
 check_CVE_2020_0543_bsd() {
-    if ! is_cpu_affected "$cve"; then
-        # override status & msg in case CPU is not vulnerable after all
-        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    local rngds_enable rngds_state kernel_rngds
+    pr_info_nol "* Kernel supports SRBDS mitigation (machdep.mitigations.rngds.enable): "
+    rngds_enable=$(sysctl -n machdep.mitigations.rngds.enable 2>/dev/null)
+    if [ -n "$rngds_enable" ]; then
+        kernel_rngds=1
+        case "$rngds_enable" in
+            0) pstatus yellow YES "optimized (RDRAND/RDSEED not locked, faster but vulnerable)" ;;
+            1) pstatus green YES "mitigated" ;;
+            *) pstatus yellow YES "unknown value: $rngds_enable" ;;
+        esac
    else
-        pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+        kernel_rngds=0
+        pstatus yellow NO
+    fi
+
+    pr_info_nol "* SRBDS mitigation state: "
+    rngds_state=$(sysctl -n machdep.mitigations.rngds.state 2>/dev/null)
+    if [ -n "$rngds_state" ]; then
+        if echo "$rngds_state" | grep -qi 'not.affected\|mitigat'; then
+            pstatus green YES "$rngds_state"
+        else
+            pstatus yellow NO "$rngds_state"
+        fi
+    else
+        pstatus yellow NO "sysctl not available"
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ "$kernel_rngds" = 1 ] && [ "$rngds_enable" = 1 ]; then
+        pvulnstatus "$cve" OK "SRBDS mitigation is enabled"
+    elif [ "$kernel_rngds" = 1 ] && [ "$rngds_enable" = 0 ]; then
+        pvulnstatus "$cve" VULN "SRBDS mitigation is supported but set to optimized mode (disabled for RDRAND/RDSEED)"
+        explain "To enable full SRBDS mitigation, run \`sysctl machdep.mitigations.rngds.enable=1'.\n " \
+            "To make this persistent, add 'machdep.mitigations.rngds.enable=1' to /etc/sysctl.conf."
+    else
+        pvulnstatus "$cve" VULN "your kernel doesn't support SRBDS mitigation, update it"
    fi
 }