bhyve privileged guest escape via fwctl
CVE-2023-3494
8.8 HIGH
What is CVE-2023-3494?
A vulnerability in the FreeBSD fwctl driver can lead to a buffer overflow when a bhyve guest accesses specific x86 I/O ports. The flaw can allow execution of malicious code on the host system, specifically within the bhyve userspace process, which generally operates with root privileges. The Capsicum sandbox partly mitigates the impact through the capabilities it enforces, but because the overflow can be triggered by privileged software running in a guest VM, timely updates and proper configuration remain necessary.
Affected Version(s)
FreeBSD 13.2-RELEASE < 13.2-RELEASE-p2
FreeBSD 13.1-RELEASE < 13.1-RELEASE-p9
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft