{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-16T10:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20201016-0002/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24718", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249", "refsource": "MISC", "url": "https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249"}, {"name": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc", "refsource": "CONFIRM", "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc"}, {"name": "https://security.netapp.com/advisory/ntap-20201016-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20201016-0002/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24718", "datePublished": "2020-09-25T03:49:02", "dateReserved": "2020-08-27T00:00:00", "dateUpdated": "2020-10-16T10:06:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*", "matchCriteriaId": "B985F217-C03B-4FB4-9967-55793399E30F", "versionEndIncluding": "11.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:-:*:*:*:*:*:*", "matchCriteriaId": "F35957CE-AF9F-40CA-BDD1-FA6A0E73783F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p1:*:*:*:*:*:*", "matchCriteriaId": "EA929713-B797-494A-853D-C121D9D69519", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p10:*:*:*:*:*:*", "matchCriteriaId": "B87AF171-95AC-4DDA-8D94-694F85638B46", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p11:*:*:*:*:*:*", "matchCriteriaId": "1CC8B031-41BB-4846-B092-7E4BC6F35D6B", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p12:*:*:*:*:*:*", "matchCriteriaId": "83E34012-BC9D-4F0C-AAE1-FE5767B4EED6", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p13:*:*:*:*:*:*", "matchCriteriaId": "57EF03AC-0934-46FD-A77C-76A0CAF4342C", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p2:*:*:*:*:*:*", "matchCriteriaId": "3C3D8EDC-91D3-45B2-AC1D-EF4346D4A714", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p3:*:*:*:*:*:*", "matchCriteriaId": "EA5006FF-06A5-4D95-BF5B-29F26248D11F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p4:*:*:*:*:*:*", "matchCriteriaId": "A705031B-FD63-4076-B92E-E826E11D7111", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p5:*:*:*:*:*:*", "matchCriteriaId": "11C1EFB1-68E5-45F4-A7E1-744574F290D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p6:*:*:*:*:*:*", "matchCriteriaId": "25F649A7-9265-4552-8934-BCE083363982", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p7:*:*:*:*:*:*", "matchCriteriaId": "F202C856-5B95-4796-AC4A-1F210E7BAB8F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p8:*:*:*:*:*:*", "matchCriteriaId": "9419C866-C478-4CDE-A9A1-E592D8FF0933", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:p9:*:*:*:*:*:*", "matchCriteriaId": "2B6DFC23-A7A1-431A-9AD9-A820579F95F0", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "E03E6445-DD63-44E8-85D1-3971253F395A", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.4:-:*:*:*:*:*:*", "matchCriteriaId": "4A865EA1-01D7-4E5A-9D13-80780F8A9D7A", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.4:beta1:*:*:*:*:*:*", "matchCriteriaId": "B80FBD1B-D03E-4408-9150-2F86FAF7F1D7", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.4:p1:*:*:*:*:*:*", "matchCriteriaId": "9FCA6A72-2A72-45FD-A43D-B5BF7C329121", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.4:p2:*:*:*:*:*:*", "matchCriteriaId": "90F9B3CB-3B60-4AA8-9EAF-4F0BE7D27691", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.4:p3:*:*:*:*:*:*", "matchCriteriaId": "C04EE177-C7D1-4049-B680-F961A27C677F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "2B0FB7BE-DB4E-47CE-8B51-C43DC5AADD17", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:11.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D427061-B399-47BA-865D-9FAB315210CF", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:-:*:*:*:*:*:*", "matchCriteriaId": "826B53C2-517F-4FC6-92E8-E7FCB24F91B4", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p1:*:*:*:*:*:*", "matchCriteriaId": "93F10A46-AEF2-4FDD-92D6-0CF07B70F986", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p10:*:*:*:*:*:*", "matchCriteriaId": "8C7B8FCA-2170-469A-B6D6-2C6AB254F20F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p11:*:*:*:*:*:*", "matchCriteriaId": "E94067A1-5C68-4401-A7B6-29B4FE553733", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p12:*:*:*:*:*:*", "matchCriteriaId": "87EE567B-7604-41CC-B0A7-B51255D4C240", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p2:*:*:*:*:*:*", "matchCriteriaId": "E1AD57A9-F53A-4E40-966E-F2F50852C5E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p3:*:*:*:*:*:*", "matchCriteriaId": "C4029113-130F-4A33-A8A0-BC3E74000378", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p4:*:*:*:*:*:*", "matchCriteriaId": "46C5A6FD-7BBF-4E84-9895-8EE14DC846E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p5:*:*:*:*:*:*", "matchCriteriaId": "6D71D083-3279-4DF4-91E1-38C373DD062F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p6:*:*:*:*:*:*", "matchCriteriaId": "882669AB-BCFC-4517-A3E9-33D344F1ED0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p7:*:*:*:*:*:*", "matchCriteriaId": "BC3D24FB-50A2-4E37-A479-AF21F8ECD706", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p8:*:*:*:*:*:*", "matchCriteriaId": "3070787D-76E1-4671-B99D-213F7103B3A2", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.0:p9:*:*:*:*:*:*", "matchCriteriaId": "0140276F-9C31-4B5C-A5AC-DE0EBB885275", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:-:*:*:*:*:*:*", "matchCriteriaId": "BD730B6A-F123-4685-ACB3-4F20AAAB77F3", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p1:*:*:*:*:*:*", "matchCriteriaId": "508150E3-2C0C-4EEB-BFC9-BB5CEB404C06", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p2:*:*:*:*:*:*", "matchCriteriaId": "B5D692EF-A5D7-430E-91BA-4CD137343B66", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p3:*:*:*:*:*:*", "matchCriteriaId": "D50C60A7-4C9F-4636-92E9-9F5B8B01BE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p4:*:*:*:*:*:*", "matchCriteriaId": "6C49F6C7-A740-42F4-93BB-512CBF334516", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p5:*:*:*:*:*:*", "matchCriteriaId": "402740C4-5B55-423F-BAD2-F742E1E21ADC", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p6:*:*:*:*:*:*", "matchCriteriaId": "9DCAA10A-C612-45E0-84B7-55897F49D65E", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p7:*:*:*:*:*:*", "matchCriteriaId": "CB6258A5-8066-48B8-A417-09A1547DD57A", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p8:*:*:*:*:*:*", "matchCriteriaId": "6601C7C4-EC36-4EAA-90AC-D3156A2BF330", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.1:p9:*:*:*:*:*:*", "matchCriteriaId": "EDCBC06C-B16B-498A-A99B-5F9F17C5FF03", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:omniosce:omnios:*:*:*:*:community:*:*:*", "matchCriteriaId": "6F88A2E7-1972-4CBD-9197-9680DCF9806F", "versionEndIncluding": "r151034", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:openindiana:openindiana:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F91E6EC-CDE1-4B4B-B556-1B91C0CA5BEA", "versionEndIncluding": "hipster_2020.04", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "matchCriteriaId": "1FE996B1-6951-4F85-AA58-B99A379D2163", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP."}, {"lang": "es", "value": "bhyve, como es usado en FreeBSD versiones hasta 12.1 e illumos (por ejemplo, OmniOS CE versiones hasta r151034 y OpenIndiana versiones hasta Hipster 2020.04), no restringe apropiadamente las operaciones de lectura y de escritura de VMCS y VMCB, como es demostrado por un usuario root en un contenedor en un sistema Intel, qui\u00e9n puede alcanzar privilegios al modificar VMCS_HOST_RIP"}], "id": "CVE-2020-24718", "lastModified": "2022-01-01T18:39:11.670", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-25T04:23:04.683", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20201016-0002/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}