bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.
References
Link | Resource |
---|---|
https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249 | Exploit Third Party Advisory |
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc | Vendor Advisory |
https://security.netapp.com/advisory/ntap-20201016-0002/ | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-09-25T03:49:02
Updated: 2020-10-16T10:06:12
Reserved: 2020-08-27T00:00:00
Link: CVE-2020-24718
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-09-25T04:23:04.683
Modified: 2022-01-01T18:39:11.670
Link: CVE-2020-24718
JSON object: View
Redhat Information
No data.
CWE