=============================================================================
FreeBSD-SA-18:14.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient bounds checking in bhyve(8) device model

Category:       core
Module:         bhyve
Announced:      2018-12-04
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
                2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
CVE Name:       CVE-2018-17160

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The bhyve hypervisor uses the bhyve(8) program to emulate support for most
virtual devices used by guest operating systems.

II.  Problem Description

Insufficient bounds checking in one of the device models provided by bhyve(8)
can permit a guest operating system to overwrite memory in the bhyve(8)
process, possibly permitting arbitrary code execution.

III. Impact

A guest OS using a firmware image can cause the bhyve process to crash, or
possibly execute arbitrary code on the host as root.

IV.  Workaround

The device model in question is only enabled when booting guests with a
firmware image such as the UEFI images from the bhyve-firmware package.
Guests booted using bhyveload(8) or grub2-bhyve are not affected.  Guests
using operating systems supported by bhyveload(8) or grub2-bhyve can be
booted using these tools as a workaround.

No workaround is available for guest operating systems such as Windows that
require a firmware image.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, restart guests using firmware images.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Afterward, restart guests using firmware images.

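The triage implied by sections IV and V, as an added example that is not part
of the FreeBSD advisory: it reports whether a "freebsd-version -u" string is at
the corrected 11.2-RELEASE-p6 level, and lists which guests boot with a
firmware image and therefore need a restart after the update. It assumes guests
are started from scripts containing plain bhyve(8) command lines and that a
firmware boot appears as "-l bootrom,<file>"; the function names and the sample
lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for FreeBSD-SA-18:14.bhyve (names are illustrative).

# patch_status VERSION -> corrected | vulnerable | unknown
# VERSION is the output of `freebsd-version -u`. The advisory names
# 11.2-RELEASE-p6 as the corrected release level; other branches are fixed
# by date and are reported as "unknown" for a manual check.
patch_status() {
    case "$1" in
        11.2-RELEASE) echo vulnerable ;;
        11.2-RELEASE-p*)
            level=${1##*-p}
            case "$level" in
                ''|*[!0-9]*) echo unknown ;;
                *) if [ "$level" -ge 6 ]; then echo corrected
                   else echo vulnerable; fi ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# firmware_guests: reads guest start commands on stdin, one per line, and
# prints the VM name (last argument) of each bhyve(8) invocation that loads a
# boot ROM. Assumption: a firmware boot appears as "-l bootrom,<file>".
firmware_guests() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f        # word-split without globbing
        [ "${1##*/}" = bhyve ] || continue  # skips bhyveload, grub-bhyve
        prev='' rom=no vm=''
        for arg in "$@"; do
            case "$prev $arg" in "-l bootrom,"*) rom=yes ;; esac
            case "$arg" in -lbootrom,*) rom=yes ;; esac
            prev=$arg vm=$arg
        done
        if [ "$rom" = yes ]; then echo "$vm"; fi
    done
    return 0
}

# Constructed sample start-script lines (not taken from the advisory).
sample_launch_lines() {
    cat <<'EOF'
bhyveload -m 1G -d /vm/fbsd11.img fbsd11
bhyve -c 1 -m 1G -H -s 0,hostbridge -s 31,lpc -l com1,stdio fbsd11
/usr/sbin/bhyve -c 2 -m 4G -H -w -s 0,hostbridge -s 31,lpc -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd win10
bhyve -c 1 -m 2G -H -s 0,hostbridge -s 31,lpc -lbootrom,/vm/fw/BHYVE_UEFI.fd debian9
EOF
}

echo "11.2-RELEASE-p5: $(patch_status 11.2-RELEASE-p5)"
echo "guests to restart after updating: $(sample_launch_lines | firmware_guests | tr '\n' ' ')"
```
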
VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r341486
releng/11.2/                                                      r341488
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>