125 lines
4.5 KiB
Text
125 lines
4.5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-16:32.bhyve Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: bhyve - privilege escalation vulnerability
|
|
|
|
Category: core
|
|
Module: bhyve
|
|
Announced: 2016-10-25
|
|
Credits: Ilja van Sprundel, IOActive
|
|
Affects: FreeBSD 11.0 amd64
|
|
Corrected: 2016-10-25 17:15:32 UTC (stable/11, 11.0-STABLE)
|
|
2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
bhyve is a BSD licensed hypervisor that supports running a variety of
|
|
virtual machines (guests).
|
|
|
|
II. Problem Description
|
|
|
|
An unchecked array reference in the VGA device emulation code could
|
|
potentially allow guests access to the heap of the bhyve process.
|
|
Since the bhyve process is running as root, this may allow guests to
|
|
obtain full control of the hosts they are running on.
|
|
|
|
III. Impact
|
|
|
|
For bhyve virtual machines with the "fbuf" framebuffer device
|
|
configured, if exploited, a malicious guest could obtain full access
|
|
to not just the host system, but to other virtual machines running on
|
|
the system.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, however systems not using bhyve for
|
|
virtualization are not vulnerable. Additionally systems using bhyve
|
|
but without the "fbuf" framebuffer device configured are not
|
|
vulnerable.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
No reboot is needed. Rather the bhyve process for vulnerable virtual
|
|
machines should be restarted.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the amd64 platforms
|
|
can be updated via the freebsd-update(8) utility.
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:32/bhyve.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:32/bhyve.patch.asc
|
|
# gpg --verify bhyve.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart the bhyve process(es).
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r307939
|
|
releng/11.0/ r307935
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:32.bhyve.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQIcBAEBCgAGBQJYD5UbAAoJEO1n7NZdz2rnOAcP/03LJPbzVE05gIkN+j8z4jz5
|
|
Q/EX+zGgid5omIqslsiM6obDNupnH3HYE7Suv5sCJky9pyX8mv1g3jTkxXzm+32k
|
|
9rCcBtGdIviKKG8GNuMa56ZU5EvgUkwndn4qTi7KmZ/+1l8UGRCAsU04L6qQHwb2
|
|
Si7WcgZLse+epkYAgzyje+YFR/Ib2xc3vdXXpj+uxlQWs6U3RZ95v+6M5ARhBHes
|
|
YJ34QKphy/PaT02hI9AvLU6aB4hkN5XVE2uHgpciNRLp0DF3XwqHRYbDx2bACifS
|
|
ge7hbpsSCZuOayYWdtw8gcbzJXxX1fMv1q9ntj5XLh/a4av7coHWYPHDYmIC7Inb
|
|
RNAhynR8W9SWFZ1EqUEWhKeWPwpKgiy1e4+CpDm5wbnj+CzJLc08tMU77jIUV6In
|
|
ilJkZ04sv25mjOdnjSkjt6PnXmT1n+UrWdKjOYsAkaWiHpAUzGT2dSgRfn8zh5wv
|
|
hc1368Z2v2v43HJ+Y4x0M0VVuuEydEHB+sWBhn8evxlQ6KIAC2sdi7juP4TLAgkj
|
|
A1kA3Oob4+pGlxzTGgHDE+/HzHnGEfmoWHS/u0dmDiUuTlQDKQCdCEUnjfRdJYuc
|
|
3fbigdY70d2wx6igs4VZszSQLu4c4ranewy3ORS1OghpOjnvO7mvJVUbseusLaNC
|
|
fYkumZ2XfUaJuya63z7z
|
|
=gyCa
|
|
-----END PGP SIGNATURE-----
|