Lucene search

[email protected]CVE-2020-24718

HistorySep 25, 2020 - 4:23 a.m.

CVE-2020-24718

2020-09-2504:23:04

CWE-862

[email protected]

web.nvd.nist.gov

cve-2020-24718

bhyve

freebsd

illumos

privilege escalation

vmcs

vmcb

nvd

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.5%

JSON

bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.

Affected configurations

NVD

Node

freebsdfreebsdRange≤11.2

freebsdfreebsdMatch11.3-

freebsdfreebsdMatch11.3p1

freebsdfreebsdMatch11.3p10

freebsdfreebsdMatch11.3p11

freebsdfreebsdMatch11.3p12

freebsdfreebsdMatch11.3p13

freebsdfreebsdMatch11.3p2

freebsdfreebsdMatch11.3p3

freebsdfreebsdMatch11.3p4

freebsdfreebsdMatch11.3p5

freebsdfreebsdMatch11.3p6

freebsdfreebsdMatch11.3p7

freebsdfreebsdMatch11.3p8

freebsdfreebsdMatch11.3p9

freebsdfreebsdMatch11.3rc3

freebsdfreebsdMatch11.4-

freebsdfreebsdMatch11.4beta1

freebsdfreebsdMatch11.4p1

freebsdfreebsdMatch11.4p2

freebsdfreebsdMatch11.4p3

freebsdfreebsdMatch11.4rc1

freebsdfreebsdMatch11.4rc2

freebsdfreebsdMatch12.0-

freebsdfreebsdMatch12.0p1

freebsdfreebsdMatch12.0p10

freebsdfreebsdMatch12.0p11

freebsdfreebsdMatch12.0p12

freebsdfreebsdMatch12.0p2

freebsdfreebsdMatch12.0p3

freebsdfreebsdMatch12.0p4

freebsdfreebsdMatch12.0p5

freebsdfreebsdMatch12.0p6

freebsdfreebsdMatch12.0p7

freebsdfreebsdMatch12.0p8

freebsdfreebsdMatch12.0p9

freebsdfreebsdMatch12.1-

freebsdfreebsdMatch12.1p1

freebsdfreebsdMatch12.1p2

freebsdfreebsdMatch12.1p3

freebsdfreebsdMatch12.1p4

freebsdfreebsdMatch12.1p5

freebsdfreebsdMatch12.1p6

freebsdfreebsdMatch12.1p7

freebsdfreebsdMatch12.1p8

freebsdfreebsdMatch12.1p9

Node

omniosceomniosRange≤r151034community

Node

openindianaopenindianaRange≤hipster_2020.04

Node

netappclustered_data_ontapMatch-

CPENameOperatorVersion
freebsd:freebsdfreebsdle11.2
freebsd:freebsdfreebsdeq11.3
freebsd:freebsdfreebsdeq11.4
freebsd:freebsdfreebsdeq12.0
freebsd:freebsdfreebsdeq12.1

CPE	Name	Operator	Version
freebsd:freebsd	freebsd	le	11.2
freebsd:freebsd	freebsd	eq	11.3
freebsd:freebsd	freebsd	eq	11.4
freebsd:freebsd	freebsd	eq	12.0
freebsd:freebsd	freebsd	eq	12.1

References

github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249

security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc

security.netapp.com/advisory/ntap-20201016-0002/

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.5%

JSON

Related for CVE-2020-24718

freebsd_advisory1 cvelist1 nvd1 nessus1 freebsd1 prion1