Vulnerability CVE-2020-24718 - CERT Civis.Net

Vulnerability Name:

CVE-2020-24718 (CCN-188408)

Assigned:

2020-09-15

Published:

2020-09-15

Updated:

2020-10-16

Summary:

bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.

CVSS v3 Severity:

8.2 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

6.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2020-24718

Source: XF
Type: UNKNOWN
freebsd-cve202024718-code-exec(188408)

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249

Source: CONFIRM
Type: Vendor Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20201016-0002/

Source: CCN
Type: FreeBSD Security Advisory FreeBSD-SA-20:28.bhyve_vmcs
bhyve privilege escalation via VMCS access

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-24718

Vulnerable Configuration:

Configuration 1:

cpe:/o:freebsd:freebsd:*:*:*:*:*:*:*:* (Version <= 11.2)

OR cpe:/o:freebsd:freebsd:11.3:-:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p1:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p10:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p11:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p12:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p13:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p2:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p3:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p4:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p5:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p6:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p7:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p8:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:p9:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.3:rc3:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.4:-:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.4:beta1:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.4:p1:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.4:p2:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.4:p3:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.4:rc1:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.4:rc2:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:-:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p1:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p10:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p11:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p12:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p2:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p3:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p4:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p5:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p6:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p7:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p8:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.0:p9:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:-:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p1:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p2:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p3:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p4:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p5:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p6:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p7:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p8:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:p9:*:*:*:*:*:*

Configuration 2:

cpe:/o:omniosce:omnios:*:*:*:*:community:*:*:* (Version <= r151034)

Configuration 3:

cpe:/o:openindiana:openindiana:*:*:*:*:*:*:*:* (Version <= hipster_2020.04)

Configuration 4:

cpe:/a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:freebsd:freebsd:11.3:*:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.1:-:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:11.4:-:*:*:*:*:*:*

OR cpe:/o:freebsd:freebsd:12.2:-:*:*:*:*:*:*

Denotes that component is vulnerable