SB2020091627 - Multiple vulnerabilities in FreeBSD
Published: September 16, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Security restrictions bypass (CVE-ID: CVE-2020-7467)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists in the bhyve(8) hypervisor when processing instructions for AMD processors sent from the guest operating environment. A number of AMD virtualization instructions operate on host physical addresses and are not subject to nested page table translation, and guest use of these instructions is not trapped.
A remote user with access to the guest operating system can run a specially crafted program to write to arbitrary memory locations on the host operating system.
Successful exploitation of the vulnerability may allow an attacker to gain full control over the host operating system.
Note, the vulnerability affects systems running bhyve(8) on AMD processors only.
2) Security restrictions bypass (CVE-ID: CVE-2020-7468)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to an error in the ftpd(8) sandbox implementation, combined with capabilities available to authenticated FTP users. A remote FTP user can bypass restrictions configured with ftpchroot(5) and gain privileged access to the system.
Note, this vulnerability cannot be exploited by users with anonymous access to the FTP server.
3) Security restrictions bypass (CVE-ID: CVE-2020-24718)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists in the bhyve(8) hypervisor because the application does not properly impose security restrictions. A remote root user on the host within a jailed environment can run a specially crafted program to execute arbitrary code on systems that rely on bhyve(8) in a jail for security domain separation.
4) Input validation error (CVE-ID: CVE-2020-7464)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in the ure(3) device driver for certain Realtek USB Ethernet interfaces when processing network packets larger than 2048 bytes. A remote attacker can send large frames (these can be VLAN or non-VLAN tagged packets) to the affected host and inject arbitrary packets to be received and processed by the host. As a result, an attacker can spoof packets from other hosts or inject packets into VLANs other than those the host is on.
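The exposure conditions stated for the issues above can be checked per host. The following triage script is an added example, not part of the original bulletin or of FreeBSD's own tooling. The function names are hypothetical, and the `/etc/ftpchroot` path, the `vmm` module name and the sample values used to exercise it are assumptions based on a stock FreeBSD install rather than on this page.

```shell
#!/bin/sh
# Added example: exposure triage for the four issues in this bulletin.
# Classifiers take collected facts as arguments so they can be exercised offline.

# CVE-2020-7467: bhyve(8) on AMD processors only.
# $1 = CPU model string, $2 = "yes" when the vmm kernel module is loaded.
bhyve_amd_exposure() {
    case "$1" in
        *AMD*) if [ "$2" = yes ]; then echo exposed; return 0; fi ;;
    esac
    echo not-exposed
}

# CVE-2020-7468: authenticated users restricted through ftpchroot(5).
# $1 = contents of the ftpchroot file; prints the number of active entries.
ftpchroot_entries() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | wc -l | tr -d ' '
}

# CVE-2020-7464: ure driver for Realtek USB Ethernet interfaces.
# $1 = space-separated interface names; prints the ure interfaces found.
ure_interfaces() {
    found=""
    for ifname in $1; do
        case "$ifname" in
            ure[0-9]*) found="${found:+$found }$ifname" ;;
        esac
    done
    echo "$found"
}

# Collect the facts on a live FreeBSD host and print one line per issue.
triage_host() {
    vmm=no
    if kldstat -q -m vmm 2>/dev/null; then vmm=yes; fi
    echo "CVE-2020-7467 bhyve on AMD: $(bhyve_amd_exposure "$(sysctl -n hw.model)" "$vmm")"
    echo "CVE-2020-7468 active ftpchroot entries: $(ftpchroot_entries "$(cat /etc/ftpchroot 2>/dev/null)")"
    echo "CVE-2020-24718 bhyve in jail: review jails by hand (vmm loaded: $vmm)"
    echo "CVE-2020-7464 ure interfaces: $(ure_interfaces "$(ifconfig -l)")"
}

# Run the live collection only on FreeBSD; elsewhere the functions are just defined.
if [ "$(uname -s)" = FreeBSD ]; then triage_host; fi
```

A non-zero ftpchroot entry count only matters where ftpd(8) is actually enabled, and the jail case needs a manual review because the bulletin gives no host-side indicator for it.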
Remediation
Install the update from the vendor's website.