Multiple vulnerabilities in FreeBSD

Published: 2020-09-16
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 4
CVE ID: CVE-2020-7467, CVE-2020-7468, CVE-2020-24718, CVE-2020-7464
CWE ID: CWE-264, CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: FreeBSD
Operating systems & Components / Operating system

Vendor FreeBSD Foundation

Security Advisory

1) Security restrictions bypass

Risk: Medium

CVSSv3: 3.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7467

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists in the bhyve(8) hypervisor when processing instructions for AMD processors issued from a guest operating environment: a number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions is not trapped.

A remote user with access to a guest operating system can run a specially crafted program to write to arbitrary memory locations on the host operating system.

Successful exploitation of the vulnerability may allow an attacker to gain full control over the host operating system.

Note: the vulnerability affects only systems running bhyve(8) on AMD processors.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FreeBSD: 11.0, 11.1, 11.2, 11.3, 11.4, 12.0, 12.1, 12.2

External links

https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

Risk: Medium

CVSSv3: 3.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7468

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to an error in the ftpd(8) sandbox implementation, combined with capabilities available to authenticated FTP users. A remote FTP user can bypass the restrictions configured with ftpchroot(5) and gain privileged access to the system.

Note: this vulnerability cannot be exploited by users with anonymous access to the FTP server.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FreeBSD: 11.0, 11.1, 11.2, 11.3, 11.4, 12.0, 12.1, 12.2

External links

https://www.freebsd.org/security/advisories/FreeBSD-SA-20:30.ftpd.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security restrictions bypass

Risk: Medium

CVSSv3: 3.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-24718

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists in the bhyve(8) hypervisor because it does not properly impose security restrictions. A remote root user inside a jail on the host can run a specially crafted program to execute arbitrary code on systems that rely on running bhyve(8) in a jail for security domain separation.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FreeBSD: 11.0, 11.1, 11.2, 11.3, 11.4, 12.0, 12.1, 12.2

External links

https://www.freebsd.org/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

Risk: Medium

CVSSv3: 3.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7464

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input in the ure(3) device driver for certain Realtek USB Ethernet interfaces when processing network packets larger than 2048 bytes. A remote attacker can send large frames (VLAN-tagged or untagged) to the affected host and inject arbitrary packets to be received and processed by the host. As a result, an attacker can spoof packets from other hosts or inject packets into VLANs other than the one the host is on.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FreeBSD: 11.0, 11.1, 11.2, 11.3, 11.4, 12.0, 12.1, 12.2

External links

https://www.freebsd.org/security/advisories/FreeBSD-SA-20:27.ure.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.