diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc')
-rw-r--r-- | website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc | 160 |
1 files changed, 160 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc new file mode 100644 index 0000000000..3d8ba5176c --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc @@ -0,0 +1,160 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:05.bhyve Security Advisory + The FreeBSD Project + +Topic: Bhyve e82545 device emulation out-of-bounds write + +Category: core +Module: bhyve +Announced: 2022-04-06 +Credits: Mehdi Talbi, Synacktiv +Affects: All supported versions of FreeBSD. +Corrected: 2022-04-05 22:59:52 UTC (stable/13, 13.1-STABLE) + 2022-04-06 01:56:57 UTC (releng/13.1, 13.1-RC1-p1) + 2022-04-06 03:04:14 UTC (releng/13.0, 13.0-RELEASE-p11) + 2022-04-05 23:03:35 UTC (stable/12, 12.3-STABLE) + 2022-04-06 03:06:28 UTC (releng/12.3, 12.3-RELEASE-p5) +CVE Name: CVE-2022-23087 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of guest +operating systems in virtual machines. It implements a number of device +models, including an emulated Intel 82545 network interface adapter. + +II. Problem Description + +The e1000 network adapters permit a variety of modifications to an Ethernet +packet when it is being transmitted. These include the insertion of IP and +TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation +offload ("TSO"). The e1000 device model uses an on-stack buffer to generate +the modified packet header when simulating these modifications on transmitted +packets. + +When checksum offload is requested for a transmitted packet, the e1000 device +model used a guest-provided value to specify the checksum offset in the on- +stack buffer. The offset was not validated for certain packet types. + +III. Impact + +A misbehaving bhyve guest could overwrite memory in the bhyve process on the +host, possibly leading to code execution in the host context. + +The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD +version and bhyve configuration) limits the impact of exploiting this issue. + +IV. Workaround + +Only the e1000 device model is affected; the virtio-net device is not +affected by this issue. If supported by the guest operating system, +presenting only the virtio-net device to the guest is a suitable workaround. +No workaround is available if the e1000 device model is required. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and restart bhyve virtual machines. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386 platforms can +be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:05/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-22:05/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable bhyve virtual machines, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 53f722094798 stable/13-n250272 +releng/13.1/ 5a28d8befda0 releng/13.1-n250078 +releng/13.0/ b85c68857da3 releng/13.0-n244795 +stable/12/ r371867 +releng/12.3/ r371871 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23087> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:05.bhyve.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgYACgkQ05eS9J6n +5cJERBAAoqZXVIwucgIMLepm3hQdmYsuYGDhfp12ggOR8GO/a9oL9c21u5JSSNUq +w966VU8u2Tv3JjKhNpXWSR9hbUSTuEWarkcrutNDe69GwcWv0Q8DU3DwhfrT6e9K ++IO/yMNUUBL9LlWRW4XftiowNV2r9KvqzYsGbk8Wi+bN1Vd9gXo1r31Nu3Y3JBls +EOjk8aoDuCCUqZKVjKw7VNXDjAo3MKnnt7s6nRLSJRvJH7iDGxttWGbAiREqLO07 +Aqg0ZUbbtUs8PvOL38yj/eiC4tLdOGna+Nm7VNoiS+Ee2uL/tbGU079UCgqgSJ7k +/0U8nrDss8NRirsFEbpYiNFs2zi+6dtRKjAzMGKxMU6TTnHodzfLBGsrOws5TmlS +bblLVykXBT1egNT180gCNjBRdK2mYaF23wVEPbd8bg0+JPfG5MyylG137uJJw2B0 +24RZpY3ciRCUw6xn9mRk//SOQh4fvtLSdNPfGtoYtHmzhao8wvWBqPw7SvkMkUP4 +hsdNeutyIZjqTCDvtUD4Ge81BPLnW8fUkd7yNLbWFLGBqZGlCs/xBdmTqCS/XLF7 +y9cPEsS7wb1sZS087uULgUrEDFPCnktozZ1ycCwoqCZy7dt6/zYFrYH1xu3AN+Ji +hso4aoM18gVNadHfMRqHNClBDO0iaxuXPrg+SMqffOrdQCznQ3k= +=CgB+ +-----END PGP SIGNATURE----- |