FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- bhyve privilege escalation via VMCS access

Affected packages
12.1 <= FreeBSD-kernel < 12.1_10
11.4 <= FreeBSD-kernel < 11.4_4
11.3 <= FreeBSD-kernel < 11.3_14

Details

VuXML ID 2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab
Discovery 2020-09-15
Entry 2020-09-16

Problem Description:

AMD and Intel CPUs support hardware virtualization using specialized data structures that control various aspects of guest operation. These are the Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow root users, including those running in a jail, to change these data structures.

Impact:

An attacker with host root access (including to a jailed bhyve instance) can use this vulnerability to achieve kernel code execution.

References

CVE Name CVE-2020-24718
FreeBSD Advisory SA-20:28.bhyve_vmcs