FreeBSD Hypervisor Vulnerability Lets Attackers Execute Malicious Code


A high-severity vulnerability in the FreeBSD hypervisor, bhyve, has been discovered, allowing malicious software running in a guest virtual machine (VM) to potentially execute arbitrary code on the host system.

The vulnerability, identified as CVE-2024-41721, affects all supported versions of FreeBSD and has been patched by the FreeBSD Project.


bhyve is a hypervisor that runs guest operating systems inside a virtual machine. The vulnerability arises from insufficient boundary validation in the USB (XHCI) emulation code, which can lead to an out-of-bounds read on the heap, potentially resulting in an arbitrary write and remote code execution.


Malicious, privileged software running in a guest VM can exploit this vulnerability to crash the hypervisor process or potentially achieve code execution on the host in the bhyve userspace process, which typically runs as root.

However, bhyve runs in a Capsicum sandbox, which limits any malicious code to the capabilities available to the bhyve process.

Solution and Workaround

No workaround is available for this vulnerability, but guests that do not use XHCI emulation are not impacted.
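Because only guests with XHCI emulation are impacted, a host administrator will want to know which running VMs expose that device. The script below is an added example, not code from the article or from the FreeBSD Project: it scans bhyve command lines for a `-s <slot>,xhci,...` device argument (bhyve's documented syntax for attaching an XHCI controller) and reports the PID and VM name; the `ps` output it parses is a constructed sample.

```shell
#!/bin/sh
# Constructed sample of `ps -axww -o pid,args` output on a bhyve host (not captured from a real system).
SAMPLE_PS='12345 bhyve -c 2 -m 2G -s 0,hostbridge -s 3,ahci-hd,/vm/a.img -s 4,xhci,tablet -s 31,lpc -A -H -P vm-a
12346 bhyve -c 1 -m 1G -s 0,hostbridge -s 3,virtio-blk,/vm/b.img -s 31,lpc -A -H -P vm-b
12347 /usr/sbin/bhyve -c 4 -m 4G -s 0,hostbridge -s 5:0,xhci,tablet -s 31,lpc vm-c'

# xhci_guests PS_OUTPUT
# Prints "pid vmname" for every bhyve process whose command line attaches an
# xhci device via "-s <slot>[:<function>],xhci[,...]". The last argument of a
# bhyve command line is the VM name.
xhci_guests() {
    printf '%s\n' "$1" | awk '
        $2 ~ /(^|\/)bhyve$/ {
            for (i = 3; i <= NF; i++)
                if ($(i - 1) == "-s" && $i ~ /^[0-9:.]+,xhci(,|$)/) {
                    print $1, $NF
                    break
                }
        }'
}

# On a live host, replace the sample with: xhci_guests "$(ps -axww -o pid,args)"
xhci_guests "$SAMPLE_PS"
```

Any VM listed is still exposed until the host is patched and that bhyve process has been restarted.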

To address this issue, users are advised to upgrade their vulnerable systems to a supported FreeBSD stable or release/security branch dated after the correction date.

This involves updating the system via a binary patch using the freebsd-update utility or applying a source code patch and recompiling the operating system.

The issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

  • stable/14: 419da61f8203
  • releng/14.1: 3c6c0dcb5acb
  • releng/14.0: ba46f1174972
  • stable/13: 2abd2ad64899
  • releng/13.4: 5f035df278cc
  • releng/13.3: e7a790dc3ffe

Users are strongly advised to update their systems and restart the corresponding bhyve processes or reboot the system to apply the correction.

FreeBSD users should prioritize applying the available security updates to protect their systems from potential exploitation.
