bhyve USB Out-of-bounds Heap Write Leads to Host Privilege Escalation
CVE-2024-32668 Published on September 5, 2024
bhyve(8) privileged guest escape via USB controller
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.
A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
Vulnerability Analysis
CVE-2024-32668 is exploitable with local system access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
What is an off-by-five Vulnerability?
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
CVE-2024-32668 has been classified to as an off-by-five vulnerability or weakness.
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2024-32668 has been classified to as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2024-32668
Want to know whenever a new CVE is published for FreeBSD? stack.watch will email you.
Affected Versions
FreeBSD:- Version 14.1-RELEASE and below p4 is affected.
- Version 14.0-RELEASE and below p10 is affected.
- Version 13.3-RELEASE and below p6 is affected.
- Version 14.1 and below 14.1_p4 is affected.
- Version 14.0 and below 14.0_p10 is affected.
- Version 13.3 and below 13.3_p6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.