CVE-2022-35867: ZDI-22-949


July 6th, 2022

(0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability

ZDI-22-949
ZDI-CAN-15056

CVE ID

CVE-2022-35867

CVSS SCORE

7.5, (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

AFFECTED VENDORS

xhyve

AFFECTED PRODUCTS

xhyve

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.

The specific flaw exists within the e1000 virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor.

ADDITIONAL DETAILS

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120-day deadline.

10/21/21 – ZDI attempted to contact the vendor and obtain secure keys.
10/22/21 – The contact advised they were only a one-time contributor but provided their key and agreed to receive the notification in case this was about their contribution.
10/22/21 – The contact provided a GitHub link pointing to the admin of the repository as well as their contact information.
10/25/21 – The project owner advised ZDI to send the information, but also noted that the problem could have originated in FreeBSD’s bhyve. This issue was fixed in FreeBSD’s bhyve under CVE-2019-5609 and the code was never updated in xhyve.
10/25/21 – ZDI re-sent the case details to the project owner and advised him to consider notifying FreeBSD.
06/24/22 – ZDI verified that this code was still vulnerable as of this date.
06/29/22 – ZDI notified the vendor of the intention to publish the case as a 0-day advisory on 07/6/22.

– Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

DISCLOSURE TIMELINE

  • 2021-10-22 - Vulnerability reported to vendor
  • 2022-07-06 - Coordinated public release of advisory
  • 2022-07-14 - Advisory Updated

CREDIT

Alisa Esage of Zero Day Engineering (zerodayengineering.com)


Related news

CVE-2022-36661: Disclose Three Bugs in xhyve

xhyve commit dfbe09b was discovered to contain a NULL pointer dereference via the component vi_pci_read(). This vulnerability allows attackers to cause a Denial of Service via unspecified vectors.

CVE-2019-5609

In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the on-stack buffer without validation when TCP segmentation offload is requested for a transmitted packet. A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.
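The VULNERABILITY DETAILS section and the CVE-2019-5609 description above both describe the same defect class: a guest-controlled length is used to size a copy into a fixed on-stack buffer with no check against that buffer. The following is an added illustration of that pattern and of the bounds check that was missing; it is not xhyve or bhyve source. The buffer size `HDR_BUF_SIZE`, the `struct tso_desc` descriptor, and the function names are hypothetical, and the guest payload is a constructed zero-filled array.

```c
/* Illustrative example (not xhyve or bhyve code): a guest-supplied
 * header length driving a copy into a fixed on-stack buffer, shown
 * beside the bounds check the advisory text says was missing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed size of the on-stack header scratch buffer. */
#define HDR_BUF_SIZE 256

/* Hypothetical TSO descriptor: the fields a guest controls. In this
 * pattern hdrlen is the value the device model must not trust. */
struct tso_desc {
    uint32_t hdrlen;          /* header length claimed by the guest */
    const uint8_t *payload;   /* guest memory the device would read */
    size_t payload_len;       /* bytes actually available in payload */
};

/* BEFORE: the unsafe pattern. hdrlen is used as the copy length with
 * no comparison against sizeof hdr, so any value above HDR_BUF_SIZE
 * writes past the end of the stack array. Kept only for comparison;
 * nothing in this file calls it. */
int tso_build_header_unchecked(const struct tso_desc *d)
{
    uint8_t hdr[HDR_BUF_SIZE];
    memcpy(hdr, d->payload, d->hdrlen);   /* overflow when hdrlen > sizeof hdr */
    return (int)d->hdrlen;
}

/* AFTER: reject the descriptor unless the claimed header length fits
 * the scratch buffer and does not exceed the data actually present.
 * Returns the number of header bytes copied, or -1 when the frame is
 * rejected (a real device model would drop it and flag an error). */
int tso_build_header_checked(const struct tso_desc *d)
{
    uint8_t hdr[HDR_BUF_SIZE];

    if (d->hdrlen == 0 || d->hdrlen > sizeof hdr)
        return -1;                         /* guest value exceeds the buffer */
    if (d->hdrlen > d->payload_len)
        return -1;                         /* header longer than the frame */
    memcpy(hdr, d->payload, d->hdrlen);
    /* checksum and segmentation work on hdr would follow here */
    return (int)d->hdrlen;
}

/* Run the checked path on a constructed descriptor. The payload is a
 * constructed, zero-filled guest buffer; only hdrlen bytes of it are
 * ever read, and hdrlen is capped at HDR_BUF_SIZE before the copy. */
int try_tso_header(uint32_t hdrlen, size_t payload_len)
{
    static uint8_t guest_buf[4096];
    struct tso_desc d = { hdrlen, guest_buf, payload_len };
    return tso_build_header_checked(&d);
}

int main(void)
{
    printf("hdrlen=64,   payload=1500 -> %d\n", try_tso_header(64, 1500));
    printf("hdrlen=1024, payload=1500 -> %d\n", try_tso_header(1024, 1500));
    printf("hdrlen=200,  payload=100  -> %d\n", try_tso_header(200, 100));
    return 0;
}
```

The second check (header length against the frame length) is not the one the advisory names, but it closes the companion over-read that the same trusted field enables, so a reviewer auditing a device model for this bug class would look for both.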
