Headline
CVE-2022-35867: ZDI-22-949
This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the e1000 virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-15056.
July 6th, 2022
(0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability****ZDI-22-949
ZDI-CAN-15056
CVE ID
CVE-2022-35867
CVSS SCORE
7.5, (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
AFFECTED VENDORS
xhyve
AFFECTED PRODUCTS
xhyve
VULNERABILITY DETAILS
This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.
The specific flaw exists within the e1000 virtual device. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor.
ADDITIONAL DETAILS
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120-day deadline.
10/21/21 – ZDI attempted to contact the vendor and obtain secure keys.
10/22/21 – The contact advised they were only a one-time contributor but provided their key and agreed to receive the notification in case this was about their contribution.
10/22/21 – The contact provided a GitHub link pointing to the admin of the repository as well as their contact information.
10/25/21 – The project owner advises to send the information, but also notes that the problem could have originated in FreeBSD’s bhyve. This issue was fixed in FreeBSD’s bhyve under CVE-2019-5609 and the code was never updated in xhyve.
10/25/21 – ZDI re-notified the case to the project owner and advised him to review the potential to notify FreeBSD.
06/24/22 – ZDI verified that this code was still vulnerable as of this date.
06/29/22 – ZDI notified the vendor of the intention to publish the case as a 0-day advisory on 07/6/22
– Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.
DISCLOSURE TIMELINE
- 2021-10-22 - Vulnerability reported to vendor
- 2022-07-06 - Coordinated public release of advisory
- 2022-07-14 - Advisory Updated
CREDIT
Alisa Esage of Zero Day Engineering (zerodayengineering.com)
BACK TO ADVISORIES
Related news
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
xhyve commit dfbe09b was discovered to contain a NULL pointer dereference via the component vi_pci_read(). This vulnerability allows attackers to cause a Denial of Service via unspecified vectors.
In FreeBSD 12.0-STABLE before r350619, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350619, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the bhyve e1000 device emulation used a guest-provided value to determine the size of the on-stack buffer without validation when TCP segmentation offload is requested for a transmitted packet. A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.