bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-862,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openindiana | openindiana | * |
| netapp | clustered_data_ontap | - |
| omniosce | omnios | * |
| freebsd | freebsd | 11.3 |
| freebsd | freebsd | 12.0 |
| freebsd | freebsd | 11.4 |
| freebsd | freebsd | 12.1 |
| freebsd | freebsd | * |
An issue was discovered in illumos before f859e7171bb5db34321e45585839c6c3200ebb90, OmniOS Community Edition r151038, OpenIndiana Hipster 2021.04, and SmartOS 20210923. A local unprivileged user can cause a deadlock and kernel panic via crafted rename and rmdir calls on tmpfs filesystems. Oracle Solaris 10 and 11 is also affected.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | solaris | 10 |
| omniosce | omnios | r151038 |
| joyent | smartos | 20210923 |
| oracle | solaris | 11 |
| illumos | illumos | * |
| openindiana | openindiana | hipster_2021.04 |