Date:      Wed, 12 Feb 2020 16:18:46 +0000 (UTC)
From:      Conrad Meyer <cem@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r525917 - head/security/vuxml
Message-ID:  <202002121618.01CGIkqa066920@repo.freebsd.org>

Author: cem (src committer)
Date: Wed Feb 12 16:18:45 2020
New Revision: 525917
URL: https://svnweb.freebsd.org/changeset/ports/525917

Log:
  security/vuxml: Document sysutils/grub2-bhyve escalations
  
  Mitigated in r525916.
  
  admbugs:	948
  Reported by:	Reno Robert <renorobert AT gmail.com>
  Approved by:	bapt
  MFH:		2020Q1 (bapt)

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Feb 12 15:32:31 2020	(r525916)
+++ head/security/vuxml/vuln.xml	Wed Feb 12 16:18:45 2020	(r525917)
@@ -58,6 +58,68 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="9d6a48a7-4dad-11ea-8a1d-7085c25400ea">
+    <topic>grub2-bhyve -- multiple privilege escalations</topic>
+    <affects>
+      <package>
+	<name>grub2-bhyve</name>
+	<range><lt>0.40_8</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Reno Robert reports:</p>
+	<!-- No public blog entry yet but I'm sure he'll publish one soon. -->
+	<blockquote cite="https://www.voidsecurity.in/">;
+	  <p>FreeBSD uses a two-process model for running a VM. For booting non-FreeBSD
+	  guests, a modified grub-emu is used (grub-bhyve). Grub-bhyve executes command
+	  from guest grub.cfg file. This is a security problem because grub was never
+	  written to handle inputs from OS as untrusted. In the current design, grub
+	  and guest OS works across trust boundaries. This exposes a grub to untrusted
+	  inputs from guest.
+	  </p>
+	  <p>grub-bhyve (emu) is built without SDL graphics support which reduces lot of
+	  gfx attack surface, however font loading code is still accessible. Guest can
+	  provide arbitrary font file, which is parsed by grub-bhyve running as root.
+	  </p>
+	  <p>In grub-core/font/font.c, <code>read_section_as_string()</code> allocates
+	  <code>section-&gt;length + 1</code> bytes of memory.  However, untrusted
+	  <code>section-&gt;length</code> is an unsigned 32-bit number, and the result can
+	  overflow to <code>malloc(0)</code>.  This can result in a controlled buffer
+	  overflow via the 'loadfont' command in a guest VM grub2.cfg, eventually leading
+	  to privilege escalation from guest to host.
+	  </p>
+	</blockquote>
+	<p>Reno Robert also reports:</p>
+	<!-- No public blog entry yet but I'm sure he'll publish one soon. -->
+	<blockquote cite="https://www.voidsecurity.in/">;
+	  <p>GRUB supports commands to read and write addresses of choice.  In
+	  grub-bhyve, these commands provide a way to write to arbitrary virtual
+	  addresses within the grub-bhyve process.  This is another way for a guest
+	  grub2.cfg, run by the host, to eventually escalate privileges.
+	  </p>
+	</blockquote>
+	<p>These vulnerabilities are mitigated by disabling the 'loadfont', 'write_dword',
+	  'read_dword', 'inl', 'outl', and other width variants of the same functionality in
+	  grub2-bhyve.
+	</p>
+	<p>There is also work in progress to sandbox the grub-bhyve utility such that
+	  an escaped guest ends up with nobody:nobody in a Capsium sandbox.  It is not
+	  included in 0.40_8.
+	</p>
+      </body>
+    </description>
+    <references>
+      <!-- No public blog entry yet but I'm sure he'll publish one soon. -->
+      <url>https://www.voidsecurity.in/</url>;
+    </references>
+    <dates>
+      <!-- memrw was reported 2020-02-10 or 2020-02-11, but the earliest report is: -->
+      <discovery>2019-12-09</discovery>
+      <entry>2020-02-12</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="00f30cba-4d23-11ea-86ba-641c67a117d8">
     <topic>libexif -- privilege escalation</topic>
     <affects>
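Review bot: "Capsium" in the sandboxing paragraph ("an escaped guest ends up with nobody:nobody in a Capsium sandbox") is a typo for "Capsicum" and should be corrected so the entry names the FreeBSD sandboxing framework accurately. The <references> block currently carries only a placeholder site URL with a comment that no write-up exists yet; since the log says the issues are mitigated in r525916, a <url> pointing at that changeset (https://svnweb.freebsd.org/changeset/ports/525916, following the same svnweb pattern as this commit's own URL) would give readers a concrete reference now, and a <cvename> can be added if an identifier is assigned later. The affected range (<lt>0.40_8</lt>) matches the description's statement that the Capsicum work is not included in 0.40_8, so readers should understand 0.40_8 as the command-disabling mitigation only, not the sandboxed build.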
