FreeBSD-SA-18:14.bhyve Security Advisory
The FreeBSD Project
Topic: Insufficient bounds checking in bhyve(8) device model
Credits: Reno Robert
Affects: All supported versions of FreeBSD.
Corrected: 2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
           2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
CVE Name: CVE-2018-17160
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The bhyve hypervisor uses the bhyve(8) program to emulate support for most
virtual devices used by guest operating systems.
II. Problem Description
Insufficient bounds checking in one of the device models provided by bhyve(8)
can permit a guest operating system to overwrite memory in the bhyve(8)
process, possibly permitting arbitrary code execution.
III. Impact
A guest OS using a firmware image can cause the bhyve process to crash, or
possibly execute arbitrary code on the host as root.
IV. Workaround
The device model in question is only enabled when booting guests with a
firmware image such as the UEFI images from the bhyve-firmware package.
Guests booted using bhyveload(8) or grub2-bhyve are not affected. Guests
using operating systems supported by bhyveload(8) or grub2-bhyve can be
booted using these tools as a workaround.
No workaround is available for guest operating systems such as Windows that
require a firmware image.
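
Added example, not part of the advisory: a sh check that combines the corrected patch level from the header (11.2-RELEASE-p6) with the firmware-boot condition described above to decide what each guest needs. It assumes the version string comes from `freebsd-version -u`, that firmware guests are started with bhyve's `-l bootrom,<image>` option, and that only the releng/11.2 branch is evaluated; the function names and sample paths are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.

# needs_update VERSION
# VERSION is the userland version as printed by `freebsd-version -u`.
# Returns 0 if it is an 11.2-RELEASE userland below the corrected level
# 11.2-RELEASE-p6, 1 if it is at or above it, 2 for any other branch
# (compare those against the advisory's "Corrected" field by hand).
needs_update() {
    case "$1" in
        11.2-RELEASE)    return 0 ;;           # no patches applied at all
        11.2-RELEASE-p*) level=${1##*-p} ;;
        *)               return 2 ;;
    esac
    case "$level" in ''|*[!0-9]*) return 2 ;; esac
    [ "$level" -lt 6 ]
}

# boots_with_firmware ARGS...
# ARGS is one guest's bhyve(8) argument list. Returns 0 if it loads a
# firmware image via "-l bootrom,<image>" (assumed launch style).
boots_with_firmware() {
    prev=
    for arg in "$@"; do
        case "$prev $arg" in "-l bootrom,"*) return 0 ;; esac
        case "$arg" in -lbootrom,*) return 0 ;; esac
        prev=$arg
    done
    return 1
}

# assess VERSION ARGS... : print the action for one guest on this host.
assess() {
    ver=$1; shift
    boots_with_firmware "$@" || { echo "not-exposed"; return 0; }
    rc=0; needs_update "$ver" || rc=$?
    case "$rc" in
        0) echo "update-host-then-restart-guest" ;;
        1) echo "restart-guest-if-started-before-update" ;;
        *) echo "check-branch-against-advisory" ;;
    esac
}

# Constructed sample: an unpatched host and a UEFI-booted guest.
assess 11.2-RELEASE-p5 -c 2 -m 2G -s 31,lpc \
    -l bootrom,/constructed/path/BHYVE_UEFI.fd guest0
```
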
V. Solution
Perform one of the following:
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterward, restart guests using firmware images.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.