CVE-2024-42416

Summary
Assigner: freebsd
Assigner Org ID: 63664ac6-956c-4cba-a5d0-f46076e16109
Published At: 05 Sep, 2024 | 04:31
Updated At: 05 Sep, 2024 | 13:12

Multiple issues in ctl(4) CAM Target Layer

The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel heap memory. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.

CVE Numbering Authority (CNA)
Affected Products
Vendor: FreeBSD Foundation / FreeBSD
Product: FreeBSD
Modules:
  • ctl
Default Status: unknown
Versions (affected):
  • From 14.1-RELEASE before p4 (release)
  • From 14.0-RELEASE before p10 (release)
  • From 13.3-RELEASE before p6 (release)
Problem Types
  • CWE-790: Improper Filtering of Special Elements
  • CWE-823: Use of Out-of-range Pointer Offset
Credits
  • Finder: Synacktiv
  • Sponsor: The FreeBSD Foundation
  • Sponsor: The Alpha-Omega Project
References
  • https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc (vendor-advisory)
Authorized Data Publishers (ADP): CISA ADP Vulnrichment
Affected Products
Vendor: FreeBSD Foundation / freebsd
Product: freebsd
CPEs:
  • cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*
Default Status: unknown
Versions (affected):
  • From 14.1 before 14.1_p4 (custom)
  • From 14.0 before 14.0_p10 (custom)
  • From 13.3 before 13.3_p6 (custom)
Metrics
Version: 3.1
Base score: 8.4
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
National Vulnerability Database (NVD), nvd.nist.gov
Source: secteam@freebsd.org
Published At: 05 Sep, 2024 | 05:15
Updated At: 05 Sep, 2024 | 21:25


CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.4
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches (vendor: FreeBSD Foundation, product: freebsd)
  • cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:* (versions from 13.0 inclusive to 13.3 exclusive)
  • cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*
  • cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*
Weaknesses
  • CWE-1284 (Type: Primary, Source: nvd@nist.gov)
  • CWE-790 (Type: Secondary, Source: secteam@freebsd.org)
  • CWE-823 (Type: Secondary, Source: secteam@freebsd.org)
References
  • https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc (Source: secteam@freebsd.org, Resource: Vendor Advisory)
