svn commit: r525917 - head/security/vuxml
Conrad Meyer
cem at FreeBSD.org
Wed Feb 12 16:18:47 UTC 2020
Author: cem (src committer)
Date: Wed Feb 12 16:18:45 2020
New Revision: 525917
URL: https://svnweb.freebsd.org/changeset/ports/525917
Log:
security/vuxml: Document sysutils/grub2-bhyve escalations
Mitigated in r525916.
admbugs: 948
Reported by: Reno Robert <renorobert AT gmail.com>
Approved by: bapt
MFH: 2020Q1 (bapt)
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Wed Feb 12 15:32:31 2020 (r525916)
+++ head/security/vuxml/vuln.xml Wed Feb 12 16:18:45 2020 (r525917)
@@ -58,6 +58,68 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="9d6a48a7-4dad-11ea-8a1d-7085c25400ea">
+ <topic>grub2-bhyve -- multiple privilege escalations</topic>
+ <affects>
+ <package>
+ <name>grub2-bhyve</name>
+ <range><lt>0.40_8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Reno Robert reports:</p>
+ <!-- No public blog entry yet but I'm sure he'll publish one soon. -->
+ <blockquote cite="https://www.voidsecurity.in/">
+ <p>FreeBSD uses a two-process model for running a VM. For booting non-FreeBSD
+ guests, a modified grub-emu is used (grub-bhyve). Grub-bhyve executes command
+ from guest grub.cfg file. This is a security problem because grub was never
+ written to handle inputs from OS as untrusted. In the current design, grub
+ and guest OS works across trust boundaries. This exposes a grub to untrusted
+ inputs from guest.
+ </p>
+ <p>grub-bhyve (emu) is built without SDL graphics support which reduces lot of
+ gfx attack surface, however font loading code is still accessible. Guest can
+ provide arbitrary font file, which is parsed by grub-bhyve running as root.
+ </p>
+ <p>In grub-core/font/font.c, <code>read_section_as_string()</code> allocates
+ <code>section->length + 1</code> bytes of memory. However, untrusted
+ <code>section->length</code> is an unsigned 32-bit number, and the result can
+ overflow to <code>malloc(0)</code>. This can result in a controlled buffer
+ overflow via the 'loadfont' command in a guest VM grub2.cfg, eventually leading
+ to privilege escalation from guest to host.
+ </p>
+ </blockquote>
+ <p>Reno Robert also reports:</p>
+ <!-- No public blog entry yet but I'm sure he'll publish one soon. -->
+ <blockquote cite="https://www.voidsecurity.in/">
+ <p>GRUB supports commands to read and write addresses of choice. In
+ grub-bhyve, these commands provide a way to write to arbitrary virtual
+ addresses within the grub-bhyve process. This is another way for a guest
+ grub2.cfg, run by the host, to eventually escalate privileges.
+ </p>
+ </blockquote>
+ <p>These vulnerabilities are mitigated by disabling the 'loadfont', 'write_dword',
+ 'read_dword', 'inl', 'outl', and other width variants of the same functionality in
+ grub2-bhyve.
+ </p>
+ <p>There is also work in progress to sandbox the grub-bhyve utility such that
+ an escaped guest ends up with nobody:nobody in a Capsium sandbox. It is not
+ included in 0.40_8.
+ </p>
+ </body>
+ </description>
+ <references>
+ <!-- No public blog entry yet but I'm sure he'll publish one soon. -->
+ <url>https://www.voidsecurity.in/</url>
+ </references>
+ <dates>
+ <!-- memrw was reported 2020-02-10 or 2020-02-11, but the earliest report is: -->
+ <discovery>2019-12-09</discovery>
+ <entry>2020-02-12</entry>
+ </dates>
+ </vuln>
+
<vuln vid="00f30cba-4d23-11ea-86ba-641c67a117d8">
<topic>libexif -- privilege escalation</topic>
<affects>
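Review bot: the `<references>` block at the end of this entry carries only the site root `https://www.voidsecurity.in/` with a "No public blog entry yet" comment (repeated three times in the hunk), so readers of the advisory get no pointer to the actual fix; since the log message names the mitigation commit r525916, consider adding it as a second `<url>` (the svnweb changeset link for ports/525916) so the entry has at least one concrete reference until the write-up is published. Also, "Capsium sandbox" in the last description paragraph looks like a typo for "Capsicum".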