CVE-2020-24718
high-risk
Published 2020-09-25
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.
Do I need to act?
0.10% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.2/10 · High · LOCAL / LOW complexity
Affected Products (20)
Affected Vendors
References (6)
Third Party Advisory
https://security.netapp.com/advisory/ntap-20201016-0002/
50 / 100
high-risk
Severity: 25/34 · High
Exploitability: 0/34 · Minimal
Exposure: 25/34 · High