FreeBSD Issues Critical Security Advisory for CVE-2024-41721 (CVSS 9.8)


The FreeBSD Project has issued a security advisory for a critical vulnerability in its bhyve hypervisor. Tracked as CVE-2024-41721, the flaw carries a CVSS score of 9.8. It lies in bhyve's USB emulation code and is reachable only when a guest is configured with an emulated USB 3.0 host controller (XHCI). If exploited, it could let code running inside a guest crash or take over the bhyve process on the host, so it is a guest-to-host escape for any system running a vulnerable FreeBSD release with XHCI-enabled VMs.

bhyve is FreeBSD's hypervisor for running guest operating systems inside virtual machines (VMs); device emulation, including the XHCI controller, is implemented in the bhyve(8) userspace process rather than in the kernel. The issue is insufficient boundary validation in that USB emulation code. Malicious, privileged software inside a guest can trigger an out-of-bounds read on the heap of the bhyve process, which can potentially be escalated into arbitrary writes. The consequences range from crashing the bhyve process that hosts the VM (a denial of service for that guest) to executing code on the host inside that process, which usually runs as root.

The practical concern is that an attacker only needs control of a guest VM that has an emulated XHCI controller, not any access to the host, to crash the VM's bhyve process or run code on the host. bhyve does run inside a Capsicum sandbox, which confines code executing in a compromised bhyve process to the capabilities that process already holds (its open file descriptors for disk images, network taps and so on), so the sandbox limits the blast radius; it does not prevent the exploit, and unpatched hosts remain at risk.

This vulnerability was discovered and responsibly disclosed to the FreeBSD Project by security researchers from Synacktiv.

No workaround is available for CVE-2024-41721. Guest VMs that are not configured with XHCI emulation are not affected, so until a host can be patched the exposure of a given VM can be removed by taking the emulated XHCI controller out of its configuration (in bhyve the controller is typically added to provide a USB tablet pointing device for a VNC or other graphical console, at the cost of losing that device).

The FreeBSD Project advises all users to upgrade to a patched version: 14.1-STABLE, 14.1-RELEASE-p5, 14.0-RELEASE-p11, 13.4-STABLE, 13.4-RELEASE-p1, or 13.3-RELEASE-p7. Because the fix is in the bhyve(8) userland binary, updating the host alone is not enough: every running guest that uses XHCI emulation must be restarted so that its bhyve process is relaunched from the patched binary. A host reboot is not required for this fix.
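The two questions an administrator has after reading the advisory are whether the host's userland already carries the fix and which VMs actually attach an XHCI controller. The script below is an added example, not part of the FreeBSD advisory or the bhyve source. The fixed patch levels are the ones the advisory lists; everything else is an assumption about how VMs are typically defined: a raw bhyve(8) command line with a `-s slot,xhci,...` device, a bhyve config file with a `pci.bus.slot.function.device=xhci` key, or a vm-bhyve `vm.conf` with `xhci_mouse="yes"`. The sample version strings and VM definitions are constructed for the demonstration, not captured from a real host. Note that a running bhyve process retitles itself (ps shows `bhyve: name (bhyve)`), so inspect the launch configuration rather than grepping ps output.

```shell
#!/bin/sh
# Added example (not from the FreeBSD advisory or bhyve itself):
#   1. patch_status VERSION  -> patched | vulnerable | unknown
#   2. xhci_status  TEXT     -> yes | no
# Fixed -pN levels are from the advisory; the VM definition patterns and the
# sample data below are assumptions/constructed input for the demonstration.

# Minimum -pN at which the fix is present for each -RELEASE branch named in
# the advisory. Anything else (EoL branches, -STABLE, -CURRENT) returns "".
fixed_patch_level() {
    case "$1" in
        14.1) echo 5 ;;
        14.0) echo 11 ;;
        13.4) echo 1 ;;
        13.3) echo 7 ;;
        *)    echo "" ;;
    esac
}

# VERSION is the userland version as printed by `freebsd-version -u`.
# Only -RELEASE strings carry a patch level; -STABLE/-CURRENT builds must be
# checked by commit date instead, so they (and unlisted branches) report
# "unknown" rather than guessing.
patch_status() {
    v_ver=$1
    case "$v_ver" in
        *-RELEASE)         v_level=0 ;;                  # no -pN suffix: p0
        *-RELEASE-p[0-9]*) v_level=${v_ver##*-p} ;;      # "14.1-RELEASE-p5" -> 5
        *)                 echo unknown; return 0 ;;
    esac
    v_need=$(fixed_patch_level "${v_ver%%-*}")         # "14.1-RELEASE-p5" -> 14.1
    if [ -z "$v_need" ]; then
        echo unknown
    elif [ "$v_level" -ge "$v_need" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# TEXT is one VM definition. The three patterns are assumptions about common
# launch styles:
#   -s 30,xhci,tablet          bhyve(8) command-line slot syntax
#   pci.0.30.0.device=xhci     bhyve config-file (-k) syntax
#   xhci_mouse="yes"           vm-bhyve vm.conf keyword
xhci_status() {
    if printf '%s\n' "$1" | grep -Eq \
        -e '(^|[[:space:]])-s[[:space:]]*[0-9]+(:[0-9]+){0,2},xhci([,[:space:]]|$)' \
        -e '^[[:space:]]*pci\.[0-9]+\.[0-9]+\.[0-9]+\.device=xhci[[:space:]]*$' \
        -e '^[[:space:]]*xhci_mouse="?yes"?[[:space:]]*$'
    then echo yes; else echo no; fi
}

# --- constructed sample data (not captured from a real host) ---------------
VM_WITH_XHCI='bhyve -c 2 -m 2G -H -w -s 0,hostbridge -s 3,ahci-hd,/vm/a.img -s 30,xhci,tablet -s 31,lpc -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd vm1'
VM_WITHOUT_XHCI='bhyve -c 1 -m 1G -H -w -s 0,hostbridge -s 3,virtio-blk,/vm/b.img -s 31,lpc vm2'
VMBHYVE_CONF='loader="uefi"
cpu=2
memory=2G
graphics="yes"
xhci_mouse="yes"
network0_type="virtio-net"'

report_vm() {
    printf '%-4s xhci=%s\n' "$1" "$(xhci_status "$2")"
}

main() {
    for v in 14.1-RELEASE-p3 14.1-RELEASE-p5 14.1-STABLE; do
        printf 'userland %-16s %s\n' "$v" "$(patch_status "$v")"
    done
    report_vm vm1 "$VM_WITH_XHCI"
    report_vm vm2 "$VM_WITHOUT_XHCI"
    report_vm vm3 "$VMBHYVE_CONF"
}
main
# On a real host:   patch_status "$(freebsd-version -u)"
#                   xhci_status "$(cat /path/to/vm.conf)"
```

On binary installations the fix arrives with `freebsd-update fetch` followed by `freebsd-update install`; rerun `patch_status "$(freebsd-version -u)"` afterwards, then restart every VM that `xhci_status` reports as `yes`, since those bhyve processes keep running the old binary until relaunched.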
