CVE-2024-25940

`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to. In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://security.freebsd.org/advisories/FreeBSD-SA-24:01.bhyveload.asc
https://security.netapp.com/advisory/ntap-20240419-0004/
https://security.freebsd.org/advisories/FreeBSD-SA-24:01.bhyveload.asc
https://security.netapp.com/advisory/ntap-20240419-0004/

Configurations

No configuration.

History

No history.

Information

Published : 2024-02-15 05:15

Updated : 2024-11-21 17:15

NVD link : CVE-2024-25940

Mitre link : CVE-2024-25940

CVE.ORG link : CVE-2024-25940

JSON object : View

Products Affected

No product.

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2024-25940", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2024-02-15T05:15:11.100", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:01.bhyveload.asc", "source": "secteam@freebsd.org"}, {"url": "https://security.netapp.com/advisory/ntap-20240419-0004/", "source": "secteam@freebsd.org"}, {"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:01.bhyveload.asc", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240419-0004/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to.\u00a0In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root."}, {"lang": "es", "value": "`bhyveload -h ` se puede usar para otorgar acceso al cargador al \u00e1rbol de directorios en el host. Las versiones afectadas de bhyveload(8) no intentan restringir el acceso del cargador a , lo que le permite leer cualquier archivo al que el usuario host tenga acceso. En el modelo bhyveload(8), el host proporciona un userboot.so para arrancar, pero los scripts del cargador generalmente provienen de la imagen del invitado. Se podr\u00eda utilizar un script creado con fines malintencionados para extraer datos confidenciales del host al que puede acceder el usuario que ejecuta bhyhveload(8), que suele ser la ra\u00edz del sistema."}], "lastModified": "2024-11-21T17:15:11.910", "sourceIdentifier": "secteam@freebsd.org"}