ID CVE-2016-1889
Summary Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, and 11.0, when configured with a large amount of guest memory, allows local users to gain privileges via a crafted device descriptor.
References
Vulnerable Configurations
  • FreeBSD 10.2
    cpe:2.3:o:freebsd:freebsd:10.2
  • FreeBSD 10.3
    cpe:2.3:o:freebsd:freebsd:10.3
  • FreeBSD 11.0
    cpe:2.3:o:freebsd:freebsd:11.0
  • FreeBSD 10.1
    cpe:2.3:o:freebsd:freebsd:10.1
CVSS
Base: 7.2 (as of 16-02-2017 - 09:45)
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to get it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_E722E3C6BBEE11E6B1CF14DAE9D210B8.NASL
    description The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow. Impact: For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they're running on.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95588
    published 2016-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95588
    title FreeBSD : FreeBSD -- bhyve(8) virtual machine escape (e722e3c6-bbee-11e6-b1cf-14dae9d210b8)
  • NASL family Firewalls
    NASL id PFSENSE_SA-17_03.NASL
    description According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 106503
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106503
    title pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03)
refmap via4
freebsd FreeBSD-SA-16:38
sectrack 1037400
Last major update 16-02-2017 - 09:58
Published 15-02-2017 - 10:59