CVE-2020-24718
First published: Fri Sep 25 2020(Updated: )
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeBSD FreeBSD | <=11.2 | |
| FreeBSD FreeBSD | =11.3 | |
| FreeBSD FreeBSD | =11.3-p1 | |
| FreeBSD FreeBSD | =11.3-p10 | |
| FreeBSD FreeBSD | =11.3-p11 | |
| FreeBSD FreeBSD | =11.3-p12 | |
| FreeBSD FreeBSD | =11.3-p13 | |
| FreeBSD FreeBSD | =11.3-p2 | |
| FreeBSD FreeBSD | =11.3-p3 | |
| FreeBSD FreeBSD | =11.3-p4 | |
| FreeBSD FreeBSD | =11.3-p5 | |
| FreeBSD FreeBSD | =11.3-p6 | |
| FreeBSD FreeBSD | =11.3-p7 | |
| FreeBSD FreeBSD | =11.3-p8 | |
| FreeBSD FreeBSD | =11.3-p9 | |
| FreeBSD FreeBSD | =11.3-rc3 | |
| FreeBSD FreeBSD | =11.4 | |
| FreeBSD FreeBSD | =11.4-beta1 | |
| FreeBSD FreeBSD | =11.4-p1 | |
| FreeBSD FreeBSD | =11.4-p2 | |
| FreeBSD FreeBSD | =11.4-p3 | |
| FreeBSD FreeBSD | =11.4-rc1 | |
| FreeBSD FreeBSD | =11.4-rc2 | |
| FreeBSD FreeBSD | =12.0 | |
| FreeBSD FreeBSD | =12.0-p1 | |
| FreeBSD FreeBSD | =12.0-p10 | |
| FreeBSD FreeBSD | =12.0-p11 | |
| FreeBSD FreeBSD | =12.0-p12 | |
| FreeBSD FreeBSD | =12.0-p2 | |
| FreeBSD FreeBSD | =12.0-p3 | |
| FreeBSD FreeBSD | =12.0-p4 | |
| FreeBSD FreeBSD | =12.0-p5 | |
| FreeBSD FreeBSD | =12.0-p6 | |
| FreeBSD FreeBSD | =12.0-p7 | |
| FreeBSD FreeBSD | =12.0-p8 | |
| FreeBSD FreeBSD | =12.0-p9 | |
| FreeBSD FreeBSD | =12.1 | |
| FreeBSD FreeBSD | =12.1-p1 | |
| FreeBSD FreeBSD | =12.1-p2 | |
| FreeBSD FreeBSD | =12.1-p3 | |
| FreeBSD FreeBSD | =12.1-p4 | |
| FreeBSD FreeBSD | =12.1-p5 | |
| FreeBSD FreeBSD | =12.1-p6 | |
| FreeBSD FreeBSD | =12.1-p7 | |
| FreeBSD FreeBSD | =12.1-p8 | |
| FreeBSD FreeBSD | =12.1-p9 | |
| Omniosce Omnios | <=r151034 | |
| Openindiana Openindiana | <=hipster_2020.04 | |
| NetApp Clustered Data ONTAP |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-24718?
CVE-2020-24718 is a vulnerability in bhyve, as used in FreeBSD through 12.1 and illumos, that allows a root user in a container on an Intel system to gain privileges by modifying VMCS_HO.
How does CVE-2020-24718 impact FreeBSD and illumos?
CVE-2020-24718 impacts FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04).
What is the severity of CVE-2020-24718?
CVE-2020-24718 has a severity rating of 8.2 (high).
How can an attacker exploit CVE-2020-24718?
An attacker can exploit CVE-2020-24718 by being a root user in a container on an Intel system and modifying VMCS_HO to gain privileges.
Where can I find more information about CVE-2020-24718?
You can find more information about CVE-2020-24718 in the references provided: [GitHub](https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249), [FreeBSD Security Advisory](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc), and [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20201016-0002/).
- collector/nvd-index
- vendor/freebsd
- canonical/freebsd freebsd
- version/freebsd freebsd/11.2
- version/freebsd freebsd/11.3
- version/freebsd freebsd/11.3-p1
- version/freebsd freebsd/11.3-p10
- version/freebsd freebsd/11.3-p11
- version/freebsd freebsd/11.3-p12
- version/freebsd freebsd/11.3-p13
- version/freebsd freebsd/11.3-p2
- version/freebsd freebsd/11.3-p3
- version/freebsd freebsd/11.3-p4
- version/freebsd freebsd/11.3-p5
- version/freebsd freebsd/11.3-p6
- version/freebsd freebsd/11.3-p7
- version/freebsd freebsd/11.3-p8
- version/freebsd freebsd/11.3-p9
- version/freebsd freebsd/11.3-rc3
- version/freebsd freebsd/11.4
- version/freebsd freebsd/11.4-beta1
- version/freebsd freebsd/11.4-p1
- version/freebsd freebsd/11.4-p2
- version/freebsd freebsd/11.4-p3
- version/freebsd freebsd/11.4-rc1
- version/freebsd freebsd/11.4-rc2
- version/freebsd freebsd/12.0
- version/freebsd freebsd/12.0-p1
- version/freebsd freebsd/12.0-p10
- version/freebsd freebsd/12.0-p11
- version/freebsd freebsd/12.0-p12
- version/freebsd freebsd/12.0-p2
- version/freebsd freebsd/12.0-p3
- version/freebsd freebsd/12.0-p4
- version/freebsd freebsd/12.0-p5
- version/freebsd freebsd/12.0-p6
- version/freebsd freebsd/12.0-p7
- version/freebsd freebsd/12.0-p8
- version/freebsd freebsd/12.0-p9
- version/freebsd freebsd/12.1
- version/freebsd freebsd/12.1-p1
- version/freebsd freebsd/12.1-p2
- version/freebsd freebsd/12.1-p3
- version/freebsd freebsd/12.1-p4
- version/freebsd freebsd/12.1-p5
- version/freebsd freebsd/12.1-p6
- version/freebsd freebsd/12.1-p7
- version/freebsd freebsd/12.1-p8
- version/freebsd freebsd/12.1-p9
- vendor/omniosce
- canonical/omniosce omnios
- version/omniosce omnios/r151034
- vendor/openindiana
- canonical/openindiana openindiana
- version/openindiana openindiana/hipster_2020.04
- vendor/netapp
- canonical/netapp clustered data ontap