CVE-2022-23092 (GCVE-0-2022-23092)
Vulnerability from cvelistv5 – Published: 2024-02-15 05:13 – Updated: 2025-02-13 16:29
VLAI?
Summary
The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.
The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox.
Severity ?
8.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
Robert Morris
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.506Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240415-0009/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "13.1-release",
"versionType": "custom"
},
{
"lessThan": "p12",
"status": "affected",
"version": "13.0-release",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-23092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-15T16:43:44.126625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T18:40:51.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"lib9p"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "13.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "13.0-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Robert Morris"
}
],
"datePublic": "2022-08-09T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The implementation of lib9p\u0027s handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.\n\nThe bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve\u0027s Capsicum sandbox."
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T15:06:21.396Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240415-0009/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing bounds check in 9p message handling",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2022-23092",
"datePublished": "2024-02-15T05:13:50.356Z",
"dateReserved": "2022-01-10T22:07:46.042Z",
"dateUpdated": "2025-02-13T16:29:03.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"The implementation of lib9p\u0027s handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.\\n\\nThe bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve\u0027s Capsicum sandbox.\"}, {\"lang\": \"es\", \"value\": \"A la implementaci\\u00f3n del manejo de mensajes RWALK por parte de lib9p le faltaba una verificaci\\u00f3n de los l\\u00edmites necesaria al descomprimir el contenido del mensaje. La verificaci\\u00f3n faltante significa que la recepci\\u00f3n de un mensaje especialmente manipulado har\\u00e1 que lib9p sobrescriba la memoria no relacionada. El error puede ser provocado por un kernel invitado de bhyve malicioso que sobrescribe la memoria en el proceso bhyve(8). Esto podr\\u00eda conducir potencialmente a la ejecuci\\u00f3n de c\\u00f3digo en modo de usuario en el host, sujeto al entorno limitado de Capsicum de bhyve.\"}]",
"id": "CVE-2022-23092",
"lastModified": "2024-11-21T06:47:58.153",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2024-02-15T06:15:45.190",
"references": "[{\"url\": \"https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc\", \"source\": \"secteam@freebsd.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240415-0009/\", \"source\": \"secteam@freebsd.org\"}, {\"url\": \"https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240415-0009/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23092\",\"sourceIdentifier\":\"secteam@freebsd.org\",\"published\":\"2024-02-15T06:15:45.190\",\"lastModified\":\"2025-06-04T22:09:43.293\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The implementation of lib9p\u0027s handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.\\n\\nThe bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve\u0027s Capsicum sandbox.\"},{\"lang\":\"es\",\"value\":\"A la implementaci\u00f3n del manejo de mensajes RWALK por parte de lib9p le faltaba una verificaci\u00f3n de los l\u00edmites necesaria al descomprimir el contenido del mensaje. La verificaci\u00f3n faltante significa que la recepci\u00f3n de un mensaje especialmente manipulado har\u00e1 que lib9p sobrescriba la memoria no relacionada. El error puede ser provocado por un kernel invitado de bhyve malicioso que sobrescribe la memoria en el proceso bhyve(8). Esto podr\u00eda conducir potencialmente a la ejecuci\u00f3n de c\u00f3digo en modo de usuario en el host, sujeto al entorno limitado de Capsicum de bhyve.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7412DBD8-BB1F-48A8-AAE1-BA5C8D7BDDF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"833DFF5B-BC50-424A-ABCF-EC632F421B76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F27016E-4117-4094-BB7A-9C56E38024D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:beta3-p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EC7326E3-908D-47A1-B848-3AA7F34B3DD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"B149BF69-951D-47B4-996C-9E4773DA75B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"04A0E266-714C-4753-A652-A51F25582C78\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p10:*:*:*:*:*:*\",\"matchCriteriaId\":\"D133E8E0-4E88-451C-9693-5DE5C3092AD2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p11:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF1A096F-EC60-4C7D-AE40-D1DDAC9D4E40\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"556111A1-C236-4DF6-9438-F9C874451A58\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"1673F16B-463A-492C-B66F-48917008F7F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"E73B211F-2CA9-47A4-B318-F24CC1C7E589\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C13DDEF-FF5F-4723-9C25-4EA66AE2CEDD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A942EA9-0DD3-44BC-B582-C680BA34E88F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"689BC10B-0404-4468-B604-9D96337F9BD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p8:*:*:*:*:*:*\",\"matchCriteriaId\":\"38DDAA43-3E9C-479F-8416-E3B9BE23C31B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:p9:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE490480-1EA1-4684-A643-9749E87A8448\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC271C93-EB83-4301-B7BA-F3249B71B1EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"04329338-AC28-4A74-BE6B-CE8EC6CC37B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADBA841F-5C83-4759-84B7-B59DA1B12EA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A8F38B3-A6DA-4178-A2BD-0D4F0267C384\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BB028A0-70F6-42DA-9E5A-F7AAF74ED45B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.0:rc5-p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"00D28E4E-022B-482E-9952-7F7F47C427C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.1:b1-p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"66364EA4-83B1-4597-8C18-D5633B361A9C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.1:b2-p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF9292DD-EFB1-4B50-A941-7485D901489F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.1:rc1-p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B536EE52-ED49-4A85-BC9D-A27828D5A961\"}]}]}],\"references\":[{\"url\":\"https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc\",\"source\":\"secteam@freebsd.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240415-0009/\",\"source\":\"secteam@freebsd.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240415-0009/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240415-0009/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T03:28:43.506Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-23092\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-15T16:43:44.126625Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*\"], \"vendor\": \"freebsd\", \"product\": \"freebsd\", \"versions\": [{\"status\": \"affected\", \"version\": \"13.1-release\", \"lessThan\": \"p1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"13.0-release\", \"lessThan\": \"p12\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-29T18:40:01.880Z\"}}], \"cna\": {\"title\": \"Missing bounds check in 9p message handling\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Robert Morris\"}], \"affected\": [{\"vendor\": \"FreeBSD\", \"modules\": [\"lib9p\"], \"product\": \"FreeBSD\", \"versions\": [{\"status\": \"affected\", \"version\": \"13.1-RELEASE\", \"lessThan\": \"p1\", \"versionType\": \"release\"}, {\"status\": \"affected\", \"version\": \"13.0-RELEASE\", \"lessThan\": \"p12\", \"versionType\": \"release\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2022-08-09T23:00:00.000Z\", \"references\": [{\"url\": \"https://security.freebsd.org/advisories/FreeBSD-SA-22:12.lib9p.asc\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240415-0009/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The implementation of lib9p\u0027s handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory.\\n\\nThe bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve\u0027s Capsicum sandbox.\"}], \"providerMetadata\": {\"orgId\": \"63664ac6-956c-4cba-a5d0-f46076e16109\", \"shortName\": \"freebsd\", \"dateUpdated\": \"2024-04-15T15:06:21.396Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-23092\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T16:29:03.221Z\", \"dateReserved\": \"2022-01-10T22:07:46.042Z\", \"assignerOrgId\": \"63664ac6-956c-4cba-a5d0-f46076e16109\", \"datePublished\": \"2024-02-15T05:13:50.356Z\", \"assignerShortName\": \"freebsd\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…