FKIE_CVE-2024-43110

Vulnerability from fkie_nvd - Published: 2024-09-05 05:15 - Updated: 2025-11-04 17:16
Severity ?
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
References
secteam@freebsd.orghttps://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.ascVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240920-0010/
Impacted products
Vendor Product Version
freebsd freebsd *
freebsd freebsd 13.3
freebsd freebsd 13.3
freebsd freebsd 13.3
freebsd freebsd 13.3
freebsd freebsd 13.3
freebsd freebsd 13.3
freebsd freebsd 13.4
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.0
freebsd freebsd 14.1
freebsd freebsd 14.1
freebsd freebsd 14.1
freebsd freebsd 14.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E82CE719-C11D-4C34-BDF9-5AA704884289",
              "versionEndExcluding": "13.3",
              "versionStartIncluding": "13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*",
              "matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*",
              "matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*",
              "matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*",
              "matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*",
              "matchCriteriaId": "45B0589E-2E7D-4516-A8A0-88F30038EAB0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*",
              "matchCriteriaId": "C5CD8EF6-B119-488F-A278-8E9740E3E482",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "2F52349C-6051-4CB9-8659-763A22C31640",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*",
              "matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*",
              "matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*",
              "matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*",
              "matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*",
              "matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*",
              "matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*",
              "matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*",
              "matchCriteriaId": "D59CFDD3-AEC3-43F1-A620-0B1F0BAD9048",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*",
              "matchCriteriaId": "44B8A489-6314-460D-90DA-AFB54298C8E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*",
              "matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*",
              "matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*",
              "matchCriteriaId": "D4DFA201-27D5-4C01-B90F-E24778943C3B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*",
              "matchCriteriaId": "01DD321B-E5E2-49F7-86A1-D40B13E257C7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root.  Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.  A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n ctl_request_sense podr\u00eda exponer hasta tres bytes del mont\u00f3n del n\u00facleo al espacio de usuario. El software malintencionado que se ejecuta en una m\u00e1quina virtual invitada que expone virtio_scsi puede explotar las vulnerabilidades para lograr la ejecuci\u00f3n de c\u00f3digo en el host en el proceso de espacio de usuario bhyve, que normalmente se ejecuta como ra\u00edz. Tenga en cuenta que bhyve se ejecuta en un entorno aislado de Capsicum, por lo que el c\u00f3digo malintencionado est\u00e1 limitado por las capacidades disponibles para el proceso bhyve. Un iniciador iSCSI malintencionado podr\u00eda lograr la ejecuci\u00f3n remota de c\u00f3digo en el host de destino iSCSI."
    }
  ],
  "id": "CVE-2024-43110",
  "lastModified": "2025-11-04T17:16:05.300",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-09-05T05:15:13.757",
  "references": [
    {
      "source": "secteam@freebsd.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20240920-0010/"
    }
  ],
  "sourceIdentifier": "secteam@freebsd.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "secteam@freebsd.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.