FreeBSD : grub2-bhyve -- multiple privilege escalations (9d6a48a7-4dad-11ea-8a1d-7085c25400ea)

high Nessus Plugin ID 133662


Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Reno Robert reports:

FreeBSD uses a two-process model for running a VM. For booting non-FreeBSD guests, a modified grub-emu is used (grub-bhyve).
Grub-bhyve executes commands from the guest grub.cfg file. This is a security problem because grub was never written to handle inputs from the OS as untrusted. In the current design, grub and the guest OS work across trust boundaries. This exposes grub to untrusted inputs from the guest.

grub-bhyve (emu) is built without SDL graphics support, which reduces a lot of the gfx attack surface; however, the font loading code is still accessible. A guest can provide an arbitrary font file, which is parsed by grub-bhyve running as root.

In grub-core/font/font.c, read_section_as_string() allocates section->length + 1 bytes of memory. However, the untrusted section->length is an unsigned 32-bit number, and the result can overflow to malloc(0). This can result in a controlled buffer overflow via the 'loadfont' command in a guest VM grub2.cfg, eventually leading to privilege escalation from guest to host.

Reno Robert also reports:

GRUB supports commands to read and write addresses of choice. In grub-bhyve, these commands provide a way to write to arbitrary virtual addresses within the grub-bhyve process. This is another way for a guest grub2.cfg, run by the host, to eventually escalate privileges.

These vulnerabilities are mitigated by disabling the 'loadfont', 'write_dword', 'read_dword', 'inl', 'outl', and other width variants of the same functionality in grub2-bhyve.

There is also work in progress to sandbox the grub-bhyve utility such that an escaped guest ends up as nobody:nobody in a Capsicum sandbox. It is not included in 0.40_8.
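As an added illustration (not code from the advisory or from grub itself), the length arithmetic the first report describes: a 32-bit untrusted section length plus one wraps to zero, so the allocation becomes malloc(0) while the caller still copies the full length. Beside it is a hardened reader that rejects the wrap and any declared length larger than the file actually contains. The section byte layout (4-byte big-endian length followed by payload) and all function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the reported pattern: the 32-bit length plus one is computed in
 * 32-bit arithmetic, so 0xFFFFFFFF + 1 wraps to 0. Kept for illustration. */
uint32_t vulnerable_alloc_size(uint32_t length)
{
    return length + 1;               /* wraps: 0xFFFFFFFF + 1 == 0 */
}

/* Hardened reader over a constructed in-memory "font file" (assumed layout:
 * 4-byte big-endian length, then 'length' payload bytes). Rejects the wrap
 * and any length beyond the bytes present, then copies and NUL-terminates.
 * Returns a malloc'd string, or NULL on any inconsistency. */
char *safe_read_section_as_string(const uint8_t *file, size_t file_len)
{
    if (file_len < 4)
        return NULL;
    uint32_t length = ((uint32_t)file[0] << 24) | ((uint32_t)file[1] << 16) |
                      ((uint32_t)file[2] << 8)  |  (uint32_t)file[3];
    if (length == UINT32_MAX)        /* length + 1 would overflow */
        return NULL;
    if (length > file_len - 4)       /* declared length exceeds file data */
        return NULL;
    char *str = malloc((size_t)length + 1);  /* computed in size_t: no wrap */
    if (!str)
        return NULL;
    memcpy(str, file + 4, length);
    str[length] = '\0';
    return str;
}

/* Helper: 1 if the section reads back exactly as 'expect', else 0. */
int section_reads_as(const uint8_t *file, size_t file_len, const char *expect)
{
    char *s = safe_read_section_as_string(file, file_len);
    int ok = (s != NULL && strcmp(s, expect) == 0);
    free(s);
    return ok;
}

/* Helper: 1 if the hardened reader refuses the section, else 0. */
int section_rejected(const uint8_t *file, size_t file_len)
{
    char *s = safe_read_section_as_string(file, file_len);
    int rejected = (s == NULL);
    free(s);
    return rejected;
}
```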

Solution

Update the affected package.

See Also

https://www.voidsecurity.in/

http://www.nessus.org/u?50702284

Plugin Details

Severity: High

ID: 133662

File Name: freebsd_pkg_9d6a48a74dad11ea8a1d7085c25400ea.nasl

Version: 1.1

Type: local

Published: 2/13/2020

Updated: 2/13/2020

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:grub2-bhyve, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2/12/2020

Vulnerability Publication Date: 12/9/2019