CVE-2024-25940

`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host.  Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to.In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image.  A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
freebsdCNA
---
---
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
freebsdfreebsd
𝑥
< 13.2
freebsdfreebsd
13.3 ≤
𝑥
< 14.0
freebsdfreebsd
13.2:p1
freebsdfreebsd
13.2:p2
freebsdfreebsd
13.2:p3
freebsdfreebsd
13.2:p4
freebsdfreebsd
13.2:p5
freebsdfreebsd
13.2:p6
freebsdfreebsd
13.2:p7
freebsdfreebsd
13.2:p8
freebsdfreebsd
13.2:p9
freebsdfreebsd
14.0:beta5
freebsdfreebsd
14.0:p1
freebsdfreebsd
14.0:p2
freebsdfreebsd
14.0:p3
freebsdfreebsd
14.0:p4
freebsdfreebsd
14.0:rc3
freebsdfreebsd
14.0:rc4-p1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://security.freebsd.org/advisories/FreeBSD-SA-24:01.bhyveload.asc
https://security.netapp.com/advisory/ntap-20240419-0004/
https://security.freebsd.org/advisories/FreeBSD-SA-24:01.bhyveload.asc
https://security.netapp.com/advisory/ntap-20240419-0004/