A recent vulnerability was discovered in the emulation of Intel e100 network adapters in bhyve, a FreeBSD-based hypervisor. This vulnerability, [CVE-2022-23087](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23087), allows a bhyve guest to overwrite memory in the bhyve process on the host, leading to possible code execution within the host's context. This post aims to provide an overview of the vulnerability, details of the exploit, and pointers to the original references for a comprehensive understanding of the issue.

Background

e100 network adapters support various modifications to an Ethernet packet during transmission. Some of these modifications include the insertion of IP and TCP checksums, the addition of an Ethernet VLAN header, and TCP segmentation offload (TSO).

In bhyve, the e100 device model uses an on-stack buffer to emulate these modified packet headers while transmitting the packets. During this emulation, the bhyve process runs within a Capsicum sandbox. The sandbox limits the impact of a successful exploit, to a degree that depends on factors like the FreeBSD version and the bhyve configuration.

Vulnerability Details

CVE-2022-23087 exposes a flaw in the checksum offload process in the e100 device model. When a bhyve guest requests checksum offload for a packet, the e100 device model uses a guest-provided value as the checksum offset in the aforementioned on-stack buffer. However, the offset is not validated for certain packet types.

A misbehaving bhyve guest can take advantage of this missing validation to overwrite memory in the bhyve process on the host. Consequently, the exploitation can potentially lead to code execution in the host's context.

Exploit Details

A successful exploit would involve a bhyve guest supplying an out-of-range offset value to the e100 device model during the checksum offload process. Code snippet showcasing the vulnerability:

// e100_emul_freebsd.c
static int
e82545_txd_checksum(struct e82545_softc *sc, struct e82545_tx_desc *txd,
    bool *csum)
{
    // Details omitted...

    // sc->tx_fields.encap comes from the guest's transmit descriptor and is
    // used as an offset into the on-stack header buffer without a bounds check.
    for (i = 0; i < (txd->upper.data_popts & TD_POPTS_IXSM); i++) {
        sum += (uint16_t)~mbuf16(m, sc->tx_fields.encap + i * 2);
    }

    // Details omitted...
}

In this scenario, the sc->tx_fields.encap variable holds the guest-provided offset value, which is not validated. By supplying an out-of-range offset, a guest can overwrite the host's memory, which can ultimately lead to code execution on the host side.
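The defensive counterpart to the pattern above, as an added illustration that is not bhyve's code: the guest-supplied checksum offset is checked against the length of the header copy before the two checksum bytes are written. The buffer size HDR_BUF_LEN, the function names and the RFC 1071 sample header are all constructed for this example.

```c
/* Added example, not bhyve's own code: bounds-check a guest-controlled
 * checksum offset before writing into a fixed-size header buffer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HDR_BUF_LEN 128   /* constructed size of the on-stack header copy */

/* RFC 1071 one's-complement checksum over hdr[0..len). */
static uint16_t ones_complement_sum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* A 2-byte field at 'off' must lie entirely inside the hdrlen valid bytes,
 * and hdrlen itself must never exceed the backing buffer. */
static bool csum_offset_ok(size_t hdrlen, uint16_t off)
{
    return hdrlen <= HDR_BUF_LEN && (size_t)off + 2 <= hdrlen;
}

/* Insert the checksum at a guest-controlled offset; refuse instead of
 * writing past the buffer when the offset is out of range. */
static bool insert_csum(uint8_t *hdr, size_t hdrlen, uint16_t off)
{
    if (!csum_offset_ok(hdrlen, off))
        return false;   /* guest asked to write outside the header copy */
    uint16_t csum = ones_complement_sum(hdr, hdrlen);
    hdr[off] = (uint8_t)(csum >> 8);
    hdr[off + 1] = (uint8_t)csum;
    return true;
}

/* Constructed RFC 1071 sample header: a valid offset (6) is accepted and the
 * inserted word is returned; -1 signals a wrongly rejected offset. */
static int demo_insert(void)
{
    uint8_t hdr[HDR_BUF_LEN] = { 0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7 };
    if (!insert_csum(hdr, 8, 6))
        return -1;
    return hdr[6] << 8 | hdr[7];
}

/* Offsets that would spill past the 8 valid bytes are all rejected. */
static bool demo_reject(void)
{
    uint8_t hdr[HDR_BUF_LEN] = { 0 };
    return !insert_csum(hdr, 8, 7) && !insert_csum(hdr, 8, 0xffff) &&
           !insert_csum(hdr, HDR_BUF_LEN + 1, 0);
}
```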

For a complete understanding of the vulnerability, we recommend exploring the following references:

1. CVE-2022-23087 - Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23087
2. FreeBSD Security Advisory SA-22:04 - e100(4) device models
3. bhyve - FreeBSD Hypervisor

Conclusion

CVE-2022-23087 demonstrates a significant vulnerability in the e100 network adapters' emulation within the bhyve process. By exploiting this issue, a malicious guest can overwrite the host's memory, potentially leading to code execution. It is essential to apply patches and security updates to secure the host environment against such vulnerabilities.

The impact of this exploit can be mitigated to some extent by using the Capsicum sandbox while running the bhyve process. However, staying vigilant about updates and understanding the security implications of the technologies being used is paramount in ensuring a secure virtualization environment.

Timeline

Published on: 02/15/2024 05:15:09 UTC
Last modified on: 05/14/2024 10:18:03 UTC