bhyve privileged guest escape via fwctl
Description
The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string. Malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root, mitigated by the capabilities assigned through the Capsicum sandbox available to the bhyve process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in bhyve's fwctl interface allows a privileged guest to achieve code execution on the host, affecting FreeBSD 13.1 and 13.2.
Vulnerability
The fwctl interface in bhyve, exposed when a guest is booted with the -l bootrom option (e.g., in UEFI mode), implements a state machine that processes requests from guest firmware via accesses to x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory; a bug in the state machine lets that copy run past the end of the buffer. FreeBSD 13.1 and 13.2 are affected [1].
Exploitation
An attacker with privileged access to a guest VM (i.e., code running at a guest privilege level that can issue I/O port instructions, such as the guest kernel or firmware) controls the sequence of port accesses that drives the state machine. By crafting a specific sequence, the attacker makes the copy operation exceed the allocated buffer, overflowing it [1]. The attack requires the guest to have been started with the -l bootrom option, which is what exposes the fwctl interface.
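The two sections above describe the bug class but not the code. The following is an added example written for this page, not bhyve's fwctl implementation: a hypothetical state machine that receives a guest-declared length and then the string bytes through 32-bit port writes, first trusting the guest's count (the overflow) and then bounding every store by the host buffer size (the fix). The states, the 16-byte buffer, the byte packing, the simulated port writes and the canary word behind the buffer are all assumptions made for illustration; the real fwctl protocol and its fix are only in the FreeBSD sources and the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of a guest-driven state machine that collects a
 * string from 32-bit I/O port writes, written for this page to show the
 * bug class. It is NOT bhyve's fwctl code: states, buffer size, byte
 * packing and the canary layout are assumptions.
 */

#define REQ_STR_MAX 16          /* host-side buffer for the guest string */
#define CANARY      0xDEADBEEFu /* stands in for whatever follows the buffer */

enum state { ST_LEN, ST_DATA, ST_DONE, ST_ERROR };

struct fwreq {
    enum state st;
    uint32_t   len;   /* total string bytes the guest announced */
    uint32_t   got;   /* bytes stored so far */
    /*
     * One contiguous region modelling host process memory: the string
     * buffer at offset 0, the canary right behind it, then slack so the
     * demonstration's overflow stays inside this object (well-defined).
     */
    unsigned char mem[REQ_STR_MAX + sizeof(uint32_t) + 64];
};

static void req_init(struct fwreq *r)
{
    uint32_t c = CANARY;
    memset(r, 0, sizeof(*r));
    r->st = ST_LEN;
    memcpy(r->mem + REQ_STR_MAX, &c, sizeof c);
}

static uint32_t canary_read(const struct fwreq *r)
{
    uint32_t c;
    memcpy(&c, r->mem + REQ_STR_MAX, sizeof c);
    return c;
}

/* Vulnerable: the byte count comes from the guest and is never compared
 * with REQ_STR_MAX, so ST_DATA keeps storing past the end of the buffer. */
static void port_write_vuln(struct fwreq *r, uint32_t val)
{
    switch (r->st) {
    case ST_LEN:
        r->len = val;                       /* unchecked guest length */
        r->got = 0;
        r->st = r->len ? ST_DATA : ST_DONE;
        break;
    case ST_DATA:
        for (int i = 0; i < 4 && r->got < r->len; i++)
            r->mem[r->got++] = (unsigned char)(val >> (8 * i));
        if (r->got >= r->len)
            r->st = ST_DONE;
        break;
    default:
        break;                              /* DONE/ERROR: ignore writes */
    }
}

/* Hardened: refuse a length that cannot fit (with room for a NUL) and bound
 * every store by the buffer size, not by the guest-controlled count. */
static void port_write_fixed(struct fwreq *r, uint32_t val)
{
    switch (r->st) {
    case ST_LEN:
        if (val >= REQ_STR_MAX) {           /* cannot fit: fail closed */
            r->st = ST_ERROR;
            break;
        }
        r->len = val;
        r->got = 0;
        r->st = r->len ? ST_DATA : ST_DONE;
        break;
    case ST_DATA:
        for (int i = 0; i < 4 && r->got < r->len; i++) {
            if (r->got >= REQ_STR_MAX - 1) { /* never rely on len alone */
                r->st = ST_ERROR;
                return;
            }
            r->mem[r->got++] = (unsigned char)(val >> (8 * i));
        }
        if (r->got >= r->len) {
            r->mem[r->got] = '\0';
            r->st = ST_DONE;
        }
        break;
    default:
        break;
    }
}

/* Simulated guest: announce `len` bytes, then stream that many 'A's, four
 * per port write. `len` is capped so even the vulnerable path stays in `mem`. */
static void drive(void (*handler)(struct fwreq *, uint32_t), uint32_t len, struct fwreq *r)
{
    req_init(r);
    if (len > sizeof r->mem)
        return;
    handler(r, len);
    for (uint32_t sent = 0; sent < len && r->st == ST_DATA; sent += 4)
        handler(r, 0x41414141u);
}

/* 1 if the word behind the buffer survived the request, 0 if it was clobbered. */
static int canary_survives(void (*handler)(struct fwreq *, uint32_t), uint32_t len)
{
    struct fwreq r;
    drive(handler, len, &r);
    return canary_read(&r) == CANARY;
}

static enum state final_state(void (*handler)(struct fwreq *, uint32_t), uint32_t len)
{
    struct fwreq r;
    drive(handler, len, &r);
    return r.st;
}

int main(void)
{
    printf("vulnerable, len=24: canary %s\n",
           canary_survives(port_write_vuln, 24) ? "intact" : "clobbered");
    printf("fixed, len=24: canary %s, state %d\n",
           canary_survives(port_write_fixed, 24) ? "intact" : "clobbered",
           (int)final_state(port_write_fixed, 24));
    return 0;
}
```

The hardened handler checks twice on purpose: rejecting an oversized length at ST_LEN is the obvious fix, but bounding each store by REQ_STR_MAX as well means a later change to the state machine (another state that resets `got`, or a second length field) cannot reintroduce the overflow.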
Impact
Successful exploitation gives the attacker code execution on the host inside the bhyve userspace process, which typically runs as root. That process is, however, confined by the Capsicum sandbox, which limits the capabilities available to the compromised process [1]. Whether this leads to further host compromise depends on what the sandbox still permits and on kernel mitigations.
Mitigation
FreeBSD has released patches for CVE-2023-3494: the fix is in stable/13 (13.2-STABLE), 13.2-RELEASE-p2 and 13.1-RELEASE-p9. Users should upgrade to a patched version. No workaround is available, but bhyve guests running without the -l bootrom option are not affected [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.