bhyve(8) privileged guest escape via USB controller
Description
Insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap with data controlled by the caller.
Malicious privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds write in FreeBSD bhyve's USB XHCI emulation allows a privileged guest attacker to execute code on the host.
Vulnerability
Insufficient boundary validation in the USB code of the bhyve hypervisor, specifically in its emulation of the XHCI (USB 3.0) controller, leads to an out-of-bounds write on the heap with attacker-controlled data. This affects all supported versions of FreeBSD (stable/14, releng/14.1, releng/14.0, stable/13, releng/13.4, releng/13.3) when an XHCI device is exposed to the guest via bhyve's -s slot,xhci,... option [1].
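The bug class named above, a request handler that copies guest-controlled data into a heap buffer after an incomplete bounds check, beside a corrected handler, as an added example. This is not bhyve's XHCI code and not the advisory's fix; the struct, field and function names (emu_dev, guest_req, handle_req_vulnerable, handle_req_fixed) and the crafted request are hypothetical and constructed for the demonstration. The buffer and a guard region are carved from one allocation so the overflow stays observable rather than undefined.

```c
/*
 * Added example (not bhyve's code): an emulated-device request handler that
 * writes guest-controlled data into a heap buffer. The vulnerable variant checks
 * only the length; the fixed variant checks offset and length together.
 * All names here are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_SIZE 16      /* stands in for whatever follows the buffer on the heap */
#define GUARD_BYTE 0xAA

struct emu_dev {
    uint8_t *buf;          /* heap buffer the guest may write into */
    size_t   buf_size;
    uint8_t *guard;        /* memory right after buf, makes a spill visible */
};

/* Request decoded from guest memory: offset and len are untrusted. */
struct guest_req {
    uint32_t       offset;
    uint32_t       len;
    const uint8_t *data;
};

struct emu_dev *emu_dev_new(size_t size)
{
    struct emu_dev *d = calloc(1, sizeof *d);
    if (d == NULL)
        return NULL;
    /* buf and guard share one allocation so an overflow of up to GUARD_SIZE
     * bytes stays inside it: observable here, not undefined behaviour */
    d->buf = calloc(size + GUARD_SIZE, 1);
    if (d->buf == NULL) {
        free(d);
        return NULL;
    }
    d->buf_size = size;
    d->guard = d->buf + size;
    memset(d->guard, GUARD_BYTE, GUARD_SIZE);
    return d;
}

void emu_dev_free(struct emu_dev *d)
{
    if (d != NULL) {
        free(d->buf);
        free(d);
    }
}

/* 1 if nothing was written past the end of buf */
int emu_dev_guard_intact(const struct emu_dev *d)
{
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (d->guard[i] != GUARD_BYTE)
            return 0;
    return 1;
}

/* Vulnerable: len is checked against the buffer size but offset is not, so
 * offset + len can run past the end of buf. 0 on success, -1 if rejected. */
int handle_req_vulnerable(struct emu_dev *d, const struct guest_req *req)
{
    if (req->len > d->buf_size)
        return -1;
    memcpy(d->buf + req->offset, req->data, req->len);
    return 0;
}

/* Fixed: validate offset first, then len against the remaining space, without
 * ever computing offset + len (which could wrap in 32 bits). */
int handle_req_fixed(struct emu_dev *d, const struct guest_req *req)
{
    if (req->offset > d->buf_size || req->len > d->buf_size - req->offset)
        return -1;
    memcpy(d->buf + req->offset, req->data, req->len);
    return 0;
}

/* Run one handler against a 64-byte buffer with a request constructed for the
 * example. Returns 1 if the request was accepted, 0 if rejected, -1 on alloc
 * failure; *guard_hit reports whether bytes landed past the buffer. */
static int run_req(int (*handler)(struct emu_dev *, const struct guest_req *),
                   uint32_t offset, uint32_t len, int *guard_hit)
{
    uint8_t payload[16];
    memset(payload, 0x41, sizeof payload);
    struct guest_req req = { .offset = offset, .len = len, .data = payload };
    struct emu_dev *d = emu_dev_new(64);
    if (d == NULL)
        return -1;
    int accepted = (handler(d, &req) == 0);
    *guard_hit = !emu_dev_guard_intact(d);
    emu_dev_free(d);
    return accepted;
}

/* Crafted request: 16 bytes at offset 60 of a 64-byte buffer. len passes the
 * vulnerable check (16 <= 64) and 12 bytes spill past the end. */
int crafted_req_corrupts_heap_vulnerable(void)
{
    int hit;
    return run_req(handle_req_vulnerable, 60, 16, &hit) == 1 && hit == 1;
}

/* Same request against the fixed handler: rejected, nothing spilled. */
int crafted_req_rejected_fixed(void)
{
    int hit;
    return run_req(handle_req_fixed, 60, 16, &hit) == 0 && hit == 0;
}

/* A near-wrapping offset (0xFFFFFFF0 + 0x20 wraps to 0x10 in 32 bits) must
 * still be rejected by the fixed handler. */
int wrapping_req_rejected_fixed(void)
{
    int hit;
    return run_req(handle_req_fixed, 0xFFFFFFF0u, 0x20, &hit) == 0 && hit == 0;
}

/* An in-bounds request (16 bytes at offset 48) is still accepted after the fix. */
int in_bounds_req_accepted_fixed(void)
{
    int hit;
    return run_req(handle_req_fixed, 48, 16, &hit) == 1 && hit == 0;
}

int main(void)
{
    printf("vulnerable handler, crafted request corrupts heap: %d\n",
           crafted_req_corrupts_heap_vulnerable());
    printf("fixed handler, crafted request rejected:           %d\n",
           crafted_req_rejected_fixed());
    printf("fixed handler, wrapping request rejected:          %d\n",
           wrapping_req_rejected_fixed());
    printf("fixed handler, in-bounds request accepted:         %d\n",
           in_bounds_req_accepted_fixed());
    return 0;
}
```

The point of the fixed check is that every field the guest can influence is validated against the buffer it indexes, and the comparison is arranged so that no intermediate sum can wrap; a check written as `offset + len <= buf_size` with 32-bit operands would accept the wrapping request.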
Exploitation
Malicious privileged software running inside a guest VM (for example, code running as root in the guest) can exploit the vulnerability by sending crafted USB requests to the emulated XHCI controller. No user interaction on the host is required. The attacker must be able to execute code in the guest with sufficient privileges to drive the virtual USB device [1].
Impact
Successful exploitation gives the attacker code execution on the host within the bhyve userspace process, which typically runs as root. bhyve is, however, confined by a Capsicum sandbox, so the attacker is limited to the capabilities (file descriptors and the rights on them) that the bhyve process holds. This is a guest-to-host escape; whether it can be extended to full host compromise depends on what the sandboxed process can still reach [1].
Mitigation
FreeBSD released fixes on 2024-09-04. The corrected versions are 14.1-RELEASE-p4, 14.0-RELEASE-p10, 13.4-RC2-p1 and 13.3-RELEASE-p6, plus the corresponding stable branches (stable/14, stable/13). There is no workaround other than not exposing the XHCI device to the guest. Because the fix is in the bhyve userland binary, confirm the patch level with freebsd-version -u rather than uname -r (which reports only the kernel), and restart running VMs after updating so they pick up the patched bhyve. The vulnerability was not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References
1. https://security.freebsd.org/advisories/FreeBSD-SA-24:12.bhyve.asc (vendor advisory, via MITRE)