Multiple issues in ctl(4) CAM Target Layer
Description
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FreeBSD ctl(4) use-after-free in ctl_write_buffer: guest-to-host code execution from a bhyve VM that is exposed a virtio_scsi device backed by ctl, or remote code execution on an iSCSI target host by a malicious initiator.
Vulnerability
The ctl_write_buffer function in the FreeBSD ctl(4) CAM Target Layer, the handler for the SCSI WRITE BUFFER command, incorrectly sets a flag on the command, so that when the command finishes processing the kernel frees memory that is still in use, a kernel use-after-free (UAF) [1]. All supported versions of FreeBSD before the fixes committed on 2024-09-04 to the stable/14, releng/14.1, releng/14.0, stable/13, releng/13.4 and releng/13.3 branches are affected [1].
Exploitation
An attacker needs to deliver SCSI commands to a ctl-backed LUN: either as malicious software inside a guest VM to which bhyve exposes a virtio_scsi device, or as a malicious iSCSI initiator logged into a ctl-based target [1]. A WRITE BUFFER command handled by ctl_write_buffer arms the bug, and the use-after-free fires when that command completes. On the guest path the host-side code runs in the bhyve process, which is confined by a Capsicum sandbox, so what an exploit can do is limited to the capabilities that process holds [1].
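The advisory names only the symptom: a flag set wrongly in ctl_write_buffer, and memory freed at command completion that is still in use. The following added example, written for this page and not taken from FreeBSD's ctl sources, models that bug class in a standalone C program: a per-command I/O carries an ownership flag that tells the completion path to free the command's data buffer, and the WRITE BUFFER handler points the command at a buffer the LUN owns. The vulnerable handler sets the flag, the fixed one does not, and a tracking allocator shows which of the two leaves the LUN's buffer dangling without ever touching freed memory. The struct layouts, the flag name IO_FLAG_OWNS_DATA, the allocator and the two-command sequence are all assumptions for illustration; the real CTL structures and flag are not reproduced here.

```c
/* Added illustration of the bug class, not FreeBSD's ctl code. All names
 * are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define WRITE_BUFFER_SIZE 4096
#define IO_FLAG_OWNS_DATA 0x1   /* hypothetical: completion frees data_ptr */

/* Tracking allocator: remembers which blocks are live so a dangling pointer
 * can be recognised by address instead of by dereferencing it. */
#define MAX_LIVE 16
static void *live_blocks[MAX_LIVE];
static int n_live;

static void *tracked_malloc(size_t n)
{
    void *p = calloc(1, n);
    if (p == NULL || n_live == MAX_LIVE) {
        free(p);
        return NULL;
    }
    live_blocks[n_live++] = p;
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < n_live; i++) {
        if (live_blocks[i] == p) {
            live_blocks[i] = live_blocks[--n_live];
            free(p);
            return;
        }
    }
    abort();   /* freeing a non-live block would be a double free */
}

static bool is_live(const void *p)
{
    for (int i = 0; i < n_live; i++)
        if (live_blocks[i] == p)
            return true;
    return false;
}

struct lun {
    char *write_buffer;   /* owned by the LUN, allocated on first use */
};

struct io {
    unsigned flags;
    char *data_ptr;
    size_t data_len;
};

/* Completion path: frees the data buffer only if the command owns it.
 * A wrongly set ownership flag is what turns this into the UAF. */
static void io_complete(struct io *io)
{
    if (io->flags & IO_FLAG_OWNS_DATA)
        tracked_free(io->data_ptr);
    io->data_ptr = NULL;
    io->data_len = 0;
}

/* Shared WRITE BUFFER setup: the command's data pointer aliases memory
 * that belongs to the LUN, not to this command. */
static bool write_buffer_common(struct lun *lun, struct io *io, size_t len)
{
    if (len > WRITE_BUFFER_SIZE)
        return false;
    if (lun->write_buffer == NULL)
        lun->write_buffer = tracked_malloc(WRITE_BUFFER_SIZE);
    if (lun->write_buffer == NULL)
        return false;
    io->data_ptr = lun->write_buffer;
    io->data_len = len;
    return true;
}

/* Vulnerable handler: marks LUN-owned memory as command-owned. */
static bool write_buffer_vuln(struct lun *lun, struct io *io, size_t len)
{
    if (!write_buffer_common(lun, io, len))
        return false;
    io->flags |= IO_FLAG_OWNS_DATA;   /* the bug: not ours to free */
    return true;
}

/* Fixed handler: identical setup, ownership stays with the LUN. */
static bool write_buffer_fixed(struct lun *lun, struct io *io, size_t len)
{
    return write_buffer_common(lun, io, len);
}

/* Two WRITE BUFFER commands against one LUN. Returns true only if the
 * LUN's buffer is still live when the second command references it. */
static bool sequence_is_safe(bool (*handler)(struct lun *, struct io *, size_t))
{
    struct lun lun = { .write_buffer = NULL };
    struct io io1 = { 0 }, io2 = { 0 };
    bool safe;

    if (!handler(&lun, &io1, 512))
        return false;
    io_complete(&io1);
    /* The second command reuses lun.write_buffer without reallocating; if
     * completion freed it, data_ptr now points at freed memory. */
    if (!handler(&lun, &io2, 512))
        return false;
    safe = is_live(io2.data_ptr);
    if (safe)
        tracked_free(lun.write_buffer);   /* LUN teardown */
    return safe;
}

int main(void)
{
    printf("vulnerable handler: %s\n",
           sequence_is_safe(write_buffer_vuln) ? "safe" : "use-after-free");
    printf("fixed handler:      %s\n",
           sequence_is_safe(write_buffer_fixed) ? "safe" : "use-after-free");
    return 0;
}
```

The point the model makes is about ownership, not about the flag's value: a completion path that frees whatever the command points at is only correct if every handler that sets the ownership flag really hands over a buffer it allocated for that command alone. A handler that aliases longer-lived memory must leave the flag clear, which is the shape of the fix in the hardened variant.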
Impact
From a guest, successful exploitation yields code execution on the host inside the bhyve userspace process, which typically runs as root [1]; Capsicum bounds the damage to the capabilities that process holds, so this is host code execution under sandbox constraints rather than automatic full host compromise. From the network, a malicious iSCSI initiator can achieve remote code execution on the iSCSI target host [1].
Mitigation
Patches are available for all supported FreeBSD versions as of 2024-09-04 [1]. The fixed versions are: 14.1-RELEASE-p4, 14.0-RELEASE-p10, 13.4-RC2-p1, and 13.3-RELEASE-p6, along with the corresponding STABLE branches [1]. Users should update their systems immediately; no workaround is mentioned in the advisory.
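To tell whether a kernel is at one of the fixed patch levels listed above, the following added C check (written for this page, not part of FreeBSD or the advisory) parses the string printed by freebsd-version and compares it with a table transcribed from the page. The function name ctl_fix_status, the exit codes and the treatment of unlisted branches as "unknown" are assumptions of this example.

```c
/* Added check, not from the advisory: compare a FreeBSD release string
 * against the fixed patch levels listed for FreeBSD-SA-24:11.ctl. */
#include <stdio.h>
#include <string.h>

/* First fixed -pN per branch, transcribed from the advisory summary.
 * STABLE branches are fixed by commit date rather than a patch level and
 * are deliberately absent, so they come back as unknown. */
struct fixed_level {
    const char *branch;
    int patch;
};

static const struct fixed_level fixed_levels[] = {
    { "14.1-RELEASE", 4 },
    { "14.0-RELEASE", 10 },
    { "13.4-RC2", 1 },
    { "13.3-RELEASE", 6 },
};

/* Split "13.3-RELEASE-p6" into branch "13.3-RELEASE" and patch 6.
 * A string with no "-pN" suffix is patch level 0. Returns 0 if unparsable. */
static int parse_version(const char *ver, char *branch, size_t blen, int *patch)
{
    const char *p = strstr(ver, "-p");
    size_t n = (p != NULL) ? (size_t)(p - ver) : strlen(ver);

    *patch = 0;
    if (n == 0 || n >= blen)
        return 0;
    if (p != NULL && sscanf(p, "-p%d", patch) != 1)
        return 0;
    memcpy(branch, ver, n);
    branch[n] = '\0';
    return 1;
}

/* 1 = at or past the fixed level, 0 = below it (vulnerable),
 * -1 = branch not in the table: verify by hand, never treat as safe. */
int ctl_fix_status(const char *ver)
{
    char branch[32];
    int patch;
    size_t i;

    if (!parse_version(ver, branch, sizeof branch, &patch))
        return -1;
    for (i = 0; i < sizeof fixed_levels / sizeof fixed_levels[0]; i++) {
        if (strcmp(branch, fixed_levels[i].branch) == 0)
            return patch >= fixed_levels[i].patch ? 1 : 0;
    }
    return -1;
}

/* Usage: freebsd-version -r | ./ctlcheck    or    ./ctlcheck 14.1-RELEASE-p3 */
int main(int argc, char **argv)
{
    char buf[64];
    const char *ver;

    if (argc > 1) {
        ver = argv[1];
    } else {
        if (fgets(buf, sizeof buf, stdin) == NULL)
            return 2;
        buf[strcspn(buf, "\r\n")] = '\0';
        ver = buf;
    }
    switch (ctl_fix_status(ver)) {
    case 1:
        printf("%s: at or past the fixed patch level\n", ver);
        return 0;
    case 0:
        printf("%s: below the fixed patch level, update\n", ver);
        return 1;
    default:
        printf("%s: not in the advisory's release list, check manually\n", ver);
        return 2;
    }
}
```

Feed it `freebsd-version -r` (running kernel) rather than `-k` (installed kernel): the fix is in the kernel's ctl code, so a patched kernel that has not been booted yet still leaves the vulnerable code running. Anything outside the table, including STABLE builds and older unsupported releases, is reported as unknown on purpose rather than as safe.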
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
[1] https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc (FreeBSD vendor advisory, referenced via MITRE)