Vulnerabilities > CVE-2016-1889 - Integer Overflow or Wraparound vulnerability in Freebsd
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, and 11.0 when configured with a large amount of guest memory, allows local users to gain privilege via a crafted device descriptor.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_E722E3C6BBEE11E6B1CF14DAE9D210B8.NASL description The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow. Impact : For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they last seen 2020-06-01 modified 2020-06-02 plugin id 95588 published 2016-12-07 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95588 title FreeBSD : FreeBSD -- bhyve(8) virtual machine escape (e722e3c6-bbee-11e6-b1cf-14dae9d210b8) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(95588); script_version("3.4"); script_cvs_date("Date: 2018/11/10 11:49:46"); script_cve_id("CVE-2016-1889"); script_xref(name:"FreeBSD", value:"SA-16:38.bhyve"); script_name(english:"FreeBSD : FreeBSD -- bhyve(8) virtual machine escape (e722e3c6-bbee-11e6-b1cf-14dae9d210b8)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "The bounds checking of accesses to guest memory greater than 4GB by device emulations is subject to integer overflow. Impact : For a bhyve virtual machine with more than 3GB of guest memory configured, a malicious guest could craft device descriptors that could give it access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they're running on." ); # https://vuxml.freebsd.org/freebsd/e722e3c6-bbee-11e6-b1cf-14dae9d210b8.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7a685d8c" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:FreeBSD"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/06"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); if (report_paranoia < 2) audit(AUDIT_PARANOID); flag = 0; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=11.0<11.0_4")) flag++; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=10.3<10.3_13")) flag++; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=10.2<10.2_26")) flag++; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=10.1<10.1_43")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Firewalls NASL id PFSENSE_SA-17_03.NASL description According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories. last seen 2020-06-01 modified 2020-06-02 plugin id 106503 published 2018-01-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106503 title pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(106503); script_version("1.12"); script_cvs_date("Date: 2019/11/08"); script_cve_id( "CVE-2016-1889", "CVE-2016-6559", "CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-8610", "CVE-2016-8858", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312", "CVE-2016-10009", "CVE-2016-10010" ); script_bugtraq_id( 93776, 93841, 94444, 94446, 94447, 94448, 94450, 94451, 94452, 94453, 94454, 94455, 94694, 94968, 94972 ); script_xref(name:"CERT", value:"633847"); script_xref(name:"FreeBSD", value:"SA-16:29.bspatch"); script_xref(name:"FreeBSD", value:"SA-16:31.libarchive"); script_xref(name:"FreeBSD", value:"SA-16:33.openssh"); script_xref(name:"FreeBSD", value:"SA-16:35.openssl"); script_xref(name:"FreeBSD", value:"SA-16:37.libc"); script_xref(name:"FreeBSD", value:"SA-16:38.bhyve"); script_xref(name:"FreeBSD", value:"SA-16:39.ntp"); script_xref(name:"FreeBSD", value:"SA-17:01.openssh"); script_name(english:"pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03)"); script_summary(english:"Checks the version of pfSense."); script_set_attribute(attribute:"synopsis", value: "The remote firewall host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories."); script_set_attribute(attribute:"see_also", value:"https://doc.pfsense.org/index.php/2.3.3_New_Features_and_Changes"); # https://www.pfsense.org/security/advisories/pfSense-SA-17_01.webgui.asc script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?96e388ec"); # https://www.pfsense.org/security/advisories/pfSense-SA-17_02.webgui.asc script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?871cf23b"); # https://www.pfsense.org/security/advisories/pfSense-SA-17_03.webgui.asc script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?36b6ea9d"); script_set_attribute(attribute:"solution", value: "Upgrade to pfSense version 2.3.3 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6559"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/02/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/31"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:pfsense:pfsense"); script_set_attribute(attribute:"cpe", value:"cpe:/a:bsdperimeter:pfsense"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Firewalls"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("pfsense_detect.nbin"); script_require_keys("Host/pfSense"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); if (!get_kb_item("Host/pfSense")) audit(AUDIT_HOST_NOT, "pfSense"); app_info = vcf::pfsense::get_app_info(); constraints = [ { "fixed_version" : "2.3.3" } ]; vcf::pfsense::check_version_and_report( app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE, xsrf:TRUE} );