CVE-2023-3494 : The fwctl driver implements a state machine which is executed when a bhyve guest

The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string. Malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root, mitigated by the capabilities assigned through the Capsicum sandbox available to the bhyve process.

Published 2023-08-01 23:15:31

Updated 2025-02-13 17:16:57

Source FreeBSD

View at NVD, CVE.org

Vulnerability category: Overflow

Products affected by CVE-2023-3494

Freebsd » Freebsd » Version: 13.1 Update B1-p1
cpe:2.3:o:freebsd:freebsd:13.1:b1-p1:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update B2-p2
cpe:2.3:o:freebsd:freebsd:13.1:b2-p2:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update Rc1-p1
cpe:2.3:o:freebsd:freebsd:13.1:rc1-p1:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update P1
cpe:2.3:o:freebsd:freebsd:13.1:p1:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update P2
cpe:2.3:o:freebsd:freebsd:13.1:p2:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update P3
cpe:2.3:o:freebsd:freebsd:13.1:p3:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update P4
cpe:2.3:o:freebsd:freebsd:13.1:p4:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update P5
cpe:2.3:o:freebsd:freebsd:13.1:p5:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1
cpe:2.3:o:freebsd:freebsd:13.1:-:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update P6
cpe:2.3:o:freebsd:freebsd:13.1:p6:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update P7
cpe:2.3:o:freebsd:freebsd:13.1:p7:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.2
cpe:2.3:o:freebsd:freebsd:13.2:-:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.1 Update P8
cpe:2.3:o:freebsd:freebsd:13.1:p8:*:*:*:*:*:*
Matching versions
Freebsd » Freebsd » Version: 13.2 Update P1
cpe:2.3:o:freebsd:freebsd:13.2:p1:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-3494

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-3494

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	2.0	6.0	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-3494

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
Assigned by:
- nvd@nist.gov (Primary)
- secteam@freebsd.org (Secondary)

References for CVE-2023-3494

https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc

Vendor Advisory
https://security.netapp.com/advisory/ntap-20230831-0006/

CVE-2023-3494 FreeBSD Vulnerability in NetApp Products | NetApp Product Security

Jump to

Vulnerability Details : CVE-2023-3494

Products affected by CVE-2023-3494

Exploit prediction scoring system (EPSS) score for CVE-2023-3494

CVSS scores for CVE-2023-3494

CWE ids for CVE-2023-3494

References for CVE-2023-3494