16.16.FreeBSD 安全公告

像许多优秀操作系统的开发者一样，FreeBSD 项目也有一个安全团队，负责确定每个 FreeBSD 版本的生命周期结束日期（End-of-Life，EoL），并为尚未达到 EoL 的支持版本提供安全更新。关于 FreeBSD 安全团队和受支持版本的更多信息可以在 FreeBSD 安全页面查阅。

安全团队的一项任务是回应报告的 FreeBSD 操作系统中的安全漏洞。待确认漏洞，安全团队会验证修复该漏洞所需的步骤，并将修复更新到源代码中。然后，它会将详细信息发布为“安全通告”。安全通告发布在 FreeBSD 网站上，并通过 FreeBSD 安全通知邮件列表、FreeBSD 安全邮件列表和 FreeBSD 公告邮件列表发送。

16.16.1. 安全通告的格式

以下是个 FreeBSD 安全通告的示例：

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:07.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve privileged guest escape via fwctl

Category:       core
Module:         bhyve
Announced:      2023-08-01
Credits:        Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft
Affects:        FreeBSD 13.1 and 13.2
Corrected:      2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
CVE Name:       CVE-2023-3494

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

bhyve(8)'s fwctl interface provides a mechanism through which guest
firmware can query the hypervisor for information about the virtual
machine.  The fwctl interface is available to guests when bhyve is run
with the "-l bootrom" option, used for example when booting guests in
UEFI mode.

bhyve is currently only supported on the amd64 platform.

II.  Problem Description

The fwctl driver implements a state machine which is executed when the
guest accesses certain x86 I/O ports.  The interface lets the guest copy
a string into a buffer resident in the bhyve process' memory.  A bug in
the state machine implementation can result in a buffer overflowing when
copying this string.

III. Impact

A malicious, privileged software running in a guest VM can exploit the
buffer overflow to achieve code execution on the host in the bhyve
userspace process, which typically runs as root.  Note that bhyve runs
in a Capsicum sandbox, so malicious code is constrained by the
capabilities available to the bhyve process.

IV.  Workaround

No workaround is available.  bhyve guests that are executed without the
"-l bootrom" option are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all affected virtual machines.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc
# gpg --verify bhyve.13.2.patch.asc

[FreeBSD 13.1]
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc
# gpg --verify bhyve.13.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all affected virtual machines.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              9fe302d78109    stable/13-n255918
releng/13.2/                            2bae613e0da3  releng/13.2-n254625
releng/13.1/                            87702e38a4b4  releng/13.1-n250190
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3494>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsIACgkQbljekB8A
Gu8Q1Q/7BFw5Aa0cFxBzbdz+O5NAImj58MvKS6xw61bXcYr12jchyT6ENC7yiR+K
qCqbe5TssRbtZ1gg/94gSGEXccz5OcJGxW+qozhcdPUh2L2nzBPkMCrclrYJfTtM
cnmQKjg/wFZLUVr71GEM95ZFaktlZdXyXx9Z8eBzow5rXexpl1TTHQQ2kZZ41K4K
KFhup91dzGCIj02cqbl+1h5BrXJe3s/oNJt5JKIh/GBh5THQu9n6AywQYl18HtjV
fMb1qRTAS9WbiEP5QV2eEuOG86ucuhytqnEN5MnXJ2rLSjfb9izs9HzLo3ggy7yb
hN3tlbfIPjMEwYexieuoyP3rzKkLeYfLXqJU4zKCRnIbBIkMRy4mcFkfcYmI+MhF
NPh2R9kccemppKXeDhKJurH0vsetr8ti+AwOZ3pgO21+9w+mjE+EfaedIi+JWhip
hwqeFv03bAQHJdacNYGV47NsJ91CY4ZgWC3ZOzBZ2Y5SDtKFjyc0bf83WTfU9A/0
drC0z3xaJribah9e6k5d7lmZ7L6aHCbQ70+aayuAEZQLr/N1doB0smNi0IHdrtY0
JdIqmVX+d1ihVhJ05prC460AS/Kolqiaysun1igxR+ZnctE9Xdo1BlLEbYu2KjT4
LpWvSuhRMSQaYkJU72SodQc0FM5mqqNN42Vx+X4EutOfvQuRGlI=
=MlAY
-----END PGP SIGNATURE-----

每份安全通告都遵循以下格式：

每份安全通告都会由安全官员的 PGP 密钥签名。可以在 OpenPGP Keys 验证安全官员的公钥。
安全通告的名称始终以 FreeBSD-SA-（FreeBSD 安全通告）开头，接着是两位数的年份格式（23:），然后是该年度的通告编号（07.），最后是受影响的应用程序或子系统的名称（例如 bhyve）。
Topic 字段简要描述了漏洞。
Category 表示受影响的系统部分，可能是 core、contrib 或 ports。core 类别意味着漏洞影响了 FreeBSD 操作系统的核心组件；contrib 类别意味着漏洞影响了 FreeBSD 包含的软件，如 BIND；ports 类别表示漏洞影响了通过 Ports 提供的软件。
Module 字段指示受影响的组件位置。在这个例子中，受影响的模块是 bhyve，因此这个漏洞影响的是操作系统中安装的应用程序。
Announced 字段反映了安全通告发布的日期。这意味着安全团队已经验证问题存在，并且补丁已经提交到 FreeBSD 源代码库中。
Credits 字段为发现漏洞并报告的个人或组织提供了荣誉。
Affects 字段解释了哪些 FreeBSD 版本受此漏洞影响。
Corrected 字段指示修复的日期、时间、时间偏移量和已修复的版本。括号中的部分显示了修复已经合并的每个分支，以及相应发布版本的版本号。发布标识符本身包括版本号，并在适当时包含补丁级别。补丁级别是字母 p 后跟数字，表示补丁的序列号，允许用户跟踪系统上已应用的补丁。
CVE Name 字段列出如果有的话，安全漏洞数据库中该漏洞的公开 CVE 编号，来源于 cve.mitre.org。
Background 字段提供受影响模块的描述。
Problem Description 字段解释了漏洞。这可以包括有关有缺陷代码的信息以及如何恶意利用该实用程序。
Impact 字段描述了问题可能对系统造成的影响类型。
Workaround 字段指示是否有工作区解决方案，供系统管理员在无法立即修补系统时使用。
Solution 字段提供了修补受影响系统的步骤。这是一个经过测试和验证的步骤方法，帮助用户修补系统并确保其安全。
Correction Details 字段显示了每个受影响的 Subversion 或 Git 分支及其包含修复代码的修订号。
References 字段提供了有关漏洞的更多信息来源。

上一页16.15.监控第三方安全问题下一页17.1.概述

最后更新于1个月前

这有帮助吗？

16.16.1. 安全通告的格式

以下是个 FreeBSD 安全通告的示例：

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:07.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve privileged guest escape via fwctl

Category:       core
Module:         bhyve
Announced:      2023-08-01
Credits:        Omri Ben Bassat and Vladimir Eli Tokarev from Microsoft
Affects:        FreeBSD 13.1 and 13.2
Corrected:      2023-08-01 19:48:53 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
CVE Name:       CVE-2023-3494

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

bhyve(8)'s fwctl interface provides a mechanism through which guest
firmware can query the hypervisor for information about the virtual
machine.  The fwctl interface is available to guests when bhyve is run
with the "-l bootrom" option, used for example when booting guests in
UEFI mode.

bhyve is currently only supported on the amd64 platform.

II.  Problem Description

The fwctl driver implements a state machine which is executed when the
guest accesses certain x86 I/O ports.  The interface lets the guest copy
a string into a buffer resident in the bhyve process' memory.  A bug in
the state machine implementation can result in a buffer overflowing when
copying this string.

III. Impact

A malicious, privileged software running in a guest VM can exploit the
buffer overflow to achieve code execution on the host in the bhyve
userspace process, which typically runs as root.  Note that bhyve runs
in a Capsicum sandbox, so malicious code is constrained by the
capabilities available to the bhyve process.

IV.  Workaround

No workaround is available.  bhyve guests that are executed without the
"-l bootrom" option are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all affected virtual machines.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.2.patch.asc
# gpg --verify bhyve.13.2.patch.asc

[FreeBSD 13.1]
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch
# fetch https://security.FreeBSD.org/patches/SA-23:07/bhyve.13.1.patch.asc
# gpg --verify bhyve.13.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all affected virtual machines.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              9fe302d78109    stable/13-n255918
releng/13.2/                            2bae613e0da3  releng/13.2-n254625
releng/13.1/                            87702e38a4b4  releng/13.1-n250190
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3494>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:07.bhyve.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsIACgkQbljekB8A
Gu8Q1Q/7BFw5Aa0cFxBzbdz+O5NAImj58MvKS6xw61bXcYr12jchyT6ENC7yiR+K
qCqbe5TssRbtZ1gg/94gSGEXccz5OcJGxW+qozhcdPUh2L2nzBPkMCrclrYJfTtM
cnmQKjg/wFZLUVr71GEM95ZFaktlZdXyXx9Z8eBzow5rXexpl1TTHQQ2kZZ41K4K
KFhup91dzGCIj02cqbl+1h5BrXJe3s/oNJt5JKIh/GBh5THQu9n6AywQYl18HtjV
fMb1qRTAS9WbiEP5QV2eEuOG86ucuhytqnEN5MnXJ2rLSjfb9izs9HzLo3ggy7yb
hN3tlbfIPjMEwYexieuoyP3rzKkLeYfLXqJU4zKCRnIbBIkMRy4mcFkfcYmI+MhF
NPh2R9kccemppKXeDhKJurH0vsetr8ti+AwOZ3pgO21+9w+mjE+EfaedIi+JWhip
hwqeFv03bAQHJdacNYGV47NsJ91CY4ZgWC3ZOzBZ2Y5SDtKFjyc0bf83WTfU9A/0
drC0z3xaJribah9e6k5d7lmZ7L6aHCbQ70+aayuAEZQLr/N1doB0smNi0IHdrtY0
JdIqmVX+d1ihVhJ05prC460AS/Kolqiaysun1igxR+ZnctE9Xdo1BlLEbYu2KjT4
LpWvSuhRMSQaYkJU72SodQc0FM5mqqNN42Vx+X4EutOfvQuRGlI=
=MlAY
-----END PGP SIGNATURE-----

每份安全通告都遵循以下格式：

每份安全通告都会由安全官员的 PGP 密钥签名。可以在 OpenPGP Keys 验证安全官员的公钥。

安全通告的名称始终以 FreeBSD-SA-（FreeBSD 安全通告）开头，接着是两位数的年份格式（23:），然后是该年度的通告编号（07.），最后是受影响的应用程序或子系统的名称（例如 bhyve）。

Topic 字段简要描述了漏洞。

Category 表示受影响的系统部分，可能是 core、contrib 或 ports。core 类别意味着漏洞影响了 FreeBSD 操作系统的核心组件；contrib 类别意味着漏洞影响了 FreeBSD 包含的软件，如 BIND；ports 类别表示漏洞影响了通过 Ports 提供的软件。

Module 字段指示受影响的组件位置。在这个例子中，受影响的模块是 bhyve，因此这个漏洞影响的是操作系统中安装的应用程序。

Announced 字段反映了安全通告发布的日期。这意味着安全团队已经验证问题存在，并且补丁已经提交到 FreeBSD 源代码库中。

Credits 字段为发现漏洞并报告的个人或组织提供了荣誉。

Affects 字段解释了哪些 FreeBSD 版本受此漏洞影响。

Corrected 字段指示修复的日期、时间、时间偏移量和已修复的版本。括号中的部分显示了修复已经合并的每个分支，以及相应发布版本的版本号。发布标识符本身包括版本号，并在适当时包含补丁级别。补丁级别是字母 p 后跟数字，表示补丁的序列号，允许用户跟踪系统上已应用的补丁。

CVE Name 字段列出如果有的话，安全漏洞数据库中该漏洞的公开 CVE 编号，来源于 cve.mitre.org。

Background 字段提供受影响模块的描述。

Problem Description 字段解释了漏洞。这可以包括有关有缺陷代码的信息以及如何恶意利用该实用程序。

Impact 字段描述了问题可能对系统造成的影响类型。

Workaround 字段指示是否有工作区解决方案，供系统管理员在无法立即修补系统时使用。

Solution 字段提供了修补受影响系统的步骤。这是一个经过测试和验证的步骤方法，帮助用户修补系统并确保其安全。

Correction Details 字段显示了每个受影响的 Subversion 或 Git 分支及其包含修复代码的修订号。

References 字段提供了有关漏洞的更多信息来源。