CVE-2024-41721: The FreeBSD Flaw That Opens the Door to Remote Attacks
A critical vulnerability has been identified in the FreeBSD operating system, enabling remote code execution (RCE) via the bhyve hypervisor. This flaw, assigned CVE-2024-41721, was disclosed on September 19, 2024, and is credited to researchers from Synacktiv.
The vulnerability stems from errors in the XHCI (USB 3.0 host controller) emulation within the bhyve hypervisor, which is used for running virtual machines. The primary issue is insufficient bounds checking in the USB emulation code, which allows a guest to trigger out-of-bounds memory access in the bhyve process.
Exploiting this vulnerability allows an attacker operating within the guest system to either crash the hypervisor process or execute malicious code on the host system. Given that the bhyve process typically runs with root privileges, the consequences could be severe.
Although bhyve operates within the isolated Capsicum sandbox, this does not fully eliminate the risk. Systems utilizing XHCI emulation are particularly vulnerable, as no workarounds exist for them. The flaw affects all supported versions of FreeBSD, and successful exploitation could result in unauthorized access or complete system control.
Patches for all supported versions of FreeBSD were released on September 19. Administrators are strongly advised to apply the fixes as soon as possible to prevent exploitation. For systems utilizing XHCI emulation, it is especially critical to reboot guest operating systems after applying the patch, since an already-running bhyve process does not pick up the fixed code until it is restarted.