Synacktiv

**Name of the Vulnerable Software and Affected Versions** Sony XAV-AX8500 (affected versions not specified) **Description** The issue is related to an integer overflow in the Bluetooth SDP protocol, which can lead to remote code execution. This was demonstrated at Pwn2Own. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sony XAV-AX8500 (affected versions not specified) **Description** The issue concerns an improper isolation authentication bypass vulnerability in the Bluetooth functionality. It was discovered by Mikhail Evdokimov from PCAutomotive. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FCGI versions 0.44 through 0.82 Description: The included FastCGI library in FCGI is affected, causing an integer overflow and resultant heap-based buffer overflow via crafted `nameLen` or `valueLen` values in data to the IPC socket. This occurs in the `ReadParams` function in `fcgiapp.c`. Recommendations: For FCGI versions 0.44 through 0.82, consider disabling the `ReadParams` function in `fcgiapp.c` as a temporary workaround until a patch is available. Restrict access to the IPC socket to minimize the risk of exploitation. Avoid using crafted `nameLen` or `valueLen` values in data to the IPC socket until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** hda driver (affected versions not specified) **Description** The issue concerns a buffer over-read in the hda driver, which is triggered by a guest-controlled value. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The virtio vq recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hda audio driver (affected versions not specified) **Description** A guest can trigger an infinite loop in the hda audio driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NVMe driver (affected versions not specified) **Description** The NVMe driver queue processing is vulnerable to guest-induced infinite loops. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** The issue allows the caller to specify an arbitrary size using the `ctl persistent reserve out` command, which will be passed to the kernel's memory allocator. This could potentially lead to unbounded allocation in the ctl(4) CAM Target Layer. There is a mention of potential exploitation over unauthenticated iSCSI connections, but no further details are provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bhyve hypervisor (affected versions not specified) **Description** The NVMe driver function nvme opc get log page is vulnerable to a buffer over-read from a guest-controlled value. This issue is related to the bhyve hypervisor and affects the NVMe driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** The issue is related to an insufficient boundary validation in the USB code, which could lead to an out-of-bounds read on the heap, potentially resulting in an arbitrary write and remote code execution. This vulnerability affects the bhyve hypervisor's XHCI emulation functionality. The process bhyve typically runs with root privileges, increasing the potential impact. Although bhyve operates in an isolated environment using Capsicum, which limits available capabilities, the risk of exploitation remains. All supported versions of FreeBSD are affected, with systems using XHCI emulation being particularly vulnerable. **Recommendations** To resolve the issue, update your FreeBSD system to a version that includes the fix released on September 19, 2024. After applying the updates or patches, it is crucial to restart all guest operating systems using USB devices with XHCI emulation to ensure the fixes take effect. As a temporary workaround, consider restricting the use of XHCI emulation in the bhyve hypervisor until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the UMTX OP SHM operation's handling of anonymous shared memory used for process-shared mutexes. Concurrent removals of certain anonymous shared memory mappings by using the UMTX SHM DESTROY sub-request of UMTX OP SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code exercising the UMTX SHM DESTROY sub-request in parallel can panic the kernel or enable further use-after-free attacks, potentially including code execution or Capsicum sandbox escape. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bhyve (affected versions not specified) **Description** Malicious software running in a guest VM can exploit a buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. The bhyve process runs in a Capsicum sandbox, constraining malicious code to the capabilities available to the bhyve process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** A missing null-termination character in the last element of an nvlist array string can lead to writing outside the allocated buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: libnv (affected versions not specified) Description: The issue is related to an integer overflow in the libnv library, which can occur due to a malicious value of size in a structure of packed libnv. This overflow leads to the allocation of a smaller buffer than required for the parsed data. The exploitation of this issue may allow a remote attacker to elevate their privileges or cause a denial of service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** The function `ctl write buffer` incorrectly set a flag, resulting in a kernel Use-After-Free when a command finished processing. Malicious software running in a guest VM that exposes virtio scsi can exploit this issue to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeBSD (affected versions not specified) **Description** The issue is related to the `ctl request sense()` function in the ctl subsystem of FreeBSD operating systems, which can lead to a buffer overflow in memory. This can allow an attacker to execute arbitrary code. Malicious software running in a guest VM that exposes `virtio scsi` can exploit this to achieve code execution on the host in the `bhyve` userspace process, typically running as root. Note that `bhyve` runs in a Capsicum sandbox, constraining malicious code to the capabilities available to the `bhyve` process. A malicious iSCSI initiator could also achieve remote code execution on the iSCSI target host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bhyve (affected versions not specified) **Description** The issue is related to the `ctl write buffer` and `ctl read buffer` functions, which allocated memory to be returned to userspace without initializing it. This can be exploited by malicious software running in a guest VM that exposes virtio scsi to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bhyve (affected versions not specified) **Description** The issue is related to the `ctl report supported opcodes` function, which did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. This could be exploited by malicious software running in a guest VM that exposes `virtio scsi` to achieve code execution on the host in the `bhyve` userspace process, which typically runs as root. Note that `bhyve` runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the `bhyve` process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bhyve (affected versions not specified) **Description** The issue is related to an insufficient boundary validation in the USB code, which could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit this to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** Due to improper input validation, an authenticated remote attacker could execute arbitrary commands on the target system. The issue allows for the execution of arbitrary commands, potentially leading to significant system compromise. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.