Preface: Today, FreeBSD is used by many IT companies such as IBM, Nokia, Juniper Networks, and NetApp to build their products.

Background: bhyve, pronounced “beehive” is a hypervisor/virtual machine manager for FreeBSD that supports a wide range of guest operating systems on Intel and AMD processors that support the “POPCNT” (POPulation Count) feature, and experimentally ARM64/aarch64 processors that support the gic0: <ARM Generic Interrupt Controller v3.0> feature (visible in dmesg(8)).

bhyve supports multiple storage and networking back-ends, UEFI, FreeBSD loader, and GRUB booting, PCI Pass-Through (PPT), integrated VNC and 9pfs servers, and many more features.

As of 14.0-RELEASE, bhyve supports TPM passthrough and TPM emulation

Vulnerability details: An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.

Official announcement: Please refer to the vendor announcement for details – https://www.tenable.com/cve/CVE-2024-41721

Preface: When you got a valid non-NULL pointer to a memory address returned by malloc(), only the requested size of memory is allocated to your process and you’re allowed to use (read and / or write) into that much space only.

Background: When you launch a KVM-based guest, most often you would see QEMU doing the major user space heavy-lifting by providing a PC-like environment—it handles guest memory management, network cards, emulated storage devices, and so forth.

When using QEMU, all I/O travels through a single queue, which can affect performance.

Vulnerability details: In the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest.

Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak

Ref: A bounce buffer resides in memory low enough for a device to copy from and write data to. It is then copied to the desired user page in high memory. This additional copy is undesirable, but unavoidable. Pages are allocated in low memory which are used as buffer pages for DMA to and from the device.

This CVE only low risk vulnerability. However, but should staying alert.

Official announcement: Please refer to the vendor announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-8612

Preface: Originally founded in 1992 as M-Tech Information Technology, acquired by Hitachi, Ltd. in 2008, and acquired by the Volaris Group in 2022, Bravura Security, Inc is a leading provider of identity, privileged access, password, and passwordless solutions. Bravura Security Fabric brings together all the benefits of SaaS plus IAM & PAM into one comprehensive solution.

Background: The API Service (idapi) enables client programs to access Bravura Security Fabric workflow and provisioning features programmatically. Client programs communicate with the service using:

SOAP (Simple Object Access Protocol) – Some organizations use the SOAP API to build their own customized front-end to Bravura Security Fabric.

Vulnerability details: An issue was discovered in Bravura Security Fabric versions 12.3.x before 12.3.5.32784, 12.4.x before 12.4.3.35110, 12.5.x before 12.5.2.35950, 12.6.x before 12.6.2.37183, and 12.7.x before 12.7.1.38241. An unauthenticated attacker can cause a resource leak by issuing multiple failed login attempts through API SOAP.

Official announcement: Please refer to the vendor announcement for details –

https://www.bravurasecurity.com/cve-2024-45523-resource-leak-in-api-after-a-failed-login-attempt

Preface: Enables Vaultwarden’s built-in HTTPS functionality (via the Rocket web framework). Rocket’s HTTPS implementation is relatively immature and has limited functionality.

Rocket is a web framework written in Rust. It supports HTTP requests, Web Sockets JSON, templating and more. Its design was inspired by Rails, Flask, Bottle, and Yesod.

Background: Vaultwarden is an unofficial Bitwarden server implementation written in Rust that is compatible with the official Bitwarden client, making it ideal for resource-intensive self-hosted deployments where you don’t want to run the official Bitwarden client.

Vaultwarden implements the Bitwarden APIs required for most functionality, including: Web interface (equivalent to https://vault.bitwarden.com/), Event Logs, Password sharing and access control..etc

Vulnerability details: An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator’s browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.

Official announcement: Please refer to the vendor announcement for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-39926

Preface: A mutex is a mutual exclusion lock. Only one thread can hold the lock. Mutexes are used to protect data or other resources from concurrent access. A mutex has attributes, which specify the characteristics of the mutex.

Background: During the boot process, the console provides a lot of important information about the initial phase of the system startup. To avoid loss of the early messages the kernel utilizes what is called a ring buffer. This buffer stores all messages, including boot messages, generated by the printk() function within the kernel code. The messages from the kernel ring buffer are then read and stored in log files on permanent storage, for example, by the syslog service. The buffer mentioned above is a cyclic data structure which has a fixed size, and is hard-coded into the kernel.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.

Official announcement: Please refer to the vendor announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-46713

Preface: In session hijacking, an attacker gets hold of a valid user session to gain unauthorized access to the account. This is typically done through three methods:

Brute force: The attacker keeps trying session IDs until they are successful.

Calculation: If the session IDs are generated in a non-random manner, the attacker can calculate them.

Theft: The attacker acquires the session ID through techniques like session sniffing, session fixation, and cross-site scripting.

Background: FortiSOAR helps IT/OT security teams thwart attacks by centralizing incident management and automating the myriad of analyst activities required for effective threat investigation and response.

Vulnerability details: An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests.

Official announcement: Please refer to the vendor announcement for details –

https://fortiguard.fortinet.com/psirt/FG-IR-24-048