Reinforcing Sandbox Security
The Capsicum security framework is a fundamental part of FreeBSD’s strategy for limiting application access to system resources through effective sandboxing. A recent audit confirmed that Capsicum has a robust and secure design but also identified vulnerabilities in certain kernel components that can be accessed within a sandboxed environment.
It’s important to note that these issues are not flaws in Capsicum itself but in other subsystems within the sandbox’s reach. Thus, while Capsicum operates as intended, some kernel components still possess vulnerabilities that could be exploited to escalate privileges outside of the sandbox.
- FreeBSD-SA-24:09.libnv Multiple vulnerabilities in libnv
- FreeBSD-SA-24:14.umtx umtx Kernel panic or Use-After-Free
- FreeBSD-SA-24:16.libnv Integer overflow in libnv
Securing FreeBSD’s Virtualization Platform
The bhyve hypervisor is a core component of FreeBSD’s virtualization capabilities, allowing multiple virtual machines to run concurrently. The audit identified several vulnerabilities in bhyve that could affect both guest and host systems.
- FreeBSD-SA-24:10.bhyve bhyve(8) privileged guest escape via TPM device passthrough
- FreeBSD-SA-24:11.ctl Multiple issues in ctl(4) CAM Target Layer
- FreeBSD-SA-24:12.bhyve bhyve(8) privileged guest escape via USB controller
- FreeBSD-SA-24:15.bhyve bhyve(8) out-of-bounds read access via XHCI emulation
- FreeBSD-SA-24:17.bhyve Multiple issues in the bhyve hypervisor
- FreeBSD-SA-24:18.ctl Unbounded allocation in ctl(4) CAM Target Layer
Update Your FreeBSD System
As always, we strongly encourage all users and system administrators to update their FreeBSD systems to protect them against these vulnerabilities. As a reminder, here are the steps to follow to update any FreeBSD system.
Check for Updates
Run the following command to fetch the latest security updates for your system:
sudo freebsd-update fetch
Apply Updates
After fetching the updates, apply them using this command:
sudo freebsd-update install
Reboot Your System
If the updates require a reboot (which is common for kernel patches), you will be prompted to do so. Reboot with:
sudo reboot
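A check to go with the reboot step above, as an added example that is not part of the original post: it compares the kernel installed on disk (`freebsd-version -k`) with the kernel currently running (`freebsd-version -r`) to tell whether a patched kernel is still waiting for a reboot. The function names and the sample version strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a patched
# kernel is installed on disk but not yet running.

# patch_level VERSION -> numeric patch level ("14.1-RELEASE-p5" -> 5, none -> 0)
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# base_release VERSION -> version string without the -pN suffix
base_release() {
    case "$1" in
        *-p[0-9]*) echo "${1%-p*}" ;;
        *)         echo "$1" ;;
    esac
}

# reboot_state INSTALLED RUNNING -> "current" or "reboot-pending"
reboot_state() {
    if [ "$(base_release "$1")" = "$(base_release "$2")" ] &&
       [ "$(patch_level "$1")" -eq "$(patch_level "$2")" ]; then
        echo current
    else
        echo reboot-pending
    fi
}

if command -v freebsd-version >/dev/null 2>&1; then
    installed=$(freebsd-version -k)   # kernel installed on disk
    running=$(freebsd-version -r)     # kernel currently booted
else
    # Constructed sample values so the script also runs on a non-FreeBSD host.
    installed="14.1-RELEASE-p5"
    running="14.1-RELEASE-p3"
fi

echo "installed kernel: $installed (patch level $(patch_level "$installed"))"
echo "running kernel:   $running (patch level $(patch_level "$running"))"
echo "state:            $(reboot_state "$installed" "$running")"
```

The userland version (`freebsd-version -u`) can legitimately show a higher patch level than the kernel, because the kernel version only changes when an update touches the kernel.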