{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-43110", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2024-08-27T16:30:55.973Z", "datePublished": "2024-09-05T04:31:19.166Z", "dateUpdated": "2025-11-04T16:13:45.604Z"}, "containers": {"cna": {"datePublic": "2024-09-04T23:37:17.000Z", "title": "Multiple issues in ctl(4) CAM Target Layer", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["ctl"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"lessThan": "p4", "status": "affected", "version": "14.1-RELEASE", "versionType": "release"}, {"lessThan": "p10", "status": "affected", "version": "14.0-RELEASE", "versionType": "release"}, {"lessThan": "p6", "status": "affected", "version": "13.3-RELEASE", "versionType": "release"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Synacktiv"}, {"lang": "en", "type": "sponsor", "value": "The FreeBSD Foundation"}, {"lang": "en", "type": "sponsor", "value": "The Alpha-Omega Project"}], "descriptions": [{"lang": "en", "value": "The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2024-09-05T04:31:19.166Z"}}, "adp": [{"affected": [{"vendor": "freebsd", "product": "freebsd", "cpes": ["cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "14.1", "status": "affected", "lessThan": "14.1_p4", "versionType": "custom"}, {"version": "14.0", "status": "affected", "lessThan": "14.0_p10", "versionType": "custom"}, {"version": "13.3", "status": "affected", "lessThan": "13.3_p6", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T13:11:06.616986Z", "id": "CVE-2024-43110", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T13:11:27.145Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20240920-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T16:13:45.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-43110", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-05T13:11:06.616986Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"], "vendor": "freebsd", "product": "freebsd", "versions": [{"status": "affected", "version": "14.1", "lessThan": "14.1_p4", "versionType": "custom"}, {"status": "affected", "version": "14.0", "lessThan": "14.0_p10", "versionType": "custom"}, {"status": "affected", "version": "13.3", "lessThan": "13.3_p6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T13:05:52.693Z"}}], "cna": {"title": "Multiple issues in ctl(4) CAM Target Layer", "credits": [{"lang": "en", "type": "finder", "value": "Synacktiv"}, {"lang": "en", "type": "sponsor", "value": "The FreeBSD Foundation"}, {"lang": "en", "type": "sponsor", "value": "The Alpha-Omega Project"}], "affected": [{"vendor": "FreeBSD", "modules": ["ctl"], "product": "FreeBSD", "versions": [{"status": "affected", "version": "14.1-RELEASE", "lessThan": "p4", "versionType": "release"}, {"status": "affected", "version": "14.0-RELEASE", "lessThan": "p10", "versionType": "release"}, {"status": "affected", "version": "13.3-RELEASE", "lessThan": "p6", "versionType": "release"}], "defaultStatus": "unknown"}], "datePublic": "2024-09-04T23:37:17.000Z", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2024-09-05T04:31:19.166Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43110", "state": "PUBLISHED", "dateUpdated": "2024-09-05T13:11:27.145Z", "dateReserved": "2024-08-27T16:30:55.973Z", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "datePublished": "2024-09-05T04:31:19.166Z", "assignerShortName": "freebsd"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*", "matchCriteriaId": "E82CE719-C11D-4C34-BDF9-5AA704884289", "versionEndExcluding": "13.3", "versionStartIncluding": "13.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*", "matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*", "matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*", "matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*", "matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*", "matchCriteriaId": "45B0589E-2E7D-4516-A8A0-88F30038EAB0", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*", "matchCriteriaId": "C5CD8EF6-B119-488F-A278-8E9740E3E482", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*", "matchCriteriaId": "2F52349C-6051-4CB9-8659-763A22C31640", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*", "matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*", "matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*", "matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*", "matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*", "matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*", "matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*", "matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*", "matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*", "matchCriteriaId": "D59CFDD3-AEC3-43F1-A620-0B1F0BAD9048", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*", "matchCriteriaId": "44B8A489-6314-460D-90DA-AFB54298C8E6", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*", "matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*", "matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*", "matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*", "matchCriteriaId": "D4DFA201-27D5-4C01-B90F-E24778943C3B", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*", "matchCriteriaId": "01DD321B-E5E2-49F7-86A1-D40B13E257C7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host."}, {"lang": "es", "value": "La funci\u00f3n ctl_request_sense podr\u00eda exponer hasta tres bytes del mont\u00f3n del n\u00facleo al espacio de usuario. El software malintencionado que se ejecuta en una m\u00e1quina virtual invitada que expone virtio_scsi puede explotar las vulnerabilidades para lograr la ejecuci\u00f3n de c\u00f3digo en el host en el proceso de espacio de usuario bhyve, que normalmente se ejecuta como ra\u00edz. Tenga en cuenta que bhyve se ejecuta en un entorno aislado de Capsicum, por lo que el c\u00f3digo malintencionado est\u00e1 limitado por las capacidades disponibles para el proceso bhyve. Un iniciador iSCSI malintencionado podr\u00eda lograr la ejecuci\u00f3n remota de c\u00f3digo en el host de destino iSCSI."}], "id": "CVE-2024-43110", "lastModified": "2025-11-04T17:16:05.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-09-05T05:15:13.757", "references": [{"source": "secteam@freebsd.org", "tags": ["Vendor Advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240920-0010/"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "secteam@freebsd.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}