CVE-2024-11149
📋 TL;DR
OpenBSD's vmm(4) hypervisor fails to properly restore the GDTR limit on Intel VMX CPUs, potentially allowing a malicious virtual machine to escape isolation and execute arbitrary code on the host system. It affects OpenBSD systems running virtual machines under the vmm hypervisor on Intel CPUs. The impact is limited to environments using OpenBSD's virtualization capabilities.
💻 Affected Systems
- OpenBSD
📦 What is this software?
Openbsd by Openbsd
⚠️ Risk & Real-World Impact
Worst Case
A malicious virtual machine could escape hypervisor isolation, gain host system privileges, and compromise the entire physical server and other VMs.
Likely Case
VM escape leading to host system compromise, potentially allowing lateral movement to other systems in the environment.
If Mitigated
Impact is contained to the escaped host if proper network segmentation and host hardening are in place.
🎯 Exploit Status
Exploitation requires control of a guest VM and detailed knowledge of Intel VMX architecture. No public exploits known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenBSD 7.4 errata 014
Vendor Advisory: https://ftp.openbsd.org/pub/OpenBSD/patches/7.4/common/014_vmm.patch.sig
Restart Required: Yes
Instructions:
1. Download the patch from the OpenBSD errata page.
2. Apply the patch: patch -p0 < 014_vmm.patch
3. Rebuild and install the kernel.
4. Reboot the system.
🔧 Temporary Workarounds
- Disable vmm hypervisor (OpenBSD): temporarily disable virtualization if it is not required
  sysctl hw.vmm.vmx=0
- Migrate VMs to an unaffected hypervisor (all platforms): move critical VMs to alternative virtualization platforms
🧯 If You Can't Patch
- Isolate vulnerable hosts from critical networks and systems
- Implement strict VM trust boundaries and monitor for suspicious VM behavior
🔍 How to Verify
Check if Vulnerable:
Check the OpenBSD version and errata status: sysctl kern.version
Check Version:
sysctl kern.version
Verify Fix Applied:
Verify that the kernel source includes errata 014: grep 'vmm.*GDTR' /usr/src/sys/arch/amd64/amd64/vmm.c
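The version and errata checks above can be combined into one script that runs on the host. The following POSIX shell is an added example, not part of this advisory or of OpenBSD's own tooling; it assumes the binary patch installed by syspatch(8) is named 014_vmm (derived from the patch file name in the vendor advisory URL) and that `sysctl -n kern.version` and `syspatch -l` are available. The sample outputs embedded below are constructed for offline testing.

```shell
#!/bin/sh
# Added example: classify a host against OpenBSD 7.4 errata 014 (014_vmm)
# using the output of `sysctl -n kern.version` and `syspatch -l`.
# Assumption: the syspatch name is "014_vmm" (taken from the advisory's
# patch file name). Only 7.4 is named by this advisory, so other releases
# are reported as "not-7.4" rather than as safe.

# is_release_74 VERSION_STRING -> 0 if kern.version reports OpenBSD 7.4
is_release_74() {
    case "$1" in
        OpenBSD\ 7.4\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# has_errata_014 SYSPATCH_LIST -> 0 if "014_vmm" appears as its own line
has_errata_014() {
    printf '%s\n' "$1" | grep -qx '014_vmm'
}

# vmm_status VERSION_STRING SYSPATCH_LIST
# prints exactly one of: vulnerable | patched | not-7.4
vmm_status() {
    if ! is_release_74 "$1"; then
        echo "not-7.4"
    elif has_errata_014 "$2"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample inputs (not captured from a real host)
SAMPLE_VERSION_74='OpenBSD 7.4 (GENERIC.MP) #1: Sun Oct  8 09:20:40 MDT 2023
    builder@example.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
'
SAMPLE_PATCHES_NONE=''
SAMPLE_PATCHES_WITH_014='001_xserver
002_smtpd
014_vmm'

# Run against the constructed samples when executed directly
if [ "${1:-}" = "--demo" ]; then
    echo "7.4, no patches:      $(vmm_status "$SAMPLE_VERSION_74" "$SAMPLE_PATCHES_NONE")"
    echo "7.4, with 014_vmm:    $(vmm_status "$SAMPLE_VERSION_74" "$SAMPLE_PATCHES_WITH_014")"
elif [ "${1:-}" = "--host" ]; then
    # Live check on an OpenBSD host
    vmm_status "$(sysctl -n kern.version)" "$(syspatch -l 2>/dev/null)"
fi
```

Run `sh check_vmm.sh --host` on the host itself. Note that `syspatch -l` only lists patches installed through syspatch; a kernel rebuilt from a source patch, as in the fix instructions above, will not appear there, so on such hosts fall back to the source grep listed above. A result of "not-7.4" means only that this advisory does not cover that release; check the errata page for the release actually running.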
📡 Detection & Monitoring
Log Indicators:
- Unusual VM behavior, unexpected host system calls from VM context
- Kernel panic or hypervisor crashes
Network Indicators:
- VM attempting network connections outside expected patterns
- Unexpected host network activity from VM IPs
SIEM Query:
source="openbsd" AND (event_type="kernel_panic" OR message="vmm")