ID CVE-2009-3290
Summary The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified "random addresses."
References
Vulnerable Configurations
  • Linux Kernel 2.6.25 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.25:rc1
  • Linux Kernel 2.6.30
    cpe:2.3:o:linux:linux_kernel:2.6.30
CVSS
Base: 7.2 (as of 22-09-2009 - 17:11)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1907.NASL
    description Several vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-5714 Chris Webb discovered an off-by-one bug limiting KVM's VNC passwords to 7 characters. This flaw might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended. - CVE-2009-3290 It was discovered that the kvm_emulate_hypercall function in KVM does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory. The oldstable distribution (etch) does not contain kvm.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 44772
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44772
    title Debian DSA-1907-1 : kvm - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1465.NASL
    description Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. The kvm_emulate_hypercall() implementation was missing a check for the Current Privilege Level (CPL). A local, unprivileged user in a virtual machine could use this flaw to cause a local denial of service or escalate their privileges within that virtual machine. (CVE-2009-3290) This update also fixes the following bugs : * non-maskable interrupts (NMI) were not supported on systems with AMD processors. As a consequence, Windows Server 2008 R2 guests running with more than one virtual CPU assigned on systems with AMD processors would hang at the Windows shut down screen when a restart was attempted. This update adds support for NMI filtering on systems with AMD processors, allowing clean restarts of Windows Server 2008 R2 guests running with multiple virtual CPUs. (BZ#520694) * significant performance issues for guests running 64-bit editions of Windows. This update improves performance for guests running 64-bit editions of Windows. (BZ#521793) * Windows guests may have experienced time drift. (BZ#521794) * removing the Red Hat VirtIO Ethernet Adapter from a guest running Windows Server 2008 R2 caused KVM to crash. With this update, device removal should not cause this issue. (BZ#524557) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update takes effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 63897
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63897
    title RHEL 5 : kvm (RHSA-2009:1465)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1465.NASL
    description From Red Hat Security Advisory 2009:1465 : Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. The kvm_emulate_hypercall() implementation was missing a check for the Current Privilege Level (CPL). A local, unprivileged user in a virtual machine could use this flaw to cause a local denial of service or escalate their privileges within that virtual machine. (CVE-2009-3290) This update also fixes the following bugs : * non-maskable interrupts (NMI) were not supported on systems with AMD processors. As a consequence, Windows Server 2008 R2 guests running with more than one virtual CPU assigned on systems with AMD processors would hang at the Windows shut down screen when a restart was attempted. This update adds support for NMI filtering on systems with AMD processors, allowing clean restarts of Windows Server 2008 R2 guests running with multiple virtual CPUs. (BZ#520694) * significant performance issues for guests running 64-bit editions of Windows. This update improves performance for guests running 64-bit editions of Windows. (BZ#521793) * Windows guests may have experienced time drift. (BZ#521794) * removing the Red Hat VirtIO Ethernet Adapter from a guest running Windows Server 2008 R2 caused KVM to crash. With this update, device removal should not cause this issue. (BZ#524557) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update takes effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67932
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67932
    title Oracle Linux 5 : kvm (ELSA-2009-1465)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1465.NASL
    description Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. The kvm_emulate_hypercall() implementation was missing a check for the Current Privilege Level (CPL). A local, unprivileged user in a virtual machine could use this flaw to cause a local denial of service or escalate their privileges within that virtual machine. (CVE-2009-3290) This update also fixes the following bugs : * non-maskable interrupts (NMI) were not supported on systems with AMD processors. As a consequence, Windows Server 2008 R2 guests running with more than one virtual CPU assigned on systems with AMD processors would hang at the Windows shut down screen when a restart was attempted. This update adds support for NMI filtering on systems with AMD processors, allowing clean restarts of Windows Server 2008 R2 guests running with multiple virtual CPUs. (BZ#520694) * significant performance issues for guests running 64-bit editions of Windows. This update improves performance for guests running 64-bit editions of Windows. (BZ#521793) * Windows guests may have experienced time drift. (BZ#521794) * removing the Red Hat VirtIO Ethernet Adapter from a guest running Windows Server 2008 R2 caused KVM to crash. With this update, device removal should not cause this issue. (BZ#524557) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update takes effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43796
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43796
    title CentOS 5 : kvm (CESA-2009:1465)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-10165.NASL
    description Update to kernel 2.6.27.35: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.31 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.32 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.33 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.34 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.35 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 41973
    published 2009-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41973
    title Fedora 10 : kernel-2.6.27.35-170.2.94.fc10 (2009-10165)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-289.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR). (CVE-2009-1895) Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size. (CVE-2009-2406) Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet. (CVE-2009-2407) The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a negative dentry and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount. (CVE-2009-2908) The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified random addresses. (CVE-2009-3290) Additionally, it includes the fixes from the stable kernel version 2.6.27.37. It also fixes IBM x3650 M2 hanging when using both network interfaces and Wake on Lan problems on r8169. For details, check the package changelog. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 42284
    published 2009-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42284
    title Mandriva Linux Security Advisory : kernel (MDVSA-2009:289)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-10639.NASL
    description Update to kernel 2.6.30.9. Upstream change logs: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.9 Also fixes : - Kernel stack randomization bug - NULL dereference in r128 driver - ftrace memory corruption on module unload - boot hanging on some systems - some latency problems caused by scheduler bugs Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 42271
    published 2009-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42271
    title Fedora 11 : kernel-2.6.30.9-90.fc11 (2009-10639)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1915.NASL
    description Notice: Debian 5.0.4, the next point release of Debian 'lenny', will include a new default value for the mmap_min_addr tunable. This change will add an additional safeguard against a class of security vulnerabilities known as 'NULL pointer dereference' vulnerabilities, but it will need to be overridden when using certain applications. Additional information about this change, including instructions for making this change locally in advance of 5.0.4 (recommended), can be found at: https://wiki.debian.org/mmap_min_addr. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-2695 Eric Paris provided several fixes to increase the protection provided by the mmap_min_addr tunable against NULL pointer dereference vulnerabilities. - CVE-2009-2903 Mark Smith discovered a memory leak in the appletalk implementation. When the appletalk and ipddp modules are loaded, but no ipddp'N' device is found, remote attackers can cause a denial of service by consuming large amounts of system memory. - CVE-2009-2908 Loic Minier discovered an issue in the eCryptfs filesystem. A local user can cause a denial of service (kernel oops) by causing a dentry value to go negative. - CVE-2009-2909 Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt() can result in a denial of service (kernel oops). - CVE-2009-2910 Jan Beulich discovered the existence of a sensitive kernel memory leak. Systems running the 'amd64' kernel do not properly sanitize registers for 32-bit processes. - CVE-2009-3001 Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue. - CVE-2009-3002 Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and Controller Area Network (CAN) implementations. Local users can exploit these issues to gain access to kernel memory. - CVE-2009-3286 Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users. - CVE-2009-3290 Jan Kiszka noticed that the kvm_emulate_hypercall function in KVM does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory. - CVE-2009-3613 Alistair Strachan reported an issue in the r8169 driver. Remote users can cause a denial of service (IOMMU space exhaustion and system crash) by transmitting a large amount of jumbo frames.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 44780
    published 2010-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44780
    title Debian DSA-1915-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-852-1.NASL
    description Solar Designer discovered that the z90crypt driver did not correctly check capabilities. A local attacker could exploit this to shut down the device, leading to a denial of service. Only affected Ubuntu 6.06. (CVE-2009-1883) Michael Buesch discovered that the SGI GRU driver did not correctly check the length when setting options. A local attacker could exploit this to write to the kernel stack, leading to root privilege escalation or a denial of service. Only affected Ubuntu 8.10 and 9.04. (CVE-2009-2584) It was discovered that SELinux did not fully implement the mmap_min_addr restrictions. A local attacker could exploit this to allocate the NULL memory page which could lead to further attacks against kernel NULL-dereference vulnerabilities. Ubuntu 6.06 was not affected. (CVE-2009-2695) Cagri Coltekin discovered that the UDP stack did not correctly handle certain flags. A local user could send specially crafted commands and traffic to gain root privileges or crash the system, leading to a denial of service. Only affected Ubuntu 6.06. (CVE-2009-2698) Hiroshi Shimamoto discovered that monotonic timers did not correctly validate parameters. A local user could make a specially crafted timer request to gain root privileges or crash the system, leading to a denial of service. Only affected Ubuntu 9.04. (CVE-2009-2767) Michael Buesch discovered that the HPPA ISA EEPROM driver did not correctly validate positions. A local user could make a specially crafted request to gain root privileges or crash the system, leading to a denial of service. (CVE-2009-2846) Ulrich Drepper discovered that kernel signal stacks were not being correctly padded on 64-bit systems. A local attacker could send specially crafted calls to expose 4 bytes of kernel stack memory, leading to a loss of privacy. (CVE-2009-2847) Jens Rosenboom discovered that the clone method did not correctly clear certain fields. A local attacker could exploit this to gain privileges or crash the system, leading to a denial of service. (CVE-2009-2848) It was discovered that the MD driver did not check certain sysfs files. A local attacker with write access to /sys could exploit this to cause a system crash, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-2849) Mark Smith discovered that the AppleTalk stack did not correctly manage memory. A remote attacker could send specially crafted traffic to cause the system to consume all available memory, leading to a denial of service. (CVE-2009-2903) Loic Minier discovered that eCryptfs did not correctly handle writing to certain deleted files. A local attacker could exploit this to gain root privileges or crash the system, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-2908) It was discovered that the LLC, AppleTalk, IR, EConet, Netrom, and ROSE network stacks did not correctly initialize their data structures. A local attacker could make specially crafted calls to read kernel memory, leading to a loss of privacy. (CVE-2009-3001, CVE-2009-3002) It was discovered that the randomization used for Address Space Layout Randomization was predictable within a small window of time. A local attacker could exploit this to leverage further attacks that require knowledge of userspace memory layouts. (CVE-2009-3238) Eric Paris discovered that NFSv4 did not correctly handle file creation failures. An attacker with write access to an NFSv4 share could exploit this to create files with arbitrary mode bits, leading to privilege escalation or a loss of privacy. (CVE-2009-3286) Bob Tracy discovered that the SCSI generic driver did not correctly use the right index for array access. A local attacker with write access to a CDR could exploit this to crash the system, leading to a denial of service. Only Ubuntu 9.04 was affected. (CVE-2009-3288) Jan Kiszka discovered that KVM did not correctly validate certain hypercalls. A local unprivileged attacker in a virtual guest could exploit this to crash the guest kernel, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-3290) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 42209
    published 2009-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42209
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerabilities (USN-852-1)
oval via4
accepted 2013-04-29T04:13:17.261-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified "random addresses."
family unix
id oval:org.mitre.oval:def:11328
status accepted
submitted 2010-07-09T03:56:16-04:00
title The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified "random addresses."
version 18
redhat via4
advisories
bugzilla
id 524557
title QEMU crash (during virtio-net WHQL tests for Win2008 R2)
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhsa:tst:20070055001
  • OR
    • AND
      • comment kmod-kvm is earlier than 0:83-105.el5_4.7
        oval oval:com.redhat.rhsa:tst:20091465004
      • comment kmod-kvm is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20091465005
    • AND
      • comment kvm is earlier than 0:83-105.el5_4.7
        oval oval:com.redhat.rhsa:tst:20091465002
      • comment kvm is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20091465003
    • AND
      • comment kvm-qemu-img is earlier than 0:83-105.el5_4.7
        oval oval:com.redhat.rhsa:tst:20091465006
      • comment kvm-qemu-img is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20091465007
    • AND
      • comment kvm-tools is earlier than 0:83-105.el5_4.7
        oval oval:com.redhat.rhsa:tst:20091465008
      • comment kvm-tools is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20091465009
rhsa
id RHSA-2009:1465
released 2009-09-29
severity Important
title RHSA-2009:1465: kvm security and bug fix update (Important)
rpms
  • kmod-kvm-0:83-105.el5_4.7
  • kvm-0:83-105.el5_4.7
  • kvm-qemu-img-0:83-105.el5_4.7
  • kvm-tools-0:83-105.el5_4.7
refmap via4
confirm
mlist
  • [oss-security] 20090918 CVE request: kernel: KVM: x86: Disallow hypercalls for guest callers in rings > 0
  • [oss-security] 20090921 Re: CVE request: kernel: KVM: x86: Disallow hypercalls for guest callers in rings > 0
  • [oss-security] 20090922 Re: CVE request: kernel: KVM: x86: Disallow hypercalls for guest callers in rings > 0
secunia 37105
ubuntu USN-852-1
statements via4
contributor Tomas Hoger
lastmodified 2009-09-22
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-3290 This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG as KVM (Kernel-based Virtual Machine) is only supported in Red Hat Enterprise Linux 5. A future kernel update in Red Hat Enterprise Linux 5 will address this flaw.
Last major update 19-03-2012 - 00:00
Published 22-09-2009 - 06:30
Last modified 18-09-2017 - 21:29