ID CVE-2016-3713
Summary The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call.
References
Vulnerable Configurations
  • Linux Kernel 4.6
    cpe:2.3:o:linux:linux_kernel:4.6
CVSS
Base: 5.6 (as of 27-06-2016 - 13:08)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE COMPLETE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2979-2.NASL
    description USN-2979-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host, expose sensitive information from the host, or possibly gain administrative privileges in the host. (CVE-2016-3713) Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0758). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91189
    published 2016-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91189
    title Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-2979-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2978-1.NASL
    description David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host, expose sensitive information from the host, or possibly gain administrative privileges in the host. (CVE-2016-3713) Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0758). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91185
    published 2016-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91185
    title Ubuntu 15.10 : linux vulnerabilities (USN-2978-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2978-2.NASL
    description USN-2978-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS. David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host, expose sensitive information from the host, or possibly gain administrative privileges in the host. (CVE-2016-3713) Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0758). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91186
    published 2016-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91186
    title Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-2978-2)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-F8739A80B0.NASL
    description The 4.5.5 stable update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92211
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92211
    title Fedora 24 : kernel (2016-f8739a80b0)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-2363B37A98.NASL
    description The 4.4.11 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92067
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92067
    title Fedora 22 : kernel (2016-2363b37a98)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4300.NASL
    description Description of changes: kernel-uek [3.8.13-118.28.1.el7uek] - udf: Check component length before reading it (Jan Kara) [Orabug: 21193696] {CVE-2014-9728} - udf: Verify i_size when loading inode (Shan Hai) [Orabug: 21193696] {CVE-2014-9728} - intel_pstate: Fix overflow in busy_scaled due to long delay (mridula shastry) [Orabug: 28005134] - scsi: libsas: defer ata device eh commands to libata (Jason Yan) [Orabug: 28459689] {CVE-2018-10021} - nfsd: silence sparse warning about accessing credentials (Jeff Layton) [Orabug: 28824742] {CVE-2017-13168} - scsi: sg: mitigate read/write abuse (Jann Horn) [Orabug: 28824742] {CVE-2017-13168} - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko) [Orabug: 28892683] {CVE-2018-1000204} - ALSA: rawmidi: Change resized buffers atomically (Takashi Iwai) [Orabug: 28898650] {CVE-2018-10902} - KVM: MTRR: remove MSR 0x2f8 (Andy Honig) [Orabug: 28901657] {CVE-2016-3713} {CVE-2016-3713} - cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929777] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710} - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) {CVE-2018-7755} {CVE-2018-7755} - crypto: salsa20 - fix blkcipher_walk API usage (Eric Biggers) [Orabug: 28976585] {CVE-2017-17805} - crypto: hmac - require that the underlying hash algorithm is unkeyed (Eric Biggers) [Orabug: 28976654] {CVE-2017-17806}
    last seen 2019-02-21
    modified 2018-12-10
    plugin id 119535
    published 2018-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119535
    title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4300)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1842-1.NASL
    description The remote Oracle Linux host is missing a security update for the kernel package(s).
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 102511
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102511
    title Oracle Linux 7 : kernel (ELSA-2017-1842-1) (Stack Clash)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-06F1572324.NASL
    description The 4.5.5 stable update contains a number of important fixes across the tree. ---- The 4.5.4 stable update contains a number of important fixes across the tree. ---- The 4.5.3 stable rebase contains enhanced hardware support, additional features, and a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 92055
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92055
    title Fedora 23 : kernel (2016-06f1572324)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2979-1.NASL
    description David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host, expose sensitive information from the host, or possibly gain administrative privileges in the host. (CVE-2016-3713) Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-0758). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91188
    published 2016-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91188
    title Ubuntu 16.04 LTS : linux vulnerabilities (USN-2979-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4301.NASL
    description Description of changes: [2.6.39-400.304.1.el6uek] - mnt: Prevent pivot_root from creating a loop in the mount tree (Eric W. Biederman) [Orabug: 26575709] {CVE-2014-7970} {CVE-2014-7970} - vfs: more mnt_parent cleanups (Al Viro) [Orabug: 26575709] {CVE-2014-7970} - vfs: new internal helper: mnt_has_parent(mnt) (Al Viro) [Orabug: 26575709] {CVE-2014-7970} - ALSA: seq: Fix racy pool initializations (Takashi Iwai) [Orabug: 28459730] {CVE-2018-7566} - xen-netback: calculate full_coalesce before the pre-estimation of ring buffer slots to consume (Dongli Zhang) [Orabug: 28818690] - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko) [Orabug: 28892695] {CVE-2018-1000204} - KVM: MTRR: remove MSR 0x2f8 (Andy Honig) [Orabug: 28901711] {CVE-2016-3713} {CVE-2016-3713} - cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929788] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710} - udf: Check component length before reading it (Jan Kara) [Orabug: 28941923] {CVE-2014-9728} - udf: Verify symlink size before loading it (Shan Hai) [Orabug: 28941923] {CVE-2014-9728} - udf: Verify i_size when loading inode (Shan Hai) [Orabug: 28941923] {CVE-2014-9728} - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) [Orabug: 28956549] {CVE-2018-7755} {CVE-2018-7755} - crypto: salsa20 - fix blkcipher_walk API usage (Eric Biggers) [Orabug: 28976586] {CVE-2017-17805} - crypto: hmac - require that the underlying hash algorithm is unkeyed (Eric Biggers) [Orabug: 28976655] {CVE-2017-17806}
    last seen 2019-02-21
    modified 2018-12-11
    plugin id 119567
    published 2018-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119567
    title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4301)
refmap via4
confirm
mlist [oss-security] 20160516 CVE-2016-3713 Linux kernel: kvm: OOB r/w access issue with MSR 0x2F8
Last major update 27-06-2016 - 13:57
Published 27-06-2016 - 06:59
Back to Top