ID CVE-2012-2121
Summary The KVM implementation in the Linux kernel before 3.3.4 does not properly manage the relationships between memory slots and the iommu, which allows guest OS users to cause a denial of service (memory leak and host OS crash) by leveraging administrative access to the guest OS to conduct hotunplug and hotplug operations on devices.
References
Vulnerable Configurations
  • Linux Kernel 3.3.3
    cpe:2.3:o:linux:linux_kernel:3.3.3
CVSS
Base: 4.9 (as of 17-05-2012 - 13:46)
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C (CVSS v2, matching the Access and Impact fields below)
Impact: 6.9
Exploitability: 3.9
CWE CWE-264 (Permissions, Privileges, and Access Controls)
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker either to directly access an executable file, for example through shell access, or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems, which have many integration points, are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image or configuration file), the attacker has already modified that file either to execute malicious code directly or to steer the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, for example causing a buffer overrun by loading a seemingly benign image file, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, so when that file is manipulated the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    REST uses the standard HTTP methods (GET, PUT, DELETE) as a permissions model, but these are not necessarily correlated with what back-end programs actually do. A strict interpretation of HTTP GET means that GET services should not be used to delete information on the server, but no access-control mechanism backs up this logic. Unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program that updates orders in a database or other resource. The URL is not idempotent, so the attacker can submit the request multiple times; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker tries to leverage a bug in the running program to get arbitrary code executed with those elevated privileges. For instance, an attacker would look for programs that write to system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield a lot of power when they break. The malicious user tries to execute their code at the same level as a privileged system call.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: COMPLETE
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120521_KVM_ON_SL5_X.NASL
    description KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Scientific Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug : - An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61315
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61315
    title Scientific Linux Security Update : kvm on SL5.x x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2036-1.NASL
    description A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Multiple integer overflow flaws were discovered in the Alchemy LCD frame-buffer drivers in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges. (CVE-2013-4511). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 71203
    published 2013-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71203
    title Ubuntu 10.04 LTS : linux vulnerabilities (USN-2036-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1472-1.NASL
    description Andy Adamson discovered a flaw in the Linux kernel's NFSv4 implementation. A remote NFS server (attacker) could exploit this flaw to cause a denial of service. (CVE-2011-4131) A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Schacher Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133) Stephan Mueller reported a flaw in the Linux kernel's dl2k network driver's handling of ioctls. An unprivileged local user could leverage this flaw to cause a denial of service. (CVE-2012-2313) Timo Warns reported multiple flaws in the Linux kernel's hfsplus filesystem. An unprivileged local user could exploit these flaws to gain root system privileges. (CVE-2012-2319) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of cliprect on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2383) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of buffer_count on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2384). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59476
    published 2012-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59476
    title Ubuntu 11.10 : linux vulnerabilities (USN-1472-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2012-0042.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix bug number for commit 'cciss: Update HPSA_BOUNDARY' (Joe Jin) [Orabug: 14681166] - cciss: Update HPSA_BOUNDARY. (Joe Jin) [Orabug: 14319765] - KVM: introduce kvm_for_each_memslot macro (Maxim Uvarov) [Bugdb: 13966] - dl2k: Clean up rio_ioctl (Jeff Mahoney) [Orabug: 14126896] (CVE-2012-2313) - NFSv4: include bitmap in nfsv4 get acl data (Andy Adamson) (CVE-2011-4131) - KVM: Fix buffer overflow in kvm_set_irq (Avi Kivity) [Bugdb: 13966] (CVE-2012-2137) - net: sock: validate data_len before allocating skb in sock_alloc_send_pskb (Jason Wang) [Bugdb: 13966] (CVE-2012-2136) - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition (Andrea Arcangeli) [Bugdb: 13966] (CVE-2012-2373) - KVM: lock slots_lock around device assignment (Alex Williamson) [Bugdb: 13966] (CVE-2012-2121) - KVM: unmap pages from the iommu when slots are removed (Maxim Uvarov) [Bugdb: 13966] (CVE-2012-2121) - fcaps: clear the same personality flags as suid when fcaps are used (Eric Paris) [Bugdb: 13966] (CVE-2012-2123) - tilegx: enable SYSCALL_WRAPPERS support (Chris Metcalf) (CVE-2009-0029) - drm/i915: fix integer overflow in i915_gem_do_execbuffer (Xi Wang) [Orabug: 14107456] (CVE-2012-2384) - drm/i915: fix integer overflow in i915_gem_execbuffer2 (Xi Wang) [Orabug: 14107445] (CVE-2012-2383) - [dm] do not forward ioctls from logical volumes to the underlying device (Joe Jin) (CVE-2011-4127) - [block] fail SCSI passthrough ioctls on partition devices (Joe Jin) (CVE-2011-4127) - [block] add and use scsi_blk_cmd_ioctl (Joe Jin) [Orabug: 14056755] (CVE-2011-4127) - KVM: Ensure all vcpus are consistent with in-kernel irqchip settings (Avi Kivity) [Bugdb: 13871] (CVE-2012-1601) - regset: Return -EFAULT, not -EIO, on host-side memory fault (H. Peter Anvin) (CVE-2012-1097) - regset: Prevent null pointer reference on readonly regsets (H. Peter Anvin) (CVE-2012-1097) - cifs: fix dentry refcount leak when opening a FIFO on lookup (Jeff Layton) (CVE-2012-1090) - mm: thp: fix pmd_bad triggering in code paths holding mmap_sem read mode (Andrea Arcangeli) (CVE-2012-1179) - ext4: fix undefined behavior in ext4_fill_flex_info (Xi Wang) (CVE-2009-4307) - ocfs2: clear unaligned io flag when dio fails (Junxiao Bi) [Orabug: 14063941] - aio: make kiocb->private NUll in init_sync_kiocb (Junxiao Bi) [Orabug: 14063941] - igb: Fix for Alt MAC Address feature on 82580 and later devices (Carolyn Wyborny) [Orabug: 14258706] - igb: Alternate MAC Address Updates for Func2&3 (Akeem G. Abodunrin) [Orabug: 14258706] - igb: Alternate MAC Address EEPROM Updates (Akeem G. Abodunrin) [Orabug: 14258706] - cciss: only enable cciss_allow_hpsa when for ol5 (Joe Jin) [Orabug: 14106006] - Revert 'cciss: remove controllers supported by hpsa' (Joe Jin) [Orabug: 14106006] - [scsi] hpsa: add all support devices for ol5 (Joe Jin) [Orabug: 14106006] - Disable VLAN 0 tagging for none VLAN traffic (Adnan Misherfi) [Orabug: 14406424] - x86: Add Xen kexec control code size check to linker script (Daniel Kiper) - drivers/xen: Export vmcoreinfo through sysfs (Daniel Kiper) - x86/xen/enlighten: Add init and crash kexec/kdump hooks (Maxim Uvarov) - x86/xen: Add kexec/kdump makefile rules (Daniel Kiper) - x86/xen: Add x86_64 kexec/kdump implementation (Daniel Kiper) - x86/xen: Add placeholder for i386 kexec/kdump implementation (Daniel Kiper) - x86/xen: Register resources required by kexec-tools (Daniel Kiper) - x86/xen: Introduce architecture dependent data for kexec/kdump (Daniel Kiper) - xen: Introduce architecture independent data for kexec/kdump (Daniel Kiper) - x86/kexec: Add extra pointers to transition page table PGD, PUD, PMD and PTE (Daniel Kiper) - kexec: introduce kexec_ops struct (Daniel Kiper) - SPEC: replace DEFAULTKERNEL from kernel-ovs to kernel-uek
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 79484
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79484
    title OracleVM 3.1 : kernel-uek (OVMSA-2012-0042)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0676.NASL
    description Updated kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug : * An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. (BZ#816207) All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 64037
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64037
    title RHEL 5 : kvm (RHSA-2012:0676)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1470-1.NASL
    description Andy Adamson discovered a flaw in the Linux kernel's NFSv4 implementation. A remote NFS server (attacker) could exploit this flaw to cause a denial of service. (CVE-2011-4131) A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For applications on which fscaps are in use, a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123) Schacher Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59474
    published 2012-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59474
    title Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1470-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0743.NASL
    description From Red Hat Security Advisory 2012:0743 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) * When a set user ID (setuid) application is executed, certain personality flags for controlling the application's behavior are cleared (that is, a privileged application will not be affected by those flags). It was found that those flags were not cleared if the application was made privileged via file system capabilities. A local, unprivileged user could use this flaw to change the behavior of such applications, allowing them to bypass intended restrictions. Note that for default installations, no application shipped by Red Hat for Red Hat Enterprise Linux is made privileged via file system capabilities. (CVE-2012-2123, Important) * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-2136, Important) * A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. (CVE-2012-2137, Important) * A race condition was found in the Linux kernel's memory management subsystem in the way pmd_none_or_clear_bad(), when called with mmap_sem in read mode, and Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest with the ballooning functionality enabled could potentially use this flaw to crash the host. A local, unprivileged user could use this flaw to crash the system. (CVE-2012-1179, Moderate) * A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121, Moderate) * A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372, Moderate) * A race condition was found in the Linux kernel's memory management subsystem in the way pmd_populate() and pte_offset_map_lock() interacted on 32-bit x86 systems with more than 4GB of RAM. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2373, Moderate) Red Hat would like to thank Chen Haogang for reporting CVE-2012-0044. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68544
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68544
    title Oracle Linux 6 : kernel (ELSA-2012-0743)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120618_KERNEL_ON_SL6_X.NASL
    description The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) - A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) - When a set user ID (setuid) application is executed, certain personality flags for controlling the application's behavior are cleared (that is, a privileged application will not be affected by those flags). It was found that those flags were not cleared if the application was made privileged via file system capabilities. A local, unprivileged user could use this flaw to change the behavior of such applications, allowing them to bypass intended restrictions. Note that for default installations, no application shipped by us for Scientific Linux is made privileged via file system capabilities. (CVE-2012-2123, Important) - It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-2136, Important) - A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. (CVE-2012-2137, Important) - A race condition was found in the Linux kernel's memory management subsystem in the way pmd_none_or_clear_bad(), when called with mmap_sem in read mode, and Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest with the ballooning functionality enabled could potentially use this flaw to crash the host. A local, unprivileged user could use this flaw to crash the system. (CVE-2012-1179, Moderate) - A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121, Moderate) - A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372, Moderate) - A race condition was found in the Linux kernel's memory management subsystem in the way pmd_populate() and pte_offset_map_lock() interacted on 32-bit x86 systems with more than 4GB of RAM. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2373, Moderate) This update also fixes several bugs. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61331
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61331
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1476-1.NASL
    description Andy Adamson discovered a flaw in the Linux kernel's NFSv4 implementation. A remote NFS server (attacker) could exploit this flaw to cause a denial of service. (CVE-2011-4131) A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Schacher Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133) Stephan Mueller reported a flaw in the Linux kernel's dl2k network driver's handling of ioctls. An unprivileged local user could leverage this flaw to cause a denial of service. (CVE-2012-2313) Timo Warns reported multiple flaws in the Linux kernel's hfsplus filesystem. An unprivileged local user could exploit these flaws to gain root system privileges. (CVE-2012-2319) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of cliprect on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2383) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of buffer_count on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2384)
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 59553
    published 2012-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59553
    title USN-1476-1 : linux-ti-omap4 vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-0676.NASL
    description Updated kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug : * An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. (BZ#816207) All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 59212
    published 2012-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59212
    title CentOS 5 : kvm (CESA-2012:0676)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1457-1.NASL
    description Andy Adamson discovered a flaw in the Linux kernel's NFSv4 implementation. A remote NFS server (attacker) could exploit this flaw to cause a denial of service. (CVE-2011-4131) A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase the permissions of a process. For applications on which fscaps are in use, a local attacker can disable address space randomization to make attacking the process with raised privileges easier. (CVE-2012-2123) Schacher Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59321
    published 2012-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59321
    title Ubuntu 11.04 : linux vulnerabilities (USN-1457-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-2020.NASL
    description Description of changes: * CVE-2012-2123: Privilege escalation when assigning permissions using fcaps. If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes. * CVE-2012-2121: Memory leak in KVM device assignment. KVM uses memory slots to track and map guest regions of memory. When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu. The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu. * Memory corruption in KVM device assignment slot handling. A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption. * CVE-2012-2136: Privilege escalation in TUN/TAP virtual device. The length of packet fragments to be sent wasn't validated before use, leading to heap overflow. A user having access to TUN/TAP virtual device could use this flaw to crash the system or to potentially escalate their privileges. * CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler. A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. * CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service. CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem. In some cases, the hugepage subsystem would allocate new PMDs when not expected by the memory management subsystem. 
A privileged user in the KVM guest can use this flaw to crash the host, an unprivileged local user could use this flaw to crash the system. CVE-2012-2373: Denial of service in PAE page tables. On a PAE system, a non-atomic load could be corrupted by a page fault resulting in a kernel crash, triggerable by an unprivileged user. * Regression in handling of bind() with AF_UNSPEC family sockets. Legacy applications used to bind() with AF_UNSPEC instead of AF_INET. Allow them to continue doing so, but verify that the address is indeed INADDR_ANY. kernel-uek: [2.6.32-300.27.1.el6uek] - net: sock: validate data_len before allocating skb (Jason Wang) [Bugdb: 13966]{CVE-2012-2136} - fcaps: clear the same personality flags as suid when fcaps are used (Eric Paris) [Bugdb: 13966] {CVE-2012-2123} - Revert 'nfs: when attempting to open a directory, fall back on normal lookup (Todd Vierling) [Orabug 14141154] [2.6.32-300.26.1.el6uek] - mptsas: do not call __mptsas_probe in kthread (Maxim Uvarov) [Orabug: 14175509] - mm: check if any page in a pageblock is reserved before marking it MIGRATE_RESERVE (Maxim Uvarov) [Orabug: 14073214] - mm: reduce the amount of work done when updating min_free_kbytes (Mel Gorman) [Orabug: 14073214] - vmxnet3: Updated to el6-u2 (Guangyu Sun) [Orabug: 14027961] - xen: expose host uuid via sysfs. (Zhigang Wang) - sched: Fix cgroup movement of waking process (Daisuke Nishimura) [Orabug: 13946210] - sched: Fix cgroup movement of newly created process (Daisuke Nishimura) [Orabug: 13946210] - sched: Fix cgroup movement of forking process (Daisuke Nishimura) [Orabug: 13946210] - x86, boot: Wait for boot cpu to show up if nr_cpus limit is about to hit (Zhenzhong Duan) [Orabug: 13629087] - smp: Use nr_cpus= to set nr_cpu_ids early (Zhenzhong Duan) [Orabug: 13629087] - net: ipv4: relax AF_INET check in bind() (Maxim Uvarov) [Orabug: 14054411] ofa-2.6.32-300.27.1.el6uek: [1.5.1-4.0.58] - Add Patch 158-169
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68675
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68675
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2020)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1471-1.NASL
    description Andy Adamson discovered a flaw in the Linux kernel's NFSv4 implementation. A remote NFS server (attacker) could exploit this flaw to cause a denial of service. (CVE-2011-4131) A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Schacher Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133) Stephan Mueller reported a flaw in the Linux kernel's dl2k network driver's handling of ioctls. An unprivileged local user could leverage this flaw to cause a denial of service. (CVE-2012-2313) Timo Warns reported multiple flaws in the Linux kernel's hfsplus filesystem. An unprivileged local user could exploit these flaws to gain root system privileges. (CVE-2012-2319) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of cliprect on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2383) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of buffer_count on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2384). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59475
    published 2012-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59475
    title Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1471-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1473-1.NASL
    description A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Schacher Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133) Stephan Mueller reported a flaw in the Linux kernel's dl2k network driver's handling of ioctls. An unprivileged local user could leverage this flaw to cause a denial of service. (CVE-2012-2313) Timo Warns reported multiple flaws in the Linux kernel's hfsplus filesystem. An unprivileged local user could exploit these flaws to gain root system privileges. (CVE-2012-2319) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of cliprect on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2383) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of buffer_count on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2384). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 59495
    published 2012-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59495
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-1473-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-0743.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) * When a set user ID (setuid) application is executed, certain personality flags for controlling the application's behavior are cleared (that is, a privileged application will not be affected by those flags). It was found that those flags were not cleared if the application was made privileged via file system capabilities. A local, unprivileged user could use this flaw to change the behavior of such applications, allowing them to bypass intended restrictions. Note that for default installations, no application shipped by Red Hat for Red Hat Enterprise Linux is made privileged via file system capabilities. 
(CVE-2012-2123, Important) * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-2136, Important) * A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. (CVE-2012-2137, Important) * A race condition was found in the Linux kernel's memory management subsystem in the way pmd_none_or_clear_bad(), when called with mmap_sem in read mode, and Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest with the ballooning functionality enabled could potentially use this flaw to crash the host. A local, unprivileged user could use this flaw to crash the system. (CVE-2012-1179, Moderate) * A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121, Moderate) * A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372, Moderate) * A race condition was found in the Linux kernel's memory management subsystem in the way pmd_populate() and pte_offset_map_lock() interacted on 32-bit x86 systems with more than 4GB of RAM. A local, unprivileged user could use this flaw to cause a denial of service. 
(CVE-2012-2373, Moderate) Red Hat would like to thank Chen Haogang for reporting CVE-2012-0044. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 59609
    published 2012-06-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59609
    title CentOS 6 : kernel (CESA-2012:0743)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-6386.NASL
    description Fixes CVEs : CVE-2012-2123 CVE-2012-2121 CVE-2012-2119 Also fixes a boot regression on some Dell machines. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 58862
    published 2012-04-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58862
    title Fedora 16 : kernel-3.3.2-6.fc16 (2012-6386)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-2021.NASL
    description Description of changes: * CVE-2012-2123: Privilege escalation when assigning permissions using fcaps. If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes. * CVE-2012-2121: Memory leak in KVM device assignment. KVM uses memory slots to track and map guest regions of memory. When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu. The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu. * Memory corruption in KVM device assignment slot handling. A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption. * CVE-2012-2136: Privilege escalation in TUN/TAP virtual device. The length of packet fragments to be sent wasn't validated before use, leading to heap overflow. A user having access to TUN/TAP virtual device could use this flaw to crash the system or to potentially escalate their privileges. * CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler. A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. * CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service. CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem. In some cases, the hugepage subsystem would allocate new PMDs when not expected by the memory management subsystem. 
A privileged user in the KVM guest can use this flaw to crash the host, an unprivileged local user could use this flaw to crash the system. CVE-2012-2373: Denial of service in PAE page tables. On a PAE system, a non-atomic load could be corrupted by a page fault resulting in a kernel crash, triggerable by an unprivileged user. * Regression in handling of bind() with AF_UNSPEC family sockets. Legacy applications used to bind() with AF_UNSPEC instead of AF_INET. Allow them to continue doing so, but verify that the address is indeed INADDR_ANY. [2.6.39-100.10.1.el6uek] - thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE (Andrea Arcangeli) [Orabug: 14217003] [2.6.39-100.9.1.el6uek] - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition (Andrea Arcangeli) [Bugdb: 13966] {CVE-2012-2373} - mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode (Andrea Arcangeli) {CVE-2012-1179} - KVM: Fix buffer overflow in kvm_set_irq() (Avi Kivity) [Bugdb: 13966] {CVE-2012-2137} - net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (Jason Wang) [Bugdb: 13966] {CVE-2012-2136} - KVM: lock slots_lock around device assignment (Alex Williamson) [Bugdb: 13966] {CVE-2012-2121} - KVM: unmap pages from the iommu when slots are removed (Alex Williamson) [Bugdb: 13966] {CVE-2012-2121} - KVM: introduce kvm_for_each_memslot macro (Xiao Guangrong) [Bugdb: 13966] - fcaps: clear the same personality flags as suid when fcaps are used (Eric Paris) [Bugdb: 13966] {CVE-2012-2123} [2.6.39-100.8.1.el6uek] - net: ipv4: relax AF_INET check in bind() (Eric Dumazet) [Orabug: 14054411]
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68676
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68676
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2021)
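The two Oracle entries above (ELSA-2012-2020 and ELSA-2012-2021) give the clearest statement of the mechanism: with device assignment active, the host pages behind every KVM memory slot are pinned and mapped into the IOMMU, and before the fix a slot could be destroyed without those pages being unpinned or unmapped. The following is an added user-space model written for this page to make that lifecycle concrete; it is not kernel code from Linux, Oracle or Red Hat. The structures, sizes, host page ids and function names are assumptions, and the "skip a gfn that is already mapped" rule in the map path is modelled on the upstream behaviour but is an assumption here as well. The model has two observable consequences of the missing unmap: pinned host pages accumulate across hotunplug/hotplug cycles, and a slot re-created at the same guest address still translates to the old backing pages.

```c
/* Added illustration for CVE-2012-2121: a user-space model of KVM memslot
 * pinning/IOMMU mapping. Not kernel code; every size and id is an assumption. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS  8
#define MAX_GFN    256   /* assumed guest-physical space, in pages */
#define SLOT_PAGES 16    /* assumed size of each hotplugged region */

struct memslot {
    unsigned long base_gfn;   /* first guest frame number of the slot */
    unsigned long npages;
    unsigned long host_page;  /* id of the first host page backing the slot */
    bool in_use;
};

struct host {
    struct memslot slots[MAX_SLOTS];
    unsigned long iommu[MAX_GFN]; /* gfn -> host page id; 0 means unmapped */
    unsigned long pinned;         /* host pages currently pinned for DMA */
    bool assignment_active;       /* an assigned device needs IOMMU mappings */
};

static void host_init(struct host *h)
{
    memset(h, 0, sizeof *h);
    h->assignment_active = true;
}

/* Role of kvm_iommu_map_pages(): pin each page of the slot and map it for
 * device DMA. A gfn that already has a mapping is skipped (assumed, mirrors
 * upstream), which is what turns a missing unmap into a stale mapping. */
static void iommu_map_slot(struct host *h, const struct memslot *s)
{
    for (unsigned long i = 0; i < s->npages; i++) {
        unsigned long gfn = s->base_gfn + i;
        if (h->iommu[gfn])
            continue;
        h->iommu[gfn] = s->host_page + i;
        h->pinned++;
    }
}

/* Role of kvm_iommu_unmap_pages(): remove the mapping and drop the pin. */
static void iommu_unmap_slot(struct host *h, const struct memslot *s)
{
    for (unsigned long i = 0; i < s->npages; i++) {
        unsigned long gfn = s->base_gfn + i;
        if (!h->iommu[gfn])
            continue;
        h->iommu[gfn] = 0;
        h->pinned--;
    }
}

static int slot_add(struct host *h, unsigned long base_gfn,
                    unsigned long npages, unsigned long host_page)
{
    if (base_gfn + npages > MAX_GFN)
        return -1;
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (h->slots[i].in_use)
            continue;
        h->slots[i] = (struct memslot){ base_gfn, npages, host_page, true };
        if (h->assignment_active)
            iommu_map_slot(h, &h->slots[i]);
        return i;
    }
    return -1;
}

/* Pre-fix behaviour: the descriptor goes away, the pins and IOMMU entries stay. */
static void slot_remove_vulnerable(struct host *h, int idx)
{
    h->slots[idx].in_use = false;
}

/* Post-fix behaviour ("unmap pages from the iommu when slots are removed"). */
static void slot_remove_fixed(struct host *h, int idx)
{
    if (h->assignment_active)
        iommu_unmap_slot(h, &h->slots[idx]);
    h->slots[idx].in_use = false;
}

/* Hotplug and hotunplug 'cycles' regions at distinct guest addresses, then
 * report how many host pages are still pinned once every slot is gone. */
unsigned long pinned_after_cycles(int cycles, bool fixed)
{
    struct host h;
    host_init(&h);
    for (int c = 0; c < cycles; c++) {
        int idx = slot_add(&h, (unsigned long)c * SLOT_PAGES, SLOT_PAGES,
                           1000 + (unsigned long)c * SLOT_PAGES);
        if (idx < 0)
            break;
        if (fixed)
            slot_remove_fixed(&h, idx);
        else
            slot_remove_vulnerable(&h, idx);
    }
    return h.pinned;
}

/* Re-create a slot at the same guest address with different backing pages and
 * return the host page the IOMMU translates its first gfn to. */
unsigned long iommu_target_after_readd(bool fixed)
{
    struct host h;
    host_init(&h);
    int idx = slot_add(&h, 32, 4, 1000);
    if (fixed)
        slot_remove_fixed(&h, idx);
    else
        slot_remove_vulnerable(&h, idx);
    slot_add(&h, 32, 4, 2000);
    return h.iommu[32];
}

int main(void)
{
    printf("pinned after 4 cycles: vulnerable=%lu fixed=%lu\n",
           pinned_after_cycles(4, false), pinned_after_cycles(4, true));
    printf("IOMMU target after re-add: vulnerable=%lu fixed=%lu\n",
           iommu_target_after_readd(false), iommu_target_after_readd(true));
    return 0;
}
```

The patch list in ELSA-2012-2021 shows the fix is two commits, not one: "unmap pages from the iommu when slots are removed" is the unmap-on-removal step modelled by slot_remove_fixed() above, and "lock slots_lock around device assignment" closes the separate race the entry describes as memory corruption from unmapping slots without a lock. The model is single-threaded and does not cover that race; it only shows why the ordering (unmap, then drop the slot) matters.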
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2668.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2012-2121 Benjamin Herrenschmidt and Jason Baron discovered issues with the IOMMU mapping of memory slots used in KVM device assignment. Local users with the ability to assign devices could cause a denial of service due to a memory page leak. - CVE-2012-3552 Hafid Lin reported an issue in the IP networking subsystem. A remote user can cause a denial of service (system crash) on servers running applications that set options on sockets which are actively being processed. - CVE-2012-4461 Jon Howell reported a denial of service issue in the KVM subsystem. On systems that do not support the XSAVE feature, local users with access to the /dev/kvm interface can cause a system crash. - CVE-2012-4508 Dmitry Monakhov and Theodore Ts'o reported a race condition in the ext4 filesystem. Local users could gain access to sensitive kernel memory. - CVE-2012-6537 Mathias Krause discovered information leak issues in the Transformation user configuration interface. Local users with the CAP_NET_ADMIN capability can gain access to sensitive kernel memory. - CVE-2012-6539 Mathias Krause discovered an issue in the networking subsystem. Local users on 64-bit systems can gain access to sensitive kernel memory. - CVE-2012-6540 Mathias Krause discovered an issue in the Linux virtual server subsystem. Local users can gain access to sensitive kernel memory. Note: this issue does not affect Debian provided kernels, but may affect custom kernels built from Debian's linux-source-2.6.32 package. - CVE-2012-6542 Mathias Krause discovered an issue in the LLC protocol support code. Local users can gain access to sensitive kernel memory. - CVE-2012-6544 Mathias Krause discovered issues in the Bluetooth subsystem. 
Local users can gain access to sensitive kernel memory. - CVE-2012-6545 Mathias Krause discovered issues in the Bluetooth RFCOMM protocol support. Local users can gain access to sensitive kernel memory. - CVE-2012-6546 Mathias Krause discovered issues in the ATM networking support. Local users can gain access to sensitive kernel memory. - CVE-2012-6548 Mathias Krause discovered an issue in the UDF file system support. Local users can obtain access to sensitive kernel memory. - CVE-2012-6549 Mathias Krause discovered an issue in the isofs file system support. Local users can obtain access to sensitive kernel memory. - CVE-2013-0349 Anderson Lizardo discovered an issue in the Bluetooth Human Interface Device Protocol (HIDP) stack. Local users can obtain access to sensitive kernel memory. - CVE-2013-0914 Emese Revfy discovered an issue in the signal implementation. Local users may be able to bypass the address space layout randomization (ASLR) facility due to a leaking of information to child processes. - CVE-2013-1767 Greg Thelen reported an issue in the tmpfs virtual memory filesystem. Local users with sufficient privilege to mount filesystems can cause a denial of service or possibly elevated privileges due to a use-after-free defect. - CVE-2013-1773 Alan Stern provided a fix for a defect in the UTF8->UTF16 string conversion facility used by the VFAT filesystem. A local user could cause a buffer overflow condition, resulting in a denial of service or potentially elevated privileges. - CVE-2013-1774 Wolfgang Frisch provided a fix for a NULL pointer dereference defect in the driver for some serial USB devices from Inside Out Networks. Local users with permission to access these devices can create a denial of service (kernel oops) by causing the device to be removed while it is in use. - CVE-2013-1792 Mateusz Guzik of Red Hat EMEA GSS SEG Team discovered a race condition in the access key retention support in the kernel. 
A local user could cause a denial of service (NULL pointer dereference). - CVE-2013-1796 Andrew Honig of Google reported an issue in the KVM subsystem. A user in a guest operating system could corrupt kernel memory, resulting in a denial of service. - CVE-2013-1798 Andrew Honig of Google reported an issue in the KVM subsystem. A user in a guest operating system could cause a denial of service due to a use-after-free defect. - CVE-2013-1826 Mathias Krause discovered an issue in the Transformation (XFRM) user configuration interface of the networking stack. A user with the CAP_NET_ADMIN capability may be able to gain elevated privileges. - CVE-2013-1860 Oliver Neukum discovered an issue in the USB CDC WCM Device Management driver. Local users with the ability to attach devices can cause a denial of service (kernel crash) or potentially gain elevated privileges. - CVE-2013-1928 Kees Cook provided a fix for an information leak in the VIDEO_SET_SPU_PALETTE ioctl for 32-bit applications running on a 64-bit kernel. Local users can gain access to sensitive kernel memory. - CVE-2013-1929 Oded Horovitz and Brad Spengler reported an issue in the device driver for Broadcom Tigon3 based gigabit Ethernet. Users with the ability to attach untrusted devices can create an overflow condition, resulting in a denial of service or elevated privileges. - CVE-2013-2015 Theodore Ts'o provided a fix for an issue in the ext4 filesystem. Local users with the ability to mount a specially crafted filesystem can cause a denial of service (infinite loop). - CVE-2013-2634 Mathias Krause discovered a few issues in the Data Center Bridging (DCB) netlink interface. Local users can gain access to sensitive kernel memory. - CVE-2013-3222 Mathias Krause discovered an issue in the Asynchronous Transfer Mode (ATM) protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3223 Mathias Krause discovered an issue in the Amateur Radio AX.25 protocol support. 
Local users can gain access to sensitive kernel memory. - CVE-2013-3224 Mathias Krause discovered an issue in the Bluetooth subsystem. Local users can gain access to sensitive kernel memory. - CVE-2013-3225 Mathias Krause discovered an issue in the Bluetooth RFCOMM protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3228 Mathias Krause discovered an issue in the IrDA (infrared) subsystem support. Local users can gain access to sensitive kernel memory. - CVE-2013-3229 Mathias Krause discovered an issue in the IUCV support on s390 systems. Local users can gain access to sensitive kernel memory. - CVE-2013-3231 Mathias Krause discovered an issue in the ANSI/IEEE 802.2 LLC type 2 protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3234 Mathias Krause discovered an issue in the Amateur Radio X.25 PLP (Rose) protocol support. Local users can gain access to sensitive kernel memory. - CVE-2013-3235 Mathias Krause discovered an issue in the Transparent Inter Process Communication (TIPC) protocol support. Local users can gain access to sensitive kernel memory.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 66431
    published 2013-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66431
    title Debian DSA-2668-1 : linux-2.6 - privilege escalation/denial of service/information leak
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1577-1.NASL
    description A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Ben Hutchings reported a flaw in the Linux kernel with some network drivers that support TSO (TCP segment offload). A local or peer user could exploit this flaw to cause a denial of service. (CVE-2012-3412) Jay Fenlason and Doug Ledford discovered a bug in the Linux kernel implementation of RDS sockets. A local unprivileged user could potentially use this flaw to read privileged information from the kernel. (CVE-2012-3430) A flaw was discovered in the madvise feature of the Linux kernel's memory subsystem. An unprivileged local user could exploit the flaw to cause a denial of service (crash the system). (CVE-2012-3511)
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 62238
    published 2012-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62238
    title USN-1577-1 : linux-ti-omap4 vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2037-1.NASL
    description A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Multiple integer overflow flaws were discovered in the Alchemy LCD frame-buffer drivers in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges. (CVE-2013-4511). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 71204
    published 2013-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71204
    title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-2037-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0676.NASL
    description From Red Hat Security Advisory 2012:0676 : Updated kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. (CVE-2012-1601) A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121) This update also fixes the following bug : * An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver. (BZ#816207) All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68527
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68527
    title Oracle Linux 5 : kvm (ELSA-2012-0676)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0743.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues:
    * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important)
    * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important)
    * When a set user ID (setuid) application is executed, certain personality flags for controlling the application's behavior are cleared (that is, a privileged application will not be affected by those flags). It was found that those flags were not cleared if the application was made privileged via file system capabilities. A local, unprivileged user could use this flaw to change the behavior of such applications, allowing them to bypass intended restrictions. Note that for default installations, no application shipped by Red Hat for Red Hat Enterprise Linux is made privileged via file system capabilities. (CVE-2012-2123, Important)
    * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-2136, Important)
    * A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. (CVE-2012-2137, Important)
    * A race condition was found in the Linux kernel's memory management subsystem in the way pmd_none_or_clear_bad(), when called with mmap_sem in read mode, and Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest with the ballooning functionality enabled could potentially use this flaw to crash the host. A local, unprivileged user could use this flaw to crash the system. (CVE-2012-1179, Moderate)
    * A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host. (CVE-2012-2121, Moderate)
    * A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372, Moderate)
    * A race condition was found in the Linux kernel's memory management subsystem in the way pmd_populate() and pte_offset_map_lock() interacted on 32-bit x86 systems with more than 4GB of RAM. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2373, Moderate)
    Red Hat would like to thank Chen Haogang for reporting CVE-2012-0044. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 59562
    published 2012-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59562
    title RHEL 6 : kernel (RHSA-2012:0743)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1474-1.NASL
    description A flaw was discovered in the Linux kernel's KVM (kernel virtual machine). An administrative user in the guest OS could leverage this flaw to cause a denial of service in the host OS. (CVE-2012-2121) Shachar Raindel discovered a flaw in the Linux kernel's memory handling when hugetlb is enabled. An unprivileged local attacker could exploit this flaw to cause a denial of service and potentially gain higher privileges. (CVE-2012-2133) Stephan Mueller reported a flaw in the Linux kernel's dl2k network driver's handling of ioctls. An unprivileged local user could leverage this flaw to cause a denial of service. (CVE-2012-2313) Timo Warns reported multiple flaws in the Linux kernel's hfsplus filesystem. An unprivileged local user could exploit these flaws to gain root system privileges. (CVE-2012-2319) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of cliprect on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2383) Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of buffer_count on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2384)
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 59496
    published 2012-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59496
    title USN-1474-1 : linux-ti-omap4 vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-6344.NASL
    description Fixes CVEs: CVE-2012-2119, CVE-2012-2123, CVE-2012-2121. Also fixes some fail to boot issues on various Dell machines. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 58836
    published 2012-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58836
    title Fedora 17 : kernel-3.3.2-8.fc17 (2012-6344)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-6406.NASL
    description Fixes CVEs: CVE-2012-2123, CVE-2012-2121, CVE-2012-2119. Also fixes a boot regression on some Dell machines. Linux 3.3.2. There was a regression at the DVB core, affecting applications that require the DVB status before having a lock. In order to allow a broader test (including my environment), all new patches from the upstream media tree up to Apr 10 got backported, plus the fix patches, in order to have, among other things, the az6007 and af9035 drivers backported. Various bugfixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-20
    plugin id 58881
    published 2012-04-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58881
    title Fedora 15 : kernel-2.6.43.2-6.fc15 (2012-6406)
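The RHSA and USN descriptions above characterise CVE-2012-2121 as device memory that is neither unmapped from the IOMMU nor released when an assigned device is removed from a guest, so that repeated hotunplug/hotplug cycles leak host memory until the host fails. The following C program is an added example written for this page, not kernel code: it models that bookkeeping pattern in user space so the failure mode and the check for it can be seen on constructed data. pin_count[] stands for the reference taken on a host page when it is mapped for device DMA, iommu_table[] for the IOMMU translation table, and slot_remove_leaky() / slot_remove_fixed() are hypothetical names for a removal path that forgets to unmap versus one that unmaps first. All sizes and addresses are made up for the model.

```c
/* User-space model of the memslot/IOMMU bookkeeping bug class behind
 * CVE-2012-2121. Written for this page as an illustration; it is NOT
 * KVM code. pin_count[] models the host page refcount taken when a
 * page is mapped for DMA, iommu_table[] the IOMMU translation table. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define HOST_PAGES   65536   /* hypothetical host page pool */
#define GUEST_FRAMES 4096    /* hypothetical guest physical frames */

static unsigned pin_count[HOST_PAGES];
static unsigned iommu_table[GUEST_FRAMES]; /* host page + 1; 0 = unmapped */
static unsigned next_host_page;             /* fresh pages for each new slot */

struct memslot {
    unsigned base_gfn;      /* first guest frame covered by the slot */
    unsigned npages;
    unsigned *host_pages;   /* host page backing each guest frame */
    bool present;
};

static unsigned total_pinned(void)
{
    unsigned n = 0;
    for (unsigned i = 0; i < HOST_PAGES; i++) n += pin_count[i];
    return n;
}

/* Hotplug: the VMM backs the new slot with fresh host memory. */
static struct memslot slot_create(unsigned base_gfn, unsigned npages)
{
    struct memslot s = { base_gfn, npages, calloc(npages, sizeof(unsigned)), true };
    if (!s.host_pages) abort();
    for (unsigned i = 0; i < npages; i++)
        s.host_pages[i] = next_host_page++ % HOST_PAGES;
    return s;
}

/* Assign the slot to a passthrough device: pin every backing page (it
 * must not be reclaimed while the device can DMA into it) and install
 * the guest-frame -> host-page translation in the IOMMU. */
static void iommu_map_slot(const struct memslot *s)
{
    for (unsigned i = 0; i < s->npages; i++) {
        unsigned hp = s->host_pages[i];
        pin_count[hp]++;
        iommu_table[s->base_gfn + i] = hp + 1;
    }
}

/* Reverse of iommu_map_slot: drop the translation and release the pin. */
static void iommu_unmap_slot(const struct memslot *s)
{
    for (unsigned i = 0; i < s->npages; i++) {
        unsigned gfn = s->base_gfn + i;
        if (!iommu_table[gfn]) continue;
        pin_count[iommu_table[gfn] - 1]--;
        iommu_table[gfn] = 0;
    }
}

/* Leaky hotunplug: the slot's bookkeeping is freed, but the IOMMU
 * translations and the pins they hold are left behind. Once the next
 * hotplug overwrites the translation, nothing can ever unpin those
 * pages: each cycle leaks npages of host memory. */
void slot_remove_leaky(struct memslot *s)
{
    free(s->host_pages);
    s->present = false;
}

/* Fixed hotunplug: tear down the IOMMU mapping before the slot goes away. */
void slot_remove_fixed(struct memslot *s)
{
    iommu_unmap_slot(s);
    free(s->host_pages);
    s->present = false;
}

/* Regression check: hotplug/hotunplug a device `cycles` times at the same
 * guest address and report pinned pages that no live slot accounts for.
 * A correct removal path returns 0 regardless of the cycle count. */
unsigned leaked_pages_after_cycles(unsigned cycles, unsigned npages,
                                   void (*unplug)(struct memslot *))
{
    unsigned before = total_pinned();
    for (unsigned c = 0; c < cycles; c++) {
        struct memslot s = slot_create(0x100, npages);
        iommu_map_slot(&s);
        unplug(&s);
    }
    return total_pinned() - before;
}

int main(void)
{
    printf("leaky removal: %u pinned pages leaked after 10 cycles\n",
           leaked_pages_after_cycles(10, 16, slot_remove_leaky));
    printf("fixed removal: %u pinned pages leaked after 10 cycles\n",
           leaked_pages_after_cycles(10, 16, slot_remove_fixed));
    return 0;
}
```

leaked_pages_after_cycles() is the shape of the test a host operator wants after applying the fixed packages: cycle device assignment many times and confirm that pinned memory returns to its baseline instead of growing by the slot size per cycle. The model's only lesson is ordering: the IOMMU teardown must run before the slot's bookkeeping is discarded, because after that point nothing still knows which host pages were pinned on the slot's behalf.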
redhat via4
advisories
  • bugzilla
    id 814149
    title CVE-2012-2121 kvm: device assignment page leak
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment kmod-kvm is earlier than 0:83-249.el5_8.4
          oval oval:com.redhat.rhsa:tst:20120676010
        • comment kmod-kvm is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091465005
      • AND
        • comment kmod-kvm-debug is earlier than 0:83-249.el5_8.4
          oval oval:com.redhat.rhsa:tst:20120676008
        • comment kmod-kvm-debug is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20110028007
      • AND
        • comment kvm is earlier than 0:83-249.el5_8.4
          oval oval:com.redhat.rhsa:tst:20120676002
        • comment kvm is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091465003
      • AND
        • comment kvm-qemu-img is earlier than 0:83-249.el5_8.4
          oval oval:com.redhat.rhsa:tst:20120676004
        • comment kvm-qemu-img is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091465007
      • AND
        • comment kvm-tools is earlier than 0:83-249.el5_8.4
          oval oval:com.redhat.rhsa:tst:20120676006
        • comment kvm-tools is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091465009
    rhsa
    id RHSA-2012:0676
    released 2012-05-21
    severity Moderate
    title RHSA-2012:0676: kvm security and bug fix update (Moderate)
  • rhsa
    id RHSA-2012:0743
rpms
  • kmod-kvm-0:83-249.el5_8.4
  • kmod-kvm-debug-0:83-249.el5_8.4
  • kvm-0:83-249.el5_8.4
  • kvm-qemu-img-0:83-249.el5_8.4
  • kvm-tools-0:83-249.el5_8.4
  • kernel-0:2.6.32-220.23.1.el6
  • kernel-bootwrapper-0:2.6.32-220.23.1.el6
  • kernel-debug-0:2.6.32-220.23.1.el6
  • kernel-debug-devel-0:2.6.32-220.23.1.el6
  • kernel-devel-0:2.6.32-220.23.1.el6
  • kernel-doc-0:2.6.32-220.23.1.el6
  • kernel-firmware-0:2.6.32-220.23.1.el6
  • kernel-headers-0:2.6.32-220.23.1.el6
  • kernel-kdump-0:2.6.32-220.23.1.el6
  • kernel-kdump-devel-0:2.6.32-220.23.1.el6
  • perf-0:2.6.32-220.23.1.el6
  • python-perf-0:2.6.32-220.23.1.el6
refmap via4
confirm
mlist [oss-security] 20120419 Re: CVE request -- kernel: kvm: device assignment page leak
sectrack 1027083
secunia 50732
ubuntu
  • USN-1577-1
  • USN-2036-1
  • USN-2037-1
Last major update 13-01-2014 - 23:17
Published 17-05-2012 - 07:00
Last modified 04-01-2018 - 21:29