Executive Summary

Summary
Title: New kvm packages fix several vulnerabilities
Information
Name: DSA-2010
First vendor Publication: 2010-03-10
Vendor: Debian
Last vendor Modification: 2010-03-10
Severity (Vendor): N/A
Revision: 1

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability SubScore: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Cvss Base Score: 6.8
Attack Range: Network
Cvss Impact Score: 6.9
Attack Complexity: Low
Cvss Exploit Score: 8
Authentication: Requires single instance

Detail

Several local vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-0298 & CVE-2010-0306

Gleb Natapov discovered issues in the KVM subsystem where missing permission checks (CPL/IOPL) permit a user in a guest system to cause a denial of service of the guest (system crash) or gain escalated privileges within the guest.

CVE-2010-0309

Marcelo Tosatti fixed an issue in the PIT emulation code in the KVM subsystem that allows privileged users in a guest domain to cause a denial of service (crash) of the host system.

CVE-2010-0419

Paolo Bonzini found a bug in KVM that can be used to bypass proper permission checking while loading segment selectors. This potentially allows privileged guest users to execute privileged instructions on the host system.

For the stable distribution (lenny), these problems have been fixed in version 72+dfsg-5~lenny5.

For the testing distribution (squeeze), and the unstable distribution (sid), these problems will be addressed within the linux-2.6 package.

We recommend that you upgrade your kvm package.

Original Source

Url : http://www.debian.org/security/2010/dsa-2010

CWE : Common Weakness Enumeration

% Id Name
75 % CWE-264 Permissions, Privileges, and Access Controls
25 % CWE-16 Configuration

OVAL Definitions

 
Oval ID: oval:org.mitre.oval:def:10139
Title: The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not properly restrict writing of segment selectors to segment registers, which might allow guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch.
Family: unix Class: vulnerability
Reference(s): CVE-2010-0419
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 
Oval ID: oval:org.mitre.oval:def:10953
Title: The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) to restrict instruction execution, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch, a related issue to CVE-2010-0298.
Family: unix Class: vulnerability
Reference(s): CVE-2010-0306
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 
Oval ID: oval:org.mitre.oval:def:11095
Title: The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file.
Family: unix Class: vulnerability
Reference(s): CVE-2010-0309
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 
Oval ID: oval:org.mitre.oval:def:11335
Title: The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.
Family: unix Class: vulnerability
Reference(s): CVE-2010-0298
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 
Oval ID: oval:org.mitre.oval:def:18623
Title: DSA-2010-1 kvm - several vulnerabilities
Description: Several local vulnerabilities have been discovered in kvm, a full virtualization system.
Family: unix Class: patch
Reference(s): DSA-2010-1
CVE-2010-0298
CVE-2010-0306
CVE-2010-0309
CVE-2010-0419
Version: 7
Platform(s): Debian GNU/Linux 5.0
Product(s): kvm
 
Oval ID: oval:org.mitre.oval:def:22115
Title: RHSA-2010:0126: kvm security and bug fix update (Important)
Description: The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not properly restrict writing of segment selectors to segment registers, which might allow guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch.
Family: unix Class: patch
Reference(s): RHSA-2010:0126-01
CESA-2010:0126
CVE-2009-3722
CVE-2010-0419
Version: 29
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): kvm
 
Oval ID: oval:org.mitre.oval:def:22169
Title: RHSA-2010:0088: kvm security and bug fix update (Important)
Description: The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file.
Family: unix Class: patch
Reference(s): RHSA-2010:0088-02
CESA-2010:0088
CVE-2010-0297
CVE-2010-0298
CVE-2010-0306
CVE-2010-0309
Version: 55
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): kvm
 
Oval ID: oval:org.mitre.oval:def:22934
Title: ELSA-2010:0088: kvm security and bug fix update (Important)
Description: The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file.
Family: unix Class: patch
Reference(s): ELSA-2010:0088-02
CVE-2010-0297
CVE-2010-0298
CVE-2010-0306
CVE-2010-0309
Version: 21
Platform(s): Oracle Linux 5
Product(s): kvm
 
Oval ID: oval:org.mitre.oval:def:23079
Title: ELSA-2010:0126: kvm security and bug fix update (Important)
Description: The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not properly restrict writing of segment selectors to segment registers, which might allow guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch.
Family: unix Class: patch
Reference(s): ELSA-2010:0126-01
CVE-2009-3722
CVE-2010-0419
Version: 13
Platform(s): Oracle Linux 5
Product(s): kvm
 
Oval ID: oval:org.mitre.oval:def:27791
Title: DEPRECATED: ELSA-2010-0126 -- kvm security and bug fix update (important)
Description:
[kvm-83-105.0.1.el5_4.27]
- Add kvm-add-oracle-workaround-for-libvirt-bug.patch
[kvm-83-105.el5_4.27]
- kvm-kernel-KVM-VMX-Check-cpl-before-emulating-debug-register-ac.patch [bz#563516]
- Resolves: bz#563516 (KVM: Check cpl before emulating debug register access [rhel-5.4.z])
[kvm-83-105.el5_4.26]
- kvm-kernel-KVM-Don-t-check-access-permission-when-loading-segme.patch [bz#563464]
- kvm-kernel-KVM-Disable-move-to-segment-registers-and-jump-far-i.patch [bz#563464]
- Resolves: bz#563464 (EMBARGOED CVE-2010-0419 kvm: emulator privilege escalation segment selector check [rhel-5.4.z])
[kvm-83-105.el5_4.25]
- kvm-virtio-blk-Fix-reads-turned-into-writes-after-read-e.patch [bz#562776]
- kvm-virtio-blk-Handle-bdrv_aio_read-write-NULL-return.patch [bz#562776]
- Resolves: bz#562776 (Guest image corruption after RHEV-H update to 5.4-2.1.3.el5_4rhev2_1)
[kvm-83-105.el5_4.24]
- Apply bz#561022 patches again (undo the reverts from kvm-83-105.el5_4.23)
- kvm-qemu-add-routines-for-atomic-16-bit-accesses-take-2.patch [bz#561022]
- kvm-qemu-virtio-atomic-access-for-index-values-take-2.patch [bz#561022]
- Resolves: bz#561022 (QEMU terminates without warning with virtio-net and SMP enabled)
[kvm-83-105.el5_4.23]
- Revert bz#561022 patches by now, until they get better testing
- kvm-Revert-qemu-virtio-atomic-access-for-index-values.patch [bz#561022]
- kvm-Revert-qemu-add-routines-for-atomic-16-bit-accesses.patch [bz#561022]
- Related: bz#561022 (QEMU terminates without warning with virtio-net and SMP enabled)
Family: unix Class: patch
Reference(s): ELSA-2010-0126
CVE-2009-3722
CVE-2010-0419
Version: 4
Platform(s): Oracle Linux 5
Product(s): kvm
 
Oval ID: oval:org.mitre.oval:def:27907
Title: DEPRECATED: ELSA-2010-0088 -- kvm security and bug fix update (important)
Description: [kvm-83-105.0.1.el5_4.22] - Add kvm-add-oracle-workaround-for-libvirt-bug.patch
Family: unix Class: patch
Reference(s): ELSA-2010-0088
CVE-2010-0297
CVE-2010-0298
CVE-2010-0306
CVE-2010-0309
Version: 4
Platform(s): Oracle Linux 5
Product(s): kvm
 
Oval ID: oval:org.mitre.oval:def:7147
Title: DSA-2010 kvm -- privilege escalation/denial of service
Description: Several local vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems: Gleb Natapov discovered issues in the KVM subsystem where missing permission checks permit a user in a guest system to cause a denial of service of the guest or gain escalated privileges within the guest. Marcelo Tosatti fixed an issue in the PIT emulation code in the KVM subsystem that allows privileged users in a guest domain to cause a denial of service of the host system. Paolo Bonzini found a bug in KVM that can be used to bypass proper permission checking while loading segment selectors. This potentially allows privileged guest users to execute privileged instructions on the host system.
Family: unix Class: patch
Reference(s): DSA-2010
CVE-2010-0298
CVE-2010-0306
CVE-2010-0309
CVE-2010-0419
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): kvm

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 1
Os 1

OpenVAS Exploits

Date Description
2010-06-07 Name : Ubuntu Update for Linux kernel vulnerabilities USN-947-1
File : nvt/gb_ubuntu_USN_947_1.nasl
2010-06-07 Name : Ubuntu Update for linux regression USN-947-2
File : nvt/gb_ubuntu_USN_947_2.nasl
2010-03-22 Name : Ubuntu Update for Linux kernel vulnerabilities USN-914-1
File : nvt/gb_ubuntu_USN_914_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
62845 KVM 83 x86 Emulator SMP Segment Register Selector Local Privilege Escalation

62215 Linux Kernel KVM x86 Code Emulation Functionality CPL / IOPL Local Privilege ...

62112 Linux Kernel KVM Guest arch/x86/kvm/i8254.c pit_ioport_read() Function Local DoS

Information Assurance Vulnerability Management (IAVM)

Date Description
2010-03-04 IAVM : 2010-A-0037 - Multiple Vulnerabilities in Linux Kernel
Severity : Category I - VMSKEY : V0022704

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0088.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0126.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0088.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0126.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100209_kvm_on_SL5_4.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100301_kvm_on_SL5_4.nasl - Type : ACT_GATHER_INFO
2010-06-04 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-947-1.nasl - Type : ACT_GATHER_INFO
2010-06-04 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-947-2.nasl - Type : ACT_GATHER_INFO
2010-03-17 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-914-1.nasl - Type : ACT_GATHER_INFO
2010-03-11 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2010.nasl - Type : ACT_GATHER_INFO
2010-03-04 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0126.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1996.nasl - Type : ACT_GATHER_INFO
2010-02-10 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0088.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:29:17
  • Multiple Updates