CVE-2018-12904
Published 2018-06-27
Priority P4 · 24 · medium · 4.9 (CVSS 3.0)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
EXPLOIT
EPSS: 1.18% (63.9th percentile)
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | linux | < linux 4.16.16-1 (bookworm) | linux 4.16.16-1 (bookworm) |
| linux | linux_kernel | < 4.17.2 | 4.17.2 |
| linux | linux_kernel | >= 0 < 4.16.16-1 | 4.16.16-1 |
| linux | linux_kernel | >= 0 < 4.16.16-1 | 4.16.16-1 |
| linux | linux_kernel | >= 0 < 4.16.16-1 | 4.16.16-1 |
| linux | linux_kernel | >= 0 < 4.16.16-1 | 4.16.16-1 |
| linux | linux_kernel | >= 0 < 4.15.0-33.36 | 4.15.0-33.36 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.9 | MEDIUM | CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 5.5 | MEDIUM | — |
| vendor_ubuntu | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 4.9 | MEDIUM | — |
| vendor_redhat | — | 4.9 | MEDIUM | — |
GHSA
GHSA-vx6h-cqmq-qj84: In arch/x86/kvm/vmx
ghsa_unreviewed · 2022-05-13 · CVE-2018-12904 [MEDIUM]
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.
OSV
linux-azure, linux-oem, linux-gcp vulnerabilities
osv · 2018-08-28 · CVSS 5.5 · CVE-2018-1000200 [MEDIUM]
It was discovered that, when attempting to handle an out-of-memory
situation, a null pointer dereference could be triggered in the Linux
kernel in some circumstances. A local attacker could use this to cause a
denial of service (system crash). (CVE-2018-1000200)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate meta-data information. An attacker could
use this to construct a malicious xfs image that, when mounted, could cause
a denial of service (system crash). (CVE-2018-10323)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate xattr information. An attacker could use
this to construct a malicious xfs image that, when mounted, could c
OSV
linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities
osv · 2018-08-24 · CVSS 5.5 · CVE-2018-1000200 [MEDIUM]
It was discovered that, when attempting to handle an out-of-memory
situation, a null pointer dereference could be triggered in the Linux
kernel in some circumstances. A local attacker could use this to cause a
denial of service (system crash). (CVE-2018-1000200)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate meta-data information. An attacker could
use this to construct a malicious xfs image that, when mounted, could cause
a denial of service (system crash). (CVE-2018-10323)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate xattr information. An attacker could use
this to construct a malicious xfs image that, wh
OSV
linux-hwe vulnerabilities
osv · 2018-08-24 · CVSS 5.5 · CVE-2018-10002 [MEDIUM]
USN-3752-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu
16.04 LTS.
It was discovered that, when attempting to handle an out-of-memory
situation, a null pointer dereference could be triggered in the Linux
kernel in some circumstances. A local attacker could use this to cause a
denial of service (system crash). (CVE-2018-1000200)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate meta-data information. An attacker could
use this to construct a malicious xfs image that, when mounted, could cause
a denial of service (system crash). (CVE-2018-10323)
Wen Xu discovered tha
OSV
CVE-2018-12904: In arch/x86/kvm/vmx
osv · 2018-06-27 · CVSS 4.9 · CVE-2018-12904 [MEDIUM]
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.
Ubuntu
Title: Linux kernel (Azure, GCP, OEM) vulnerabilities
vendor_ubuntu · 2018-08-28 · CVSS 5.5 · CVE-2018-1000200 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that, when attempting to handle an out-of-memory
situation, a null pointer dereference could be triggered in the Linux
kernel in some circumstances. A local attacker could use this to cause a
denial of service (system crash). (CVE-2018-1000200)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate meta-data information. An attacker could
use this to construct a malicious xfs image that, when mounted, could cause
a denial of service (system crash). (CVE-2018-10323)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate xattr information. An attacker could u
Ubuntu
Title: Linux kernel vulnerabilities
vendor_ubuntu · 2018-08-24 · CVSS 5.5 · CVE-2018-1000200 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that, when attempting to handle an out-of-memory
situation, a null pointer dereference could be triggered in the Linux
kernel in some circumstances. A local attacker could use this to cause a
denial of service (system crash). (CVE-2018-1000200)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate meta-data information. An attacker could
use this to construct a malicious xfs image that, when mounted, could cause
a denial of service (system crash). (CVE-2018-10323)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate xattr information. An attacker could use
this to constru
Ubuntu
Title: Linux kernel (HWE) vulnerabilities
vendor_ubuntu · 2018-08-24 · CVSS 5.5 · CVE-2018-1000200 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.
USN-3752-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu
16.04 LTS.
It was discovered that, when attempting to handle an out-of-memory
situation, a null pointer dereference could be triggered in the Linux
kernel in some circumstances. A local attacker could use this to cause a
denial of service (system crash). (CVE-2018-1000200)
Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate meta-data information. An attacker could
use this to construct a malicious xfs image that, when mounted, could
Red Hat
kernel: kvm: nVMX: missing privilege check allows privilege escalation in nested virtualization
vendor_redhat · 2018-06-12 · CVSS 4.9 · CVE-2018-12904 [MEDIUM] · CWE-284
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.
Statement: This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-alt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) -
Debian
CVE-2018-12904: linux - In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualizat...
vendor_debian · 2018 · CVSS 4.9 · CVE-2018-12904 [MEDIUM]
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.
Scope: local
bookworm: resolved (fixed in 4.16.16-1)
bullseye: resolved (fixed in 4.16.16-1)
forky: resolved (fixed in 4.16.16-1)
sid: resolved (fixed in 4.16.16-1)
trixie: resolved (fixed in 4.16.16-1)
No detection rules found.
Bugzilla
CVE-2018-12904 kernel: kvm: nVMX: missing privilege check allows privilege escalation in nested virtualization
bugzilla · 2018-06-26 · CVSS 4.9 · CVE-2018-12904 [MEDIUM]
It was found that KVM virtualizing another hypervisor as an L1 VM does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0. This means that a normal user space program running in the L1 VM can trigger KVM's VMX emulation, which gives a large number of privilege escalation vectors. This issue happens only if an L2 guest is running, since the VMX emulation code checks the guest's CR4.VMXE value.
This allows an attacker in an L2 guest to break out, e.g. by exploiting a bug in the L1 qemu process and using this bug for privilege escalation on the L1 system.
Bug report:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1589
U
Bugzilla
CVE-2018-12904 kernel: kvm: Missing privilege check allows privilege escalation in nested virtualization scenario [fedora-all]
bugzilla · 2018-06-26 · CVSS 4.9 · CVE-2018-12904 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOT
References
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=727ba748e110b4de50d142edca9d6a9b7e6111d8
https://bugs.chromium.org/p/project-zero/issues/detail?id=1589
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.2
https://github.com/torvalds/linux/commit/727ba748e110b4de50d142edca9d6a9b7e6111d8
https://usn.ubuntu.com/3752-1/
https://usn.ubuntu.com/3752-2/
https://usn.ubuntu.com/3752-3/
https://www.exploit-db.com/exploits/44944/