   ADVISORY

 

CERT-In Advisory CIAD-2010-12
Multiple Vulnerabilities in Linux Kernel

Original Issue Date: February 24, 2010

Severity Rating: Medium

System Affected

  • Linux Kernel versions prior to 2.6.32-rc4

Overview

Multiple vulnerabilities have been reported in the KVM (Kernel-based Virtual Machine) code of the Linux kernel and in the qemu-kvm user-space component. They could be exploited by a user inside a KVM guest to cause a denial of service (DoS) against the guest or the host, or to gain elevated privileges.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. On Red Hat Enterprise Linux it is delivered as a kernel module built for the standard Red Hat Enterprise Linux kernel, with most device emulation, including USB pass-through, performed by the qemu-kvm process on the host; a few timer and interrupt devices, such as the Programmable Interval Timer (PIT), are emulated inside the kernel module itself.

1. 'usb_host_handle_control()' Buffer Overflow Vulnerability (CVE-2010-0297)

This vulnerability is a buffer overflow in the USB pass-through handling code, in the 'usb_host_handle_control()' function, which runs inside the qemu-kvm process on the host. A privileged user in a guest that has a host USB device passed through to it could send a specially crafted USB control packet to trigger the overflow. Successful exploitation crashes the guest (denial of service) and could allow the attacker to execute code in the context of the qemu-kvm process on the host, i.e. to escalate from the guest to the host.
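The following is an added illustration of the bug class, not code from qemu-kvm or from this advisory. A USB SETUP packet carries a 16-bit wLength chosen by the guest's driver, and host-side pass-through code stages the data phase in a fixed-size buffer, so the guest-controlled length has to be bounded before any copy. The buffer size (CTRL_BUF_SIZE), the error code (USB_RET_STALL), the function names and the sample SETUP packet are all assumptions made for the example.

```c
/*
 * Added illustration (not qemu-kvm's usb-linux.c): a USB SETUP packet
 * carries a 16-bit wLength chosen by the guest driver. Host-side
 * pass-through code stages the data phase in a fixed buffer, so the
 * guest-controlled length must be bounded before any copy.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CTRL_BUF_SIZE 2048      /* assumed size of the host-side staging buffer */
#define USB_RET_STALL (-3)      /* assumed error code for a rejected transfer */

/* The 8-byte SETUP packet, fields little-endian as on the wire. */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;           /* length of the data phase, guest controlled */
};

struct ctrl_xfer {
    struct usb_setup setup;
    uint8_t buffer[CTRL_BUF_SIZE];  /* fixed-size staging area on the host */
    size_t  len;                    /* bytes actually staged */
};

static void parse_setup(const uint8_t raw[8], struct usb_setup *s)
{
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s->wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s->wLength = (uint16_t)(raw[6] | (raw[7] << 8));
}

/* Vulnerable shape: the copy length is taken straight from wLength.
 * Only the length is computed here; with a real memcpy any wLength
 * above CTRL_BUF_SIZE writes past the end of buffer[]. */
static size_t ctrl_copy_len_unchecked(const struct usb_setup *s)
{
    return s->wLength;
}

/* Hardened shape: refuse (STALL) any control transfer whose data phase
 * does not fit the staging buffer, before touching the buffer at all.
 * Returns the number of bytes staged, or USB_RET_STALL. */
static int handle_control_checked(struct ctrl_xfer *x, const uint8_t *data, size_t data_len)
{
    size_t want = x->setup.wLength;
    if (want > sizeof x->buffer)
        return USB_RET_STALL;
    if (data_len < want)            /* short data phase: stage only what arrived */
        want = data_len;
    memcpy(x->buffer, data, want);
    x->len = want;
    return (int)want;
}

/* Worked case: a constructed SETUP packet (IN, standard, device;
 * GET_DESCRIPTOR, device descriptor) whose wLength is 0xFFFF, paired
 * with a payload larger than the staging buffer. */
static int demo_oversized_request(struct ctrl_xfer *x)
{
    static const uint8_t raw[8] = { 0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0xFF, 0xFF };
    static const uint8_t payload[CTRL_BUF_SIZE + 1] = { 0 };
    parse_setup(raw, &x->setup);
    return handle_control_checked(x, payload, sizeof payload);
}
```

The check belongs before the copy, keyed on the size of the destination rather than on anything the guest sends; a legitimate 18-byte device-descriptor request passes unchanged, while the oversized request is stalled without the staging buffer being written.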

2. KVM Code Emulation CPL / IOPL Privilege Escalation Vulnerabilities (CVE-2010-0298, CVE-2010-0306)

These vulnerabilities are due to KVM's x86 instruction emulator not checking the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) before executing the instructions it emulates on the guest's behalf. On real hardware a privileged or I/O instruction executed from an insufficient privilege level raises a general protection fault; when the instruction is instead handled by the emulator, the missing checks let it run regardless of the guest's CPL and IOPL. A user in a guest could leverage these vulnerabilities to cause a denial of service (guest crash) or escalate their privileges within that guest.

Successful exploitation requires an SMP guest.
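The following is an added illustration of the missing check, not KVM's emulator code. An instruction emulator executes on the guest's behalf what the CPU would have run natively, so it has to re-apply the CPU's privilege rules: privileged instructions require CPL 0, and IN/OUT require CPL <= IOPL. The vcpu structure, the instruction classes and the function names are assumptions made for the example; real hardware additionally consults the TSS I/O permission bitmap when CPL > IOPL, which this toy omits.

```c
/*
 * Added illustration (not KVM's arch/x86/kvm/emulate.c): an instruction
 * emulator runs on the guest's behalf what the CPU itself would have
 * executed, so it must re-apply the CPU's privilege rules. Two matter
 * here: privileged instructions require CPL 0, and IN/OUT require
 * CPL <= IOPL. The TSS I/O permission bitmap consulted by real hardware
 * when CPL > IOPL is left out of this toy.
 */
#include <stdbool.h>
#include <stdint.h>

#define X86_EFLAGS_IOPL 0x3000u     /* RFLAGS bits 12-13 */
#define IOPL_SHIFT      12

/* Assumed stand-in for the per-vCPU state the emulator consults. */
struct vcpu {
    uint32_t rflags;
    int  cpl;           /* 0 = guest kernel, 3 = guest user */
    bool gp_injected;   /* set when the emulator injects #GP(0) into the guest */
};

enum insn_class {
    INSN_ORDINARY,      /* e.g. a MOV that trapped because it touched MMIO */
    INSN_PRIV,          /* e.g. HLT, LGDT, MOV to a control register */
    INSN_IO             /* IN, OUT, INS, OUTS */
};

static int guest_iopl(const struct vcpu *v)
{
    return (int)((v->rflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT);
}

static void inject_gp(struct vcpu *v)
{
    v->gp_injected = true;
}

/* Vulnerable shape: whatever instruction trapped to the emulator is
 * executed, with no look at CPL or IOPL. A guest user process that gets a
 * privileged or I/O instruction emulated runs it as if it were ring 0.
 * Returns true when the instruction is executed. */
static bool emulate_unchecked(struct vcpu *v, enum insn_class c)
{
    (void)c;
    v->gp_injected = false;
    return true;
}

/* Hardened shape: mirror the checks the CPU performs before executing.
 * Returns true when the instruction is executed, false when #GP(0) is
 * injected into the guest instead. */
static bool emulate_checked(struct vcpu *v, enum insn_class c)
{
    v->gp_injected = false;
    switch (c) {
    case INSN_PRIV:
        if (v->cpl != 0) { inject_gp(v); return false; }
        break;
    case INSN_IO:
        if (v->cpl > guest_iopl(v)) { inject_gp(v); return false; }
        break;
    case INSN_ORDINARY:
        break;
    }
    return true;
}

/* Scenario from the advisory: an unprivileged guest process (CPL 3) in a
 * guest whose kernel keeps IOPL at 0 gets an OUT instruction emulated. */
static bool user_io_runs(bool hardened)
{
    struct vcpu v = { 0x2u, 3, false };     /* RFLAGS reserved bit only: IOPL = 0 */
    return hardened ? emulate_checked(&v, INSN_IO) : emulate_unchecked(&v, INSN_IO);
}
```

The point of the hardened path is that the decision is made from the guest's own CPL and IOPL, exactly as the hardware would decide it, and the outcome on failure is a fault delivered to the guest rather than silent execution on its behalf.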

3. KVM "/dev/port" Device Local Denial of Service Vulnerability (CVE-2010-0309)

This vulnerability is caused by an error in the "pit_ioport_read()" function in arch/x86/kvm/i8254.c, the in-kernel emulation of the Programmable Interval Timer (PIT): accesses to the emulated PIT state are not properly validated. It can be exploited by reading the PIT's I/O ports through the "/dev/port" device inside a KVM guest, since those reads are handled by the KVM module in the host kernel. The attacker requires root privileges in the KVM guest (access to /dev/port) to exploit this vulnerability.

Successful exploitation crashes the KVM host, causing a denial of service (DoS) for that host and every guest running on it.
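The following is an added illustration of the bug class, not KVM's i8254.c and not a reproduction of the reported flaw. The 8254 PIT exposes three counter channels at I/O ports 0x40 to 0x42 and a write-only mode/command register at 0x43, so a read handler that maps port offset to channel index must not let port 0x43 reach the channel array. The advisory does not state the root cause of CVE-2010-0309; the example assumes that shape, and the structure layout, function names and the 0xff returned for the undefined read are choices made for the example.

```c
/*
 * Added illustration (not KVM's arch/x86/kvm/i8254.c): the 8254 PIT has
 * three counter channels at ports 0x40-0x42 and a write-only mode/command
 * register at 0x43. A read handler that turns the port offset into a
 * channel index must not let 0x43 index the channel array. The advisory
 * does not state the root cause; this toy assumes that shape.
 */
#include <stdbool.h>
#include <stdint.h>

#define PIT_BASE   0x40
#define PIT_NCHAN  3
#define PIT_CTRL   (PIT_BASE + 3)   /* 0x43, mode/command register */

struct pit_channel {
    uint16_t count;       /* current counter value */
    bool     read_high;   /* LSB/MSB toggle for 16-bit reads, one byte per access */
};

struct pit_state {
    struct pit_channel channels[PIT_NCHAN];
};

/* Vulnerable shape: the port offset is used directly as the channel
 * index. Port 0x43 yields 3, one past the last channel; inside the kernel
 * that reads (and, via the toggle, writes) memory that is not a channel.
 * Only the index is computed here, nothing is dereferenced with it. */
static int pit_chan_index_unchecked(uint16_t port)
{
    return port - PIT_BASE;
}

/* Hardened shape: validate the port against the device's range and refuse
 * to treat the control port as a channel. Returns false when the port does
 * not belong to the PIT; otherwise *val receives the byte read. */
static bool pit_ioport_read_checked(struct pit_state *s, uint16_t port, uint8_t *val)
{
    if (port < PIT_BASE || port > PIT_CTRL)
        return false;                       /* not our device */
    if (port == PIT_CTRL) {
        /* Control word is write-only; a read is undefined on real hardware.
         * This toy answers 0xff and never touches the channel array. */
        *val = 0xff;
        return true;
    }
    struct pit_channel *ch = &s->channels[port - PIT_BASE];   /* index is now 0..2 */
    *val = ch->read_high ? (uint8_t)(ch->count >> 8) : (uint8_t)(ch->count & 0xff);
    ch->read_high = !ch->read_high;
    return true;
}

/* Scenario from the advisory: guest root reads byte 0x43 of /dev/port,
 * which reaches the hypervisor as an I/O port read of 0x43. */
static bool guest_reads_control_port(struct pit_state *s, uint8_t *val)
{
    return pit_ioport_read_checked(s, 0x43, val);
}
```

The guest can choose any port number it likes through /dev/port, so the handler's range check and the exclusion of the write-only register are what stand between a guest-chosen offset and the host kernel's memory.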

Solution

Apply appropriate patches or fixes released by respective vendors. Note that the fixes do not protect guests that are already running: after updating, shut down running guests and reload the kvm kernel modules (or reboot the host) so that both the updated module and the updated qemu-kvm binary are in use.

RedHat
http://rhn.redhat.com/errata/RHSA-2010-0088.html

Vendor Information

RedHat
http://rhn.redhat.com/errata/RHSA-2010-0088.html

References

RedHat
http://rhn.redhat.com/errata/RHSA-2010-0088.html

Secunia
http://secunia.com/advisories/38499
http://secunia.com/advisories/38405/

SecurityFocus
http://www.securityfocus.com/bid/38158
http://www.securityfocus.com/bid/38086

RedHat
https://bugzilla.redhat.com/show_bug.cgi?id=559091
https://bugzilla.redhat.com/show_bug.cgi?id=560654

Xforce
http://xforce.iss.net/xforce/xfdb/56194

Juniper
http://www.juniper.net/security/auto/vulnerabilities/vuln38158.html

VUPEN
http://www.vupen.com/english/advisories/2010/0353

CVE Name
CVE-2010-0297
CVE-2010-0298
CVE-2010-0306
CVE-2010-0309

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003