Vulnerability CVE-2018-1087


Published: 2018-05-15

Description:
kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

Vendor: Debian
Product: Debian linux 
Version: 9.0; 8.0;
Vendor: Redhat
Product: Enterprise linux server eus 
Version:
7.5
7.4
7.3
Product: Enterprise linux server aus 
Version:
7.4
7.3
7.2
Product: Enterprise linux server tus 
Version:
7.4
7.3
7.2
Product: Enterprise linux 
Version: 7.0;
Product: Enterprise linux server 
Version: 7.0;
Product: Enterprise linux desktop 
Version: 7.0;
Product: Enterprise linux workstation 
Version: 7.0;
Product: Enterprise linux virtualization 
Version: 4.0;
Vendor: Linux
Product: Linux kernel 
Version: 4.17; 4.16;
Vendor: Canonical
Product: Ubuntu linux 
Version:
17.10
16.04
14.04

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.6/10
6.4/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.openwall.com/lists/oss-security/2018/05/08/5
http://www.securityfocus.com/bid/104127
http://www.securitytracker.com/id/1040862
https://access.redhat.com/errata/RHSA-2018:1318
https://access.redhat.com/errata/RHSA-2018:1345
https://access.redhat.com/errata/RHSA-2018:1347
https://access.redhat.com/errata/RHSA-2018:1348
https://access.redhat.com/errata/RHSA-2018:1355
https://access.redhat.com/errata/RHSA-2018:1524
https://access.redhat.com/security/vulnerabilities/pop_ss
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1087
https://usn.ubuntu.com/3641-1/
https://usn.ubuntu.com/3641-2/
https://www.debian.org/security/2018/dsa-4196

Related CVE
CVE-2018-5122
A potential integer overflow in the "DoCrypt" function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. This vulnerability affects Firefox < 58.
CVE-2018-5119
The reader view will display cross-origin content when CORS headers are set to prohibit the loading of cross-origin content by a site. This could allow access to content that should be restricted in reader view. This vulnerability affects Firefox < 5...
CVE-2018-5118
The screenshot images displayed in the Activity Stream page displayed when a new tab is opened is created from the meta tags of websites. An issue was discovered where the page could attempt to create these images through "file:" URLs from the local ...
CVE-2018-5116
WebExtensions with the "ActiveTab" permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins into the loaded page and then interact with them, ...
CVE-2018-5115
If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in use...
CVE-2018-5114
If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie. This vulnerability affects Fir...
CVE-2018-5113
The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:" but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. This vulnerabi...
CVE-2018-5112
Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. This could allow the development tools panel for the extension...

Copyright 2018, cxsecurity.com

 

Back to Top