CVE-2018-1087 : kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel

kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.

Published 2018-05-15 16:29:00

Updated 2019-10-09 23:38:05

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2018-1087

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 7.2
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Eus » Version: 7.5
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.3
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.2
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Virtualization » Version: 4.0
cpe:2.3:o:redhat:enterprise_linux_virtualization:4.0:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 4.16
cpe:2.3:o:linux:linux_kernel:4.16:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 4.17 Update RC3
cpe:2.3:o:linux:linux_kernel:4.17:rc3:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 4.17 Update RC1
cpe:2.3:o:linux:linux_kernel:4.17:rc1:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 4.17 Update RC2
cpe:2.3:o:linux:linux_kernel:4.17:rc2:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 4.16 Update RC7
cpe:2.3:o:linux:linux_kernel:4.16:rc7:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 17.10
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-1087

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 33 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-1087

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	AV:L/AC:L/Au:N/C:P/I:P/A:P	3.9	6.4	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.0	HIGH	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.1	5.9	Red Hat, Inc.
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-1087

CWE-250 Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2018-1087

http://www.securitytracker.com/id/1040862

Linux Kernel KVM Hypervisor Debug Exception Handling Flaw Lets Local Guest Users Deny Service or Gain Elevated Privileges on the Guest System - SecurityTracker
Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2018:1345

RHSA-2018:1345 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3641-2/

USN-3641-2: Linux kernel vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:1355

RHSA-2018:1355 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1087

1566837 – (CVE-2018-1087) CVE-2018-1087 Kernel: KVM: error in exception handling leads to wrong debug stack value
Issue Tracking
https://www.debian.org/security/2018/dsa-4196

Debian -- Security Information -- DSA-4196-1 linux
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:1318

RHSA-2018:1318 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2018:1524

RHSA-2018:1524 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3641-1/

USN-3641-1: Linux kernel vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/security/vulnerabilities/pop_ss

POP SS debug exception - CVE-2018-8897 [Moderate] & CVE-2018-1087 [Important] - Red Hat Customer Portal
Third Party Advisory
http://www.securityfocus.com/bid/104127

Linux Kernel CVE-2018-1087 Local Privilege Escalation Vulnerability
Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2018:1348

RHSA-2018:1348 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2018/05/08/5

oss-security - CVE-2018-1087: KVM incorrectly handles #DB exceptions while deferred by MOV SS/POP SS
Mailing List
https://access.redhat.com/errata/RHSA-2018:1347

RHSA-2018:1347 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-1087

Products affected by CVE-2018-1087

Exploit prediction scoring system (EPSS) score for CVE-2018-1087

CVSS scores for CVE-2018-1087

CWE ids for CVE-2018-1087

References for CVE-2018-1087