Vulnerability Details : CVE-2018-18021
arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ONE_REG ioctl. This is exploitable by attackers who can create virtual machines: such an attacker can arbitrarily redirect the hypervisor's flow of control (with full register control), and can also cause a denial of service (hypervisor panic) via an illegal exception return. The root cause is insufficient restriction of userspace access to the guest core register file, combined with PSTATE.M validation that does not prevent unintended execution modes.
Vulnerability category: Input validation; Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2018-18021
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~27%
CVSS scores for CVE-2018-18021
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
3.6 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:P | 3.9 | 4.9 | NIST |
7.1 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H | 1.8 | 5.2 | NIST |
CWE ids for CVE-2018-18021
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-18021
- https://access.redhat.com/errata/RHSA-2018:3656
  RHSA-2018:3656 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securityfocus.com/bid/105550
  Linux Kernel 'arch/arm64/kvm/guest.c' Local Privilege Escalation Vulnerability (Third Party Advisory; VDB Entry)
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2a3f93459d689d990b3ecfbe782fec89b97d3279
  kernel/git/torvalds/linux.git - Linux kernel source tree (Patch)
- https://usn.ubuntu.com/3821-2/
  USN-3821-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://usn.ubuntu.com/3931-1/
  USN-3931-1: Linux kernel vulnerabilities | Ubuntu security notices
- https://usn.ubuntu.com/3821-1/
  USN-3821-1: Linux kernel vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://usn.ubuntu.com/3931-2/
  USN-3931-2: Linux kernel (HWE) vulnerabilities | Ubuntu security notices
- https://www.openwall.com/lists/oss-security/2018/10/02/2
  oss-security - arm64 Linux kernel: Privilege escalation by taking control of the KVM hypervisor (Mailing List; Patch; Third Party Advisory)
- https://github.com/torvalds/linux/commit/d26c25a9d19b5976b319af528886f89cf455692d
  arm64: KVM: Tighten guest core register access from userspace · torvalds/linux@d26c25a · GitHub (Patch)
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d26c25a9d19b5976b319af528886f89cf455692d
  kernel/git/torvalds/linux.git - Linux kernel source tree (Patch)
- https://github.com/torvalds/linux/commit/2a3f93459d689d990b3ecfbe782fec89b97d3279
  arm64: KVM: Sanitize PSTATE.M when being set from userspace · torvalds/linux@2a3f934 · GitHub (Patch)
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.12
  Linux 4.18.12 ChangeLog (Patch)
- https://www.debian.org/security/2018/dsa-4313
  Debian -- Security Information -- DSA-4313-1 linux (Third Party Advisory)
Products affected by CVE-2018-18021
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*