Vulnerability CVE-2018-12904

Vulnerability Name:

CVE-2018-12904 (CCN-145459)

Assigned:

2018-06-06

Published:

2018-06-06

Updated:

2019-10-03

Summary:

In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of service attacks due to lack of checking of CPL.

CVSS v3 Severity:

4.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
4.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

8.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.6 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2018-12904

Source: MISC
Type: Patch, Vendor Advisory
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=727ba748e110b4de50d142edca9d6a9b7e6111d8

Source: MISC
Type: Exploit, Third Party Advisory
https://bugs.chromium.org/p/project-zero/issues/detail?id=1589

Source: CCN
Type: Google Security Research Issue 1589
KVM (nested virtualization): privilege escalation in L1 guest

Source: MISC
Type: Release Notes, Vendor Advisory
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.17.2

Source: XF
Type: UNKNOWN
linux-kernel-cve201812904-priv-esc(145459)

Source: CCN
Type: Linux Kernel GIT Repository
kvm: nVMX: Enforce cpl=0 for VMX instructions

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/torvalds/linux/commit/727ba748e110b4de50d142edca9d6a9b7e6111d8

Source: CCN
Type: Packet Storm Security [06-25-2018]
KVM Nest Virtualization L1 Guest Privilege Escalation

Source: UBUNTU
Type: Third Party Advisory
USN-3752-1

Source: UBUNTU
Type: Third Party Advisory
USN-3752-2

Source: UBUNTU
Type: Third Party Advisory
USN-3752-3

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [06-25-2018]

Source: EXPLOIT-DB
Type: Exploit, Third Party Advisory, VDB Entry
44944

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-12904

Vulnerable Configuration:

Configuration 1:

cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:* (Version < 4.17.2)

Configuration 2:

cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration CCN 1:

cpe:/o:linux:linux_kernel:4.17.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201812904	V	CVE-2018-12904	2023-02-11
oval:org.opensuse.security:def:3418	P	DirectFB-1.7.1-6.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3565	P	libXrender1-0.9.8-7.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3461	P	cron-4.2-59.10.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3487	P	file-5.22-10.12.2 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3540	P	krb5-1.12.5-40.37.7 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3408	P	xorg-x11-server-1.19.6-8.18 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3563	P	libXpm4-3.5.11-5.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3436	P	atftp-0.7.0-160.8.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3402	P	xf86-video-intel-2.99.917+git781.c8990575-1.27 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3569	P	libXvMC1-1.0.8-7.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3473	P	dnsmasq-2.78-18.9.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3523	P	hplip-3.16.11-1.33 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3560	P	libXi6-1.7.4-18.6.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:4223	P	Security update for libaom (Low)	2021-10-12
oval:org.opensuse.security:def:4207	P	Security update for bluez (Moderate)	2021-07-22
oval:org.opensuse.security:def:51138	P	Security update for fwupdate (Important)	2021-04-09
oval:org.opensuse.security:def:50543	P	Security update for ucode-intel (Moderate)	2020-12-01
oval:org.opensuse.security:def:52654	P	Security update for the Linux Kernel (Live Patch 0 for SLE 15) (Important)	2020-12-01
oval:org.opensuse.security:def:50955	P	Security update for gettext-runtime (Moderate)	2020-12-01
oval:org.opensuse.security:def:49920	P	python2-cryptography on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50071	P	libicu60_2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:51239	P	Security update for ibus (Important)	2020-12-01
oval:org.opensuse.security:def:50439	P	Security update for subversion (Important)	2020-12-01
oval:org.opensuse.security:def:52590	P	Security update for java-1_8_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:50705	P	Security update for clamav (Moderate)	2020-12-01
oval:org.opensuse.security:def:51056	P	Security update for buildah (Moderate)	2020-12-01
oval:org.opensuse.security:def:49940	P	bind on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:51206	P	Security update for libqt5-qtbase (Important)	2020-12-01
oval:org.opensuse.security:def:50282	P	Security update for sssd (Moderate)	2020-12-01
oval:org.opensuse.security:def:49919	P	python2-bottle on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:51314	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:com.ubuntu.bionic:def:2018129040000000	V	CVE-2018-12904 on Ubuntu 18.04 LTS (bionic) - low.	2018-06-27
oval:com.ubuntu.artful:def:201812904000	V	CVE-2018-12904 on Ubuntu 17.10 (artful) - low.	2018-06-27
oval:com.ubuntu.xenial:def:201812904000	V	CVE-2018-12904 on Ubuntu 16.04 LTS (xenial) - low.	2018-06-27
oval:com.ubuntu.xenial:def:2018129040000000	V	CVE-2018-12904 on Ubuntu 16.04 LTS (xenial) - low.	2018-06-27
oval:com.ubuntu.bionic:def:201812904000	V	CVE-2018-12904 on Ubuntu 18.04 LTS (bionic) - low.	2018-06-27
oval:com.ubuntu.cosmic:def:201812904000	V	CVE-2018-12904 on Ubuntu 18.10 (cosmic) - low.	2018-06-27
oval:com.ubuntu.cosmic:def:2018129040000000	V	CVE-2018-12904 on Ubuntu 18.10 (cosmic) - low.	2018-06-27
oval:com.ubuntu.trusty:def:201812904000	V	CVE-2018-12904 on Ubuntu 14.04 LTS (trusty) - low.	2018-06-27

BACK