CVE-2017-12154

Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register.

La función prepare_vmcs02 en arch/x86/kvm/vmx.c en el kernel de Linux hasta la versión 4.13.3 no asegura que los controles L0 vmcs02 "CR8-load exiting" y "CR8-store exiting" existan en casos en los que L1 omite el control vmcs12 "use TPR shadow". Esto permite que los usuarios invitados del sistema operativo obtengan acceso de lectura y escritura al registro CR8 del hardware.

Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts. As L2 guest could access (r/w) hardware CR8 register of the host(L0). In a nested visualization setup, L2 guest user could use this flaw to potentially crash the host(L0) resulting in DoS.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

Attack Vector

Adjacent

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-01 CVE Reserved
2017-09-26 CVE Published
2023-03-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-284: Improper Access Control

CAPEC

References (12)

URL	Tag	Source
http://www.securityfocus.com/bid/100856	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=51aa68e7d57e3217192d88ce90fd5b8ef29ec94f	2023-02-12
https://bugzilla.redhat.com/show_bug.cgi?id=1491224	2019-07-30
https://github.com/torvalds/linux/commit/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f	2023-02-12
https://www.spinics.net/lists/kvm/msg155414.html	2023-02-12

URL	Date	SRC
http://www.debian.org/security/2017/dsa-3981	2023-02-12
https://access.redhat.com/errata/RHSA-2018:0676	2023-02-12
https://access.redhat.com/errata/RHSA-2018:1062	2023-02-12
https://access.redhat.com/errata/RHSA-2019:1946	2023-02-12
https://usn.ubuntu.com/3698-1	2023-02-12
https://usn.ubuntu.com/3698-2	2023-02-12
https://access.redhat.com/security/cve/CVE-2017-12154	2019-07-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 4.13.3 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.13.3"		-		Affected