CVE-2018-18021

kernel: Privilege escalation on arm64 via KVM hypervisor

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.

arch/arm64/kvm/guest.c en KVM en el kernel de Linux en versiones anteriores a la 4.18.12 en la plataforma arm64 gestiona de manera incorrecta la llamada IOCTL KVM_SET_ON_REG. Esto puede ser explotado por atacantes que puedan crear máquinas virtuales. Un atacante puede redireccionar de forma arbitraria el flujo de control del hipervisor (con control de registro total). Un atacante también puede provocar una denegación de servicio (pánico del hipervisor) mediante una devolución de excepción ilegal. Esto ocurre debido a las restricciones insuficientes sobre el acceso del espacio de usuario al archivo de registro core y, además, debido a que la validación PSTATE.M no evita los modos de ejecución no planeados.

A vulnerability was discovered in the Linux kernel that allows an attacker to escalate privileges with using a 64-bit ARM architecture. A local attacker with permission to create KVM-based virtual machines can both panic the hypervisor by triggering an illegal exception return (resulting in a DoS) and to redirect execution elsewhere within the hypervisor with full register control, instead of causing a return to the guest.

M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not properly set up all arguments to an error handler callback used when running as a paravirtualized guest. An unprivileged attacker in a paravirtualized guest VM could use this to cause a denial of service. It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service or execute arbitrary code in the host. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-10-07 CVE Reserved
2018-10-07 CVE Published
2024-08-05 CVE Updated
2025-04-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (15)

URL	Tag	Source
http://www.securityfocus.com/bid/105550	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2a3f93459d689d990b3ecfbe782fec89b97d3279	2019-04-03
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d26c25a9d19b5976b319af528886f89cf455692d	2019-04-03
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.12	2019-04-03
https://github.com/torvalds/linux/commit/2a3f93459d689d990b3ecfbe782fec89b97d3279	2019-04-03
https://github.com/torvalds/linux/commit/d26c25a9d19b5976b319af528886f89cf455692d	2019-04-03
https://www.openwall.com/lists/oss-security/2018/10/02/2	2019-04-03

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:3656	2019-04-03
https://usn.ubuntu.com/3821-1	2019-04-03
https://usn.ubuntu.com/3821-2	2019-04-03
https://usn.ubuntu.com/3931-1	2019-04-03
https://usn.ubuntu.com/3931-2	2019-04-03
https://www.debian.org/security/2018/dsa-4313	2019-04-03
https://access.redhat.com/security/cve/CVE-2018-18021	2018-11-26
https://bugzilla.redhat.com/show_bug.cgi?id=1635475	2018-11-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 4.18.12 Search vendor "Linux" for product "Linux Kernel" and version " < 4.18.12"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected