CVE-2019-19339

kpatch: hw: incomplete fix for CVE-2018-12207

Severity Score: 6.5 (CVSS v3.1)
Exploit Likelihood (EPSS): not available
Affected Versions (CPE): see the affected products list below
Public Exploits: 0 (multiple sources)
Exploited in Wild (CISA KEV): not listed
Decision (SSVC): not available

Description


The Red Hat Enterprise Linux 8 kpatch (kernel live patch) update was found not to include the complete fix for CVE-2018-12207, so hosts that applied only that live patch were not fully protected against the flaw described below.
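
One check a practitioner would want on a RHEL 8 virtualization host is whether the running kernel reports a mitigation for CVE-2018-12207 at all. Linux exposes that under the name the kernel uses for this erratum, itlb_multihit, in /sys/devices/system/cpu/vulnerabilities/itlb_multihit. The classifier below is an added example, not Red Hat, kpatch or kernel code; the sample status lines are constructed from the kernel's documented values for that file, and the reading of a missing file as "this kernel has no reporting for the bug" is an assumption stated in the code. The file reflects what the running kernel believes about itself; it cannot tell you whether a live patch shipped the complete fix, so the installed kernel and kpatch versions still need to be compared against the vendor advisory.

```c
/*
 * Added example: classify the kernel's itlb_multihit report, which is how
 * Linux exposes the mitigation state of CVE-2018-12207. Not Red Hat, kpatch
 * or kernel code. sample_statuses[] is constructed from the kernel's
 * documented status strings, not captured from a real host.
 */
#include <stdio.h>
#include <string.h>

#define ITLB_MULTIHIT_SYSFS "/sys/devices/system/cpu/vulnerabilities/itlb_multihit"

enum multihit_state {
    MH_NOT_AFFECTED,   /* CPU does not have the erratum */
    MH_MITIGATED,      /* KVM mitigation active, or VMX unsupported/disabled */
    MH_VULNERABLE,     /* kernel knows the bug and reports no protection */
    MH_UNKNOWN         /* unrecognised text: inspect by hand */
};

/* Constructed sample lines using the kernel's documented status values. */
static const char *const sample_statuses[] = {
    "Not affected\n",
    "KVM: Mitigation: Split huge pages\n",
    "KVM: Mitigation: VMX disabled\n",
    "KVM: Vulnerable\n",
    "Processor vulnerable\n",
};

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

enum multihit_state classify_itlb_multihit(const char *status)
{
    char buf[128];
    snprintf(buf, sizeof buf, "%s", status);
    buf[strcspn(buf, "\n")] = '\0';          /* drop the newline sysfs appends */

    if (strcmp(buf, "Not affected") == 0)
        return MH_NOT_AFFECTED;
    if (starts_with(buf, "KVM: Mitigation:"))  /* Split huge pages / VMX unsupported / VMX disabled */
        return MH_MITIGATED;
    if (strcmp(buf, "KVM: Vulnerable") == 0 || strcmp(buf, "Processor vulnerable") == 0)
        return MH_VULNERABLE;
    return MH_UNKNOWN;
}

/* Read the live file. Returns 0 when it cannot be read; the assumption made
 * here is that on an x86 Linux host a missing file means the running kernel
 * has no reporting for this bug at all, so its version (and any kpatch module)
 * must be checked against the advisory by hand. */
int read_host_status(char *out, size_t len)
{
    FILE *f = fopen(ITLB_MULTIHIT_SYSFS, "r");
    if (!f)
        return 0;
    int ok = fgets(out, (int)len, f) != NULL;
    fclose(f);
    return ok;
}

int main(void)
{
    static const char *const names[] = { "not affected", "mitigated", "VULNERABLE", "unknown" };
    char status[128];

    if (read_host_status(status, sizeof status)) {
        status[strcspn(status, "\n")] = '\0';
        printf("host: \"%s\" -> %s\n", status, names[classify_itlb_multihit(status)]);
    } else {
        printf("%s not readable: kernel has no reporting for this bug (assumption)\n",
               ITLB_MULTIHIT_SYSFS);
    }
    /* Show the classifier on the constructed samples regardless of the host. */
    for (size_t i = 0; i < sizeof sample_statuses / sizeof sample_statuses[0]; i++)
        printf("sample: %-36.35s -> %s\n", sample_statuses[i],
               names[classify_itlb_multihit(sample_statuses[i])]);
    return 0;
}
```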

A flaw was found in the way Intel CPUs handle an inconsistency between the virtual-to-physical address translations cached inside the CPU and the paging-structure entries maintained by system software. A privileged guest user can use this flaw to induce a hardware Machine Check Error on the host processor, halting it and causing a severe denial of service for the host and every guest running on it.

System software such as an OS or a Virtual Machine Monitor (VMM) uses virtual memory to hold program instructions and data. The virtual memory system manages that memory through paging structures such as page tables and page directories. The processor's Memory Management Unit (MMU) uses the paging-structure entries to translate a program's virtual addresses to physical addresses, and caches the resulting translations in a local buffer, the Translation Lookaside Buffer (TLB). The TLB has two parts, one for instruction addresses and one for data addresses.

System software can modify its paging-structure entries to change address mappings or attributes such as the page size. After altering the paging structures in memory, system software must invalidate the corresponding translations in the processor's TLB. If a privileged guest user triggers an instruction fetch before that invalidation takes place, the fetch can use an already cached but now stale translation from the Instruction TLB (ITLB). The fetch then targets a physical address that the current paging structures no longer describe, and the processor halts with the Machine Check Error (MCE) on Page Size Change. Intel uses that name for the erratum; the Linux kernel reports the same issue as iTLB multihit.
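
The race described above, modelled as a toy C program. This is an added illustration, not kernel, KVM or kpatch code. The machine check is modelled the way Intel describes the erratum: an instruction fetch that hits two live ITLB entries of different page sizes for the same address, which is exactly what a stale 4K translation plus a freshly filled 2M translation produce after a page size change without invalidation. The page table is a flat list, the ITLB has four slots, and every address and table entry is constructed for the demo.

```c
/*
 * Toy model of the ITLB vs. paging-structure race behind CVE-2018-12207.
 * Added illustration, not kernel, KVM or kpatch code: flat page table,
 * four-slot ITLB, constructed addresses.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PTES   8
#define ITLB_SLOTS 4
#define SZ_4K (1ULL << 12)
#define SZ_2M (1ULL << 21)

/* A paging-structure entry as system software writes it in memory. */
struct pte { uint64_t vbase, pbase, size; };

/* A cached translation: a copy of the PTE taken at fill time. The CPU never
 * re-reads the PTE, so only a software invalidation retires a stale copy. */
struct itlb_entry { bool valid; uint64_t vbase, pbase, size; };

struct cpu {
    struct pte pt[MAX_PTES]; int npte;
    struct itlb_entry itlb[ITLB_SLOTS]; int next_slot;   /* round-robin fill */
};

enum fetch_result { FETCH_HIT, FETCH_FILL, FETCH_FAULT, FETCH_MCE_PAGE_SIZE_CHANGE };

static bool covers(uint64_t b, uint64_t s, uint64_t va) { return va >= b && va < b + s; }
static bool overlaps(uint64_t b1, uint64_t s1, uint64_t b2, uint64_t s2)
{
    return b1 < b2 + s2 && b2 < b1 + s1;
}

/* Software side: replace every PTE overlapping [vbase, vbase+size) with one
 * entry of the new size. flush_itlb models the required TLB invalidation;
 * passing false leaves stale ITLB copies behind, which is the bug trigger. */
void remap_region(struct cpu *c, uint64_t vbase, uint64_t pbase, uint64_t size,
                  bool flush_itlb)
{
    int kept = 0;
    for (int i = 0; i < c->npte; i++)
        if (!overlaps(c->pt[i].vbase, c->pt[i].size, vbase, size))
            c->pt[kept++] = c->pt[i];
    c->npte = kept;
    c->pt[c->npte++] = (struct pte){ vbase, pbase, size };

    if (flush_itlb)
        for (int i = 0; i < ITLB_SLOTS; i++)
            if (c->itlb[i].valid &&
                overlaps(c->itlb[i].vbase, c->itlb[i].size, vbase, size))
                c->itlb[i].valid = false;
}

/* Hardware side: instruction fetch at va. A lookup matching two live entries
 * of different page sizes is the Machine Check Error on Page Size Change;
 * the real CPU halts instead of returning a result. */
enum fetch_result ifetch(struct cpu *c, uint64_t va, uint64_t *pa)
{
    int hits = 0, last = -1;
    bool mixed_sizes = false;
    for (int i = 0; i < ITLB_SLOTS; i++) {
        struct itlb_entry *e = &c->itlb[i];
        if (!e->valid || !covers(e->vbase, e->size, va))
            continue;
        if (hits && e->size != c->itlb[last].size)
            mixed_sizes = true;
        hits++;
        last = i;
    }
    if (hits > 1 && mixed_sizes)
        return FETCH_MCE_PAGE_SIZE_CHANGE;
    if (hits == 1) {
        *pa = c->itlb[last].pbase + (va - c->itlb[last].vbase);
        return FETCH_HIT;
    }
    for (int i = 0; i < c->npte; i++) {           /* miss: walk and fill a slot */
        if (!covers(c->pt[i].vbase, c->pt[i].size, va))
            continue;
        struct itlb_entry *slot = &c->itlb[c->next_slot];
        c->next_slot = (c->next_slot + 1) % ITLB_SLOTS;
        *slot = (struct itlb_entry){ true, c->pt[i].vbase, c->pt[i].pbase, c->pt[i].size };
        *pa = slot->pbase + (va - slot->vbase);
        return FETCH_FILL;
    }
    return FETCH_FAULT;
}

/* Guest-style sequence: code runs from 4K pages, the guest kernel merges the
 * range into one 2M page, and execution continues inside that range. */
enum fetch_result run_scenario(bool flush_itlb)
{
    struct cpu c = { 0 };
    uint64_t pa = 0;
    remap_region(&c, 0x1000, 0x201000, SZ_4K, true);      /* constructed 4K pages */
    remap_region(&c, 0x5000, 0x205000, SZ_4K, true);
    ifetch(&c, 0x1000, &pa);                   /* ITLB now holds a 4K entry for 0x1000 */
    remap_region(&c, 0x0, 0x200000, SZ_2M, flush_itlb);   /* the page size change */
    ifetch(&c, 0x5000, &pa);                   /* miss: ITLB gains a 2M entry for 0..2M */
    return ifetch(&c, 0x1000, &pa);            /* HIT if flushed, MCE if not */
}

int main(void)
{
    static const char *const names[] = { "hit", "fill", "fault", "MCE on page size change" };
    printf("without ITLB flush: %s\n", names[run_scenario(false)]);
    printf("with ITLB flush:    %s\n", names[run_scenario(true)]);
    return 0;
}
```

The model deliberately leaves out what KVM does on the host side; the point it shows is only that the hardware cannot tolerate the stale entry once a second translation of a different size covers the same instruction address, so the invalidation is not optional.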

*Credits: N/A
CVSS Scores

CVSS v3.1 (base score 6.5; vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed (the attacker acts inside a guest; the impact lands on the host processor)
Confidentiality: None
Integrity: None
Availability: High

CVSS v2 (vector AV:L/AC:L/Au:N/C:N/I:N/A:C)
Attack Vector: Local
Attack Complexity: Low
Authentication: None
Confidentiality: None
Integrity: None
Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Technical Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-11-27 CVE Reserved
  • 2019-12-17 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-05 CVE Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
  • First Exploit: not recorded
CWE
  • CWE-805: Buffer Access with Incorrect Length Value
CAPEC: none listed
Affected Vendors, Products, and Versions

Vendor   Product               Version   Other   Status
Redhat   Enterprise Linux      8.0       -       Affected
Redhat   Enterprise Linux Eus  8.1       -       Affected