CVE-2020-2732

Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest.

Se detectó un fallo en la manera en que el hipervisor de KVM manejó la emulación de instrucciones para un invitado L2 cuando la virtualización anidada está habilitada. En algunas circunstancias, un invitado L2 puede engañar al invitado L0 para que acceda a recursos L1 confidenciales que deberían estar inaccesibles para el invitado L2.

A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor.

*Credits: N/A

CVSS Scores

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Adjacent

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2019-12-10 CVE Reserved
2020-03-17 CVE Published
2023-03-08 EPSS Updated
2024-09-30 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (15)

URL	Tag	Source
https://linux.oracle.com/errata/ELSA-2020-5540.html	Third Party Advisory
https://linux.oracle.com/errata/ELSA-2020-5542.html	Third Party Advisory
https://linux.oracle.com/errata/ELSA-2020-5543.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html	Mailing List
https://www.openwall.com/lists/oss-security/2020/02/25/3	Mailing List

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/linus/07721feee46b4b248402133228235318199b05ec	2020-06-10
https://git.kernel.org/linus/35a571346a94fb93b5b3b6a599675ef3384bc75c	2020-06-10
https://git.kernel.org/linus/e71237d3ff1abf9f3388337cfebf53b96df2020d	2020-06-10
https://www.spinics.net/lists/kvm/msg208259.html	2020-06-10

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=1805135	2020-06-10
https://www.debian.org/security/2020/dsa-4667	2020-06-10
https://www.debian.org/security/2020/dsa-4698	2020-06-10
https://access.redhat.com/security/cve/CVE-2020-2732	2020-09-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected