CVE-2021-29657
KVM nested_svm_vmrun Double Fetch
Severity Score
7.4
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a756. This occurs because of a TOCTOU race condition associated with a VMCB12 double fetch in nested_svm_vmrun.
El archivo arch/x86/kvm/svm/nested.c en el kernel de Linux versiones anteriores a 5.11.12, presenta un uso de memoria previamente liberada en el que un invitado KVM de AMD puede omitir el control de acceso en los MSR del SO anfitrión cuando se presentan invitados anidados, también se conoce como CID-a58d9166a756. Esto ocurre debido a una condición de carrera TOCTOU asociada con un doble fetch VMCB12 en la función nested_svm_vmrun
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-03-31 CVE Reserved
- 2021-05-12 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-10-23 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- CWE-416: Use After Free
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/163324/KVM-nested_svm_vmrun-Double-Fetch.html | Third Party Advisory |
|
| https://security.netapp.com/advisory/ntap-20210902-0008 | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://bugs.chromium.org/p/project-zero/issues/detail?id=2177 | 2024-08-03 | |
| https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.12 | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a58d9166a756a0f4a6618e4f593232593d6df134 | 2023-05-19 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10 < 5.10.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10 < 5.10.28" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.11 < 5.11.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.11.12" | - |
Affected
| ||||||