Impact: Important
Public Date: 2019-09-17
CWE: CWE-120
Bugzilla: 1750727

CVE-2019-14835 kernel: vhost-net: guest to host kernel escape during migration

A buffer overflow flaw was found in the way the Linux kernel's vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with an invalid length to the host while migration is underway could use this flaw to increase their privileges on the host.
Find out more about CVE-2019-14835 from the MITRE CVE dictionary and NIST NVD.
Red Hat Product Security is aware of this issue. Updates will be released as they become available.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
Metric | Value |
---|---|
CVSS3 Base Score | 7.2 |
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
Attack Vector | Local |
Attack Complexity | High |
Privileges Required | High |
User Interaction | Required |
Scope | Changed |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
Platform | Package | State |
---|---|---|
Red Hat Virtualization 4 | redhat-virtualization-host | Affected |
Red Hat Enterprise Linux 8 | kernel | Affected |
Red Hat Enterprise Linux 8 | kernel-rt | Affected |
Red Hat Enterprise Linux 7 | kernel-alt | Affected |
Red Hat Enterprise Linux 7 | kernel | Affected |
Red Hat Enterprise Linux 7 | kernel-rt | Affected |
Red Hat Enterprise Linux 6 | kernel | Affected |
Red Hat Enterprise Linux 5 | kernel | Not affected |
Option #1: Disabling vhost-net
Vhost-net functionality can be disabled on a per-guest basis. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-network_configuration-disabling_vhost_net.
Alternatively, the kernel module named 'vhost_net', which contains the affected code, can be blacklisted using the standard blacklisting techniques. See https://access.redhat.com/solutions/41278 for how to blacklist a kernel module.
Guests utilizing vhost-net functionality need to be rebooted for the changes to take effect.
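The following audit script is an added example and is not part of the Red Hat advisory or its linked documentation. It checks, for a host and one guest, whether the two mitigations in Option #1 are actually in place: that the 'vhost_net' module is not loaded, that it is blacklisted in modprobe.d (it assumes the standard pair of a 'blacklist' line plus an 'install ... /bin/false' line, since a blacklist line alone does not stop an explicit or dependency-triggered load), and that the guest's libvirt domain XML has no virtio interface still using vhost-net (the per-guest opt-out is the `<driver name='qemu'/>` element inside `<interface>`, which is what the linked guide describes). All file paths are parameters so the functions can be run against constructed sample files; on a real host pass /proc/modules, /etc/modprobe.d and the output of `virsh dumpxml <guest>`.

```shell
#!/bin/sh
# Added example, not from the Red Hat advisory: audit the Option #1
# mitigations for CVE-2019-14835. Inputs are file paths (constructed
# samples here; /proc/modules, /etc/modprobe.d and `virsh dumpxml` output
# on a real host).

# Return 0 if the vhost_net module appears in a /proc/modules-style listing.
vhost_net_loaded() {
    grep -q '^vhost_net ' "$1"
}

# Inspect a modprobe.d directory and print one of:
#   full    - both "blacklist vhost_net" and "install vhost_net /bin/false"
#   partial - only one of the two lines is present
#   none    - neither is present
vhost_net_blacklist_state() {
    confdir=$1
    bl=0
    inst=0
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*blacklist[[:space:]]+vhost[_-]net([[:space:]]|$)' "$f" && bl=1
        grep -Eq '^[[:space:]]*install[[:space:]]+vhost[_-]net[[:space:]]+/bin/(false|true)' "$f" && inst=1
    done
    if [ "$bl" -eq 1 ] && [ "$inst" -eq 1 ]; then echo full
    elif [ "$bl" -eq 1 ] || [ "$inst" -eq 1 ]; then echo partial
    else echo none
    fi
}

# Count interfaces in a libvirt domain XML that will use vhost-net: a virtio
# model without <driver name='qemu'/>. A result of 0 means the guest has
# vhost-net disabled on every interface.
count_vhost_interfaces() {
    awk '
        /<interface[ >]/                    { inif = 1; virtio = 0; qemu = 0 }
        inif && /<model[^>]*type=.virtio./  { virtio = 1 }
        inif && /<driver[^>]*name=.qemu./   { qemu = 1 }
        inif && /<\/interface>/             { if (virtio && !qemu) n++; inif = 0 }
        END { print n + 0 }
    ' "$1"
}

# Combine the checks. Returns 0 (mitigated) when the guest has no vhost-net
# interfaces, or when the module is fully blacklisted and no longer loaded
# (a blacklisted module that is still loaded means guests were not rebooted).
vhost_mitigation_report() {
    modules=$1; confdir=$2; domxml=$3
    state=$(vhost_net_blacklist_state "$confdir")
    n=$(count_vhost_interfaces "$domxml")
    if vhost_net_loaded "$modules"; then loaded=yes; else loaded=no; fi
    echo "vhost_net loaded=$loaded blacklist=$state vhost_interfaces=$n"
    if [ "$n" -eq 0 ]; then return 0; fi
    if [ "$state" = full ] && [ "$loaded" = no ]; then return 0; fi
    return 1
}

# Demo on constructed sample data: module loaded, blacklist line only,
# one of two virtio interfaces still on vhost-net.
demo_dir=$(mktemp -d)
printf 'vhost_net 24576 1 - Live 0x0000000000000000\n' > "$demo_dir/modules"
printf 'blacklist vhost_net\n' > "$demo_dir/local.conf"
cat > "$demo_dir/guest.xml" <<'EOF'
<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br0'/>
      <model type='virtio'/>
      <driver name='qemu'/>
    </interface>
  </devices>
</domain>
EOF
vhost_mitigation_report "$demo_dir/modules" "$demo_dir" "$demo_dir/guest.xml" \
    || echo "guest still has a vhost-net interface; mitigation incomplete"
rm -rf "$demo_dir"
```

The report deliberately treats "blacklisted but still loaded" as unmitigated, matching the advisory's note that guests using vhost-net must be rebooted before the change takes effect.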
Option #2: Disabling guest migration
The issue is only exploitable from the guest while migration is underway, so avoiding migration, either by disabling automatic migration completely or by not migrating guests manually, is an effective way to prevent exploitation.