CVE-2019-14835

Description

A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.

CVSS Metrics

• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v3.0•HIGH•Score: 7.2CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.07%• Percentile: 22%

Techniques & Countermeasures

• CWE-120•Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Affected Systems

• canonical•ubuntu_linux

  12.04 | 14.04 | 16.04 | 18.04 | 19.04

• debian•debian_linux

  8.0 | 9.0 | 10.0

• fedoraproject•fedora

  29 | 30

• huawei•imanager_neteco

  v600r009c00 | v600r009c10spc200

• huawei•imanager neteco 6000

  v600r008c10spc300 | v600r008c20

• huawei•manageone

  6.5.0 | 6.5.0.spc100.b210 | 6.5.1rc1.b060 | 6.5.1rc1.b080 | 6.5.rc2.b050

• linux kernel•linux kernel

  from version 2.6.34 to 5.2.x

• linux•linux_kernel

  ≥ 2.6.34, < 3.16.74 | ≥ 4.4, < 4.4.193 | ≥ 4.9, < 4.9.193 | ≥ 4.14, < 4.14.144 | ≥ 4.19, < 4.19.73 | ≥ 5.2, < 5.2.15 | 5.3

• netapp•aff_a700s

  na

• netapp•data_availability_services

  na

• netapp•h300e_firmware

  na

• netapp•h300s_firmware

  na

• netapp•h410c_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500e_firmware

  na

• netapp•h500s_firmware

  na

• netapp•h610s_firmware

  na

• netapp•h700e_firmware

  na

• netapp•h700s_firmware

  na

• netapp•hci_management_node

  na

• netapp•service_processor

  na

• netapp•solidfire

  na

• netapp•steelstore_cloud_integrated_storage

  na

• opensuse•leap

  15.0 | 15.1

• redhat•enterprise_linux

  8.0

• redhat•enterprise_linux_desktop

  6.0 | 7.0

• redhat•enterprise_linux_eus

  7.5 | 7.6 | 7.7

• redhat•enterprise_linux_for_real_time

  7 | 8

• redhat•enterprise_linux_server

  6.0 | 7.0 | 7.6

• redhat•enterprise_linux_server_aus

  6.5 | 6.6 | 7.2 | 7.3 | 7.4 | 7.6 | 7.7

• redhat•enterprise_linux_server_tus

  7.2 | 7.3 | 7.4 | 7.6 | 7.7

• redhat•enterprise_linux_workstation

  6.0 | 7.0

• redhat•openshift_container_platform

  3.11

• redhat•virtualization

  4.0

• redhat•virtualization_host

  4.0

References (40)

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14835
• https://www.openwall.com/lists/oss-security/2019/09/17/1
• https://usn.ubuntu.com/4135-2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQFY6JYFIQ2VFQ7QCSXPWTUL5ZDNCJL5/
• https://access.redhat.com/errata/RHSA-2019:2827
• https://access.redhat.com/errata/RHSA-2019:2828
• https://access.redhat.com/errata/RHSA-2019:2830
• https://access.redhat.com/errata/RHSA-2019:2829
• https://access.redhat.com/errata/RHSA-2019:2854
• https://access.redhat.com/errata/RHSA-2019:2862
• https://access.redhat.com/errata/RHSA-2019:2863
• https://access.redhat.com/errata/RHSA-2019:2866
• https://access.redhat.com/errata/RHSA-2019:2864
• https://access.redhat.com/errata/RHSA-2019:2865
• https://access.redhat.com/errata/RHSA-2019:2867
• https://access.redhat.com/errata/RHSA-2019:2869
• http://packetstormsecurity.com/files/154572/Kernel-Live-Patch-Security-Notice-LSN-0056-1.html
• http://www.openwall.com/lists/oss-security/2019/09/24/1
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html
• https://access.redhat.com/errata/RHSA-2019:2889
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html
• https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html
• https://seclists.org/bugtraq/2019/Sep/41
• https://www.debian.org/security/2019/dsa-4531
• https://access.redhat.com/errata/RHSA-2019:2900
• https://access.redhat.com/errata/RHSA-2019:2901
• https://access.redhat.com/errata/RHSA-2019:2899
• https://access.redhat.com/errata/RHSA-2019:2924
• https://usn.ubuntu.com/4135-1/
• https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3QNMPENPFEGVTOFPSNOBL7JEIJS25P/
• http://www.openwall.com/lists/oss-security/2019/10/03/1
• http://www.openwall.com/lists/oss-security/2019/10/09/3
• http://www.openwall.com/lists/oss-security/2019/10/09/7
• https://access.redhat.com/errata/RHBA-2019:2824
• http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html
• https://security.netapp.com/advisory/ntap-20191031-0005/
• https://seclists.org/bugtraq/2019/Nov/11
• http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html
• http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-qemu-en