Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Two unpatched vulnerabilities are found in Linux Kernel. Both are NULL pointer deference issues that can be used by local attackers to induce DoS condition.
IMPACT: MEDIUM
PUBLISH DATE: 27-11-2018
OVERVIEW
Two vulnerabilities in the arch/x86/kvm/lapic.c and vcpu_scan_ioapic in Linux Kernel can be exploited by local malicious attackers to induce Denial of Service on target system. The flaws have not been patched by the vendor.
ANALYSIS
A kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel’s 4.19.2 and earlier versions lets local users to cause a denial of service (NULL pointer dereference and BUG). The condition is induced via crafted system calls that reach a situation where the apic map is uninitialized.
The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced. This patch fixes it by checking whether or not apic map is NULL and bailing out immediately if that is the case.
The second flaw, tracked as CVE-2018-19407 is found in the Linux Kernel function vcpu_scan_ioapic that is defined in arch/x86/kvm/x86.c.
The flaw is triggered when I/O Advanced Programmable Interrupt Controller (I/O APIC) fails to initialize correctly.
Using crafted system calls that reach a situation where ioapic is uninitialized, a malicious attacker may launch a Denial of Service attack on the target system.
The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed.
AFFECTED PRODUCTS
Linux kernel 4.19.2 and earlier versions.
UPDATES
Unofficial patches for both flaws were released in the unofficial Linux Kernel Mailing List (LKML) archive, but haven’t been pushed upstream. Whereas, no official updates or patches have been released by the vendor yet.
If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.