CVE-2009-4031 - Improper Input Validation vulnerability in Linux Kernel

CVSS 7.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE

Tags: network, low complexity, linux, CWE-20, nessus

Summary

The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.
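An added illustration, not code from this page, from KVM or from any of the advisories below: a C model of an emulator's instruction-fetch step, run first without any bound and then with the architecturally-defined 15-byte limit that the fix imposes. All struct and function names are hypothetical, and the guest code bytes are constructed inline.

```c
/* Model of an emulator's instruction-fetch step with and without the
 * architectural 15-byte instruction length limit that the fix imposes.
 * Illustration written for this page; it is not KVM's emulate.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_MAX_INSN_LEN 15   /* longest legal x86 instruction, in bytes */

/* Fetch cursor over guest code bytes. In a hypervisor every fetch is a
 * guest-memory read, which is where the host-side latency comes from. */
struct insn_fetch {
    const uint8_t *code;    /* guest code bytes (constructed below) */
    size_t         len;     /* bytes available */
    size_t         start;   /* offset where the current instruction began */
    size_t         pos;     /* next byte to fetch */
    int            limit;   /* 1 = enforce the 15-byte limit, 0 = unbounded */
    unsigned long  fetches; /* byte fetches performed so far */
};

/* Fetch one byte: 0 on success, -1 when the instruction would grow past
 * 15 bytes (real hardware raises #UD) or the code buffer is exhausted. */
static int insn_fetch_byte(struct insn_fetch *f, uint8_t *out)
{
    if (f->limit && f->pos - f->start >= X86_MAX_INSN_LEN)
        return -1;          /* the length check the fix adds */
    if (f->pos >= f->len)
        return -1;          /* no more guest bytes */
    f->fetches++;
    *out = f->code[f->pos++];
    return 0;
}

/* Legacy prefixes: operand/address size, LOCK, REP/REPNE, segment overrides. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x66: case 0x67: case 0xF0: case 0xF2: case 0xF3:
    case 0x26: case 0x2E: case 0x36: case 0x3E: case 0x64: case 0x65:
        return 1;
    default:
        return 0;
    }
}

/* Decode the prefix run plus the first opcode byte of the instruction at
 * code[0]. Returns bytes consumed, or -1 if a fetch faulted. If 'fetches'
 * is non-NULL it receives the number of byte fetches performed. */
int decode_insn_start(const uint8_t *code, size_t len, int enforce_limit,
                      unsigned long *fetches)
{
    struct insn_fetch f = { code, len, 0, 0, enforce_limit, 0 };
    uint8_t b;
    int rc = -1;

    /* Without the limit this loop runs for as many prefix bytes as the guest
     * supplies, doing a guest-memory read on every iteration. */
    for (;;) {
        if (insn_fetch_byte(&f, &b) != 0)
            break;
        if (!is_legacy_prefix(b)) {     /* first non-prefix byte: the opcode */
            rc = (int)f.pos;
            break;
        }
    }
    if (fetches)
        *fetches = f.fetches;
    return rc;
}

/* Constructed input: 'nprefix' operand-size prefixes (0x66) followed by a
 * nop (0x90). Returns bytes consumed or -1; 'fetches' may be NULL. */
int decode_prefixed_nop(size_t nprefix, int enforce_limit, unsigned long *fetches)
{
    static uint8_t buf[4096];
    if (nprefix + 1 > sizeof buf)
        return -1;
    memset(buf, 0x66, nprefix);
    buf[nprefix] = 0x90;
    return decode_insn_start(buf, nprefix + 1, enforce_limit, fetches);
}

/* Number of guest-memory fetches the decoder performs on that same input. */
unsigned long fetches_for_prefixed_nop(size_t nprefix, int enforce_limit)
{
    unsigned long n = 0;
    decode_prefixed_nop(nprefix, enforce_limit, &n);
    return n;
}

int main(void)
{
    printf("15 prefixes + nop, limited: rc=%d (16 bytes, rejected)\n",
           decode_prefixed_nop(15, 1, NULL));
    printf("200 prefixes + nop: %lu fetches unbounded, %lu fetches limited\n",
           fetches_for_prefixed_nop(200, 0), fetches_for_prefixed_nop(200, 1));
    return 0;
}
```

The bounded decoder stops after 15 fetches regardless of how long the prefix run is, while the unbounded one performs one guest-memory read per supplied byte; a 15-byte instruction (14 prefixes plus opcode) is still accepted.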

Vulnerable Configurations

Part | Description | Count
OS   | Linux       | 1040

Common Weakness Enumeration (CWE)

  • CWE-20: Improper Input Validation
Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web browser that bypasses security zone controls and gains access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content they were allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and the less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would later be interpreted as shell commands. Sometime later, a backend application (which may be part of the same application) fetches the injected data stored in the database and uses it as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands that are executed on the host.

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2009-1659.NASL
    description: Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : * performance problems occurred when using the qcow2 image format with the qemu-kvm -drive
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63909
    published: 2013-01-24
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63909
    title: RHEL 5 : kvm (RHSA-2009:1659)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2009:1659. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(63909);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:14");
    
      script_cve_id("CVE-2009-4031");
      script_xref(name:"RHSA", value:"2009:1659");
    
      script_name(english:"RHEL 5 : kvm (RHSA-2009:1659)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kvm packages that fix one security issue and several bugs are
    now available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    KVM (Kernel-based Virtual Machine) is a full virtualization solution
    for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module
    built for the standard Red Hat Enterprise Linux kernel.
    
    On x86 platforms, the do_insn_fetch() function did not limit the
    amount of instruction bytes fetched per instruction. Users in guest
    operating systems could leverage this flaw to cause large latencies on
    SMP hosts that could lead to a local denial of service on the host
    operating system. This update fixes this issue by imposing the
    architecturally-defined 15 byte length limit for instructions.
    (CVE-2009-4031)
    
    This update also fixes the following bugs :
    
    * performance problems occurred when using the qcow2 image format with
    the qemu-kvm -drive 'cache=none' option (the default setting when not
    specified otherwise). This could cause guest operating system
    installations to take hours. With this update, performance patches
    have been backported so that using the qcow2 image format with the
    'cache=none' option no longer causes performance issues. (BZ#520693)
    
    * when using the virtual vm8086 mode, bugs in the emulated hardware
    task switching implementation may have, in some situations, caused
    older guest operating systems to malfunction. (BZ#532031)
    
    * Windows Server 2003 guests (32-bit) with more than 4GB of memory may
    have crashed during reboot when using the default qemu-kvm CPU
    settings. (BZ#532043)
    
    * with Red Hat Enterprise Virtualization, guests continued to run
    after encountering disk read errors. This could have led to their file
    systems becoming corrupted (but not the host's), notably in
    environments that use networked storage. With this update, the
    qemu-kvm -drive 'werror=stop' option now applies not only to write
    errors but also to read errors: When using this option, guests will
    pause on disk read and write errors.
    
    By default, guests managed by Red Hat Enterprise Virtualization use
    the 'werror=stop' option. This option is not used by default for
    guests managed by libvirt. (BZ#537334, BZ#540406)
    
    * the para-virtualized block driver (virtio-blk) silently ignored read
    errors when accessing disk images. With this update, the driver
    correctly signals the read error to the guest. (BZ#537334)
    
    All KVM users should upgrade to these updated packages, which contain
    backported patches to resolve these issues. Note: The procedure in the
    Solution section must be performed before this update will take
    effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-4031"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2009:1659"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_cwe_id(20);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kmod-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kvm-qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kvm-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2009:1659";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kmod-kvm-83-105.el5_4.13")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kvm-83-105.el5_4.13")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kvm-qemu-img-83-105.el5_4.13")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kvm-tools-83-105.el5_4.13")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kmod-kvm / kvm / kvm-qemu-img / kvm-tools");
      }
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_2_KERNEL-100317.NASL
    description: This update of the openSUSE 11.2 kernel contains a lot of bug and security fixes. Following security issues were fixed: CVE-2010-0622: The wake_futex_pi function in kernel/futex.c in the Linux kernel does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. CVE-2010-0623: The futex_lock_pi function in kernel/futex.c in the Linux kernel does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem. CVE-2010-0415: The do_pages_move function in mm/migrate.c in the Linux kernel does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 45128
    published: 2010-03-23
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/45128
    title: openSUSE Security Update : kernel (kernel-2146)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update kernel-2146.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(45128);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:38");
    
      script_cve_id("CVE-2009-4031", "CVE-2010-0410", "CVE-2010-0415", "CVE-2010-0622", "CVE-2010-0623");
    
      script_name(english:"openSUSE Security Update : kernel (kernel-2146)");
      script_summary(english:"Check for the kernel-2146 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of the openSUSE 11.2 kernel contains a lot of bug and
    security fixes.
    
    Following security issues were fixed: CVE-2010-0622: The wake_futex_pi
    function in kernel/futex.c in the Linux kernel does not properly
    handle certain unlock operations for a Priority Inheritance (PI)
    futex, which allows local users to cause a denial of service (OOPS)
    and possibly have unspecified other impact via vectors involving
    modification of the futex value from user space.
    
    CVE-2010-0623: The futex_lock_pi function in kernel/futex.c in the
    Linux kernel does not properly manage a certain reference count, which
    allows local users to cause a denial of service (OOPS) via vectors
    involving an unmount of an ext3 filesystem.
    
    CVE-2010-0415: The do_pages_move function in mm/migrate.c in the Linux
    kernel does not validate node values, which allows local users to read
    arbitrary kernel memory locations, cause a denial of service (OOPS),
    and possibly have unspecified other impact by specifying a node that
    is not part of the kernel's node set.
    
    CVE-2010-0410: drivers/connector/connector.c in the Linux kernel
    allows local users to cause a denial of service (memory consumption
    and system crash) by sending the kernel many NETLINK_CONNECTOR
    messages.
    
    CVE-2009-4031: The do_insn_fetch function in arch/x86/kvm/emulate.c in
    the x86 emulator in the KVM subsystem in the Linux kernel tries to
    interpret instructions that contain too many bytes to be valid, which
    allows guest OS users to cause a denial of service (increased
    scheduling latency) on the host OS via unspecified manipulations
    related to SMP support.
    
    This update also contains a large rollup of fixes for the rt2860 and
    rt3090 wireless drivers from the mainline kernel."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=474773"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=492961"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=510449"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=544760"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=555747"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=558269"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=561078"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=565962"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=566634"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=568319"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=570314"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=574654"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=576927"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=577747"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=577753"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=578064"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=578222"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=578550"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=578708"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=579076"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=579219"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=579439"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=579989"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=580799"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=581271"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=581718"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=582552"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=582907"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=584320"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(20, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source-vanilla");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:preload-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:preload-kmp-desktop");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/03/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-base-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-devel-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-base-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-devel-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-base-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-devel-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-base-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-devel-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-source-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-source-vanilla-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-syms-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-base-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-devel-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-base-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-devel-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-base-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-devel-2.6.31.12-0.2.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"preload-kmp-default-1.1_2.6.31.12_0.2-6.9.15") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"preload-kmp-desktop-1.1_2.6.31.12_0.2-6.9.15") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-debug / kernel-debug-base / kernel-debug-devel / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2009-13098.NASL
    description: Update to kernel 2.6.27.41: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.39 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.40 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.41 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43125
    published: 2009-12-14
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43125
    title: Fedora 10 : kernel-2.6.27.41-170.2.117.fc10 (2009-13098)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20091209_KVM_ON_SL5_4.NASL
    description: CVE-2009-4031 kernel: KVM: x86 emulator: limit instructions to 15 bytes On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : - performance problems occurred when using the qcow2 image format with the qemu-kvm -drive
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60704
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60704
    title: Scientific Linux Security Update : kvm on SL5.4 x86_64
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2009-1659.NASL
    description: Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : * performance problems occurred when using the qcow2 image format with the qemu-kvm -drive
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43811
    published: 2010-01-06
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43811
    title: CentOS 5 : kvm (CESA-2009:1659)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1962.NASL
    description: Several vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-3638 An integer overflow was discovered in the kvm_dev_ioctl_get_supported_cpuid function. This allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function. - CVE-2009-3722 It was discovered that the handle_dr function in the KVM subsystem does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. - CVE-2009-4031 It was discovered that the do_insn_fetch function in the x86 emulator in the KVM subsystem tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44827
    published: 2010-02-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44827
    title: Debian DSA-1962-1 : kvm - several vulnerabilities
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2009-1659.NASL
    description: From Red Hat Security Advisory 2009:1659 : Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : * performance problems occurred when using the qcow2 image format with the qemu-kvm -drive
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67971
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67971
    title: Oracle Linux 5 : kvm (ELSA-2009-1659)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-894-1.NASL
    description: Amerigo Wang and Eric Sesterhenn discovered that the HFS and ext4 filesystems did not correctly check certain disk structures. If a user were tricked into mounting a specially crafted filesystem, a remote attacker could crash the system or gain root privileges. (CVE-2009-4020, CVE-2009-4308) It was discovered that FUSE did not correctly check certain requests. A local attacker with access to FUSE mounts could exploit this to crash the system or possibly gain root privileges. Ubuntu 9.10 was not affected. (CVE-2009-4021) It was discovered that KVM did not correctly decode certain guest instructions. A local attacker in a guest could exploit this to trigger high scheduling latency in the host, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-4031) It was discovered that the OHCI FireWire driver did not correctly handle certain ioctls. A local attacker could exploit this to crash the system, or possibly gain root privileges. Ubuntu 6.06 was not affected. (CVE-2009-4138) Tavis Ormandy discovered that the kernel did not correctly handle O_ASYNC on locked files. A local attacker could exploit this to gain root privileges. Only Ubuntu 9.04 and 9.10 were affected. (CVE-2009-4141) Neil Horman and Eugene Teo discovered that the e1000 and e1000e network drivers did not correctly check the size of Ethernet frames. An attacker on the local network could send specially crafted traffic to bypass packet filters, crash the system, or possibly gain root privileges. (CVE-2009-4536, CVE-2009-4538) It was discovered that
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44399
    published: 2010-02-05
    reporter: Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44399
    title: Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : linux, linux-source-2.6.15 vulnerabilities (USN-894-1)

Oval

accepted: 2013-04-29T04:11:24.775-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.
family: unix
id: oval:org.mitre.oval:def:11089
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.
version: 18

Redhat

advisories
bugzilla
id: 541160
title: CVE-2009-4031 kernel: KVM: x86 emulator: limit instructions to 15 bytes
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment: kvm-tools is earlier than 0:83-105.el5_4.13
          oval: oval:com.redhat.rhsa:tst:20091659001
        • comment: kvm-tools is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20091465002
      • AND
        • comment: kvm-qemu-img is earlier than 0:83-105.el5_4.13
          oval: oval:com.redhat.rhsa:tst:20091659003
        • comment: kvm-qemu-img is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20091465008
      • AND
        • comment: kvm is earlier than 0:83-105.el5_4.13
          oval: oval:com.redhat.rhsa:tst:20091659005
        • comment: kvm is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20091465006
      • AND
        • comment: kmod-kvm is earlier than 0:83-105.el5_4.13
          oval: oval:com.redhat.rhsa:tst:20091659007
        • comment: kmod-kvm is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20091465004
rhsa
id: RHSA-2009:1659
released: 2009-12-09
severity: Moderate
title: RHSA-2009:1659: kvm security and bug fix update (Moderate)
rpms
  • kmod-kvm-0:83-105.el5_4.13
  • kvm-0:83-105.el5_4.13
  • kvm-debuginfo-0:83-105.el5_4.13
  • kvm-qemu-img-0:83-105.el5_4.13
  • kvm-tools-0:83-105.el5_4.13
  • rhev-hypervisor-0:5.4-2.1.3.el5_4rhev2_1
  • rhev-hypervisor-pxe-0:5.4-2.1.3.el5_4rhev2_1

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 37130 CVE ID: CVE-2009-4031 Linux Kernel is the kernel used by the open-source operating system Linux. On x86 platforms, the do_insn_fetch() function in the x86 emulator file arch/x86/kvm/emulate.c does not limit the number of instruction bytes that can be fetched per instruction. Users in a guest operating system can exploit this vulnerability to cause large latencies on SMP hosts, leading to a local denial of service on the host operating system. Linux kernel 2.6.x Vendor patches: Linux ----- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commit;h=e42d9b8141d1f54ff72ad3850bb110c95a5f3b88 RedHat ------ RedHat has published a security advisory (RHSA-2009:1692-01) and the corresponding patch: RHSA-2009:1692-01: Important: rhev-hypervisor security and bug fix update Link: https://www.redhat.com/support/errata/RHSA-2009-1692.html
id: SSV:19333
last seen: 2017-11-19
modified: 2010-03-24
published: 2010-03-24
reporter: Root
title: Linux kernel 2.6.x KVM oversized instruction SMP local denial of service vulnerability