Vulnerabilities > CVE-2009-4031 - Improper Input Validation vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1659.NASL description Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : * performance problems occurred when using the qcow2 image format with the qemu-kvm -drive last seen 2020-06-01 modified 2020-06-02 plugin id 63909 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63909 title RHEL 5 : kvm (RHSA-2009:1659) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2009:1659. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(63909); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:14"); script_cve_id("CVE-2009-4031"); script_xref(name:"RHSA", value:"2009:1659"); script_name(english:"RHEL 5 : kvm (RHSA-2009:1659)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : * performance problems occurred when using the qcow2 image format with the qemu-kvm -drive 'cache=none' option (the default setting when not specified otherwise). This could cause guest operating system installations to take hours. With this update, performance patches have been backported so that using the qcow2 image format with the 'cache=none' option no longer causes performance issues. (BZ#520693) * when using the virtual vm8086 mode, bugs in the emulated hardware task switching implementation may have, in some situations, caused older guest operating systems to malfunction. (BZ#532031) * Windows Server 2003 guests (32-bit) with more than 4GB of memory may have crashed during reboot when using the default qemu-kvm CPU settings. (BZ#532043) * with Red Hat Enterprise Virtualization, guests continued to run after encountering disk read errors. This could have led to their file systems becoming corrupted (but not the host's), notably in environments that use networked storage. With this update, the qemu-kvm -drive 'werror=stop' option now applies not only to write errors but also to read errors: When using this option, guests will pause on disk read and write errors. By default, guests managed by Red Hat Enterprise Virtualization use the 'werror=stop' option. This option is not used by default for guests managed by libvirt. (BZ#537334, BZ#540406) * the para-virtualized block driver (virtio-blk) silently ignored read errors when accessing disk images. With this update, the driver correctly signals the read error to the guest. (BZ#537334) All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note: The procedure in the Solution section must be performed before this update will take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2009-4031" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2009:1659" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_cwe_id(20); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kmod-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kvm-qemu-img"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kvm-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.4"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/29"); script_set_attribute(attribute:"patch_publication_date", value:"2009/12/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2009:1659"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kmod-kvm-83-105.el5_4.13")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kvm-83-105.el5_4.13")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kvm-qemu-img-83-105.el5_4.13")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kvm-tools-83-105.el5_4.13")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kmod-kvm / kvm / kvm-qemu-img / kvm-tools"); } }NASL family SuSE Local Security Checks NASL id SUSE_11_2_KERNEL-100317.NASL description This update of the openSUSE 11.2 kernel contains a lot of bug and security fixes. Following security issues were fixed: CVE-2010-0622: The wake_futex_pi function in kernel/futex.c in the Linux kernel does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. CVE-2010-0623: The futex_lock_pi function in kernel/futex.c in the Linux kernel does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem. CVE-2010-0415: The do_pages_move function in mm/migrate.c in the Linux kernel does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel last seen 2020-06-01 modified 2020-06-02 plugin id 45128 published 2010-03-23 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45128 title openSUSE Security Update : kernel (kernel-2146) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update kernel-2146. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(45128); script_version("1.9"); script_cvs_date("Date: 2019/10/25 13:36:38"); script_cve_id("CVE-2009-4031", "CVE-2010-0410", "CVE-2010-0415", "CVE-2010-0622", "CVE-2010-0623"); script_name(english:"openSUSE Security Update : kernel (kernel-2146)"); script_summary(english:"Check for the kernel-2146 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update of the openSUSE 11.2 kernel contains a lot of bug and security fixes. Following security issues were fixed: CVE-2010-0622: The wake_futex_pi function in kernel/futex.c in the Linux kernel does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. CVE-2010-0623: The futex_lock_pi function in kernel/futex.c in the Linux kernel does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem. CVE-2010-0415: The do_pages_move function in mm/migrate.c in the Linux kernel does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set. CVE-2010-0410: drivers/connector/connector.c in the Linux kernel allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages. CVE-2009-4031: The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support. This update also contains a large rollup of fixes for the rt2860 and rt3090 wireless drivers from the mainline kernel." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=474773" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=492961" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=510449" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=544760" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=555747" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=558269" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=561078" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=565962" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=566634" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=568319" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=570314" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=574654" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=576927" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=577747" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=577753" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=578064" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=578222" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=578550" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=578708" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=579076" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=579219" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=579439" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=579989" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=580799" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=581271" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=581718" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=582552" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=582907" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=584320" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(20, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source-vanilla"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:preload-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:preload-kmp-desktop"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2"); script_set_attribute(attribute:"patch_publication_date", value:"2010/03/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-base-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-devel-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-base-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-devel-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-base-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-devel-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-base-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-devel-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-source-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-source-vanilla-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-syms-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-base-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-devel-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-base-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-devel-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-base-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-devel-2.6.31.12-0.2.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"preload-kmp-default-1.1_2.6.31.12_0.2-6.9.15") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"preload-kmp-desktop-1.1_2.6.31.12_0.2-6.9.15") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-debug / kernel-debug-base / kernel-debug-devel / etc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2009-13098.NASL description Update to kernel 2.6.27.41: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.39 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.40 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.41 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 43125 published 2009-12-14 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43125 title Fedora 10 : kernel-2.6.27.41-170.2.117.fc10 (2009-13098) NASL family Scientific Linux Local Security Checks NASL id SL_20091209_KVM_ON_SL5_4.NASL description CVE-2009-4031 kernel: KVM: x86 emulator: limit instructions to 15 bytes On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : - performance problems occurred when using the qcow2 image format with the qemu-kvm -drive last seen 2020-06-01 modified 2020-06-02 plugin id 60704 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60704 title Scientific Linux Security Update : kvm on SL5.4 x86_64 NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1659.NASL description Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : * performance problems occurred when using the qcow2 image format with the qemu-kvm -drive last seen 2020-06-01 modified 2020-06-02 plugin id 43811 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43811 title CentOS 5 : kvm (CESA-2009:1659) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1962.NASL description Several vulnerabilities have been discovered in kvm, a full virtualization system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-3638 It was discovered an Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function. This allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function. - CVE-2009-3722 It was discovered that the handle_dr function in the KVM subsystem does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. - CVE-2009-4031 It was discovered that the do_insn_fetch function in the x86 emulator in the KVM subsystem tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support. last seen 2020-06-01 modified 2020-06-02 plugin id 44827 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44827 title Debian DSA-1962-1 : kvm - several vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1659.NASL description From Red Hat Security Advisory 2009:1659 : Updated kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. On x86 platforms, the do_insn_fetch() function did not limit the amount of instruction bytes fetched per instruction. Users in guest operating systems could leverage this flaw to cause large latencies on SMP hosts that could lead to a local denial of service on the host operating system. This update fixes this issue by imposing the architecturally-defined 15 byte length limit for instructions. (CVE-2009-4031) This update also fixes the following bugs : * performance problems occurred when using the qcow2 image format with the qemu-kvm -drive last seen 2020-06-01 modified 2020-06-02 plugin id 67971 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67971 title Oracle Linux 5 : kvm (ELSA-2009-1659) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-894-1.NASL description Amerigo Wang and Eric Sesterhenn discovered that the HFS and ext4 filesystems did not correctly check certain disk structures. If a user were tricked into mounting a specially crafted filesystem, a remote attacker could crash the system or gain root privileges. (CVE-2009-4020, CVE-2009-4308) It was discovered that FUSE did not correctly check certain requests. A local attacker with access to FUSE mounts could exploit this to crash the system or possibly gain root privileges. Ubuntu 9.10 was not affected. (CVE-2009-4021) It was discovered that KVM did not correctly decode certain guest instructions. A local attacker in a guest could exploit this to trigger high scheduling latency in the host, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-4031) It was discovered that the OHCI fireware driver did not correctly handle certain ioctls. A local attacker could exploit this to crash the system, or possibly gain root privileges. Ubuntu 6.06 was not affected. (CVE-2009-4138) Tavis Ormandy discovered that the kernel did not correctly handle O_ASYNC on locked files. A local attacker could exploit this to gain root privileges. Only Ubuntu 9.04 and 9.10 were affected. (CVE-2009-4141) Neil Horman and Eugene Teo discovered that the e1000 and e1000e network drivers did not correctly check the size of Ethernet frames. An attacker on the local network could send specially crafted traffic to bypass packet filters, crash the system, or possibly gain root privileges. (CVE-2009-4536, CVE-2009-4538) It was discovered that last seen 2020-06-01 modified 2020-06-02 plugin id 44399 published 2010-02-05 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44399 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : linux, linux-source-2.6.15 vulnerabilities (USN-894-1)
Oval
| accepted | 2013-04-29T04:11:24.775-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:11089 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause a denial of service (increased scheduling latency) on the host OS via unspecified manipulations related to SMP support. | ||||||||||||
| version | 18 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 37130 CVE ID: CVE-2009-4031 Linux Kernel是开放源码操作系统Linux所使用的内核。 在x86平台上,x86模拟器上的arch/x86/kvm/emulate.c文件的do_insn_fetch()函数没有限制每次指令可获取的指令字节数。guest操作系统中的用户可以利用这个漏洞在SMP主机上造成很大的延迟,导致主机操作系统上本地拒绝服务。 Linux kernel 2.6.x 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commit;h=e42d9b8141d1f54ff72ad3850bb110c95a5f3b88 RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2009:1692-01)以及相应补丁: RHSA-2009:1692-01:Important: rhev-hypervisor security and bug fix update 链接:https://www.redhat.com/support/errata/RHSA-2009-1692.html |
| id | SSV:19333 |
| last seen | 2017-11-19 |
| modified | 2010-03-24 |
| published | 2010-03-24 |
| reporter | Root |
| title | Linux kernel 2.6.x KVM超大SMP指令本地拒绝服务漏洞 |
References
- http://www.openwall.com/lists/oss-security/2009/11/25/1
- http://www.openwall.com/lists/oss-security/2009/11/25/3
- http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.32-rc8-next-20091125.gz
- https://bugzilla.redhat.com/show_bug.cgi?id=541160
- http://www.securityfocus.com/bid/37130
- https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00777.html
- http://secunia.com/advisories/37720
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00006.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11089
- http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git%3Ba=commit%3Bh=e42d9b8141d1f54ff72ad3850bb110c95a5f3b88