CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
40.4%
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:1202 advisory.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.
Security Fix(es):
* A flaw was found in the implementation of the fill buffer, a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer.
(CVE-2018-12130)
* Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU's processor store buffer. (CVE-2018-12126)
* Microprocessors use a load port subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPUs pipelines. Stale load operations results are stored in the 'load port' table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel. (CVE-2018-12127)
* Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11091)
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2019:1202. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(193996);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");
script_cve_id(
"CVE-2018-12126",
"CVE-2018-12127",
"CVE-2018-12130",
"CVE-2019-11091"
);
script_xref(name:"IAVA", value:"2019-A-0166");
script_xref(name:"RHSA", value:"2019:1202");
script_xref(name:"CEA-ID", value:"CEA-2019-0324");
script_xref(name:"CEA-ID", value:"CEA-2019-0547");
script_name(english:"RHEL 7 : qemu-kvm-rhev (RHSA-2019:1202)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for qemu-kvm-rhev.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2019:1202 advisory.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of
architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines
that use KVM in environments managed by Red Hat products.
Security Fix(es):
* A flaw was found in the implementation of the fill buffer, a mechanism used by modern CPUs when a
cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page
fault, the execution will continue speculatively with incorrect data from the fill buffer while the data
is fetched from higher level caches. This response time can be measured to infer data in the fill buffer.
(CVE-2018-12130)
* Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of
writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore
Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into
these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed
processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use
this flaw to read private data resident within the CPU's processor store buffer. (CVE-2018-12126)
* Microprocessors use a load port subcomponent to perform load operations from memory or IO. During
a load operation, the load port receives data from the memory or IO subsystem and then provides the data
to the CPU registers and operations in the CPUs pipelines. Stale load operations results are stored in
the 'load port' table until overwritten by newer operations. Certain load-port operations triggered by an
attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a
timing side-channel. (CVE-2018-12127)
* Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated
user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11091)
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/vulnerabilities/mds");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#important");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1646781");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1646784");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1667782");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1705312");
# https://access.redhat.com/security/data/csaf/v2/advisories/2019/rhsa-2019_1202.json
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79379a4a");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:1202");
script_set_attribute(attribute:"solution", value:
"Update the RHEL qemu-kvm-rhev package based on the guidance in RHSA-2019:1202.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11091");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(226, 385);
script_set_attribute(attribute:"vendor_severity", value:"Important");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/07");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/27");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-img-rhev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-common-rhev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools-rhev");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'repo_relative_urls': [
'content/dist/rhel/client/7/7Client/x86_64/openstack-tools/14/debug',
'content/dist/rhel/client/7/7Client/x86_64/openstack-tools/14/os',
'content/dist/rhel/client/7/7Client/x86_64/openstack-tools/14/source/SRPMS',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack-deployment-tools/14/debug',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack-deployment-tools/14/os',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack-deployment-tools/14/source/SRPMS',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack-devtools/14/debug',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack-devtools/14/os',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack-devtools/14/source/SRPMS',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack/14/debug',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack/14/os',
'content/dist/rhel/power-9/7/7Server/ppc64le/openstack/14/source/SRPMS',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/14/debug',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/14/os',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-deployment-tools/14/source/SRPMS',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-devtools/14/debug',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-devtools/14/os',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack-devtools/14/source/SRPMS',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack/14/debug',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack/14/os',
'content/dist/rhel/power-le/7/7Server/ppc64le/openstack/14/source/SRPMS',
'content/dist/rhel/server/7/7Server/x86_64/openstack-deployment-tools/14/debug',
'content/dist/rhel/server/7/7Server/x86_64/openstack-deployment-tools/14/os',
'content/dist/rhel/server/7/7Server/x86_64/openstack-deployment-tools/14/source/SRPMS',
'content/dist/rhel/server/7/7Server/x86_64/openstack-devtools/14/debug',
'content/dist/rhel/server/7/7Server/x86_64/openstack-devtools/14/os',
'content/dist/rhel/server/7/7Server/x86_64/openstack-devtools/14/source/SRPMS',
'content/dist/rhel/server/7/7Server/x86_64/openstack-tools/14/debug',
'content/dist/rhel/server/7/7Server/x86_64/openstack-tools/14/os',
'content/dist/rhel/server/7/7Server/x86_64/openstack-tools/14/source/SRPMS',
'content/dist/rhel/server/7/7Server/x86_64/openstack/14/debug',
'content/dist/rhel/server/7/7Server/x86_64/openstack/14/os',
'content/dist/rhel/server/7/7Server/x86_64/openstack/14/source/SRPMS',
'content/dist/rhel/workstation/7/7Workstation/x86_64/openstack-tools/14/debug',
'content/dist/rhel/workstation/7/7Workstation/x86_64/openstack-tools/14/os',
'content/dist/rhel/workstation/7/7Workstation/x86_64/openstack-tools/14/source/SRPMS'
],
'pkgs': [
{'reference':'qemu-img-rhev-2.12.0-18.el7_6.5', 'cpu':'ppc64le', 'release':'7', 'el_string':'el7_6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'openstack-'},
{'reference':'qemu-img-rhev-2.12.0-18.el7_6.5', 'cpu':'x86_64', 'release':'7', 'el_string':'el7_6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'openstack-'},
{'reference':'qemu-kvm-common-rhev-2.12.0-18.el7_6.5', 'cpu':'ppc64le', 'release':'7', 'el_string':'el7_6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'openstack-'},
{'reference':'qemu-kvm-common-rhev-2.12.0-18.el7_6.5', 'cpu':'x86_64', 'release':'7', 'el_string':'el7_6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'openstack-'},
{'reference':'qemu-kvm-rhev-2.12.0-18.el7_6.5', 'cpu':'ppc64le', 'release':'7', 'el_string':'el7_6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'openstack-'},
{'reference':'qemu-kvm-rhev-2.12.0-18.el7_6.5', 'cpu':'x86_64', 'release':'7', 'el_string':'el7_6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'openstack-'},
{'reference':'qemu-kvm-tools-rhev-2.12.0-18.el7_6.5', 'cpu':'ppc64le', 'release':'7', 'el_string':'el7_6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'openstack-'},
{'reference':'qemu-kvm-tools-rhev-2.12.0-18.el7_6.5', 'cpu':'x86_64', 'release':'7', 'el_string':'el7_6', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'openstack-'}
]
}
];
var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
foreach var pkg ( constraint_array['pkgs'] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (reference &&
_release &&
rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
(applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
else extra = rpm_report_get();
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu-img-rhev / qemu-kvm-common-rhev / qemu-kvm-rhev / etc');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091
www.nessus.org/u?79379a4a
access.redhat.com/errata/RHSA-2019:1202
access.redhat.com/security/updates/classification/#important
access.redhat.com/security/vulnerabilities/mds
bugzilla.redhat.com/show_bug.cgi?id=1646781
bugzilla.redhat.com/show_bug.cgi?id=1646784
bugzilla.redhat.com/show_bug.cgi?id=1667782
bugzilla.redhat.com/show_bug.cgi?id=1705312
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
40.4%