Lucene search

197 matches found

GoogleProjectZero
added 2021/06/29 12:0 a.m. | 119 views

An EPYC escape: Case-study of a KVM breakout

Posted by Felix Wilhelm, Project Zero. Introduction: KVM (for Kernel-based Virtual Machine) is the de-facto standard hypervisor for Linux-based cloud environments. Outside of Azure, almost all large-scale cloud and hosting providers are running on top of KVM, turning it into one of the fundamental...

7.4 CVSS | 7.3 AI score | 0.00047 EPSS
Exploits: 1

RedhatCVE
added 2021/06/11 9:48 a.m. | 47 views

CVE-2021-32399

A flaw was found in the Linux kernel’s handling of the removal of Bluetooth HCI controllers. This flaw allows an attacker with a local account to exploit a race condition, leading to corrupted memory and possible privilege escalation. The highest threat from this vulnerability is to...

7 CVSS | 1.3 AI score | 0.00064 EPSS
Exploits: 1 | References: 3

OpenVAS
added 2021/06/09 12:0 a.m. | 17 views

SUSE: Security Advisory (SUSE-SU-2018:1784-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

5.6 CVSS | 7 AI score | 0.88482 EPSS
Exploits: 8 | References: 5

OpenVAS
added 2021/04/19 12:0 a.m. | 21 views

SUSE: Security Advisory (SUSE-SU-2018:1503-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

5.6 CVSS | 7 AI score | 0.88482 EPSS
Exploits: 8 | References: 4

OpenVAS
added 2021/03/15 12:0 a.m. | 6 views

SYS.2.3.A14

Peripheral devices SHOULD only be usable if they are listed on a centrally managed whitelist. Kernel modules for peripheral devices SHOULD only be loaded and activated if the device is on the whitelist. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might...

7.3 AI score
Exploits: 0 | References: 1

RedhatCVE
added 2020/11/11 1:23 a.m. | 35 views

CVE-2020-12321

A flaw was found in the firmware of some Intel Bluetooth devices. This may allow an unauthenticated attacker within Bluetooth range to overflow a buffer and corrupt memory leading to a crash or privilege escalation. Mitigation: To mitigate these vulnerabilities on the operating system level, disab...

8.8 CVSS | 1.3 AI score | 0.00285 EPSS
Exploits: 0 | References: 4

RedhatCVE
added 2020/11/03 11:1 a.m. | 38 views

CVE-2020-25662

A Red Hat only CVE-2020-12352 regression issue was found in the way the Linux kernel's Bluetooth stack implementation handled the initialization of stack memory when handling certain AMP packets. This flaw allows a remote attacker in an adjacent range to leak small portions of stack memory on the...

6.5 CVSS | 1 AI score | 0.02388 EPSS
Exploits: 6 | References: 5

RedhatCVE
added 2020/11/03 11:1 a.m. | 41 views

CVE-2020-25661

A Red Hat only CVE-2020-12351 regression issue was found in the way the Linux kernel's Bluetooth implementation handled L2CAP packets with A2MP CID. This flaw allows a remote attacker in an adjacent range to crash the system, causing a denial of service or potentially executing arbitrary code on...

8.8 CVSS | 1.6 AI score | 0.02874 EPSS
Exploits: 5 | References: 4

IBM Security Bulletins
added 2020/10/29 1:19 p.m. | 59 views

Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management

Summary: Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported CVEs. Vulnerability Details: CVEID: CVE-2019-19051 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the i2400m_op_rfkill_sw_toggle function in...

5.5 CVSS | 0.3 AI score | 0.00096 EPSS
Exploits: 0 | Affected Software: 1

RedhatCVE
added 2020/10/14 10:1 p.m. | 34 views

CVE-2020-24490

A heap buffer overflow flaw was found in the way the Linux kernel’s Bluetooth implementation processed extended advertising report events. This flaw allows a remote attacker in an adjacent range to crash the system, causing a denial of service or to potentially execute arbitrary code on the syste...

7.1 CVSS | 1.3 AI score | 0.04469 EPSS
Exploits: 0 | References: 6

RedhatCVE
added 2020/10/14 9:1 p.m. | 71 views

CVE-2020-12351

A flaw was found in the way the Linux kernel’s Bluetooth implementation handled L2CAP (Logical Link Control and Adaptation Protocol) packets with A2MP (Alternate MAC-PHY Manager Protocol) CID (Channel Identifier). This flaw allows a remote attacker in an adjacent range to crash the system, causing a...

8.8 CVSS | 1.4 AI score | 0.02874 EPSS
Exploits: 5 | References: 9

RedhatCVE
added 2020/09/24 7:3 p.m. | 29 views

CVE-2020-26088

A missing capabilities check when creating NFC raw sockets could be used by local attackers to create raw sockets, bypassing security mechanisms allowing them to create or listen to NFC communication frames. Mitigation: As the nfc module will be auto-loaded when required, its use can be disabled b...

2.1 CVSS | 6.2 AI score | 0.00013 EPSS
Exploits: 0 | References: 3

Veracode
added 2020/09/21 6:36 a.m. | 41 views

Authorization Bypass

busybox is vulnerable to authorization bypass. The add_probe function in modutils/modprobe.c allows local users to bypass intended restrictions by loading kernel modules via a / character in the module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command...

5.5 CVSS | 5.4 AI score | 0.00375 EPSS
Exploits: 2 | References: 9 | Affected Software: 1

Ubuntu
added 2020/08/06 2:10 p.m. | 59 views

USN-4451-2: ppp vulnerability

USN-4451-1 fixed a vulnerability in ppp. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Thomas Chauchefoin, working with Trend Micro's Zero Day Initiative, discovered that ppp incorrectly handled module loading. A local attacker...

5.5 CVSS | 5.9 AI score | 0.00105 EPSS
Exploits: 0

OSV
added 2020/08/06 2:10 p.m. | 2 views

USN-4451-2 ppp vulnerability

USN-4451-1 fixed a vulnerability in ppp. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Thomas Chauchefoin, working with Trend Micro's Zero Day Initiative, discovered that ppp incorrectly handled module loading. A local attacker...

5.5 CVSS | 6.2 AI score | 0.00105 EPSS
Exploits: 0 | References: 2

Tenable Nessus
added 2020/08/06 12:0 a.m. | 23 views

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : ppp vulnerability (USN-4451-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4451-1 advisory. Thomas Chauchefoin, working with Trend Micro's Zero Day Initiative, discovered that ppp incorrectly handled module loading. A local attacker...

5.5 CVSS | 6.2 AI score | 0.00105 EPSS
Exploits: 0 | References: 2

OSV
added 2020/08/04 5:21 p.m. | 1 views

USN-4451-1 ppp vulnerability

Thomas Chauchefoin, working with Trend Micro's Zero Day Initiative, discovered that ppp incorrectly handled module loading. A local attacker could use this issue to load arbitrary kernel modules and possibly execute arbitrary code...

5.5 CVSS | 6.2 AI score | 0.00105 EPSS
Exploits: 0 | References: 2

BDU FSTEC
added 2020/07/23 12:0 a.m. | 1 views

The vulnerability of SELinux’s mandatory access control system, combined with Linux Security Modules (LSM) in operating system kernels, allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of SELinux’s mandatory access control system, along with the Linux Security Modules (LSM) modules in the operating system kernel, is related to insufficient verification of data authenticity. Exploiting this vulnerability can allow an attacker to gain unauthorized access to...

6.1 CVSS | 0.00084 EPSS
Exploits: 0 | References: 38 | Affected Software: 5

RedhatCVE
added 2020/06/10 6:54 a.m. | 36 views

CVE-2020-10136

A flaw was found in the IP-in-IP protocol. An unauthenticated attacker can use the IP-in-IP protocol to route network traffic through a vulnerable device, which can lead to spoofing, access control bypasses, and other unexpected network behaviors. Mitigation: Systems that have IP in IP kernel...

5 CVSS | 0.3 AI score | 0.15083 EPSS
Exploits: 0 | References: 5

Veracode
added 2020/04/10 12:37 a.m. | 18 views

Privilege Escalation

systemtap is vulnerable to privilege escalation. A race condition was discovered in SystemTap that could allow users in the stapusr group to elevate privileges to that of members of the stapdev group and hence root, bypassing directory confinement restrictions and allowing them to insert arbitrar...

6.3 CVSS | 4.5 AI score | 0.00039 EPSS
Exploits: 1 | References: 10 | Affected Software: 1