CVE-2018-1087
Published: 8 May 2018
kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.
From the Ubuntu Security Team
Andy Lutomirski discovered that the KVM subsystem of the Linux kernel did not properly emulate the ICEBP instruction following a MOV/POP to SS instruction. A local attacker in a KVM virtual machine could use this to cause a denial of service (guest VM crash) or possibly escalate privileges inside of the virtual machine. This issue only affected the i386 and amd64 architectures.
Notes
| Author | Note |
|---|---|
| tyhicks | Thanks to Andy Lutomirski for help in Linux kernel research and test case |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
linux Launchpad, Ubuntu, Debian |
artful |
Released
(4.13.0-41.46)
|
| bionic |
Not vulnerable
(landed pre-release in 4.15.0-15.16)
|
|
| trusty |
Released
(3.13.0-147.196)
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.4.0-124.148)
|
|
|
Patches: Introduced by 42dbaa5a057736bf8b5c22aa42dbe975bf1080e5 |
||
|
linux-aws Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
(4.15.0-1003.3)
|
|
| trusty |
Released
(4.4.0-1019.19)
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.4.0-1057.66)
|
|
|
linux-azure Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
(4.15.0-1004.4)
|
|
| trusty |
Not vulnerable
(4.15.0-1023.24~14.04.1)
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.13.0-1016.19)
|
|
|
linux-euclid Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.4.0-9027.29)
|
|
|
linux-flo Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Ignored
(abandoned)
|
|
|
linux-gcp Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
(4.15.0-1003.3)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.13.0-1015.19)
|
|
|
linux-gke Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Ignored
(end of standard support, was needs-triage)
|
|
|
linux-goldfish Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Ignored
(end of life, was needs-triage)
|
|
|
linux-grouper Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.13.0-41.46~16.04.1)
|
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Released
(4.18.0-8.9~18.04.1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.13.0-41.46~16.04.1)
|
|
|
linux-kvm Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
(4.15.0-1004.4)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.4.0-1023.28)
|
|
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-utopic Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [end of standard support])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-vivid Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [end of standard support])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-wily Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [end of standard support])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Released
(4.4.0-124.148~14.04.1)
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Does not exist
|
|
|
linux-maguro Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Does not exist
|
|
|
linux-mako Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Ignored
(abandoned)
|
|
|
linux-manta Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Does not exist
|
|
|
linux-oem Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
(4.15.0-1002.3)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Released
(4.13.0-1026.29)
|
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(x86 only)
|
| bionic |
Not vulnerable
(x86 only)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Not vulnerable
(x86 only)
|
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(x86 only)
|
| bionic |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.16~rc7)
|
|
| xenial |
Not vulnerable
(x86 only)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |