CVE-2019-14821
Published: 1 October 2019
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.
From the Ubuntu Security Team
Matt Delco discovered that the KVM hypervisor implementation in the Linux kernel did not properly perform bounds checking when handling coalesced MMIO write operations. A local attacker with write access to /dev/kvm could use this to cause a denial of service (system crash).
Notes
| Author | Note |
|---|---|
| tyhicks | An attacker needs write access to the /dev/kvm device file to exploit this flaw. By default, Ubuntu users don't have privileges to write to /dev/kvm. This is true even when libvirt is installed and in use. |
Mitigation
Ensure that untrusted users cannot write to the /dev/kvm device
Priority
Status
| Package | Release | Status |
|---|---|---|
|
linux Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-66.75)
|
| disco |
Released
(5.0.0-32.34)
|
|
| eoan |
Not vulnerable
(5.3.0-17.18)
|
|
| focal |
Not vulnerable
(5.4.0-9.12)
|
|
| trusty |
Ignored
(was needed ESM criteria)
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.4.0-166.195)
|
|
|
Patches: Introduced by 5f94c1741bdc7a336553122036e8a779e616ccbf |
||
|
linux-aws Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1052.54)
|
| disco |
Released
(5.0.0-1019.21)
|
|
| eoan |
Not vulnerable
(5.3.0-1003.3)
|
|
| focal |
Not vulnerable
(5.4.0-1005.5)
|
|
| trusty |
Released
(4.4.0-1056.60)
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.4.0-1096.107)
|
|
|
linux-aws-5.0 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.0.0-1021.24~18.04.1)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-aws-hwe Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.15.0-1052.54~16.04.1)
|
|
|
linux-azure Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1023.24~18.04.1)
|
| disco |
Released
(5.0.0-1023.24)
|
|
| eoan |
Not vulnerable
(5.3.0-1002.2)
|
|
| focal |
Not vulnerable
(5.4.0-1006.6)
|
|
| trusty |
Released
(4.15.0-1061.66~14.04.1)
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.15.0-1061.66)
|
|
|
linux-azure-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.3.0-1007.8~18.04.1)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-azure-edge Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1023.24~18.04.1)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.15.0-1061.66)
|
|
|
linux-gcp Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1021.21~18.04.1)
|
| disco |
Released
(5.0.0-1021.21)
|
|
| eoan |
Not vulnerable
(5.3.0-1003.3)
|
|
| focal |
Not vulnerable
(5.4.0-1005.5)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.15.0-1047.50)
|
|
|
linux-gcp-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.3.0-1008.9~18.04.1)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gcp-edge Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1021.21~18.04.1)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-4.15 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1046.49)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-5.0 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1023.23~18.04.2)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.3.0-1011.12~18.04.1)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-32.34~18.04.2)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.15.0-66.75~16.04.1)
|
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(was pending \[5.3.0-19.20~18.04.2\] now end-of-life)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.15.0-66.75~16.04.1)
|
|
|
linux-kvm Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1048.48)
|
| disco |
Released
(5.0.0-1020.21)
|
|
| eoan |
Not vulnerable
(5.3.0-1003.3)
|
|
| focal |
Not vulnerable
(5.4.0-1004.4)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.4.0-1060.67)
|
|
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Released
(4.4.0-166.195~14.04.1)
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oem Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1059.68)
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Released
(4.15.0-1059.68)
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Ignored
(was needs-triage now end-of-life)
|
|
|
linux-oem-5.6 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| eoan |
Does not exist
|
|
| focal |
Not vulnerable
(5.4.0-1002.4)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oem-osp1 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1025.28)
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Released
(5.0.0-1025.28)
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oracle Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1027.30)
|
| disco |
Ignored
(was pending \[5.0.0-1005.9\] now end-of-life)
|
|
| eoan |
Not vulnerable
(5.3.0-1002.2)
|
|
| focal |
Not vulnerable
(5.4.0-1005.5)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.15.0-1027.30~16.04.1)
|
|
|
linux-oracle-5.0 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.0.0-1007.12~18.04.1)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oracle-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.3.0-1011.12~18.04.1)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1049.53)
|
| disco |
Released
(5.0.0-1020.20)
|
|
| eoan |
Not vulnerable
(5.3.0-1006.7)
|
|
| focal |
Not vulnerable
(5.4.0-1004.4)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.4.0-1124.133)
|
|
|
linux-raspi2-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.3.0-1017.19~18.04.1)
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1066.73)
|
| disco |
Released
(5.0.0-1024.25)
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.4~rc1)
|
|
| xenial |
Released
(4.4.0-1128.136)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821
- https://www.openwall.com/lists/oss-security/2019/09/20/1
- https://ubuntu.com/security/notices/USN-4157-1
- https://ubuntu.com/security/notices/USN-4162-1
- https://ubuntu.com/security/notices/USN-4163-1
- https://ubuntu.com/security/notices/USN-4157-2
- https://ubuntu.com/security/notices/USN-4162-2
- https://ubuntu.com/security/notices/USN-4163-2
- NVD
- Launchpad
- Debian