copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Exte... » ESB-2009.1354 - [UNIX/Linux][RedHat] kvm: Increased ...
 

ESB-2009.1354 - [UNIX/Linux][RedHat] kvm: Increased privileges - Existing account
Date: 30 September 2009
References: ESB-2009.1393  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1354
                Important: kvm security and bug fix update
                             30 September 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kvm
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 5
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3290  

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2009-1465.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running kvm check for an updated version of the software for their 
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kvm security and bug fix update
Advisory ID:       RHSA-2009:1465-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1465.html
Issue date:        2009-09-29
CVE Names:         CVE-2009-3290 
=====================================================================

1. Summary:

Updated kvm packages that fix one security issue and several bugs are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Multi OS (v. 5 client) - x86_64
RHEL Virtualization (v. 5 server) - x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for
the standard Red Hat Enterprise Linux kernel.

The kvm_emulate_hypercall() implementation was missing a check for the
Current Privilege Level (CPL). A local, unprivileged user in a virtual
machine could use this flaw to cause a local denial of service or escalate
their privileges within that virtual machine. (CVE-2009-3290)

This update also fixes the following bugs:

* non-maskable interrupts (NMI) were not supported on systems with AMD
processors. As a consequence, Windows Server 2008 R2 guests running with
more than one virtual CPU assigned on systems with AMD processors would
hang at the Windows shut down screen when a restart was attempted. This
update adds support for NMI filtering on systems with AMD processors,
allowing clean restarts of Windows Server 2008 R2 guests running with
multiple virtual CPUs. (BZ#520694)

* significant performance issues for guests running 64-bit editions of
Windows. This update improves performance for guests running 64-bit
editions of Windows. (BZ#521793)

* Windows guests may have experienced time drift. (BZ#521794)

* removing the Red Hat VirtIO Ethernet Adapter from a guest running Windows
Server 2008 R2 caused KVM to crash. With this update, device removal should
not cause this issue. (BZ#524557)

All KVM users should upgrade to these updated packages, which contain
backported patches to resolve these issues. Note: The procedure in the
Solution section must be performed before this update takes effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

The following procedure must be performed before this update takes effect:

1. Stop all KVM guest virtual machines.

2. Either reboot the hypervisor machine or, as the root user, remove (using
"modprobe -r [module]") and reload (using "modprobe [module]") all of the
following modules which are currently running (determined using "lsmod"):
kvm, ksm, kvm-intel or kvm-amd.

3. Restart the KVM guest virtual machines.

5. Bugs fixed (http://bugzilla.redhat.com/):

520694 - NMI filtering for AMD (Windows 2008 R2 KVM guest can not restart when set it as multiple cpus)
521793 - windows 64 bit does vmexit on each cr8 access.
521794 - rtc-td-hack stopped working. Time drifts in windows
524124 - CVE-2009-3290 kernel: KVM: x86: Disallow hypercalls for guest callers in rings > 0
524557 - QEMU crash (during virtio-net WHQL tests for Win2008 R2)

6. Package List:

RHEL Desktop Multi OS (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kvm-83-105.el5_4.7.src.rpm

x86_64:
kmod-kvm-83-105.el5_4.7.x86_64.rpm
kvm-83-105.el5_4.7.x86_64.rpm
kvm-debuginfo-83-105.el5_4.7.x86_64.rpm
kvm-qemu-img-83-105.el5_4.7.x86_64.rpm
kvm-tools-83-105.el5_4.7.x86_64.rpm

RHEL Virtualization (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kvm-83-105.el5_4.7.src.rpm

x86_64:
kmod-kvm-83-105.el5_4.7.x86_64.rpm
kvm-83-105.el5_4.7.x86_64.rpm
kvm-debuginfo-83-105.el5_4.7.x86_64.rpm
kvm-qemu-img-83-105.el5_4.7.x86_64.rpm
kvm-tools-83-105.el5_4.7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3290
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKwjL+XlSAg2UNWIIRAqNAAJ49kD0ZXnry24TTWuwcPryiP57fyQCdH8ti
jVVIrtZL3kSy1/zfUBjWWd0=
=D9md
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKwqR8NVH5XJJInbgRAkrnAJ9vClEP4c3m7YllYavFjxXVWQ79NwCfciFg
HRCVhiNjJokFCRrJ2bZilsY=
=qjhH
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1980&it=11728