CVE-2022-2196 - OpenCVE

A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Linux	Linux Kernel
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5	Mailing List Patch Vendor Advisory
https://kernel.dance/#2e7eab81425a	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html	Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Google

Published: 2023-01-09T10:59:53.099Z

Updated: 2023-05-03T00:07:00

Reserved: 2022-06-24T13:29:09.969Z

Link: CVE-2022-2196

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-01-09T11:15:10.583

Modified: 2023-08-18T18:56:16.323

Link: CVE-2022-2196

JSON object: View

Redhat Information

No data.

CWE

CWE-1188

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-2196", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2022-06-24T13:29:09.969Z", "datePublished": "2023-01-09T10:59:53.099Z", "dateUpdated": "2023-05-03T00:07:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "KVM", "product": "Linux Kernel", "repo": "https://git.kernel.org/", "vendor": "Linux", "versions": [{"lessThan": "2e7eab81425a", "status": "affected", "version": "0", "versionType": "git"}, {"lessThan": "6.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2022-10-18T22:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. <span style=\"background-color: rgb(255, 255, 255);\">L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB <span style=\"background-color: rgb(255, 255, 255);\">after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a</span></span><br>"}], "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u00a0L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB\u00a0after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u00a02e7eab81425a\n"}], "impacts": [{"capecId": "CAPEC-30", "descriptions": [{"lang": "en", "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2023-01-09T10:59:53.099Z"}, "references": [{"url": "https://kernel.dance/#2e7eab81425a"}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"}], "source": {"discovery": "INTERNAL"}, "title": "Speculative execution attacks in KVM VMX", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D73442D9-8AEA-46EF-BDFE-A7DA3F4256CB", "versionEndExcluding": "5.4.233", "versionStartIncluding": "5.4.47", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D059EB4-CC70-4B73-A918-FCD19DD26EEF", "versionEndExcluding": "5.7", "versionStartIncluding": "5.6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A90F1F96-608E-46B6-848B-CAAA543D8E77", "versionEndExcluding": "5.10.170", "versionStartIncluding": "5.7.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0845BF9E-3498-4C4E-AE1E-2F4FD31B440E", "versionEndExcluding": "5.15.96", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5FED97E-E13D-4287-892D-F8A8C081B5EA", "versionEndExcluding": "6.1.14", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u00a0L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB\u00a0after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u00a02e7eab81425a\n"}, {"lang": "es", "value": "Existe una regresi\u00f3n en el kernel de Linux dentro de KVM: nVMX que permiti\u00f3 ataques de ejecuci\u00f3n especulativa. L2 puede llevar a cabo ataques Spectre v2 en L1 debido a que L1 piensa que no necesita retpolines o IBPB despu\u00e9s de ejecutar L2 debido a que KVM (L0) anuncia soporte eIBRS en L1. Un atacante en L2 con ejecuci\u00f3n de c\u00f3digo puede ejecutar c\u00f3digo en una rama indirecta en la m\u00e1quina host. Recomendamos actualizar al Kernel 6.2 o al commit anterior 2e7eab81425a"}], "id": "CVE-2022-2196", "lastModified": "2023-08-18T18:56:16.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.7, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2023-01-09T11:15:10.583", "references": [{"source": "cve-coordination@google.com", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://kernel.dance/#2e7eab81425a"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1188"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}