Virtuozzo 7 : readykernel-patch (VZA-2019-074)

High Nessus Plugin ID 133459

Synopsis

The remote Virtuozzo host is missing a security update.

Description

According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability :

- [3.10.0-693.17.1.vz7.43.10 to 3.10.0-957.12.2.vz7.96.21] vhost-net: guest to host kernel escape during migration. A buffer overflow vulnerability was found in the networking virtualization functionality (vhost-net) that could be abused during live migration of virtual machines. A privileged guest user may pass descriptors with invalid length to the host when live migration is underway to crash the host kernel or, potentially, escalate their privileges on the host.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the readykernel patch.

See Also

https://virtuozzosupport.force.com/s/article/VZA-2019-074

https://access.redhat.com/security/vulnerabilities/kernel-vhost

https://bugzilla.redhat.com/show_bug.cgi?id=1750727

http://www.nessus.org/u?c710ce43

http://www.nessus.org/u?ceda4f0c

http://www.nessus.org/u?edcc8fe1

http://www.nessus.org/u?f85a6977

http://www.nessus.org/u?379d6400

http://www.nessus.org/u?e76c0fcc

http://www.nessus.org/u?d19b762a

http://www.nessus.org/u?54ae3570

http://www.nessus.org/u?04dd07ac

http://www.nessus.org/u?2176b0a1

Plugin Details

Severity: High

ID: 133459

File Name: Virtuozzo_VZA-2019-074.nasl

Version: 1.2

Type: local

Published: 2020/02/04

Updated: 2020/02/07

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:virtuozzo:virtuozzo:readykernel, cpe:/o:virtuozzo:virtuozzo:7

Required KB Items: Host/local_checks_enabled, Host/Virtuozzo/release, Host/Virtuozzo/rpm-list, Host/readykernel-info

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/09/23

Reference Information

CVE: CVE-2019-14835