Vulnerability CVE-2021-3653: Information

Description

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3653
Published: Sept. 29, 2021
Modified: May 16, 2023
Error type identifier: CWE-862

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
kernel-image-mpsisyphus5.13.12-alt16.8.8-alt1ALT-PU-2021-2564-1283260Fixed
kernel-image-mpp106.1.19-alt16.1.19-alt1ALT-PU-2023-4894-3327092Fixed
kernel-image-rpi-defsisyphus5.10.63-alt15.15.92-alt2ALT-PU-2021-3000-1286593Fixed
kernel-image-rpi-defp105.10.63-alt15.15.92-alt2ALT-PU-2021-3002-1286629Fixed
kernel-image-rpi-defp95.10.63-alt15.10.81-alt1ALT-PU-2021-3007-1286644Fixed
kernel-image-rpi-unsisyphus5.15.6-alt16.6.23-alt1ALT-PU-2021-3563-1292137Fixed
kernel-image-rpi-unp105.15.6-alt16.1.77-alt1ALT-PU-2021-3573-1292365Fixed
kernel-image-rtsisyphus5.10.65-alt1.rt536.1.90-alt2.rt30ALT-PU-2021-2901-1285536Fixed
kernel-image-rtp105.10.78-alt1.rt565.10.216-alt1.rt108ALT-PU-2021-3477-1291174Fixed
kernel-image-std-debugsisyphus5.10.61-alt16.1.91-alt1ALT-PU-2021-2640-1283957Fixed
kernel-image-std-defsisyphus5.10.61-alt16.1.91-alt1ALT-PU-2021-2643-1283960Fixed
kernel-image-std-defp105.10.61-alt15.10.216-alt1ALT-PU-2021-2661-1283961Fixed
kernel-image-std-defp95.4.143-alt15.4.275-alt1ALT-PU-2021-2662-1283953Fixed
kernel-image-std-defp84.9.281-alt0.M80P.14.9.337-alt0.M80P.1ALT-PU-2021-2699-1283976Fixed
kernel-image-std-defc9f25.10.61-alt0.c9f5.10.214-alt0.c9f.2ALT-PU-2021-2691-1283965Fixed
kernel-image-std-kvmsisyphus5.10.62-alt15.10.176-alt1ALT-PU-2021-2748-1284862Fixed
kernel-image-un-defsisyphus5.13.13-alt16.6.31-alt1ALT-PU-2021-2644-1283968Fixed
kernel-image-un-defsisyphus_riscv645.19.16-alt2.rv646.6.29-alt1.0.portALT-PU-2022-6777-1-Fixed
kernel-image-un-defp105.13.13-alt16.1.85-alt1ALT-PU-2021-2658-1283970Fixed
kernel-image-un-defp95.10.61-alt15.10.216-alt2ALT-PU-2021-2659-1283967Fixed
kernel-image-un-defp84.19.205-alt0.M80P.14.19.310-alt0.M80P.1ALT-PU-2021-2698-1283971Fixed
kernel-image-un-defc10f15.13.13-alt16.1.85-alt0.c10f.1ALT-PU-2021-2658-1283970Fixed
kernel-image-xenomaip104.19.229-alt1.cip67.214.19.252-alt1.cip78.23ALT-PU-2022-2096-1301830Fixed
linux-toolsp105.14-alt26.1-alt0.p10.1ALT-PU-2021-3073-1286088Fixed
linux-toolsc10f15.14-alt25.15-alt1ALT-PU-2021-3073-1286088Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.openwall.com/lists/oss-security/2021/08/16/1
  • Mailing List
  • Patch
  • Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1983686
  • Issue Tracking
  • Patch
  • Third Party Advisory
[debian-lts-announce] 20211015 [SECURITY] [DLA 2785-1] linux-4.19 security update
  • Mailing List
  • Third Party Advisory
[debian-lts-announce] 20211216 [SECURITY] [DLA 2843-1] linux security update
  • Mailing List
  • Third Party Advisory
http://packetstormsecurity.com/files/165477/Kernel-Live-Patch-Security-Notice-LSN-0083-1.html
  • Exploit
  • Third Party Advisory
  • VDB Entry

    1. Configuration 1

      cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:5.14:rc3:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:5.14:rc4:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:5.14:rc5:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:5.14:rc6:*:*:*:*:*:*
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including
      4.15
      End excliding
      4.19.205
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including
      4.20
      End excliding
      5.4.142
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including
      5.5
      End excliding
      5.10.60
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including
      5.11
      End excliding
      5.13.12
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including
      2.6.30
      End excliding
      4.4.282
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including
      4.5
      End excliding
      4.9.281
      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
      Start including
      4.10
      End excliding
      4.14.245

      Configuration 2

      cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

      Configuration 3

      cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.1
Back to top