CVE-2014-3690 — MEDIUM (5.5)

Q: How severe is CVE-2014-3690?

CVE-2014-3690 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3690?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Server, Opensuse Evergreen, Suse Linux Enterprise Real Time Extension.

Vulnerability Description

arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	< 3.17.2
Novell	Suse Linux Enterprise Desktop	12.0
Novell	Suse Linux Enterprise Server	11
Opensuse	Evergreen	11.4
Suse	Linux Enterprise Real Time Extension	11
Suse	Linux Enterprise Software Development Kit	12
Suse	Linux Enterprise Workstation Extension	12
Redhat	Enterprise Linux	5.0
Debian	Debian Linux	7.0
Canonical	Ubuntu Linux	12.04

Related Weaknesses (CWE)

CWE-400

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00035.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.htmlMailing ListThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0290.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0782.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0864.htmlThird Party Advisory
http://secunia.com/advisories/60174Broken Link
http://www.debian.org/security/2014/dsa-3060Third Party Advisory
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.17.2Mailing ListPatchVendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:058Broken Link
http://www.openwall.com/lists/oss-security/2014/10/21/4Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/10/29/7Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/70691Third Party AdvisoryVDB Entry

FAQ

What is CVE-2014-3690?

CVE-2014-3690 is a vulnerability with a CVSS score of 5.5 (MEDIUM). arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows...

How severe is CVE-2014-3690?

CVE-2014-3690 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3690?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Server, Opensuse Evergreen, Suse Linux Enterprise Real Time Extension.