Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0268 Important: rhev-hypervisor security and bug fix update 25 March 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: rhev-hypervisor Publisher: Red Hat Operating System: Red Hat Impact/Access: Denial of Service -- Remote/Unauthenticated Increased Privileges -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2010-0437 CVE-2010-0427 CVE-2010-0426 CVE-2010-0419 CVE-2010-0415 CVE-2010-0297 CVE-2010-0008 CVE-2010-0007 CVE-2010-0003 CVE-2009-4308 CVE-2009-3722 Reference: ESB-2010.0264 ESB-2010.0253 ESB-2010.0204 ESB-2010.0139 ESB-2010.0122 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2010-0172.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: rhev-hypervisor security and bug fix update Advisory ID: RHSA-2010:0172-01 Product: Red Hat Enterprise Virtualization Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0172.html Issue date: 2010-03-24 CVE Names: CVE-2009-3722 CVE-2010-0008 CVE-2010-0297 CVE-2010-0419 ===================================================================== 1. Summary: An updated rhev-hypervisor package that fixes multiple security issues and several bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEV Hypervisor 2.1 - noarch 3. Description: The rhev-hypervisor package provides a Red Hat Enterprise Virtualization (RHEV) Hypervisor ISO disk image. The RHEV Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: RHEV Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the sctp_rcv_ootb() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008) A flaw was found in the way the x86 emulator in KVM loaded segment selectors (used for memory segmentation and protection) into segment registers. In some guest system configurations, an unprivileged guest user could leverage this flaw to crash the guest or possibly escalate their privileges within the guest. (CVE-2010-0419) The KVM x86 emulator implementation was missing a check for the Current Privilege Level (CPL) while accessing debug registers. An unprivileged user in a guest could leverage this flaw to crash the guest. (CVE-2009-3722) A flaw was found in the USB passthrough handling code in KVM. A specially-crafted USB packet sent from inside a guest could be used to trigger a buffer overflow in the usb_host_handle_control() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to cause a denial of service (guest hang or crash) or possibly escalate their privileges within the host. (CVE-2010-0297) This updated package provides updated components that include fixes for security issues; however, these issues have no security impact for RHEV Hypervisor. These fixes are for kernel issues CVE-2009-4308, CVE-2010-0003, CVE-2010-0007, CVE-2010-0415, and CVE-2010-0437; and sudo issues CVE-2010-0426 and CVE-2010-0427. This update also fixes the following bugs: * the required storage device driver was not detected correctly by mkdumprd when using multipath devices. When RHEV Hypervisor was installed on a multipath device, kdump was unable to mount the logical volume to store the kernel core dump; therefore, the core dump would not be recorded. With this update, multipath support has been added to the mkdumprd tool, which resolves this issue. (BZ#569459) As RHEV Hypervisor is based on KVM, the bug fixes from KVM updates RHSA-2010:0126 and RHBA-2010:0158 have been included in this update: https://rhn.redhat.com/errata/RHSA-2010-0126.html https://rhn.redhat.com/errata/RHBA-2010-0158.html Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 531660 - CVE-2009-3722 KVM: Check cpl before emulating debug register access 555658 - CVE-2010-0008 kernel: sctp remote denial of service 557025 - CVE-2010-0297 kvm-userspace-rhel5: usb-linux.c: fix buffer overflow 563463 - CVE-2010-0419 kvm: emulator privilege escalation segment selector check 6. Package List: RHEV Hypervisor 2.1: Source: rhev-hypervisor-5.4-2.1.10.el5_4rhev2_1.src.rpm noarch: rhev-hypervisor-5.4-2.1.10.el5_4rhev2_1.noarch.rpm rhev-hypervisor-pxe-5.4-2.1.10.el5_4rhev2_1.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2009-3722.html https://www.redhat.com/security/data/cve/CVE-2010-0008.html https://www.redhat.com/security/data/cve/CVE-2010-0297.html https://www.redhat.com/security/data/cve/CVE-2010-0419.html http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFLqjmLXlSAg2UNWIIRAv20AJ9KIB7Wv8yha5PnvDDJ+95XQ56DTwCeLp3+ Od0SvQ/UvooXCUnCGQfDoL4= =TjN9 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFLqqc2/iFOrG6YcBERApLXAKCfQ4PhFSLaGH6H26Kz4zDRoRO4DQCgjBD3 TH4xytXHOwOt2MlSthS+KxQ= =Z3dL -----END PGP SIGNATURE-----