CVE-2021-32845 - OpenCVE

HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, the implementation of `qnotify` at `pci_vtrnd_notify` fails to check the return value of `vq_getchain`. This leads to `struct iovec iov;` being uninitialized and used to read memory in `len = (int) read(sc->vrsc_fd, iov.iov_base, iov.iov_len);` when an attacker is able to make `vq_getchain` fail. This issue may lead to a guest crashing the host causing a denial of service and, under certain circumstance, memory corruption. This issue is fixed in commit 41272a980197917df8e58ff90642d14dec8fe948.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mobyproject	Hyperkit

Configuration 1 [-]

cpe:2.3:a:mobyproject:hyperkit:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/moby/hyperkit/commit/41272a980197917df8e58ff90642d14dec8fe948
https://github.com/moby/hyperkit/pull/313
https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-02-17T00:00:00

Updated: 2024-08-03T23:33:56.108Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32845

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-02-17T23:15:11.963

Modified: 2023-06-26T17:47:09.283

Link: CVE-2021-32845

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-32845", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T23:33:56.108Z", "dateReserved": "2021-05-12T00:00:00", "datePublished": "2023-02-17T00:00:00"}, "containers": {"cna": {"title": "Moby HyperKit uninitialized memory use vtrnd pci_vtrnd_notify", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-17T00:00:00"}, "descriptions": [{"lang": "en", "value": "HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, the implementation of `qnotify` at `pci_vtrnd_notify` fails to check the return value of `vq_getchain`. This leads to `struct iovec iov;` being uninitialized and used to read memory in `len = (int) read(sc->vrsc_fd, iov.iov_base, iov.iov_len);` when an attacker is able to make `vq_getchain` fail. This issue may lead to a guest crashing the host causing a denial of service and, under certain circumstance, memory corruption. This issue is fixed in commit 41272a980197917df8e58ff90642d14dec8fe948."}], "affected": [{"vendor": "moby", "product": "hyperkit", "versions": [{"version": "0.20210107", "status": "affected", "lessThanOrEqual": "0.20210107", "versionType": "custom"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit/"}, {"url": "https://github.com/moby/hyperkit/pull/313"}, {"url": "https://github.com/moby/hyperkit/commit/41272a980197917df8e58ff90642d14dec8fe948"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-908 Use of Uninitialized Resource", "cweId": "CWE-908"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "GHSL-2021-056", "defect": ["GHSL-2021-056"], "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.108Z"}, "title": "CVE Program Container", "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit/", "tags": ["x_transferred"]}, {"url": "https://github.com/moby/hyperkit/pull/313", "tags": ["x_transferred"]}, {"url": "https://github.com/moby/hyperkit/commit/41272a980197917df8e58ff90642d14dec8fe948", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mobyproject:hyperkit:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AE32831-24E2-44FD-939C-E6F799A5D632", "versionEndIncluding": "0.20210107", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, the implementation of `qnotify` at `pci_vtrnd_notify` fails to check the return value of `vq_getchain`. This leads to `struct iovec iov;` being uninitialized and used to read memory in `len = (int) read(sc->vrsc_fd, iov.iov_base, iov.iov_len);` when an attacker is able to make `vq_getchain` fail. This issue may lead to a guest crashing the host causing a denial of service and, under certain circumstance, memory corruption. This issue is fixed in commit 41272a980197917df8e58ff90642d14dec8fe948."}], "id": "CVE-2021-32845", "lastModified": "2023-06-26T17:47:09.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-02-17T23:15:11.963", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/moby/hyperkit/commit/41272a980197917df8e58ff90642d14dec8fe948"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/moby/hyperkit/pull/313"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-252"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-908"}], "source": "security-advisories@github.com", "type": "Secondary"}]}