VYPR
Unrated severity · NVD Advisory · Published Mar 26, 2014 · Updated May 6, 2026

CVE-2014-0055

Description

The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel's vhost-net subsystem mishandles error returns in get_rx_bufs(), allowing a guest user to crash the host via a denial of service.

Vulnerability

The flaw resides in the get_rx_bufs() function in drivers/vhost/net.c within the vhost-net subsystem of the Linux kernel [1][2]. The function does not properly handle errors returned by vhost_get_vq_desc(), leaving the code path vulnerable to unexpected states. This issue affects the Linux kernel package for Red Hat Enterprise Linux 6 prior to version 2.6.32-431.11.2.el6 [1]. Red Hat Enterprise Linux 5 and Red Hat MRG 2 are not affected [4].

Exploitation

An attacker requires privileged access within a guest virtual machine (guest OS user) [2][4]. No further authentication or write access is specified. The vulnerable code path is triggered through unspecified vectors that cause vhost_get_vq_desc() to return an error, which get_rx_bufs() fails to handle gracefully. The available references do not detail the exact sequence of steps, but the result is a crash of the host operating system [2][4].

Impact

Successful exploitation leads to a denial of service (DoS) by crashing the host OS kernel [1][2][4]. This results in a loss of availability for all virtual machines running on the host. No information disclosure, privilege escalation, or remote code execution is described.

Mitigation

The vulnerability is fixed in Red Hat Enterprise Linux 6 by updating the kernel to version 2.6.32-431.11.2.el6 [1]. The fix was released in Red Hat Security Advisory RHSA-2014:0328 on March 26, 2014 [1]. For Fedora, kernel versions 3.13.8-200.fc20 and 3.13.9-100.fc19 contain the fix [4]. No workarounds are documented in the supplied references.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
