CVE-2020-27777

A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.

CVSS v3 6.7 MEDIUM
CVSS v2.0 7.2 HIGH

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1900844	Issue Tracking Patch Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=bd59380c5ba4147dcbaad3e582b55ccfd120b764	Exploit Patch Vendor Advisory
https://www.openwall.com/lists/oss-security/2020/10/09/1	Exploit Mailing List Patch Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/11/23/2	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:openshift_container_platform:4.4:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.5:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*

History

No history.

Information

Published : 2020-12-15 17:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-27777

Mitre link : CVE-2020-27777

CVE.ORG link : CVE-2020-27777

JSON object : View

Products Affected

redhat

openshift_container_platform
enterprise_linux

linux

linux_kernel

CWE

CWE-862

Missing Authorization

{"id": "CVE-2020-27777", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2020-12-15T17:15:14.333", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1900844", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=bd59380c5ba4147dcbaad3e582b55ccfd120b764", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://www.openwall.com/lists/oss-security/2020/10/09/1", "tags": ["Exploit", "Mailing List", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://www.openwall.com/lists/oss-security/2020/11/23/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la manera en que RTAS manejaba los accesos a la memoria en el espacio de usuario para la comunicaci\u00f3n del kernel. En un sistema invitado bloqueado (generalmente debido al arranque seguro) que se ejecuta en la parte superior de los hipervisores PowerVM o KVM (plataforma pseries), un usuario root como local podr\u00eda usar este fallo para aumentar a\u00fan m\u00e1s sus privilegios a los de un kernel en ejecuci\u00f3n"}], "lastModified": "2023-10-05T14:29:57.897", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E937D66-38EE-44AF-9561-1993C02F24DD", "versionEndExcluding": "4.14.204"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61F20A9F-6DA5-4498-AF1E-B63EA84CA3C8", "versionEndExcluding": "4.19.155", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AAD5B8FD-0B39-4703-BEAD-416748572631", "versionEndExcluding": "5.4.75", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5920FDB4-0E83-4A68-A361-6CE1CB05000F", "versionEndExcluding": "5.9.5", "versionStartIncluding": "5.5"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44C5E433-229C-4BB9-8481-8A74AFA8DB8E"}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D432C063-0805-4151-A819-508FE8954101"}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B62E762-2878-455A-93C9-A5DB430D7BB5"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D8B549B-E57B-4DFE-8A13-CAB06B5356B3"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}