CVE-2015-2877

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 03-03-2017 12:59

Last modified: - 26-10-2022 01:44

Total changes: - 4

Description

** DISPUTED ** Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Low

Attack complexity

Local

Attack vector

None

Availability

Low

Confidentiality

None

Integrity

Low

Privileges required

Unchanged

Scope

None

User interaction

3.3

Base score

1.8

1.4

Exploitability score

Impact score

Verification logic

Reference

https://www.usenix.org/system/files/conference/woot15/woot15-paper-barresi.pdf
https://www.kb.cert.org/vuls/id/BLUU-9ZAHZH
https://www.kb.cert.org/vuls/id/BGAR-A2CNKG
https://bugzilla.redhat.com/show_bug.cgi?id=1252096
76256-Third Party Advisory, VDB Entry
VU#935424-Third Party Advisory, US Government Resource
http://www.antoniobarresi.com/files/cain_advisory.txt

Keywords

CVE-2015-2877

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2015-2877

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures