Nested Guests: CVE-2019-7221

Earlier this month, twin KVM bugs found by Google’s Project Zero team were released publicly: CVE-2019-7221, a use-after-free vulnerability, and CVE-2019-7222, a memory leak that can assist exploitation of the former vulnerability.

Why is it cool? If successfully exploited, CVE-2019-7221 can give an attacker a guest-to-host escape and root privileges on that host. It’s a nasty bug!

Yes, but: Both bugs require the Nested Guests feature to be enabled. While the kernel has nested virtualization enabled by default since October 2018, deployment of nested KVM virtualization setups is not widespread, as it is not enabled by default in major distributions such as Debian, Ubuntu, or Red Hat. The Linux KVM org itself calls the Nested Guests feature “working but experimental,” which certainly sounds like production usage should be really low. AWS EC2 doesn’t appear to even support nested virtualization yet (GCP does). There is also, as of today, no current public exploit available, eliminating the script kiddie threat.

The background: A use-after-free happens when a program continues to access memory after that memory has been freed and reused elsewhere, which can result in memory corruption and allow for code execution. In this case, the Linux kernel KVM hypervisor did not consistently manage timers when performing operations in a nested virtualization deployment. Because of this, a timer could be freed, and subsequently used by code that still had a reference to it, resulting in a denial of service (kernel crash) or potentially, elevation of privilege.

And that second bug? The Linux KVM hypervisor did not consistently initialize exception structures. The kvm_read_guest_virt would not initialize the structure either, and if kvm_read_guest_virt returned with an error, that uninitialized stack data from the host would be returned to the guest VM. This could result in the disclosure of kernel memory addresses to the guest, which could be used as part of a broader privilege escalation attack — for instance, using CVE-2019-7221.

The bottom line: Not unlike a vampire at your door, unless you’ve welcomed the Nested Guests feature as a guest within your Linux production environment, there’s no reason to panic. If you do use the Nested Guests feature, you should handle this vulnerability as you would any kernel vulnerability affecting your systems — patch them! That way, you’ll be showing these uninvited guests the door.