CVE-2020-10702 - Vulnerability Details - OpenCVE

A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qemu	Qemu
Redhat	Advanced Virtualization

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Advanced Virtualization for RHEL 8.2.1
virt:8.2-8020120200707202843.11e3e113	cpe:/a:redhat:advanced_virtualization:8.2::el8	RHBA-2020:3172	2020-07-28T00:00:00Z
virt-devel:8.2-8020120200707202843.11e3e113	cpe:/a:redhat:advanced_virtualization:8.2::el8	RHBA-2020:3172	2020-07-28T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10702
https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de0b1bae6461f67243282555475f88b2384a1eb9
https://nvd.nist.gov/vuln/detail/CVE-2020-10702
https://security.netapp.com/advisory/ntap-20200724-0007/
https://www.cve.org/CVERecord?id=CVE-2020-10702

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-06-04T17:31:05

Updated: 2024-08-04T11:06:11.188Z

Reserved: 2020-03-20T00:00:00

Link: CVE-2020-10702

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-06-04T18:15:14.157

Modified: 2024-11-21T04:55:53.200

Link: CVE-2020-10702

Redhat

Severity : Low

Publid Date: 2020-04-02T00:00:00Z

Links: CVE-2020-10702 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "qemu", "vendor": "The QEMU Project", "versions": [{"status": "affected", "version": ">= 4.0.0, < 5.0.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-325", "description": "CWE-325", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-24T13:06:12", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10702"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de0b1bae6461f67243282555475f88b2384a1eb9"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200724-0007/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-10702", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "qemu", "version": {"version_data": [{"version_value": ">= 4.0.0, < 5.0.0"}]}}]}, "vendor_name": "The QEMU Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU."}]}, "impact": {"cvss": [[{"vectorString": "5.5/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-325"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10702", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10702"}, {"name": "https://git.qemu.org/?p=qemu.git;a=commit;h=de0b1bae6461f67243282555475f88b2384a1eb9", "refsource": "CONFIRM", "url": "https://git.qemu.org/?p=qemu.git;a=commit;h=de0b1bae6461f67243282555475f88b2384a1eb9"}, {"name": "https://security.netapp.com/advisory/ntap-20200724-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200724-0007/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:06:11.188Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10702"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de0b1bae6461f67243282555475f88b2384a1eb9"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200724-0007/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10702", "datePublished": "2020-06-04T17:31:05", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:06:11.188Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A7F74C7-9616-459C-B749-5C95C9C96EA3", "versionEndExcluding": "5.0.0", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en QEMU en la implementaci\u00f3n del soporte Pointer Authentication (PAuth) para ARM introducido en la versi\u00f3n 4.0 y corregido en la versi\u00f3n 5.0.0. Un fallo general del proceso de generaci\u00f3n de firmas caus\u00f3 que cada puntero aplicado por PAuth se firmara con la misma firma. Un atacante local podr\u00eda obtener la firma de un puntero protegido y abusar de este fallo para omitir la protecci\u00f3n de PAuth para todos los programas que se ejecutan en QEMU"}], "id": "CVE-2020-10702", "lastModified": "2024-11-21T04:55:53.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-04T18:15:14.157", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10702"}, {"source": "secalert@redhat.com", "url": "https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de0b1bae6461f67243282555475f88b2384a1eb9"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200724-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10702"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de0b1bae6461f67243282555475f88b2384a1eb9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200724-0007/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-325"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Xingman Chen and Yuan Li (NISL, Tsinghua University) for reporting this issue.", "affected_release": [{"advisory": "RHBA-2020:3172", "cpe": "cpe:/a:redhat:advanced_virtualization:8.2::el8", "package": "virt:8.2-8020120200707202843.11e3e113", "product_name": "Advanced Virtualization for RHEL 8.2.1", "release_date": "2020-07-28T00:00:00Z"}, {"advisory": "RHBA-2020:3172", "cpe": "cpe:/a:redhat:advanced_virtualization:8.2::el8", "package": "virt-devel:8.2-8020120200707202843.11e3e113", "product_name": "Advanced Virtualization for RHEL 8.2.1", "release_date": "2020-07-28T00:00:00Z"}], "bugzilla": {"description": "qemu: weak signature generation in Pointer Authentication support for ARM", "id": "1809948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1809948"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-325", "details": ["A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.", "A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU."], "name": "CVE-2020-10702", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kvm", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "xen", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Affected", "package_name": "virt:8.1/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Out of support scope", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}], "public_date": "2020-04-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10702\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10702"], "statement": "Several packages are unaffected because they do not include support for Pointer Authentication. These include:\n* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux for ARM 64 7\n* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8\n* `qemu-kvm-rhev` as shipped with Red Hat OpenStack Platform 10 and 13", "threat_severity": "Low", "upstream_fix": "qemu 5.0.0"}