Intel KVM Virtualization Hit By Vulnerability Over Unfinished Code

Written by Michael Larabel in Intel on 24 February 2020 at 09:03 PM EST.
At least it's not another hardware vulnerability: CVE-2020-2732 appears to stem from unfinished code within the Intel VMX code for the Linux kernel's Kernel-based Virtual Machine (KVM) support.

As of writing, CVE-2020-2732 isn't yet public, but we've been closely monitoring it since seeing a peculiar patch series earlier today and not finding much information on it.

Three patches for CVE-2020-2732 were sent out as an "FYI" notice. Those patches were already mailed in as part of KVM fixes targeting the current Linux 5.6 kernel cycle and quickly pulled in by Linus Torvalds. Linux 5.6 Git is now protected from CVE-2020-2732, and the fixes should be back-ported to stable kernels soon.

The patches were summed up as, "vmx_check_intercept is not yet fully implemented by KVM on Intel processors, causing e.g. the I/O or MSR interception bitmaps not to be checked. In general we can just disallow instruction emulation on behalf of L1, but this series also implements I/O port checks."


The vmx_check_intercept function within the Linux kernel even carries a "TODO: check more intercepts..." comment. The vulnerability appears to stem from this function not checking all intercepts: because the behavior until now was to continue in the default code path, KVM could end up emulating instructions disallowed by the virtualization hypervisor.

So the fix is to disable emulating instructions by default until the code is finished. The series also goes on to add checks for I/O bitmaps. Details on CVE-2020-2732 are light, though, until the disclosure is made public. For what it's worth, the patches for this KVM issue came out of Google, and CVE-2020-2732 was reserved back on 10 December 2019.
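
The gap and the fix described above, as a simplified user-space model added here for illustration; it is not the kernel's code or the patches themselves. All type and function names are hypothetical, and the model assumes the Intel VMX I/O-bitmap layout (two 4 KB bitmaps, one bit per port, split at port 0x8000) and treats an access that wraps the port space as intercepted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* User-space model only; every name is hypothetical, not a kernel symbol. */
enum insn { INSN_IN, INSN_OUT, INSN_OTHER };
enum verdict { EMULATE, REFLECT_TO_L1, REJECT };
struct l1_controls {
    bool use_io_bitmaps, unconditional_io_exit;
    uint8_t bitmap_a[4096];   /* one bit per port, 0x0000-0x7fff */
    uint8_t bitmap_b[4096];   /* one bit per port, 0x8000-0xffff */
};

static uint8_t *port_byte(struct l1_controls *c, uint16_t port) {
    return &(port < 0x8000 ? c->bitmap_a : c->bitmap_b)[(port & 0x7fff) / 8];
}

/* Does L1 want to see an access of `size` bytes starting at `port`? */
bool l1_intercepts_io(struct l1_controls *c, uint16_t port, unsigned size) {
    if (!c->use_io_bitmaps)
        return c->unconditional_io_exit;
    for (uint32_t p = port; p < (uint32_t)port + size; p++)
        if (p > 0xffff || (*port_byte(c, (uint16_t)p) & (1u << (p % 8))))
            return true;      /* bit set, or access wraps the port space */
    return false;
}

/* fixed=false: nothing is checked, the default path emulates (pre-fix model).
 * fixed=true: I/O is checked against L1's bitmaps, everything else refused. */
enum verdict check_intercept(struct l1_controls *c, enum insn i,
                             uint16_t port, unsigned size, bool fixed) {
    if (!fixed)
        return EMULATE;
    if (i == INSN_IN || i == INSN_OUT)
        return l1_intercepts_io(c, port, size) ? REFLECT_TO_L1 : EMULATE;
    return REJECT;            /* unchecked intercept: do not emulate for L1 */
}

/* Constructed sample: L1 intercepts ports 0x3f8 and 0x8001 via bitmaps. */
struct l1_controls *sample(void) {
    static struct l1_controls c = { .use_io_bitmaps = true };
    *port_byte(&c, 0x3f8) |= 1u << (0x3f8 % 8);
    *port_byte(&c, 0x8001) |= 1u << (0x8001 % 8);
    return &c;
}

int main(void) {
    printf("out 0x3f8: pre-fix verdict %d, post-fix verdict %d\n",
           check_intercept(sample(), INSN_OUT, 0x3f8, 1, false),
           check_intercept(sample(), INSN_OUT, 0x3f8, 1, true));
    return 0;
}
```

In the pre-fix mode, an access to a port L1 asked to intercept is still emulated. In the fixed mode, the same access is reflected to L1 and any instruction without a check is refused.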

Update: More information and the patches are being back-ported.