CVE-2024-45005

5.5 MEDIUM

📋 TL;DR

A vulnerability in the Linux kernel's KVM subsystem for s390 architecture allows a guest VM to trigger a host kernel warning when GISA (Guest Information Save Area) is disabled. This occurs due to an uninitialized value being passed to virt_to_phys() when GISA is turned off via kernel parameter or sysfs. The issue affects Linux systems running KVM virtualization on IBM s390 architecture.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Linux kernel versions before fixes in stable releases (specific commits: 027ac3c5092561bccce09b314a73a1c167117ef6, 051c0a558154174cfcea301a386e4c91ade83ce1, 5a44bb061d04b0306f2aa8add761d86d152b9377)
Operating Systems: Linux distributions running on IBM s390/s390x architecture
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when GISA is disabled via 'kvm.use_gisa=0' kernel parameter or sysfs setting. Default configuration has GISA enabled.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Host kernel warning/panic leading to denial of service for KVM guests, potentially disrupting virtualization services.

🟠 Likely Case: KVM guest startup failures with kernel warnings in host logs, causing guest unavailability.

🟢 If Mitigated: No impact if GISA is enabled (default) or KVM is not used on s390 systems.

🌐 Internet-Facing: LOW - Requires local access to start KVM guests on affected s390 systems.
🏢 Internal Only: MEDIUM - Can disrupt virtualization services in s390 environments where KVM is used.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires ability to start KVM guests on affected system.

Exploitation requires local access to start KVM guests. No remote exploitation vector identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel stable releases containing fixes from the referenced commits

Vendor Advisory: https://git.kernel.org/stable/c/027ac3c5092561bccce09b314a73a1c167117ef6

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix.
2. Reboot system.
3. Verify kernel version and that GISA functionality works correctly.

🔧 Temporary Workarounds

Enable GISA

Ensure GISA is enabled by removing 'kvm.use_gisa=0' from the kernel parameters and setting the sysfs attribute to Y:

echo Y > /sys/module/kvm/parameters/use_gisa

Remove 'kvm.use_gisa=0' from the kernel boot parameters in /etc/default/grub or the bootloader config.

🧯 If You Can't Patch

  • Keep GISA enabled (default setting) by not using 'kvm.use_gisa=0' parameter
  • Monitor host kernel logs for 'unhandled validity intercept' warnings and investigate any KVM guest startup failures

🔍 How to Verify

Check if Vulnerable:

Check if GISA is disabled: cat /sys/module/kvm/parameters/use_gisa. If the output is 'N' and the host is running a vulnerable kernel version, the system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

After patching, verify that the kernel version is updated, then test starting KVM guests with GISA disabled; this should not produce kernel warnings.

📡 Detection & Monitoring

Log Indicators:

  • kernel: kvm: unhandled validity intercept 0x1011
  • kernel: WARNING: CPU: 0 PID: at arch/s390/kvm/intercept.c:101 kvm_handle_sie_intercept

SIEM Query:

source="kernel" AND "unhandled validity intercept" AND "kvm_handle_sie_intercept"
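
The verification and log checks above can be combined into one host-side triage script. This is an added example, not part of the original advisory or the kernel project; the function names, the verdict strings and the sample log lines (timestamps, host name, PID) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for the GISA-disabled condition described on this page.

# Classify the use_gisa parameter; $1 overrides the sysfs path (for testing).
gisa_state() {
    param="${1:-/sys/module/kvm/parameters/use_gisa}"
    [ -r "$param" ] || { echo "unknown"; return 0; }
    case "$(cat "$param")" in
        Y|y|1) echo "enabled" ;;
        N|n|0) echo "disabled" ;;
        *)     echo "unknown" ;;
    esac
}

# Count kernel log lines on stdin that match either indicator from this page.
count_indicators() {
    grep -c -E 'kvm: unhandled validity intercept|kvm_handle_sie_intercept' || true
}

# Print the distinct validity intercept codes seen on stdin (e.g. 0x1011).
validity_codes() {
    sed -n 's/.*kvm: unhandled validity intercept \(0x[0-9a-fA-F]*\).*/\1/p' | sort -u
}

# Verdict from architecture, GISA state and indicator count. "exposed-config"
# still needs the kernel checked against the fixed stable releases.
assess() {
    case "$1" in s390|s390x) ;; *) echo "not-applicable"; return 0 ;; esac
    if [ "$3" -gt 0 ]; then echo "indicator-seen"
    elif [ "$2" = "disabled" ]; then echo "exposed-config"
    else echo "ok"
    fi
}

# Constructed sample log lines (timestamps, host name and PID are made up).
sample_log() {
    cat <<'EOF'
Aug 01 10:00:00 host kernel: kvm: unhandled validity intercept 0x1011
Aug 01 10:00:00 host kernel: WARNING: CPU: 0 PID: 1234 at arch/s390/kvm/intercept.c:101 kvm_handle_sie_intercept
Aug 01 10:00:05 host systemd[1]: Started a constructed unrelated unit.
EOF
}

# Stand-alone run: local GISA state plus a scan of the constructed sample.
# On a real host, pipe `dmesg` or `journalctl -k` into the two filters instead.
echo "gisa: $(gisa_state)"
echo "sample hits: $(sample_log | count_indicators), codes: $(sample_log | validity_codes)"
echo "verdict: $(assess "$(uname -m)" "$(gisa_state)" "$(sample_log | count_indicators)")"
```
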
