Virtual machine escape

From HandWiki - Reading time: 5 min

Short description: Method of compromising a host OS though the VM

In computer security, virtual machine escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system.[1] A virtual machine is a "completely isolated guest operating system installation within a normal host operating system".[2] In 2008, a vulnerability (CVE-2008-0923) in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4.[3][4] A fully working exploit labeled Cloudburst was developed by Immunity Inc. for Immunity CANVAS (commercial penetration testing tool).[5] Cloudburst was presented in Black Hat USA 2009.[6]

Previous known vulnerabilities

  • CVE-2007-4993 Xen pygrub: Command injection in grub.conf file.
  • CVE-2007-1744 Directory traversal vulnerability in shared folders feature for VMware
  • CVE-2008-0923 Directory traversal vulnerability in shared folders feature for VMware
  • CVE-2008-1943 Xen Para Virtualized Frame Buffer backend buffer overflow.
  • CVE-2009-1244 Cloudburst: VM display function in VMware
  • CVE-2011-1751 QEMU-KVM: PIIX4 emulation does not check if a device is hotpluggable before unplugging[7]
  • CVE-2012-0217 The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier
  • CVE-2014-0983 Oracle VirtualBox 3D acceleration multiple memory corruption
  • CVE-2015-3456 VENOM: buffer-overflow in QEMU's virtual floppy disk controller
  • CVE-2015-7504 QEMU-KVM: Heap overflow in pcnet_receive function.[8]
  • CVE-2015-7835 Xen Hypervisor: Uncontrolled creation of large page mappings by PV guests
  • CVE-2016-6258 Xen Hypervisor: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe.
  • CVE-2016-7092 Xen Hypervisor: Disallow L3 recursive pagetable for 32-bit PV guests
  • CVE-2017-5715, 2017-5753, 2017-5754: The Spectre and Meltdown hardware vulnerabilities, a cache side-channel attack on CPU level (Rogue Data Cache Load (RDCL)), allow a rogue process to read all memory of a computer, even outside the memory assigned to a virtual machine
  • CVE-2017-0075 Hyper-V Remote Code Execution Vulnerability
  • CVE-2017-0109 Hyper-V Remote Code Execution Vulnerability
  • CVE-2017-4903 VMware ESXi, Workstation, Fusion: SVGA driver contains buffer overflow that may allow guests to execute code on hosts[9]
  • CVE-2017-4934 VMware Workstation, Fusion: Heap buffer-overflow vulnerability in VMNAT device that may allow a guest to execute code on the host[10]
  • CVE-2017-4936 VMware Workstation, Horizon View : Multiple out-of-bounds read issues via Cortado ThinPrint may allow a guest to execute code or perform a Denial of Service on the Windows OS[10]
  • CVE-2018-2698 Oracle VirtualBox: shared memory interface by the VGA allows read and writes on the host OS[11]
  • CVE-2018-6981 VMware ESXi, Workstation, Fusion: Uninitialized stack memory usage in the vmxnet3 virtual network adapter.[12]
  • CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091: "Microarchitectural Data Sampling" (MDS) attacks: Similar to above Spectre and Meltdown attacks, this cache side-channel attack on CPU level allows to read data across VMs and even data of the host system. Sub types: Microarchitectural Store Buffer Data Sampling (MSBDS), Microarchitectural Fill Buffer Data Sampling (MFBDS) = Zombieload, Microarchitectural Load Port Data Sampling (MLPDS), and Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2019-0719, CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, CVE-2019-1398 Windows Hyper-V Remote Code Execution Vulnerability
  • CVE-2019-18420, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425: Xen Hypervisor and Citrix Hypervisor: Allows guest virtual machines to compromise the host system (denial of service and rights escalation) [13]
  • CVE-2019-5183 (critical), CVE-2019-5124, CVE-2019-5146, CVE-2019-5147: Windows 10 and VMWare Workstation using AMD Radeon graphics cards using Adrenalin driver: attacker in guest system can use pixel shader to cause memory error on the host system, injecting malicious code to the host system and execute it.[14]
  • CVE-2018-12130, CVE-2019-11135, CVE-2020-0548: ZombieLoad, ZombieLoad v2, Vector Register Sampling (VRS), Microarchitectural Data Sampling (MDS), Transactional Asynchronous Abort (TAA), CacheOut, L1D Eviction Sampling (L1DES): L1 cache side attacks on CPU level allow virtual machines to read memory outside of their sandbox[15]
  • CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971: VMware ESXi, Workstation Pro / Player, Fusion Pro, Cloud Foundation: Vulnerabilities in SVGA, graphics shader, USB driver, xHCI/EHCI, PVNVRAM, and vmxnet3 can cause virtual machine escape[16]

See also

References

  1. "What is VM Escape? - The Lone Sysadmin". 22 September 2007. http://lonesysadmin.net/2007/09/22/what-is-vm-escape/. 
  2. "Virtual Machines: Virtualization vs. Emulation". http://www.griffincaprio.com/blog/2006/08/virtual-machines-virtualization-vs-emulation.html. Retrieved 2011-03-11. 
  3. "Path Traversal vulnerability in VMware's shared folders implementation". 18 May 2016. http://www.coresecurity.com/content/advisory-vmware. 
  4. Dignan, Larry. "Researcher: Critical vulnerability found in VMware's desktop apps - ZDNet". http://www.zdnet.com/blog/security/researcher-critical-vulnerability-found-in-vmwares-desktop-apps/902. 
  5. "Security Monitoring News, Analysis, Discussion, & Community". http://www.darkreading.com/security-services/167801101/security/application-security/217701908/hacking-tool-lets-a-vm-break-out-and-attack-its-host.html. 
  6. "Black Hat ® Technical Security Conference: USA 2009 // Briefings". https://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html. 
  7. "DEFCON 19: Virtunoid: Breaking out of KVM". Nelson Elhage. https://nelhage.com/talks/kvm-defcon-2011.pdf. 
  8. "VM escape - QEMU Case Study". Mehdi Talbi & Paul Fariello. http://phrack.org/papers/vm-escape-qemu-case-study.html. 
  9. "VMSA-2017-0006". https://www.vmware.com/security/advisories/VMSA-2017-0006.html. 
  10. 10.0 10.1 "VMSA-2017-0018.1". https://www.vmware.com/security/advisories/VMSA-2017-0018.html. 
  11. "CVE-2018-2698". 24 January 2018. https://www.exploit-db.com/exploits/43878. 
  12. "Chaos Communication Congress 2019: The Great Escape of ESXi". 28 December 2019. https://media.ccc.de/v/36c3-10505-the_great_escape_of_esxi. 
  13. "CVE-2019-18420 to 18425". https://www.heise.de/security/meldung/Patches-beheben-Schwachstellen-in-Xen-und-Citrix-Hypervisor-4578330.html. 
  14. "CVE-2019-0964 (critical), CVE-2019-5124, CVE-2019-5146, CVE-2019-5147". https://www.heise.de/security/meldung/Sicherheitsupdate-AMD-Treiber-und-VMware-koennen-ein-gefaehrlicher-Cocktail-sein-4643294.html. 
  15. Mantle, Mark (2020-01-28). "Sicherheitslücken in Intel-CPUs: Modifizierte Angriffe erfordern BIOS-Updates" (in German). https://www.heise.de/news/Sicherheitsluecken-in-Intel-CPUs-Modifizierte-Angriffe-erfordern-BIOS-Updates-4647081.html?wt_mc=rss.red.security.security.atom.beitrag.beitrag. 
  16. "CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971". https://www.vmware.com/security/advisories/VMSA-2020-0015.html. 

External links




Licensed under CC BY-SA 3.0 | Source: https://handwiki.org/wiki/Virtual_machine_escape
18 views | Status: cached on July 22 2024 11:14:57
↧ Download this article as ZWI file
Encyclosphere.org EncycloReader is supported by the EncyclosphereKSF