Virtual machine escape explained
In computer security, virtual machine (VM) escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system.[1] In theory, a virtual machine is a "completely isolated guest operating system installation within a normal host operating system".[2] In 2008, a vulnerability in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4.[3] [4] A fully working exploit labeled Cloudburst was developed by Immunity Inc. for Immunity CANVAS (commercial penetration testing tool).[5] Cloudburst was presented in Black Hat USA 2009.[6]
Previous known vulnerabilities
- Xen pygrub: Command injection in grub.conf file.
- Directory traversal vulnerability in shared folders feature for VMware
- Directory traversal vulnerability in shared folders feature for VMware
- Xen Para Virtualized Frame Buffer backend buffer overflow.
- Cloudburst: VM display function in VMware
- QEMU-KVM: PIIX4 emulation does not check if a device is hotpluggable before unplugging[7]
- The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier
- Oracle VirtualBox 3D acceleration multiple memory corruption
- VENOM: buffer-overflow in QEMU's virtual floppy disk controller
- QEMU-KVM: Heap overflow in pcnet_receive function.[8]
- Xen Hypervisor: Uncontrolled creation of large page mappings by PV guests
- Xen Hypervisor: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe.
- Xen Hypervisor: Disallow L3 recursive pagetable for 32-bit PV guests
- CVE-2017-5715, 2017-5753, 2017-5754: The Spectre and Meltdown hardware vulnerabilities, a cache side-channel attack on CPU level (Rogue Data Cache Load (RDCL)), allow a rogue process to read all memory of a computer, even outside the memory assigned to a virtual machine
- Hyper-V Remote Code Execution Vulnerability
- Hyper-V Remote Code Execution Vulnerability
- VMware ESXi, Workstation, Fusion: SVGA driver contains buffer overflow that may allow guests to execute code on hosts[9]
- VMware Workstation, Fusion: Heap buffer-overflow vulnerability in VMNAT device that may allow a guest to execute code on the host[10]
- VMware Workstation, Horizon View : Multiple out-of-bounds read issues via Cortado ThinPrint may allow a guest to execute code or perform a Denial of Service on the Windows OS[10]
- Oracle VirtualBox: shared memory interface by the VGA allows read and writes on the host OS[11]
- VMware ESXi, Workstation, Fusion: Uninitialized stack memory usage in the vmxnet3 virtual network adapter.[12]
"Microarchitectural Data Sampling" (MDS) attacks: Similar to above Spectre and Meltdown attacks, this cache side-channel attack on CPU level allows to read data across VMs and even data of the host system. Sub types: Microarchitectural Store Buffer Data Sampling (MSBDS), Microarchitectural Fill Buffer Data Sampling (MFBDS) = Zombieload, Microarchitectural Load Port Data Sampling (MLPDS), and Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
- ,,,, Windows Hyper-V Remote Code Execution Vulnerability
Xen Hypervisor and Citrix Hypervisor: Allows guest virtual machines to compromise the host system (denial of service and rights escalation) [13]
- (critical), : Windows 10 and VMWare Workstation using AMD Radeon graphics cards using Adrenalin driver: attacker in guest system can use pixel shader to cause memory error on the host system, injecting malicious code to the host system and execute it.[14]
ZombieLoad, ZombieLoad v2, Vector Register Sampling (VRS), Microarchitectural Data Sampling (MDS), Transactional Asynchronous Abort (TAA), CacheOut, L1D Eviction Sampling (L1DES): L1 cache side attacks on CPU level allow virtual machines to read memory outside of their sandbox[15]
- CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971: VMware ESXi, Workstation Pro / Player, Fusion Pro, Cloud Foundation: Vulnerabilities in SVGA, graphics shader, USB driver, xHCI/EHCI, PVNVRAM, and vmxnet3 can cause virtual machine escape[16]
See also
External links
-
- https://technet.microsoft.com/library/security/MS17-008
Notes and References
- Web site: What is VM Escape? - The Lone Sysadmin. 22 September 2007.
- Web site: Virtual Machines: Virtualization vs. Emulation . 2011-03-11 . 2014-07-15 . https://web.archive.org/web/20140715083736/http://www.griffincaprio.com/blog/2006/08/virtual-machines-virtualization-vs-emulation.html . dead .
- Web site: Path Traversal vulnerability in VMware's shared folders implementation. 18 May 2016.
- Web site: Researcher: Critical vulnerability found in VMware's desktop apps - ZDNet. https://web.archive.org/web/20141129022733/http://www.zdnet.com/blog/security/researcher-critical-vulnerability-found-in-vmwares-desktop-apps/902. dead. November 29, 2014. Larry. Dignan. .
- Web site: Security Monitoring News, Analysis, Discussion, & Community. Dark Reading. 2011-10-23. 2011-07-19. https://web.archive.org/web/20110719003235/http://www.darkreading.com/security-services/167801101/security/application-security/217701908/hacking-tool-lets-a-vm-break-out-and-attack-its-host.html. dead.
- Web site: Black Hat ® Technical Security Conference: USA 2009 // Briefings. www.blackhat.com.
- Web site: DEFCON 19: Virtunoid: Breaking out of KVM. Nelson Elhage.
- Web site: VM escape - QEMU Case Study. Mehdi Talbi & Paul Fariello.
- Web site: VMSA-2017-0006. VMware.
- Web site: VMSA-2017-0018.1. VMware.
- Web site: CVE-2018-2698. exploit-db.com: Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape. 24 January 2018 .
- Web site: Chaos Communication Congress 2019: The Great Escape of ESXi. media.ccc.de. 28 December 2019 .
- Web site: CVE-2019-18420 to 18425. Patches beheben Schwachstellen in Xen und Citrix Hypervisor. 5 November 2019 .
- Web site: CVE-2019-0964 (critical), CVE-2019-5124, CVE-2019-5146, CVE-2019-5147. Sicherheitsupdate: AMD-Treiber und VMware . 22 January 2020 .
- Web site: Mantle . Mark . 2020-01-28 . Sicherheitslücken in Intel-CPUs: Modifizierte Angriffe erfordern BIOS-Updates . 2024-01-10 . Heise . German.
- Web site: CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971. VMWare Advisory VMSA-2020-0015.1.