Virtual machine escape
{{Short description|Method of compromising a host OS through the VM}}
In computer security, virtual machine escape (VM escape) is the process by which a program running inside a virtual machine (VM) breaks out of it and interacts with the host operating system or hypervisor.{{cite web|url=http://lonesysadmin.net/2007/09/22/what-is-vm-escape/|title=What is VM Escape? - The Lone Sysadmin|date=22 September 2007|publisher=|access-date=23 October 2011|archive-date=9 December 2011|archive-url=https://web.archive.org/web/20111209072601/http://lonesysadmin.net/2007/09/22/what-is-vm-escape/|url-status=live}} In theory, a virtual machine is a "completely isolated guest operating system installation within a normal host operating system",{{Cite web |url=http://www.griffincaprio.com/blog/2006/08/virtual-machines-virtualization-vs-emulation.html |title=Virtual Machines: Virtualization vs. Emulation |accessdate=2011-03-11 |archive-date=2014-07-15 |archive-url=https://web.archive.org/web/20140715083736/http://www.griffincaprio.com/blog/2006/08/virtual-machines-virtualization-vs-emulation.html |url-status=dead }} but in practice that isolation is only as strong as the hypervisor and the device-emulation code that enforce it, and bugs in that code can be reached from the guest.
For example, in 2008 a path traversal vulnerability ({{CVE|2008-0923}}) in the shared folders feature of VMware Workstation 6.0.2 and 5.5.4, discovered by Core Security Technologies, let a guest read and write files on the host outside the shared directory.{{cite web|url=http://www.coresecurity.com/content/advisory-vmware|title=Path Traversal vulnerability in VMware's shared folders implementation|date=18 May 2016|publisher=}}{{cite web|url=http://www.zdnet.com/blog/security/researcher-critical-vulnerability-found-in-vmwares-desktop-apps/902|archive-url=https://web.archive.org/web/20141129022733/http://www.zdnet.com/blog/security/researcher-critical-vulnerability-found-in-vmwares-desktop-apps/902|url-status=dead|archive-date=November 29, 2014|title=Researcher: Critical vulnerability found in VMware's desktop apps - ZDNet|first=Larry|last=Dignan|website=ZDNet |publisher=}} In 2009 a separate flaw in VMware's emulated display (SVGA) device ({{CVE|2009-1244}}) was turned into a fully working guest-to-host exploit, labeled Cloudburst, by Immunity Inc. for Immunity CANVAS (a commercial penetration testing tool).{{cite web|url=http://www.darkreading.com/security-services/167801101/security/application-security/217701908/hacking-tool-lets-a-vm-break-out-and-attack-its-host.html|title=Security Monitoring News, Analysis, Discussion, & Community|website=Dark Reading|access-date=2011-10-23|archive-date=2011-07-19|archive-url=https://web.archive.org/web/20110719003235/http://www.darkreading.com/security-services/167801101/security/application-security/217701908/hacking-tool-lets-a-vm-break-out-and-attack-its-host.html|url-status=dead}} Cloudburst was presented at Black Hat USA 2009.{{cite web|url=https://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html|title=Black Hat ® Technical Security Conference: USA 2009 // Briefings|website=www.blackhat.com}}
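The shared-folders bugs above are the classic shape of a host-side path check that trusts guest-supplied path components. The following is an added example, not VMware's HGFS code: a hypothetical host-side resolver (the function name `shared_folder_resolve`, the exported root `/srv/share` and the sample guest paths are all assumptions made here) that normalises the guest path lexically before prepending the root, treats backslashes as separators the way a Windows guest would send them, and refuses anything that would climb above the root.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical host-side path resolver for a "shared folders" device
 * (added example, not VMware's HGFS code). The guest hands the host a path
 * relative to the exported directory; the host must never open anything
 * outside it. The checks are lexical: components are normalised before the
 * root is prepended, so "a/../../etc/passwd" is rejected instead of being
 * passed through to the host filesystem.
 */

#define MAX_DEPTH 64

/* Returns 0 and writes "<root>/<normalised path>" into out on success,
 * -1 if the guest path would escape the root or does not fit in out. */
int shared_folder_resolve(const char *root, const char *guest_path,
                          char *out, size_t outlen)
{
    const char *parts[MAX_DEPTH];
    size_t lens[MAX_DEPTH];
    int depth = 0;
    const char *p = guest_path;

    /* Guest paths are relative by definition; reject absolute ones outright. */
    if (*p == '/' || *p == '\\')
        return -1;

    while (*p) {
        /* Both '/' and '\\' are separators: a Windows guest sends backslashes,
         * and a filter that only looks for "/../" is bypassed by "..\\". */
        size_t n = strcspn(p, "/\\");
        if (n == 0 || (n == 1 && p[0] == '.')) {
            /* empty component ("a//b") or ".": nothing to record */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return -1;              /* would climb above the root */
            depth--;
        } else {
            if (depth == MAX_DEPTH)
                return -1;              /* pathological nesting */
            parts[depth] = p;
            lens[depth] = n;
            depth++;
        }
        p += n;
        if (*p)
            p++;                        /* skip the separator */
    }

    /* Assemble the host path with explicit bounds on every append. */
    size_t used = strlen(root);
    if (used + 1 > outlen)
        return -1;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outlen)
            return -1;
        out[used++] = '/';
        memcpy(out + used, parts[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* constructed guest-supplied paths, benign and hostile */
    static const char *samples[] = {
        "docs/report.txt", "a/../b", "..\\..\\etc\\passwd",
        "/etc/passwd", "x/./../../y",
    };
    char host_path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = shared_folder_resolve("/srv/share", samples[i],
                                       host_path, sizeof host_path);
        printf("%-22s -> %s\n", samples[i], rc == 0 ? host_path : "REJECTED");
    }
    return 0;
}
```

A lexical check like this is necessary but not sufficient: a symlink inside the share can still point outside it, and host filesystems that fold case or normalise Unicode can make two different strings name the same file. The open itself therefore also has to be confined, for example with `openat2` and `RESOLVE_BENEATH` on Linux 5.6 and later, or by re-checking the `realpath` of the opened file against the root.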
Previous known vulnerabilities
- {{CVE|2007-4993}} Xen pygrub: command injection via a crafted grub.conf in the guest filesystem, which pygrub parses in domain 0, allowing a guest administrator to run commands on the host
- {{CVE|2007-1744}} Directory traversal vulnerability in shared folders feature for VMware
- {{CVE|2008-0923|link=no}} Directory traversal vulnerability in shared folders feature for VMware
- {{CVE|2008-1943|link=no}} Xen Para Virtualized Frame Buffer backend buffer overflow.
- {{CVE|2009-1244|link=no}} Cloudburst: memory corruption in VMware's emulated display (SVGA) device, giving guest-to-host code execution
- {{CVE|2011-1751|link=no}} QEMU-KVM: PIIX4 emulation does not check if a device is hotpluggable before unplugging{{cite web|url=https://nelhage.com/talks/kvm-defcon-2011.pdf|title=DEFCON 19: Virtunoid: Breaking out of KVM|publisher=Nelson Elhage|access-date=2024-12-24|archive-date=2024-12-04|archive-url=https://web.archive.org/web/20241204094623/https://nelhage.com/talks/kvm-defcon-2011.pdf|url-status=live}}
- {{CVE|2012-0217|link=no}} Xen 4.1.2 and earlier: the x86-64 system-call return path (SYSRET) mishandles non-canonical return addresses on Intel CPUs, allowing a 64-bit PV guest to crash the hypervisor or escalate privileges into it
- {{CVE|2014-0983|link=no}} Oracle VirtualBox 3D acceleration multiple memory corruption
- {{CVE|2015-3456|link=no}} VENOM: buffer-overflow in QEMU's virtual floppy disk controller
- {{CVE|2015-7504|link=no}} QEMU-KVM: Heap overflow in pcnet_receive function.{{cite web|url=http://phrack.org/papers/vm-escape-qemu-case-study.html|title=VM escape - QEMU Case Study|publisher=Mehdi Talbi & Paul Fariello}}
- {{CVE|2015-7835|link=no}} Xen Hypervisor: Uncontrolled creation of large page mappings by PV guests
- {{CVE|2016-6258|link=no}} Xen Hypervisor: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe.
- {{CVE|2016-7092|link=no}} Xen Hypervisor: 32-bit PV guests could install a recursive L3 pagetable mapping that the pagetable validation code mishandled, letting a guest administrator gain host privileges (fixed by disallowing L3 recursive pagetables for 32-bit PV guests)
- {{CVE|2017-5715|2017-5753|2017-5754|link=no}}: Spectre and Meltdown, transient-execution side channels in the CPU itself rather than in hypervisor code. Meltdown (CVE-2017-5754, Rogue Data Cache Load, RDCL) lets an unprivileged process read memory it has no permission to access, including memory outside the allocation of its virtual machine; Spectre variant 2 (CVE-2017-5715, branch target injection) was demonstrated reading host memory from inside a guest. Mitigation requires microcode updates together with hypervisor and guest kernel patches
- {{CVE|2017-0075|link=no}} Hyper-V Remote Code Execution Vulnerability
- {{CVE|2017-0109|link=no}} Hyper-V Remote Code Execution Vulnerability
- {{CVE|2017-4903|link=no}} VMware ESXi, Workstation, Fusion: SVGA driver contains buffer overflow that may allow guests to execute code on hosts{{cite web|url=https://www.vmware.com/security/advisories/VMSA-2017-0006.html|title=VMSA-2017-0006|website=VMware|access-date=2017-04-01|archive-date=2017-04-01|archive-url=https://web.archive.org/web/20170401145718/https://www.vmware.com/security/advisories/VMSA-2017-0006.html|url-status=live}}
- {{CVE|2017-4934|link=no}} VMware Workstation, Fusion: Heap buffer-overflow vulnerability in VMNAT device that may allow a guest to execute code on the host{{cite web|url=https://www.vmware.com/security/advisories/VMSA-2017-0018.html|title=VMSA-2017-0018.1|website=VMware|access-date=2017-11-17|archive-date=2017-11-18|archive-url=https://web.archive.org/web/20171118221958/https://www.vmware.com/security/advisories/VMSA-2017-0018.html|url-status=live}}
- {{CVE|2017-4936|link=no}} VMware Workstation, Horizon View: multiple out-of-bounds read issues via Cortado ThinPrint may allow a guest to execute code on, or perform a denial of service against, the Windows host OS
- {{CVE|2018-2698|link=no}} Oracle VirtualBox: a flaw in the shared memory interface of the emulated VGA device allows a guest to read and write host memory, giving a guest-to-host escape{{cite web|title=CVE-2018-2698|url=https://www.exploit-db.com/exploits/43878|website=exploit-db.com: Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape|date=24 January 2018|access-date=24 December 2024|archive-date=10 December 2024|archive-url=https://web.archive.org/web/20241210021925/https://www.exploit-db.com/exploits/43878|url-status=live}}
- {{CVE|2018-6981|link=no}} VMware ESXi, Workstation, Fusion: Uninitialized stack memory usage in the vmxnet3 virtual network adapter.{{cite web|url=https://media.ccc.de/v/36c3-10505-the_great_escape_of_esxi|title=Chaos Communication Congress 2019: The Great Escape of ESXi|website=media.ccc.de|date=28 December 2019 }}
- {{CVE|2018-12126|2018-12130|2018-12127|2019-11091|link=no}}: Microarchitectural Data Sampling (MDS) attacks: like Spectre and Meltdown above, these are CPU-level transient-execution side channels rather than hypervisor bugs. They leak data in flight through internal CPU buffers that are shared between sibling hyperthreads, allowing a guest to read data belonging to other VMs and to the host. Sub-types: Microarchitectural Store Buffer Data Sampling (MSBDS, CVE-2018-12126), Microarchitectural Fill Buffer Data Sampling (MFBDS, CVE-2018-12130, ZombieLoad), Microarchitectural Load Port Data Sampling (MLPDS, CVE-2018-12127) and Microarchitectural Data Sampling Uncacheable Memory (MDSUM, CVE-2019-11091)
- {{CVE|2019-0719|link=no}}, {{CVE|2019-0721|link=no}}, {{CVE|2019-1389|link=no}}, {{CVE|2019-1397|link=no}}, {{CVE|2019-1398|link=no}} Windows Hyper-V Remote Code Execution Vulnerability
- {{CVE|2019-18420|2019-18421|2019-18422|2019-18423|2019-18424|2019-18425|link=no}}: Xen Hypervisor and Citrix Hypervisor: allow guest virtual machines to compromise the host system (denial of service and privilege escalation) {{cite web|url=https://www.heise.de/security/meldung/Patches-beheben-Schwachstellen-in-Xen-und-Citrix-Hypervisor-4578330.html|title=CVE-2019-18420 to 18425|website=Patches beheben Schwachstellen in Xen und Citrix Hypervisor|date=5 November 2019|access-date=5 November 2019|archive-date=5 November 2019|archive-url=https://web.archive.org/web/20191105201428/https://www.heise.de/security/meldung/Patches-beheben-Schwachstellen-in-Xen-und-Citrix-Hypervisor-4578330.html|url-status=live}}
- {{CVE|2019-5183|link=no}} (critical), {{CVE|2019-5124|2019-5146|2019-5147|link=no}}: Windows 10 hosts running VMware Workstation with AMD Radeon graphics cards and the Adrenalin driver: an attacker in a guest with 3D acceleration enabled can supply a crafted pixel shader that corrupts memory in the host's graphics driver, allowing code execution on the host{{cite web|url=https://www.heise.de/security/meldung/Sicherheitsupdate-AMD-Treiber-und-VMware-koennen-ein-gefaehrlicher-Cocktail-sein-4643294.html|title=CVE-2019-0964 (critical), CVE-2019-5124, CVE-2019-5146, CVE-2019-5147|website=Sicherheitsupdate: AMD-Treiber und VMware|date=22 January 2020|access-date=22 January 2020|archive-date=22 January 2020|archive-url=https://web.archive.org/web/20200122194645/https://www.heise.de/security/meldung/Sicherheitsupdate-AMD-Treiber-und-VMware-koennen-ein-gefaehrlicher-Cocktail-sein-4643294.html|url-status=live}}
- {{CVE|2018-12130|2019-11135|2020-0548|link=no}}: further MDS-class attacks: ZombieLoad (MFBDS), ZombieLoad v2 / TSX Asynchronous Abort (TAA, CVE-2019-11135), Vector Register Sampling (VRS, CVE-2020-0548) and L1D Eviction Sampling (L1DES, CacheOut). These transient-execution side channels on affected Intel CPUs let a guest read data from other VMs or the host as it passes through shared CPU buffers; TAA reaches the same buffers through TSX transaction aborts and also affects newer CPUs that are not vulnerable to the original MDS variants, so microcode (BIOS) updates and hypervisor patches are both required{{cite web |last=Mantle |first=Mark |date=2020-01-28 |title=Sicherheitslücken in Intel-CPUs: Modifizierte Angriffe erfordern BIOS-Updates |url=https://www.heise.de/news/Sicherheitsluecken-in-Intel-CPUs-Modifizierte-Angriffe-erfordern-BIOS-Updates-4647081.html?wt_mc=rss.red.security.security.atom.beitrag.beitrag |access-date=2024-01-10 |website=Heise |language=German |archive-date=2024-01-10 |archive-url=https://web.archive.org/web/20240110124209/https://www.heise.de/news/Sicherheitsluecken-in-Intel-CPUs-Modifizierte-Angriffe-erfordern-BIOS-Updates-4647081.html?wt_mc=rss.red.security.security.atom.beitrag.beitrag |url-status=live }}
- CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971: VMware ESXi, Workstation Pro / Player, Fusion Pro, Cloud Foundation: Vulnerabilities in SVGA, graphics shader, USB driver, xHCI/EHCI, PVNVRAM, and vmxnet3 can cause virtual machine escape{{cite web|url=https://www.vmware.com/security/advisories/VMSA-2020-0015.html|title=CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971|website=VMWare Advisory VMSA-2020-0015.1}}
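Most of the hypervisor-side entries in this list (the floppy-controller FIFO in VENOM, the pcnet receive path, the SVGA, xHCI and vmxnet3 issues) are memory-safety bugs in device emulation: a length or index that the guest controls reaches a memcpy or an array index inside the host process without being bounded by the host-side buffer. The following is an added example, not code from QEMU, Xen or VMware: a hypothetical emulated device (the `dev_state` layout, the 512-byte FIFO, the three-byte command header and the `fifo_*` function names are all constructed here) with the unchecked form of the port-write and command handlers beside the bounded form.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical emulated device (added example, not code from QEMU, Xen or
 * VMware). The guest writes a command stream into a 512-byte FIFO through
 * an I/O port; the host-side model later parses and executes it. The
 * "unchecked" handlers show the bug class, the others the bounded form.
 */

#define FIFO_SIZE 512

struct dev_state {
    uint8_t  fifo[FIFO_SIZE];
    uint32_t fifo_pos;   /* next write offset, advanced by every port write */
    int      error;      /* sticky error bit, as a STATUS register would hold */
};

void dev_reset(struct dev_state *s)
{
    memset(s, 0, sizeof *s);
}

/* VULNERABLE: the index is never compared with the buffer size. After
 * FIFO_SIZE port writes every further byte lands past fifo[], in whatever
 * the host process keeps there (here fifo_pos itself, then the heap). */
void fifo_push_unchecked(struct dev_state *s, uint8_t b)
{
    s->fifo[s->fifo_pos++] = b;
}

/* HARDENED: bound the index on every write; drop the byte and latch an
 * error the guest can observe instead of corrupting host memory. */
int fifo_push(struct dev_state *s, uint8_t b)
{
    if (s->fifo_pos >= FIFO_SIZE) {
        s->error = 1;
        return -1;
    }
    s->fifo[s->fifo_pos++] = b;
    return 0;
}

/* Command layout (constructed for this example): fifo[0] = opcode,
 * fifo[1..2] = little-endian payload length, fifo[3..] = payload. */

/* VULNERABLE: the length field is guest data, yet it alone decides how
 * much is read out of fifo[] and written into the caller's buffer. */
size_t fifo_execute_unchecked(struct dev_state *s, uint8_t *out)
{
    size_t len = s->fifo[1] | ((size_t)s->fifo[2] << 8);
    memcpy(out, s->fifo + 3, len);
    return len;
}

/* HARDENED: the claimed length must fit both what the guest actually
 * queued and the host buffer it is copied into. Returns 0 and sets
 * *copied on success, -1 (with the error bit set) otherwise. */
int fifo_execute(struct dev_state *s, uint8_t *out, size_t outlen,
                 size_t *copied)
{
    if (s->fifo_pos < 3) {
        s->error = 1;
        return -1;                   /* header not even complete */
    }
    size_t len = s->fifo[1] | ((size_t)s->fifo[2] << 8);
    if (len > s->fifo_pos - 3 || len > outlen) {
        s->error = 1;
        return -1;                   /* guest lied about the length */
    }
    memcpy(out, s->fifo + 3, len);
    *copied = len;
    s->fifo_pos = 0;                 /* command consumed: rewind the FIFO */
    return 0;
}

int main(void)
{
    struct dev_state s;
    uint8_t out[64];
    size_t n = 0;
    /* constructed guest commands: opcode 0x2a, payload "ABCD"; the second
     * one claims 1000 (0x03e8) payload bytes while queueing only 4 */
    static const uint8_t honest[] = {0x2a, 4, 0, 'A', 'B', 'C', 'D'};
    static const uint8_t lying[]  = {0x2a, 0xe8, 0x03, 'A', 'B', 'C', 'D'};

    dev_reset(&s);
    for (size_t i = 0; i < sizeof honest; i++)
        fifo_push(&s, honest[i]);
    int rc = fifo_execute(&s, out, sizeof out, &n);
    printf("honest command:  rc=%d copied=%zu\n", rc, n);

    dev_reset(&s);
    for (size_t i = 0; i < sizeof lying; i++)
        fifo_push(&s, lying[i]);
    rc = fifo_execute(&s, out, sizeof out, &n);
    printf("oversized claim: rc=%d error=%d\n", rc, s.error);
    return 0;
}
```

The two checks in `fifo_execute` are deliberately separate: one bounds the read against what the guest really queued, the other bounds the write against the host buffer, and a real device model needs both, because the two sizes are controlled by different parties. Rewinding `fifo_pos` only after a command has been validated and consumed is the other habit worth copying; an index that is reset on some command paths but not others is exactly the kind of state bug that leaves a guest able to keep writing past the buffer.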
See also
References
{{reflist}}
External links
- {{CVE|2008-0923}}
- [http://www.securitytube.net/video/716 Cloudburst (Hacking 3D And Breaking Out Of Vmware) Blackhat 2009] (Video)
- https://technet.microsoft.com/library/security/MS17-008