Virtual machine escape

In computer security, virtual machine escape (VM escape) is the process of a program breaking out of the virtual machine (VM) on which it is running and interacting with the host operating system. ^[1] In theory, a virtual machine is a "completely isolated guest operating system installation within a normal host operating system", ^[2] but this isn't always the case in practice.

For example, in 2008, a vulnerability (CVE - 2008-0923) in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4. ^{[3] [4]} A fully working exploit labeled Cloudburst was developed by Immunity Inc. for Immunity CANVAS (a commercial penetration testing tool). ^[5] Cloudburst was presented at Black Hat USA 2009. ^[6]

Previous known vulnerabilities

• CVE - 2007-4993 Xen pygrub: Command injection in grub.conf file.
• CVE- 2007-1744 Directory traversal vulnerability in shared folders feature for VMware
• CVE- 2008-0923 Directory traversal vulnerability in shared folders feature for VMware
• CVE- 2008-1943 Xen Para Virtualized Frame Buffer backend buffer overflow.
• CVE- 2009-1244 Cloudburst: VM display function in VMware
• CVE- 2011-1751 QEMU-KVM: PIIX4 emulation does not check if a device is hotpluggable before unplugging ^[7]
• CVE- 2012-0217 The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier
• CVE- 2014-0983 Oracle VirtualBox 3D acceleration multiple memory corruption
• CVE- 2015-3456 VENOM: buffer-overflow in QEMU's virtual floppy disk controller
• CVE- 2015-7504 QEMU-KVM: Heap overflow in pcnet_receive function. ^[8]
• CVE- 2015-7835 Xen Hypervisor: Uncontrolled creation of large page mappings by PV guests
• CVE- 2016-6258 Xen Hypervisor: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe.
• CVE- 2016-7092 Xen Hypervisor: Disallow L3 recursive pagetable for 32-bit PV guests
• CVE-2017-5715, 2017-5753, 2017-5754: The Spectre and Meltdown hardware vulnerabilities, a cache side-channel attack on CPU level (Rogue Data Cache Load (RDCL)), allow a rogue process to read all memory of a computer, even outside the memory assigned to a virtual machine
• CVE- 2017-0075 Hyper-V Remote Code Execution Vulnerability
• CVE- 2017-0109 Hyper-V Remote Code Execution Vulnerability
• CVE- 2017-4903 VMware ESXi, Workstation, Fusion: SVGA driver contains buffer overflow that may allow guests to execute code on hosts ^[9]
• CVE- 2017-4934 VMware Workstation, Fusion: Heap buffer-overflow vulnerability in VMNAT device that may allow a guest to execute code on the host ^[10]
• CVE- 2017-4936 VMware Workstation, Horizon View : Multiple out-of-bounds read issues via Cortado ThinPrint may allow a guest to execute code or perform a Denial of Service on the Windows OS ^[10]
• CVE- 2018-2698 Oracle VirtualBox: shared memory interface by the VGA allows read and writes on the host OS ^[11]
• CVE- 2018-6981 VMware ESXi, Workstation, Fusion: Uninitialized stack memory usage in the vmxnet3 virtual network adapter. ^[12]
• CVE- 2018-12126 ,CVE- 2018-12130 ,CVE- 2018-12127 ,CVE- 2019-11091: "Microarchitectural Data Sampling" (MDS) attacks: Similar to above Spectre and Meltdown attacks, this cache side-channel attack on CPU level allows to read data across VMs and even data of the host system. Sub types: Microarchitectural Store Buffer Data Sampling (MSBDS), Microarchitectural Fill Buffer Data Sampling (MFBDS) = Zombieload, Microarchitectural Load Port Data Sampling (MLPDS), and Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
• CVE- 2019-0719, CVE- 2019-0721, CVE- 2019-1389, CVE- 2019-1397, CVE- 2019-1398 Windows Hyper-V Remote Code Execution Vulnerability
• CVE- 2019-18420 ,CVE- 2019-18421 ,CVE- 2019-18422 ,CVE- 2019-18423 ,CVE- 2019-18424 ,CVE- 2019-18425: Xen Hypervisor and Citrix Hypervisor: Allows guest virtual machines to compromise the host system (denial of service and rights escalation) ^[13]
• CVE- 2019-5183 (critical), CVE- 2019-5124 ,CVE- 2019-5146 ,CVE- 2019-5147: Windows 10 and VMWare Workstation using AMD Radeon graphics cards using Adrenalin driver: attacker in guest system can use pixel shader to cause memory error on the host system, injecting malicious code to the host system and execute it. ^[14]
• CVE- 2018-12130 ,CVE- 2019-11135 ,CVE- 2020-0548: ZombieLoad, ZombieLoad v2, Vector Register Sampling (VRS), Microarchitectural Data Sampling (MDS), Transactional Asynchronous Abort (TAA), CacheOut, L1D Eviction Sampling (L1DES): L1 cache side attacks on CPU level allow virtual machines to read memory outside of their sandbox ^[15]
• CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971: VMware ESXi, Workstation Pro / Player, Fusion Pro, Cloud Foundation: Vulnerabilities in SVGA, graphics shader, USB driver, xHCI/EHCI, PVNVRAM, and vmxnet3 can cause virtual machine escape ^[16]

See also

• Hyperjacking

References

1. "What is VM Escape? - The Lone Sysadmin". 22 September 2007. Archived from the original on 9 December 2011. Retrieved 23 October 2011.
2. "Virtual Machines: Virtualization vs. Emulation". Archived from the original on 2014-07-15. Retrieved 2011-03-11.
3. "Path Traversal vulnerability in VMware's shared folders implementation". 18 May 2016.
4. Dignan, Larry. "Researcher: Critical vulnerability found in VMware's desktop apps - ZDNet". ZDNet . Archived from the original on November 29, 2014.
5. "Security Monitoring News, Analysis, Discussion, & Community". Dark Reading. Archived from the original on 2011-07-19. Retrieved 2011-10-23.
6. "Black Hat ® Technical Security Conference: USA 2009 // Briefings". www.blackhat.com.
7. "DEFCON 19: Virtunoid: Breaking out of KVM" (PDF). Nelson Elhage. Archived (PDF) from the original on 2024-12-04. Retrieved 2024-12-24.
8. "VM escape - QEMU Case Study". Mehdi Talbi & Paul Fariello.
9. "VMSA-2017-0006". VMware. Archived from the original on 2017-04-01. Retrieved 2017-04-01.
10. "VMSA-2017-0018.1". VMware. Archived from the original on 2017-11-18. Retrieved 2017-11-17.
11. "CVE-2018-2698". exploit-db.com: Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape. 24 January 2018. Archived from the original on 10 December 2024. Retrieved 24 December 2024.
12. "Chaos Communication Congress 2019: The Great Escape of ESXi". media.ccc.de. 28 December 2019.
13. "CVE-2019-18420 to 18425". Patches beheben Schwachstellen in Xen und Citrix Hypervisor. 5 November 2019. Archived from the original on 5 November 2019. Retrieved 5 November 2019.
14. "CVE-2019-0964 (critical), CVE-2019-5124, CVE-2019-5146, CVE-2019-5147". Sicherheitsupdate: AMD-Treiber und VMware. 22 January 2020. Archived from the original on 22 January 2020. Retrieved 22 January 2020.
15. Mantle, Mark (2020-01-28). "Sicherheitslücken in Intel-CPUs: Modifizierte Angriffe erfordern BIOS-Updates". Heise (in German). Archived from the original on 2024-01-10. Retrieved 2024-01-10.
16. "CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971". VMWare Advisory VMSA-2020-0015.1.

External links

• CVE - 2008-0923
• Cloudburst (Hacking 3D And Breaking Out Of Vmware) Blackhat 2009 (Video)
• https://technet.microsoft.com/library/security/MS17-008