MarketVirtual machine escape
Company Profile

Virtual machine escape

In computer security, virtual machine escape is the process of a program breaking out of the virtual machine (VM) on which it is running and interacting with the host operating system. In theory, a virtual machine is a "completely isolated guest operating system installation within a normal host operating system", but this isn't always the case in practice.

Previous known vulnerabilities
• Xen pygrub: Command injection in grub.conf file. • Directory traversal vulnerability in shared folders feature for VMware • Directory traversal vulnerability in shared folders feature for VMware • Xen Para Virtualized Frame Buffer backend buffer overflow. • Cloudburst: VM display function in VMware • QEMU-KVM: PIIX4 emulation does not check if a device is hotpluggable before unplugging • The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier • Oracle VirtualBox 3D acceleration multiple memory corruption • VENOM: buffer-overflow in QEMU's virtual floppy disk controller • QEMU-KVM: Heap overflow in pcnet_receive function. • Xen Hypervisor: Uncontrolled creation of large page mappings by PV guests • Xen Hypervisor: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe. • Xen Hypervisor: Disallow L3 recursive pagetable for 32-bit PV guests • CVE-2017-5715, 2017-5753, 2017-5754: The Spectre and Meltdown hardware vulnerabilities, a cache side-channel attack on CPU level (Rogue Data Cache Load (RDCL)), allow a rogue process to read all memory of a computer, even outside the memory assigned to a virtual machine • Hyper-V Remote Code Execution Vulnerability • Hyper-V Remote Code Execution Vulnerability • VMware ESXi, Workstation, Fusion: SVGA driver contains buffer overflow that may allow guests to execute code on hosts • VMware Workstation, Fusion: Heap buffer-overflow vulnerability in VMNAT device that may allow a guest to execute code on the host • VMware Workstation, Horizon View : Multiple out-of-bounds read issues via Cortado ThinPrint may allow a guest to execute code or perform a Denial of Service on the Windows OS • VMware ESXi, Workstation, Fusion: Uninitialized stack memory usage in the vmxnet3 virtual network adapter. • : "Microarchitectural Data Sampling" (MDS) attacks: Similar to above Spectre and Meltdown attacks, this cache side-channel attack on CPU level allows to read data across VMs and even data of the host system. Sub types: Microarchitectural Store Buffer Data Sampling (MSBDS), Microarchitectural Fill Buffer Data Sampling (MFBDS) = Zombieload, Microarchitectural Load Port Data Sampling (MLPDS), and Microarchitectural Data Sampling Uncacheable Memory (MDSUM) • , , , , Windows Hyper-V Remote Code Execution Vulnerability • : Xen Hypervisor and Citrix Hypervisor: Allows guest virtual machines to compromise the host system (denial of service and rights escalation) • (critical), : Windows 10 and VMWare Workstation using AMD Radeon graphics cards using Adrenalin driver: attacker in guest system can use pixel shader to cause memory error on the host system, injecting malicious code to the host system and execute it. • : ZombieLoad, ZombieLoad v2, Vector Register Sampling (VRS), Microarchitectural Data Sampling (MDS), Transactional Asynchronous Abort (TAA), CacheOut, L1D Eviction Sampling (L1DES): L1 cache side attacks on CPU level allow virtual machines to read memory outside of their sandbox • CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971: VMware ESXi, Workstation Pro / Player, Fusion Pro, Cloud Foundation: Vulnerabilities in SVGA, graphics shader, USB driver, xHCI/EHCI, PVNVRAM, and vmxnet3 can cause virtual machine escape ==See also==
Source: Wikipedia ↗
tickerdossier.comtickerdossier.substack.com