US-CERT warns of guest-to-host VM escape vulnerability


Summary: The vulnerability affects 64-bit operating systems and virtualization software running on Intel CPU hardware.


The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert for a dangerous guest-to-host virtual machine escape vulnerability affecting virtualization software from multiple vendors.

The vulnerability, which affects 64-bit operating systems and virtualization software running on Intel CPU hardware, exposes users to a local privilege escalation attack or a guest-to-host virtual machine escape.

From the advisory:

A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation.

Affected vendors include Intel Corp., FreeBSD, Microsoft, NetBSD, Oracle, RedHat, SUSE Linux and Xen.

The US-CERT advisory contains a full list of affected software and links to vendor-supplied patches.

VMware says its products are not affected by this issue.
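A triage check that follows the scope the advisory states (a 64-bit OS on an Intel CPU; AMD and ARM CPUs out of scope), added here as an example and not code from US-CERT, ZDNet or any of the vendors named: it classifies a Linux host from `uname -m` and /proc/cpuinfo, using the Linux `vendor_id` line and `hypervisor` CPU flag, and runs against constructed sample inputs.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or the article): decides whether a
# host falls into the class the advisory describes, a 64-bit OS on an Intel CPU.
# AMD and ARM CPUs are out of scope, as the vendor text quoted in the comments says.
# $1 = machine type as printed by `uname -m`, $2 = contents of /proc/cpuinfo.
in_affected_class() {
  case "$1" in
    x86_64|amd64) ;;          # 64-bit x86 kernel; anything else is out of scope
    *) return 1 ;;
  esac
  vendor=$(printf '%s\n' "$2" | awk -F'[[:space:]]*:[[:space:]]*' '/^vendor_id/ { print $2; exit }')
  [ "$vendor" = "GenuineIntel" ]
}

# True when the kernel reports the "hypervisor" CPU flag, i.e. this is a guest:
# there the bug is a guest-to-host escape rather than plain local escalation.
is_guest() {
  printf '%s\n' "$1" | awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "hypervisor") found = 1 }
                             END { exit !found }'
}

# Constructed sample /proc/cpuinfo excerpts, not captured from real hosts.
INTEL_GUEST='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae lm hypervisor'
AMD_HOST='processor : 0
vendor_id : AuthenticAMD
flags : fpu vme de pse tsc msr pae lm'

# Report on the current host when run directly (skipped where /proc/cpuinfo is absent).
if [ -r /proc/cpuinfo ]; then
  live=$(cat /proc/cpuinfo)
  if in_affected_class "$(uname -m)" "$live"; then
    if is_guest "$live"; then
      echo "Intel x64 guest: patch the hypervisor and the guest OS"
    else
      echo "Intel x64 host: patch the OS; local privilege escalation applies even without VMs"
    fi
  else
    echo "Not Intel x64: outside the class the advisory describes"
  fi
fi
```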

  • If you wanted to get page hits

    you should have just included Intel Corp, Microsoft, Oracle, and Xen. ;)
    William Farrel
  • AMD cpus, OSX not included in warning

    If you have an AMD cpu, no matter what OS, you are not affected by this.

    Apple OSX seems to have the vulnerability in BSD covered. It's not apparent what effect using Boot Camp to run Windows or any other affected OS has though.
    • Boot Camp

      Boot Camp runs Windows natively so it wouldn't be affected.
      Big Sparky
  • Non-Programmer

    Can anyone tell me what this means in plain speak? I have a Windows 7 Laptop 64-bit with Intel on my network, how vulnerable is that computer and the rest of my network? Is anything exploiting this yet? Any help would be appreciated. Thanks in advance.
    • @JimmieTheSaint

      This was taken directly from the links to the report above (they're in blue):

      "An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
      This vulnerability only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2.
      Systems with AMD or ARM-based CPUs are not affected by this vulnerability..."

      So unless someone has your Logon and is on your network at home, you're probably safe..
      True Patriot
      • @True Patriot

        Thank You, I appreciate your help.
  • Basically, NOBODY knows what this means

    To us 'normal people,' this means ABSOLUTELY NOTHING:

    "A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means..."

    This needs to be put into PLAIN ENGLISH - NOBODY (no 'average human') knows what a "ring3 attacker" or "stack switch" or any such stuff is.

    Try *PLAIN ENGLISH*. Wouldn't that be nice? Thanks.
    • Isn't it OBVIOUS?

      See.. when you're talking about a "ring 3 attacker", you're OBVIOUSLY talking about a 3-ring circus, at which the lion escaped from ring2 and attacked some clown named "kernel" during the show in the third ring.. OBVIOUSLY, Kernel is going to run OUT of the ring, (therefore, he's in no ring, or "ring 0".... It's really simple!! :-)

      No - Really... What you need to know is that if you're running one of the listed virtualization products, AND you let someone you don't trust use your computer, AND he's a clown named Kernel, you MIGHT have to worry.. otherwise, leave it to the uber-geeks.. you'd understand if you needed to know..
      • Exactly - actually, I [am] an 'uber-geek'

        Thus I was mainly being 'tongue-in-cheek'. [all rhyme intended]
        I suppose the lion that escaped ignored the 'Snow Leopard' and, instead, went for the "Kernel's" fried chicken (KFC) - and, since ring0 is not a combo, the ring3 attacker naturally waited until the 3rd ring before the acoustic-coupled modem fully synchronized, causing the stack switch to occur. And if the circus owner wore a condom to begin with, the 'general protection fault' would have been avoided.
      • Oh, I thought ...

        Oh, I thought Ring0 attacked Kernel Sanders with a stack of paper plates. Thanks for clearing that up for me.
    • Simple explanation

      It basically means that activity within a virtual machine running on an affected hypervisor could potentially crash the hypervisor or run arbitrary code at the hypervisor layer - Not a desirable thing.
    • This is written in obscure language...

      To put it more simply, this vulnerability allows hackers to force an exception that is handled in kernel mode, which allows the hacker to bypass OS user security. This could result in privilege escalation, allowing a hacker to completely take over, or at least take down, the entire host system.
    • Why should NOBODY understand this

      ZDNet is targeted for a public that is often interested and knowledgeable about IT technology (and often not that good in plain English) and this is clear to them - or they are at least more or less feeling what it is about and based on that in combination with some research [might even be a Wiki/Google search] to find out and understand the specific details they didn't fully understand.
      And how did you come to that "basically nobody" understands this? Did you do a check among a large group of ZDNet subscribers?
      To many it is quite clear and the partial sentence "a specially crafted frame" is basic terminology in the hack/security attack world. No need to be an ubergeek to understand that. (A real ubergeek might be able to test it out with some additional info about the vulnerability.) If you are clueless what the guy is talkin' about, ignore his post..
    • @bitdoctor

      All you had to do was ask someone to explain it to you. I did that just above and got a clear answer.
  • Cybercafes

    Cybercafes might be affected if they are using thin clients, schools, computer labs, etc.
    • Cybercafes vulnerable for attacks

      Although (in general) environments where virtual workstations are used via thin clients might indeed be vulnerable to these attacks - to choose a cybercafe as the example in the title is a strange choice, as a cybercafe is by definition an unsafe place where one shouldn't access sensitive apps/data (making the potential abuse/unsafeness of the used environment risky): people accessing sensitive data from a cybercafe should be shot anyway. Those actions should be reserved for the national spy services (after copying dossiers on national security issues to a USB stick [of course unencrypted] and then leaving that stick in one's taxi in Yemen or Iran).
      And then of course everyone should also make sure to always use the same username/password credentials everywhere on all your sites/resources: otherwise hackers have to spend time to crack each set of credentials you use...
  • Hack Hack Cough

    Now somebody needs to at least come out of the geek closet for at least long enough to give normals a hand. So from what I gather from all the expensive lingo is if you allow someone into your machine to help you with a problem, either fake or otherwise, you may be in trouble. A typical way is through hidden error reports sent to a service installed on your machine before you bought it. You get a phone call and IF you let them in via a hack, poof, you're infected. Not all that uncommon these days and a new one is popping up every hour. In short Microsoft has known about this for a while now but can't shut them down. Hope that helps a little.
    • No need to let anyone in

      It's enough to execute someone else's program -- exactly how malware enters. This time however, because of the CPU bug, no "protection" offered by the OS can help.
  • Really Really Simple (RRS) explanation

    (Edit to include info from Techsoco below, thanks!)
    What it means:
    All user code runs in ring 3 and important OS code runs in ring 0. Rings are geek speak for protection levels like at the Pentagon. Most powerful do-anything code runs at ring 0. Letting an outsider run code at ring 0 is bad.

    I believe what they are saying is this.
    It is possible for someone with local access and credentials to set a trap [specifically craft a stack frame to be executed by ring0 (kernel)].
    The trap will be sprung after a purposely forced error [after a general protection exception (#GP)].
    In Intel CPUs, when the virtual machine handles the problem it does so before it has properly switched modes back to being safe at ring 3, but while it is still at ring 0. The trap [stack frame code] put there by the attacker is then run with full privileges and can do anything.

    See message by Techsoco pointing out that this is not limited to virtual machines. The advisory is framed this way to point out that it is a method that can be exploited to bypass the protection normally expected from a virtual machine.
  • News Flash - Not just a problem for virtual machines.

    If you read this carefully, this vulnerability is NOT LIMITED TO VIRTUAL MACHINES.

    The virtual machine breaking out of its cage is just an example. Even your regular laptop running Windows etc could be affected (and more likely to be exploited).

    On any system that uses the privileged execution levels (basically any modern OS), being able to escalate to a more privileged level is a huge problem. If a virus exploits this, it could do anything to your computer that your OS can do.

    I wish I could break it down more since so many people have trouble understanding this. Really, all I can say is it is not really good and you should patch your systems, EVEN if you are NOT running virtual machines. The article emphasizes virtual machines so much, but it affects much more than just virtual machines. See the actual advisory, linked to in the article, for more information.

    Stay patched!