Black Hat: Mind Your Hypervisors, Says Security Researcher

Security Researcher Explains How Vulnerable Hypervisors Put Enterprises At Risk

Hypervisors have become an important part of enterprise environments and while they should normally reduce the attack surface, experts warn that they can be plagued by security vulnerabilities that could be leveraged by malicious actors.

Hypervisors, also known as virtualization managers, enable organizations to run multiple operating systems on a single system and manage how each operating system instance is allocated the resources (processor and memory) it needs to function properly.

Rafal Wojtczuk, a researcher from Bromium who specializes in kernel and virtualization security, has taken the stage at the Black Hat USA 2014 security conference in Las Vegas to present “the lessons learned from eight years of breaking hypervisors.”

Wojtczuk says serious hypervisor vulnerabilities are relatively rare, but they do exist. In fact, in March 2014, the researcher discovered a total of four vulnerabilities affecting Oracle’s VM VirtualBox, which have been fixed by the company with the July 2014 critical patch update (CPU).

The researcher discovered a memory corruption issue in vbsfBuildFullPath, a data leak via VMMDevHGCMParmType_LinAddr_Out, a shared folder directory traversal flaw, and a frontend to kernel escalation on the host. The first three vulnerabilities can be exploited by an attacker who has kernel privileges in the virtual machine, while the fourth can be leveraged by an unprivileged user on the host to escalate to the host’s kernel.

In addition to describing the root cause of the vulnerabilities, many of which he believes could have been easily avoided, Wojtczuk also provided information on the methods that can be used to mitigate such security holes and reduce the attack surface of hypervisors.
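The shared-folder issues listed above (a memory corruption in the path-building routine and a directory traversal) both sit in host-side code that builds a host path from a guest-supplied string. The following is an added, hypothetical example of the kind of input validation that removes both classes of defect; it is not VirtualBox code and does not reproduce the vulnerable routine. It assumes a POSIX host, a fixed share root, and a bounded output buffer, and it rejects rather than resolves any `..` component so the result can never leave the share root.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened path builder for a shared-folder service.
 * Assumptions (not from the article): POSIX host, '/' separator on the
 * host, guest may send '/' or '\\' as separators. */
#define HOST_PATH_MAX 256

/* Build root + "/" + normalized guest path into out (at most out_len bytes).
 * Returns false on: absolute or drive-letter guest paths, any ".." component,
 * or insufficient buffer space. Every write is bounds-checked first, so the
 * function cannot overrun `out` regardless of the guest string's length. */
bool build_shared_path(const char *root, const char *guest_rel,
                       char *out, size_t out_len)
{
    if (!root || !guest_rel || !out || out_len == 0) return false;

    /* Reject absolute guest paths in either separator style. */
    if (guest_rel[0] == '/' || guest_rel[0] == '\\') return false;
    /* Reject Windows-style drive prefixes such as "C:". */
    if (((guest_rel[0] >= 'A' && guest_rel[0] <= 'Z') ||
         (guest_rel[0] >= 'a' && guest_rel[0] <= 'z')) && guest_rel[1] == ':')
        return false;

    size_t root_len = strlen(root);
    if (root_len + 1 >= out_len) return false;      /* root + '/' must fit */
    memcpy(out, root, root_len);
    size_t pos = root_len;
    if (pos == 0 || out[pos - 1] != '/') out[pos++] = '/';
    size_t base = pos;                               /* first byte after root/ */
    out[pos] = '\0';

    const char *p = guest_rel;
    while (*p) {
        /* Extract one component, terminated by either separator or NUL. */
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t clen = (size_t)(p - start);
        if (*p) p++;                                 /* skip the separator */

        if (clen == 0 || (clen == 1 && start[0] == '.')) continue;  /* "" or "." */
        if (clen == 2 && start[0] == '.' && start[1] == '.')
            return false;                            /* traversal attempt */

        /* Need room for an optional '/', the component, and the NUL. */
        if (pos + clen + 2 > out_len) return false;
        if (pos > base) out[pos++] = '/';
        memcpy(out + pos, start, clen);
        pos += clen;
        out[pos] = '\0';
    }
    return true;
}

/* Helpers that expose the outcome as plain return values. */
int shared_path_equals(const char *root, const char *rel, const char *expected)
{
    char buf[HOST_PATH_MAX];
    if (!build_shared_path(root, rel, buf, sizeof buf)) return 0;
    return strcmp(buf, expected) == 0;
}

int shared_path_rejected(const char *root, const char *rel)
{
    char buf[HOST_PATH_MAX];
    return !build_shared_path(root, rel, buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample requests a guest might send to the host service. */
    const char *requests[] = { "docs/report.txt", "./a//b\\c",
                               "../etc/passwd", "docs/../../etc/passwd",
                               "/etc/passwd", "C:\\Windows\\win.ini" };
    char buf[HOST_PATH_MAX];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        bool ok = build_shared_path("/srv/share", requests[i], buf, sizeof buf);
        printf("%-24s -> %s\n", requests[i], ok ? buf : "REJECTED");
    }
    return 0;
}
```

The two properties the example enforces correspond to the two shared-folder bugs the article names: the output buffer can never be overrun because every write is preceded by a length check, and the result can never resolve outside the share because `..` components are refused instead of being resolved after the fact.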

In his presentation at Black Hat, Wojtczuk pointed out the vectors, or the weak spots, that can be leveraged in attacks against hypervisors.

“Any code that processes attacker-controlled input is potentially vulnerable. The core of the hypervisor (the code near the vmexit handler), device model, additional privileged hypervisor-related services are all attack vectors,” Wojtczuk told SecurityWeek in an interview prior to his Black Hat presentation.

According to the expert, if a hypervisor is used to isolate untrusted code running in a virtual machine from the rest of the system, successful exploitation of a hypervisor vulnerability breaks this isolation, and provides an attacker access to all the resources available to the hypervisor. Indirectly, this gives the attacker full control over the targeted machine.

“While the compromise of the hypervisor core immediately provides full control over the system, the compromise of other components should be considered fatal as well (although it might require an additional privilege elevation attack),” Wojtczuk explained.

Wojtczuk has also tested the DeepSafe hypervisor from McAfee (an Intel company), which was designed with security in mind. The researcher claims that he managed to find a way to exploit it and gain full control over the hypervisor because McAfee hasn’t made use of Intel’s Virtualization Technology for Directed I/O (VT-d) to protect it against direct memory access (DMA) attacks. He believes McAfee is well aware of this issue, but for some reason, possibly because they think it’s unlikely to be exploited, they’ve chosen to ignore it.

The researcher says he’s not aware of any attacks exploiting hypervisor vulnerabilities, and it’s difficult to gain a complete view of what’s happening in the wild. However, he points out that a well-funded government agency could be capable of putting such flaws to good use.

While hypervisors are useful for the isolation of less secure operating systems, the researcher believes that those responsible for designing and implementing such solutions should be aware of the fact that there is an attack surface. They should also be aware of the methods that can be used to harden these products, and apply them.

As for organizations that use hypervisors, Wojtczuk provides the following recommendations: “Beware that vulnerabilities do happen, be prepared to patch. Beware that different hypervisors have different security postures. Ask the vendor for hints to reduce attack surface (for instance how to tweak the configuration to turn off unneeded hypervisor-related services/functionality).”

Related Reading: A Deep Dive Into Hyperjacking

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
