
Black Hat: Mind Your Hypervisors, Says Security Researcher

Security Researcher Explains How Vulnerable Hypervisors Put Enterprises At Risk

Hypervisors have become an important part of enterprise environments and while they should normally reduce the attack surface, experts warn that they can be plagued by security vulnerabilities that could be leveraged by malicious actors.


Hypervisors, also known as virtualization managers, enable organizations to run multiple operating systems on a single system and manage how each operating system instance is allocated the resources (processor and memory) it needs to function properly.

Rafal Wojtczuk, a researcher from Bromium who specializes in kernel and virtualization security, has taken the stage at the Black Hat USA 2014 security conference in Las Vegas to present “the lessons learned from eight years of breaking hypervisors.”

Wojtczuk says serious hypervisor vulnerabilities are relatively rare, but they do exist. In fact, in March 2014, the researcher discovered a total of four vulnerabilities affecting Oracle’s VM VirtualBox, which have been fixed by the company with the July 2014 critical patch update (CPU).

The researcher discovered a memory corruption issue in vbsfBuildFullPath, a data leak via VMMDevHGCMParmType_LinAddr_Out, a shared folder directory traversal flaw, and a frontend to kernel escalation on the host. The first three vulnerabilities can be exploited by an attacker who has kernel privileges in the virtual machine, while the fourth can be leveraged by an unprivileged user on the host to escalate to the host’s kernel.
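The shared folder directory traversal flaw mentioned above belongs to a well-understood class of defect: host-side code that builds a file path from a guest-supplied name without verifying that the result stays inside the exported share. The example below is added here for illustration and is not VirtualBox's code; the share root and guest paths are constructed values. It puts a naive path builder next to a hardened one that normalises the guest path lexically and enforces a containment check before any host file access.

```python
import posixpath

# Constructed host-side directory that the guest is allowed to see.
SHARE_ROOT = "/srv/share"


def naive_build_full_path(share_root: str, guest_path: str) -> str:
    """Vulnerable pattern: concatenate the guest-supplied path as-is.

    Nothing stops '..' components from walking out of the share root,
    so the caller ends up opening a host file the guest was never
    meant to reach.
    """
    return share_root.rstrip("/") + "/" + guest_path.lstrip("/")


def build_full_path(share_root: str, guest_path: str) -> str:
    """Hardened pattern: normalise, then check containment.

    Raises ValueError if the resolved path would leave the share root.
    The check is purely lexical; see the note on symlinks below.
    """
    root = posixpath.normpath(share_root)
    # Treat the guest path as relative to the share, never as absolute,
    # then collapse '.' and '..' components.
    candidate = posixpath.normpath(posixpath.join(root, guest_path.lstrip("/")))
    # Accept the root itself or a true descendant. The trailing separator
    # prevents '/srv/share2/x' from passing as a child of '/srv/share'.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"guest path escapes share root: {guest_path!r}")
    return candidate


def check_guest_paths(guest_paths, share_root: str = SHARE_ROOT) -> dict:
    """Classify each guest-supplied path as allowed (True) or rejected (False)."""
    result = {}
    for guest_path in guest_paths:
        try:
            build_full_path(share_root, guest_path)
            result[guest_path] = True
        except ValueError:
            result[guest_path] = False
    return result


if __name__ == "__main__":
    # Constructed sample of guest-supplied names a host might receive.
    samples = ["docs/report.txt", "docs/../report.txt", "../../etc/passwd", ""]
    for name, allowed in check_guest_paths(samples).items():
        print(f"{name!r:24} naive={naive_build_full_path(SHARE_ROOT, name)!r:40} allowed={allowed}")
```

The containment check is lexical only: if the share directory itself contains symlinks pointing outside it, the host should additionally resolve the final path with `os.path.realpath` and repeat the same prefix check on the resolved result, or open files with a directory-relative API that refuses to follow symlinks.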

In addition to describing the root cause of the vulnerabilities, many of which he believes could have been easily avoided, Wojtczuk also provided information on the methods that can be used to mitigate such security holes and reduce the attack surface of hypervisors.

In his presentation at Black Hat, Wojtczuk pointed out the vectors, or the weak spots, that can be leveraged in attacks against hypervisors.


“Any code that processes attacker-controlled input is potentially vulnerable. The core of the hypervisor (the code near the vmexit handler), device model, additional privileged hypervisor-related services are all attack vectors,” Wojtczuk told SecurityWeek in an interview prior to his Black Hat presentation.

According to the expert, if a hypervisor is used to isolate untrusted code running in a virtual machine from the rest of the system, successful exploitation of a hypervisor vulnerability breaks this isolation, and provides an attacker access to all the resources available to the hypervisor. Indirectly, this gives the attacker full control over the targeted machine.

“While the compromise of the hypervisor core immediately provides full control over the system, the compromise of other components should be considered fatal as well (although it might require an additional privilege elevation attack),” Wojtczuk explained.

Wojtczuk has also tested the DeepSafe hypervisor from McAfee (an Intel company), which was designed with security in mind. The researcher claims that he managed to find a way to exploit it and gain full control over the hypervisor because McAfee hasn’t made use of Intel’s Virtualization Technology for Directed I/O (VT-d) to protect it against direct memory access (DMA) attacks. He believes McAfee is well aware of this issue, but for some reason, possibly because they think it’s unlikely to be exploited, they’ve chosen to ignore it.

The researcher says he’s not aware of any attacks exploiting hypervisor vulnerabilities, and it’s difficult to gain a complete view of what’s happening in the wild. However, he points out that a well-funded government agency could be capable of putting such flaws to good use.

While hypervisors are useful for the isolation of less secure operating systems, the researcher believes that those responsible for designing and implementing such solutions should be aware of the fact that there is an attack surface. They should also be aware of the methods that can be used to harden these products, and apply them.

As for organizations that use hypervisors, Wojtczuk provides the following recommendations: “Beware that vulnerabilities do happen, be prepared to patch. Beware that different hypervisors have different security postures. Ask the vendor for hints to reduce attack surface (for instance how to tweak the configuration to turn off unneeded hypervisor-related services/functionality).”

Related Reading: A Deep Dive Into Hyperjacking

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
