Security Experts:

Black Hat: Mind Your Hypervisors, Says Security Researcher

Security Researcher Explains How Vulnerable Hypervisors Put Enterprises At Risk

Hypervisors have become an important part of enterprise environments and while they should normally reduce the attack surface, experts warn that they can be plagued by security vulnerabilities that could be leveraged by malicious actors.

Hypervisors, also known as virtualization managers, enable organizations to run multiple operating systems on a single system and manages how each of the operating system instances is allocated the resources (processor and memory) it needs to function properly.

Rafal Wojtczuk, a researcher from Bromium who specializes in kernel and virtualization security, has taken the stage at the Black Hat USA 2014 security conference in Las Vegas to present "the lessons learned from eight years of breaking hypervisors."

Wojtczuk says serious hypervisor vulnerabilities are relatively rare, but they do exist. In fact, in March 2014, the researcher discovered a total of four vulnerabilities affecting Oracle's VM VirtualBox, which have been fixed by the company with the July 2014 critical patch update (CPU).

The researcher discovered a memory corruption issue in vbsfBuildFullPath, a data leak via VMMDevHGCMParmType_LinAddr_Out, a shared folder directory traversal flaw, and a frontend to kernel escalation on the host. The first three vulnerabilities can be exploited by an attacker who has kernel privileges in the virtual machine, while the fourth can be leveraged by an unprivileged user on the host to escalate to the host's kernel.

In addition to describing the root cause of the vulnerabilities, many of which he believes could have been easily avoided, Wojtczuk also provided information on the methods that can be used to mitigate such security holes and reduce the attack surface of hypervisors.

In his presentation at Black Hat, Wojtczuk pointed out the vectors, or the weak spots, that can be leveraged in attacks against hypervisors.

"Any code that processes attacker-controlled input is potentially vulnerable. The core of the hypervisor (the code near the vmexit handler), device model, additional privileged hypervisor-related services are all attack vectors," Wojtczuk told SecurityWeek in an interview prior to his Black Hat presntation.

According to the expert, if a hypervisor is used to isolate untrusted code running in a virtual machine from the rest of the system, successful exploitation of a hypervisor vulnerability breaks this isolation, and provides an attacker access to all the resources available to the hypervisor. Indirectly, this gives the attacker full control over the targeted machine.

"While the compromise of the hypervisor core immediately provides full control over the system, the compromise of other components should be considered fatal as well (although it might require an additional privilege elevation attack)," Wojtczuk explained.

Wojtczuk has also tested the DeepSafe hypervisor from McAfee (an Intel company), which was designed with security in mind. The researcher claims that he managed to find a way to exploit it and gain full control over the hypervisor because McAfee hasn't made use of Intel's Virtualization Technology for Directed I/O (VT-d) to protect it against direct memory access (DMA) attacks. He believes McAfee is well aware of this issue, but for some reason, possibly because they think it's unlikely to be exploited, they've chosen to ignore it.

The researcher says he's not aware of any attacks exploiting hypervisor vulnerabilities, and it's difficult to gain a complete view of what's happening in the wild. However, he points out that a well-funded government agency could be capable of putting such flaws to good use.

While hypervisors are useful for the isolation of less secure operating systems, the researcher believes that those responsible for designing and implementing such solutions should be aware of the fact that there is an attack surface. They should also be aware of the methods that can be used to harden these products, and apply them.

As for organizations that use hypervisors, Wojtczuk provides the following recommendations: "Beware that vulnerabilities do happen, be prepared to patch. Beware that different hypervisors have different security postures. Ask the vendor for hints to reduce attack surface (for instance how to tweak the configuration to turn off unneeded hypervisor-related services/functionality)."

Related Reading: A Deep Dive Into Hyperjacking

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.