SecurityWeek

Cloud Security

VUPEN Method Breaks Out of Virtual Machine to Attack Hosts

Researchers may have figured out a way to break out of a virtual machine and take over the underlying host.

Break out from Virtual Machine

Researchers developed an “advanced exploitation method” which triggered a previously discovered vulnerability in order to escape a Xen virtual machine running on Citrix XenServer and get onto the host machine, Jordan Gruskovnjak, a security researcher at VUPEN Security wrote on the Vulnerability Research Team Blog on Tuesday. The vulnerability was discovered by Rafal Wojtczuk and presented during the recent Black Hat security conference in Las Vegas.

With this method, attackers who have root access on a guest virtual machine running under Xen can take over the host system and execute arbitrary code with appropriate permissions, Gruskovnjak said. Once out of the virtual machine, attackers would be able to access all the other virtual machines running on that hardware.

“By controlling the general purpose registers, it is possible to influence the hypervisor behavior and gain code execution in the hypervisor context, escaping the guest context,” Gruskovnjak wrote.

While the vulnerability being exploited affects systems with Intel CPU hardware, the method described in the blog post only affects paravirtualized guests, not machines using native (hardware-assisted) virtualization. Intel servers that support Xen directly are not impacted. Many of the newer high-end chips support virtualization with direct hardware support and thus offer native virtualization. Paravirtualization nevertheless remains common on many systems; it relies on the guest kernel and the host virtual machine manager, such as Citrix XenServer or VMware, to make the appropriate calls to the guest VM.

VUPEN researchers used mmap to map various resources on a Linux system to trigger the vulnerability. Exploitation has been achieved under a 64-bit Linux PV guest running on Citrix XenServer 6.0.0 with Xen version 4.1.1, according to the blog post. The method will work on other versions as well, said Gruskovnjak. The exploit requires root access on the VM to work.
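A triage check a defender can run inside a Linux guest to tell whether it sits in the configuration the write-up targets (a Xen paravirtualized guest) rather than an HVM guest, and to record the hypervisor version for patch tracking. This is an added example, not code from VUPEN or SecurityWeek; it assumes the Linux sysfs hypervisor entries named in the comments and treats `guest_type` as possibly absent on older kernels.

```python
"""Classify a Linux guest as Xen PV (in scope of the VUPEN PV escape
method), Xen non-PV, or not a Xen guest. Added example; assumes the
sysfs interface /sys/hypervisor/{type,guest_type,version/*}."""
import os
import re

SYSFS = "/sys/hypervisor"
# Older kernels lack guest_type but print this marker when booting as PV.
PV_BOOT_MARKER = re.compile(r"Booting paravirtualized kernel on Xen")
ENTRIES = ("type", "guest_type", "version/major", "version/minor", "version/extra")


def read_sysfs(root=SYSFS):
    """Collect the relevant sysfs entries into a dict; missing files are skipped."""
    found = {}
    for rel in ENTRIES:
        try:
            with open(os.path.join(root, rel)) as fh:
                found[rel] = fh.read().strip()
        except OSError:
            pass
    return found


def classify_guest(sysfs, dmesg=""):
    """Return (hypervisor, guest_type, xen_version, pv_escape_in_scope)."""
    hypervisor = sysfs.get("type", "none")
    if hypervisor != "xen":
        return hypervisor, "n/a", None, False
    version = None
    if "version/major" in sysfs and "version/minor" in sysfs:
        # Xen reports e.g. major=4, minor=1, extra=".1" for 4.1.1.
        version = "%s.%s%s" % (sysfs["version/major"], sysfs["version/minor"],
                               sysfs.get("version/extra", ""))
    guest_type = sysfs.get("guest_type")
    if guest_type is None:
        # Fallback for kernels without guest_type: look for the PV boot line.
        guest_type = "PV" if PV_BOOT_MARKER.search(dmesg) else "unknown"
    # The article describes the method as affecting PV guests only; the
    # version is reported for tracking, not used to declare a host safe.
    return hypervisor, guest_type, version, guest_type == "PV"


if __name__ == "__main__":
    hv, gt, ver, in_scope = classify_guest(read_sysfs())
    print("hypervisor=%s guest_type=%s xen_version=%s pv_escape_in_scope=%s"
          % (hv, gt, ver, in_scope))
```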

VUPEN’s method, if it can be used reliably, means attackers would finally be able to target virtual machines to compromise the host. A possible attack scenario may have attackers signing up with businesses that offer VM hosting. Since the attacker has root access over the VM being rented, it’s possible to try running the exploit. If any of these services happen to run Xen and use paravirtualization, which is very probable, the attacker breaks into the host operating system and then can hop into other virtual machines being rented by other customers.

Just a few weeks ago, Symantec researchers identified a malware variant that could infect the files used by virtual machines to infect guest systems, but there have not been a lot of reliable exploits to seize control of the host.

The implications of VUPEN’s attack method are staggering.
