
VUPEN Method Breaks Out of Virtual Machine to Attack Hosts

Researchers may have figured out a way to break out of a virtual machine and take over the underlying host.

Break out from Virtual Machine


Researchers developed an “advanced exploitation method” which triggered a previously discovered vulnerability in order to escape a Xen virtual machine running on Citrix XenServer and get onto the host machine, Jordan Gruskovnjak, a security researcher at VUPEN Security wrote on the Vulnerability Research Team Blog on Tuesday. The vulnerability was discovered by Rafal Wojtczuk and presented during the recent Black Hat security conference in Las Vegas.

With this method, attackers who have root access on a guest virtual machine running under Xen can take over the host system and execute arbitrary code with appropriate permissions, Gruskovnjak said. Once out of the virtual machine, attackers would be able to access all the other virtual machines running on that hardware.

“By controlling the general purpose registers, it is possible to influence the hypervisor behavior and gain code execution in the hypervisor context, escaping the guest context,” Gruskovnjak wrote.

While the vulnerability being exploited affects systems with Intel CPU hardware, the method described in the blog post only affects paravirtualized systems, not machines using native virtualization. Intel servers that support Xen directly are not impacted. Many of the newer high-end chips support virtualization with direct hardware support and thus offer native virtualization. Paravirtualization nonetheless remains common on many systems; it relies on the kernel and the host virtual machine manager, such as Citrix XenServer or VMware, to make the appropriate calls to the guest VM.

VUPEN researchers used mmap to map various resources on a Linux system to trigger the vulnerability. Exploitation has been achieved under a 64-bit Linux PV guest running on Citrix XenServer 6.0.0 with Xen version 4.1.1, according to the blog post. The method will work on other versions as well, said Gruskovnjak. The exploit requires root access on the VM to work.
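The two paragraphs above draw the line that matters for exposure assessment: classic paravirtualized (PV) guests on Intel hardware are the configuration the article describes, while guests running with hardware-assisted (HVM) virtualization are not. The following script is an added example, not code from the article or from VUPEN, that a defender could run inside a Linux guest to classify it. It assumes the sysfs entries /sys/hypervisor/type and /sys/hypervisor/properties/features that Linux exposes on Xen guests, and Xen's public feature bit XENFEAT_auto_translated_physmap (bit 2), which is set for HVM/PVH guests and clear for classic PV guests; both are assumptions taken from the Linux and Xen sources rather than from the page.

```shell
#!/bin/sh
# Added example (not from the SecurityWeek article or VUPEN's post): report
# whether this Linux VM is the kind of guest the article describes as exposed,
# i.e. a classic Xen PV guest on an Intel CPU. HVM/PVH guests, which use
# hardware-assisted virtualization, are reported separately.
#
# Assumptions (not stated on the page):
#   - /sys/hypervisor/type reads "xen" inside a Xen guest
#   - /sys/hypervisor/properties/features is a hexadecimal feature word
#   - bit 2 of that word is XENFEAT_auto_translated_physmap (HVM/PVH only)

# classify_guest TYPE FEATURES_HEX CPU_VENDOR
# Prints one of: not-xen | xen-pv-intel | xen-pv-other | xen-hvm
classify_guest() {
    hv_type="$1"
    features_hex="${2:-0}"
    vendor="$3"

    if [ "$hv_type" != "xen" ]; then
        echo "not-xen"
        return 0
    fi

    # Convert the hex feature word to decimal and test bit 2.
    features=$(printf '%d' "0x${features_hex#0x}")
    if [ $(( (features >> 2) & 1 )) -eq 1 ]; then
        echo "xen-hvm"
        return 0
    fi

    # Classic PV guest: the article ties the affected systems to Intel CPUs.
    if [ "$vendor" = "GenuineIntel" ]; then
        echo "xen-pv-intel"
    else
        echo "xen-pv-other"
    fi
}

# First line of a file, or an empty string when the file is absent/unreadable.
read_first_line() { [ -r "$1" ] && head -n 1 "$1" || echo ""; }

# Gather the live values from sysfs/procfs and classify this guest.
live_classification() {
    t=$(read_first_line /sys/hypervisor/type)
    f=$(read_first_line /sys/hypervisor/properties/features)
    v=$(awk -F': *' '/^vendor_id/ {print $2; exit}' /proc/cpuinfo 2>/dev/null || true)
    classify_guest "$t" "$f" "$v"
}

# Stand-alone run: print a verdict for the machine this script executes on.
case "$(live_classification)" in
    xen-pv-intel) echo "Classic Xen PV guest on Intel: confirm the host's Xen/XenServer patch level." ;;
    xen-pv-other) echo "Classic Xen PV guest on a non-Intel CPU." ;;
    xen-hvm)      echo "Xen HVM/PVH guest (hardware-assisted virtualization)." ;;
    *)            echo "Not running under Xen." ;;
esac
```

The classification function takes its three inputs as arguments so it can be exercised with constructed values on any machine; the live wrapper simply feeds it what sysfs and /proc/cpuinfo report, and prints "Not running under Xen." when the sysfs entries are absent.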

VUPEN’s method, if it can be used reliably, means attackers would finally be able to target virtual machines to compromise the host. A possible attack scenario may have attackers signing up with businesses that offer VM hosting. Since the attacker has root access on the rented VM, it’s possible to try running the exploit. If any of these services happen to run Xen and use paravirtualization, which is very probable, the attacker breaks into the host operating system and can then hop into other virtual machines rented by other customers.

Just a few weeks ago, Symantec researchers identified a malware variant that could infect the files used by virtual machines in order to infect guest systems, but there have not been many reliable exploits for seizing control of the host.

The implications of VUPEN’s attack method are staggering.
