Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

New Virtualization Vulnerability Allows Escape To Hypervisor Attacks

Local privilege escalation vulnerability affects multiple virtualization products on Xen platform, would allow attacker to run arbitrary code or access any account, warns US-CERT.

A newly disclosed vulnerability that affects multiple virtualization products could allow an attacker to obtain administrative-level rights in the hypervisor and run arbitrary code or access any account of their choosing.

That warning arrived Tuesday in the form of a security advisory released by the U.S. Computer Emergency Readiness Team (US-CERT). "Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack," it read. "The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape."

"All systems running 64-bit Xen hypervisor running 64-bit PV [para-virtualized] guests on Intel CPUs are vulnerable to this issue," read a security advisory released by the open source Xen project.

[ A flaw in the popular--and free--MySQL and MariaDB databases leaves them open to brute-force attacks. Read more at MySQL Database Flaw Leaves Passwords Vulnerable. ]

Metasploit penetration testing framework founder, developer, and researcher H.D. Moore characterized the bug as a "serious guest-to-host escape vulnerability," noting that while it affects the Xen platform, it doesn't affect VMware.

The Xen project said it's updated the Xen code base to eliminate the vulnerability. Likewise, multiple vendors and providers of virtualization products, including FreeBSD, Microsoft, NetBSD, Oracle, Red Hat, and SUSE Linux, have released updated software to patch the Xen hypervisor flaw. Apple, Intel, and VMware have confirmed that the vulnerability doesn't exist in their products. Meanwhile, Debian GNU/Linux, Fedora Project, Gentoo Linux, HP, and IBM have yet to confirm whether their software is vulnerable to the escape-to-hypervisor vulnerability.

IBM has warned about the information security threat that "escape-to-hypervisor" attacks can pose, especially as roughly one-third of all virtualization bugs discovered by 2010 were in the hypervisor. Since virtualized environments run multiple instances of operating systems, an attacker that escaped from any one of those instances and gained administrative-level rights could then access any other virtualized environment running on the same server.

The security bulletins released in the wake of the Xen flaw announcements read along similar lines. "An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or potentially escalate their privileges, allowing them to execute arbitrary code at the hypervisor level," read the related Red Hat security bulletin, which noted that the flaw affects the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5.

According to Microsoft, the Xen flaw is present in its Windows User Mode Scheduler. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights," read Microsoft's related security bulletin. It said that Intel x64-based versions of Windows 7 and Windows Server 2008 R2 are affected by the flaw, as are Windows XP SP3 and Server 2003 SP2.

But there are mitigating factors. "An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability," said Microsoft. "The vulnerability could not be exploited remotely or by anonymous users." This means that--as noted by US-CERT--this is a "local privilege escalation" vulnerability.

According to Xen, another mitigation technique is to run the hypervisor in hardware-assisted virtualization mode, or to use 32-bit para-virtualization.

Both Microsoft and Red Hat rate the related hypervisor vulnerability in their products not "serious" but just "important," owing to the fact that an attacker must possess valid login credentials before executing the attack, or, in the case of Red Hat Linux guests, must possess at least "privileged guest user" status.

Credit for spotting the vulnerability goes to kernel and virtualization security researcher Rafal Wojtczuk of Bromium, who alerted the Xen project.

On a related note, Wojtczuk is scheduled to present a session at next month's Black Hat (BH) conference in Las Vegas on the topic of exploiting "user-to-kernel privilege escalation" bugs in four Intel-CPU-based operating systems--not including Linux. He's described the vulnerabilities involved as being "widespread and reliably exploitable."

"The BH talk will be precisely about the vulnerability that vendors released patches for yesterday," said Wojtczuk via email. "So naturally by BH time, this will not be a zero-day issue."

Black Hat USA Las Vegas, the premiere conference on information security, features four days of deep technical training followed by two days of presentations from speakers discussing their latest research around a broad range of security topics. At Caesars Palace in Las Vegas, July 21-26. Register today.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32716
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-U...
CVE-2021-32717
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
CVE-2021-32712
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
CVE-2021-32713
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
CVE-2021-32710
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions o...