III. Exploitation on Virtualisation

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
 
A virtualisation infrastructure represents an additional architectural layer which can suffer from security vulnerabilities and be the target of attacks. Generally, attacks can be categorised into: (1) concealing malicious code activities through detection of virtual machines, (2) denial of service on the virtual machine, and (3) virtual machine escape which is considered to be the most threatening type of attack.

Potential Vulnerabilities in Virtualisation Environment

1. Concealing malicious code activities through detection of VM - VM-specific Instructions in the CPU (including the CPUID instruction) would leak information about VM presence. The approaches used to detect the presence of VM or hypervisors usually rely on timing which demands for a comparison to executions without the presence of a hypervisor or require external time sources. Once the hackers detected the existence of VM, they can perform malicious code activities on the virtualisation layer. Malicious codes may alter the behaviour of VM, including refusing to run.

2. Denial of Service on the Virtual Machine - Apart from detection, virtual machine can be targets of attacks with the objectives to reduce the availability of VMs. Classical denial of service (DoS) attacks can lead to abnormal termination of VMs or high computational load (e.g. produced through infinite loops) which hinders the interaction of users or administrators with affected VMs.

3. Virtual Machine Escape - Virtual machine escape is an exploit that enables a hacker to move from within a virtual machine to the hypervisor, thereby gaining access to the entire computer and all the virtual machines running within it. In other word, the attacker can execute arbitrary code on the host system with the privileges of the virtual machine. This denotes a total compromise.

To minimise the chance of attacks by intruders and safeguard the virtual environment within the organisation, a series of hardening steps for the virtualisation environment have to be in placed properly. In next three sections, some hardening guidelines would be introduced to secure the environment for server virtualisation.

Historical Incident

VMware Multiple Denial Of Service Vulnerabilities

Some VMware products support storing configuration information in VMDB files. Under some circumstances, a malicious user could instruct the virtual machine process (VMX) to store malformed data, causing an error. This error could enable a successful Denial-of-Service attack on guest operating systems.