US-CERT Vulnerability Note on CAIN in VMMs

Apparently “Linux KVM”, Parallels, and “Red Hat” are affected.  Microsoft and Xen are not affected. “Oracle”, QEMU, and VMware are unknown. CERT excerpt below, for more information, see full CERT Vulnerability Note and CAIN paper, including a list of other mitigations.

Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability
Vulnerability Note VU#935424

CVE IDs: CVE-2015-2877
Date First Published: 20 Oct 2015

Multiple vendors’ implementations of Virtual Machine Monitors (VMM) are vulnerable to a memory deduplication attack. As reported in the “Cross-VM ASL INtrospection (CAIN)” paper, an attacker with basic user rights within the attacking Virtual Machine (VM) can leverage memory deduplication within Virtual Machine Monitors (VMM). This effectively leaks the randomized base addresses of libraries and executables in the processes of neighboring VMs. Granting the attacker the ability to leak the Address-Space Layout of a process within a neighboring VM results in the potential to bypass ASLR. Impact: A malicious attacker with only user rights within the attacking VM can reliably determine the base address of a process within a neighboring VM. This information can be used to develop a code-reuse or return oriented programming exploit for a known vulnerability in a target process. Attacking the target process is outside the scope of the CAIN attack. Solution: Deactivation of memory deduplication is the only known way to completely defend against the CAIN attack.

CAIN: Silently Breaking ASLR in the Cloud
Antonio Barresi, Kaveh Razavi, Mathias Payer, Thomas R. Gross

Modern systems rely on Address-Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to protect software against memory corruption vulnerabilities. The security of ASLR depends on randomizing regions in memory which can be broken by leaking addresses. While information leaks are common for client applications, server software has been hardened to reduce such information leaks. Memory deduplication is a common feature of Virtual Machine Monitors (VMMs) that reduces the memory footprint and increases the cost-effectiveness of virtual machines (VMs) running on the same host. Memory pages with the same content are merged into one read-only memory page. Writing to these pages is expensive due to page faults caused by the memory protection, and this cost can be used by an attacker as a side-channel to detect whether a page has been shared. Leveraging this memory side-channel, we craft an attack that leaks the address space layouts of the neighboring VMs, and hence, defeats ASLR. Our proof-of-concept exploit, CAIN (Cross-VM ASL INtrospection) defeats ASLR of a 64-bit Windows Server 2012 victim VM in less than 5 hours (for 64-bit Linux victims the attack takes several days). Further, we show that CAIN reliably defeats ASLR, regardless of the number of victim VMs or the system load.

Click to access woot15-paper-barresi.pdf

Click to access woot15_slides_barresi.pdf

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s