Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability

2015-10-20T00:00:00
ID VU:935424
Type cert
Reporter CERT
Modified 2015-10-21T16:53:00

Description

Overview

Multiple vendors' implementations of Virtual Machine Monitors (VMM) are vulnerable to a memory deduplication attack.

Description

As reported in the "Cross-VM ASL INtrospection (CAIN)" paper, an attacker with basic user rights within the attacking Virtual Machine (VM) can leverage memory deduplication within Virtual Machine Monitors (VMM). This effectively leaks the randomized base addresses of libraries and executables in the processes of neighboring VMs. Granting the attacker the ability to leak the Address-Space Layout of a process within a neighboring VM results in the potential to bypass ASLR.


Impact

A malicious attacker with only user rights within the attacking VM can reliably determine the base address of a process within a neighboring VM. This information can be used to develop a code-reuse or return oriented programming exploit for a known vulnerability in a target process. Attacking the target process is outside the scope of the CAIN attack..


Solution

Deactivation of memory deduplication is the only known way to completely defend against the CAIN attack.


See CAIN paper for a list of other mitigations.


Vendor Information

935424

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Linux KVM __ Affected

Notified: August 11, 2015 Updated: September 14, 2015

Status

Affected

Vendor Statement

Basically if you care about this attack vector, disable deduplication.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Parallels Holdings Ltd __ Affected

Notified: August 11, 2015 Updated: September 09, 2015

Status

Affected

Vendor Statement

- Virtuozzo 6 (formerly Parallels Cloud Server 6) Virtual Machines are not affected since our hypervisor does not utilize page sharing. - Virtuozzo 6 Containers are affected through "pfcache" feature (enabled by default), in the sense that from inside a Container you can find out whether any other container on the host has (or ever had) the particular application/file (of the particular version). We are considering this information leak a minor issue, which comes as a price for memory deduplication. We have no plans for fixing it. If this is considered a major threat by user, then it could be mitigated by disabling the "pfcache" functionality.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. __ Affected

Notified: August 11, 2015 Updated: October 06, 2015

Statement Date: August 11, 2015

Status

Affected

Vendor Statement

This issue affects the versions of the Linux Kernel as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. Additionally a workaround is available. A future update may address this issue.

`VMM layer: Deactivation of memory deduplication Deactivating memory
deduplication will effectively mitigate all attack vectors. This measure
unfortunately eliminates all the highly appreciated benefits of memory
deduplication, namely the increase of operational cost-effectiveness through
inter-VM memory sharing.

Deactivating memory deduplication is the simplest way to prevent exploitation
of this attack. However this will cause an increase in the amount of memory
required and in some situations may adversely impact performance (e.g. due to
slower swap space being used). It is recommended that customers test this
workaround before using it in production.`

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2877>
  • <https://access.redhat.com/security/updates/classification/>

Microsoft Corporation __ Not Affected

Notified: July 23, 2015 Updated: September 09, 2015

Statement Date: July 24, 2015

Status

Not Affected

Vendor Statement

There is no impact..

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Xen Not Affected

Notified: July 12, 2015 Updated: September 14, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation Unknown

Notified: July 12, 2015 Updated: September 14, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QEMU Unknown

Notified: August 11, 2015 Updated: October 06, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

VMware Unknown

Updated: September 14, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 1.5 | AV:L/AC:M/Au:S/C:P/I:N/A:N
Temporal | 1.4 | E:F/RL:W/RC:C
Environmental | 1.0 | CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

<https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi>

Acknowledgements

Thanks to Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross for reporting this vulnerability.

This document was written by Brian Gardiner.

Other Information

CVE IDs: | CVE-2015-2877
---|---
Date Public: | 2015-07-30
Date First Published: | 2015-10-20
Date Last Updated: | 2015-10-21 16:53 UTC
Document Revision: | 42