Attacking the VM Worker Process
In the past year we invested a lot of time making Hyper-V research more accessible to everyone. Our first blog post, “First Steps in Hyper-V Research”, describes the tools and setup for debugging the hypervisor and examines the interesting attack surfaces of the virtualization stack components. W...
Collect a complete memory dump on an MCS (non-persistent) machine on XenServer (Citrix Hypervisor)
This article outlines the steps to collect a complete memory dump on an MCS non-persistent machine on XenServer (Citrix Hypervisor). Often we are not able to get the memory dump in instances where MCS provisioned VDAs show behaviors like unresponsiveness/hang. The reason being the machine fails to sav...
Applepie - A Hypervisor For Fuzzing Built With WHVP And Bochs
Hello! Welcome to applepie! This is a tool designed for fuzzing, introspection, and finding bugs! This is a hypervisor using the Windows Hypervisor Platform API present in recent versions of Windows; specifically, this was developed and tested on Windows 10 17763. Bochs is used for providing deep...
The vulnerabilities of the functions virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() in the Libvirt management library allow an attacker to execute arbitrary code or escalate their privileges.
The vulnerabilities of the functions virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU in the Libvirt management library are due to access control errors. Exploiting these vulnerabilities can allow an attacker to execute arbitrary code or increase their privileges...
NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0086)
The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel-rt packages installed that are affected by multiple vulnerabilities: - Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The writ...
NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0085)
The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel packages installed that are affected by multiple vulnerabilities: - A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor emulates a preemption timer for L2 guests when nested=1...
NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0044)
The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver firewire-net ...
Kernel: KVM: leak of uninitialized stack contents to guest
An information leakage issue was found in the way Linux kernel's KVM hypervisor handled page fault exceptions while emulating instructions like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with memory address as an operand. It occurs if the operand is a mmio address, as the returned exception object hold...
PT-2019-17778 · Freebsd · Freebsd
Name of the Vulnerable Software and Affected Versions: FreeBSD versions 11.2-RELEASE through 11.2-RELEASE-p12 FreeBSD versions 11.3-RELEASE through 11.3-RELEASE-p1 FreeBSD versions 12.0-RELEASE through 12.0-RELEASE-p8 Description: The issue arises from the bhyve e1000 device emulation, which uses...
ALPINE-CVE-2019-10168
The virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's...
CVE-2019-10142
A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the syste...
DEBIAN-CVE-2019-10142
A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the syste...
Information disclosure
A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the syste...
CVE-2019-10142
CVE-2019-10142 references a flaw in the Linux kernel's freescale hypervisor manager implementation. A parameter passed to an ioctl was not properly validated and was used in size calculations for page size, making the kernel vulnerable on 5.0.x kernels before 5.0.17. Exploitation could crash the ...
[SECURITY] Fedora 29 Update: libosinfo-1.2.0-8.fc29
libosinfo is a library that allows virtualization provisioning tools to determine the optimal device settings for a hypervisor/operating system combination...
CVE-2019-5604
In FreeBSD 12.0-STABLE before r350246, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350247, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, the emulated XHCI device included with the bhyve hypervisor did not properly validate data provided by the guest,...