SA97 : Malware Analysis Appliance VM Escape

Type symantec
Reporter Symantec Security Response
Modified 2020-03-03T20:13:36



The Malware Analysis Appliance (MAA) is vulnerable to a virtual machine escape in which a sample being analyzed could change the content and destination path of files being saved on the host's file system during analysis. Correct manipulation of the path and content could lead to code execution or denial of service on the MAA host.


Malware Analysis Appliance

CVE | Affected Version(s) | Remediation
All CVEs | 4.2 | Upgrade to 4.2.5.
All CVEs | 4.1 | Upgrade to later release with fixes.

Malware Analyzer G2

CVE | Affected Version(s) | Remediation
All CVEs | All versions | Upgrade to latest release of MAA with fixes.



Severity / CVSSv2 | High / 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C)
References | NVD: CVE-2015-4523
Impact | Privilege escalation

The Malware Analysis Appliance (MAA) executes binaries submitted for analysis inside a virtual machine (VM). During analysis, artifacts in the form of files are retrieved from the VM by the host and are written to the host's file system. A binary running in the VM can craft malicious content and specify where it is stored within the host file system.

A sample that has been loaded into MAA can, as a lower-privileged user, use this vulnerability to create and overwrite certain files. This could allow an attacker to cause a reboot or a reset to factory defaults. In specialized circumstances, the attacker could execute code as a lower-privileged user.
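
The class of fix for this issue is to have the host treat the guest-supplied artifact path and content as untrusted before writing. The following is an added example, not Symantec's patch or MAA code; the function name `store_artifact`, the artifact root directory and the size cap are assumptions made for illustration.

```python
import os

MAX_ARTIFACT_BYTES = 1 << 20  # assumed per-file cap, limits disk-fill DoS


class UnsafeArtifact(Exception):
    """A guest-supplied path or payload was rejected."""


def store_artifact(artifact_root, guest_path, data):
    """Write guest-supplied bytes under artifact_root; return the final path.

    guest_path and data are untrusted: the sample in the VM chose both.
    """
    if len(data) > MAX_ARTIFACT_BYTES:
        raise UnsafeArtifact("artifact too large")
    if "\x00" in guest_path:
        raise UnsafeArtifact("NUL byte in path")
    # The guest may be Windows, so treat both separators as separators.
    # Dropping empty parts re-roots absolute paths under artifact_root.
    parts = [p for p in guest_path.replace("\\", "/").split("/")
             if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeArtifact("empty or traversing path")
    root = os.path.realpath(artifact_root)
    # realpath resolves symlinks already on the host, so a link inside the
    # artifact tree cannot redirect this write outside the root.
    dest = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeArtifact("path escapes artifact root")
    try:
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        # O_EXCL refuses to overwrite a file that already exists.
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as exc:
        raise UnsafeArtifact(f"cannot create artifact: {exc}") from exc
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```

The path check and the open are separate steps, so the artifact root should be writable only by the analysis service itself.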


Thank you to Jurriaan Bremer for reporting the vulnerability.


2015-10-02 Changed status to final
2015-07-13 Title Update
2015-06-30 Initial public release