SA97: Malware Analysis Appliance VM Escape

2015-06-30T08:00:00
ID SMNTC-1327
Type symantec
Reporter Symantec Security Response
Modified 2020-03-03T20:13:36

Description

SUMMARY

The Malware Analysis Appliance (MAA) is vulnerable to a virtual machine escape in which a sample being analyzed can change the content and destination path of files saved to the host's file system during analysis. Correct manipulation of the path and content could lead to code execution or denial of service on the MAA host.

AFFECTED PRODUCTS

Malware Analysis Appliance

CVE | Affected Version(s) | Remediation
All CVEs | 4.2 | Upgrade to 4.2.5.
All CVEs | 4.1 | Upgrade to later release with fixes.

Malware Analyzer G2

CVE | Affected Version(s) | Remediation
All CVEs | All versions | Upgrade to latest release of MAA with fixes.

ISSUES

CVE-2015-4523

Severity / CVSSv2 | High / 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C)
References | NVD: CVE-2015-4523
Impact | Privilege escalation

The Malware Analysis Appliance (MAA) executes binaries submitted for analysis inside a virtual machine (VM). During analysis, artifacts in the form of files are retrieved from the VM by the host and are written to the host's file system. A binary running in the VM can craft malicious content and specify where it is stored within the host file system.

A sample that has been loaded into MAA can, as a lower-privileged user, use this vulnerability to create and overwrite certain files. This could allow an attacker to cause a reboot or a reset to factory defaults. In specialized circumstances, the attacker could execute code as a lower-privileged user.
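
A host-side mitigation for the class of flaw described above, as an added example that is not part of the advisory and is not Symantec's fix: the host chooses the file name for each retrieved artifact and refuses to overwrite existing files. The function names, size limit and sample path are hypothetical.

```python
import hashlib
import os

class ArtifactRejected(Exception):
    """Raised when an artifact from the guest must not be stored."""

def naive_destination(base_dir, guest_path):
    # Flawed pattern, constructed for illustration: joining the guest-reported
    # path lets "../" segments or an absolute path leave base_dir.
    return os.path.normpath(os.path.join(base_dir, guest_path))

def store_artifact(base_dir, guest_path, content, max_bytes=16 * 1024 * 1024):
    """Store untrusted guest content under a host-chosen name.

    Returns (stored_path, metadata). guest_path is recorded as metadata only
    and never becomes part of a host file-system path.
    """
    if len(content) > max_bytes:
        raise ArtifactRejected("artifact exceeds size limit")
    base = os.path.realpath(base_dir)
    # The host picks the name: a hex SHA-256 digest cannot contain path
    # separators, "..", or a drive prefix.
    digest = hashlib.sha256(content).hexdigest()
    dest = os.path.join(base, digest)
    meta = {"guest_path": guest_path, "sha256": digest, "size": len(content)}
    # O_CREAT|O_EXCL never overwrites an existing file and fails on a symlink
    # at dest; mode 0o600 leaves the stored file non-executable.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(dest, flags, 0o600)
    except FileExistsError:
        if os.path.islink(dest) or not os.path.isfile(dest):
            raise ArtifactRejected("unexpected object at destination")
        return dest, meta  # a regular file is already stored under this digest
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return dest, meta

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        reported = "../../etc/cron.d/job"  # constructed guest-reported path
        print("naive join :", naive_destination(base, reported))
        print("hardened   :", store_artifact(base, reported, b"sample bytes")[0])
```

Running the artifact writer as a dedicated low-privilege account with write access only to the artifact directory limits the damage if a path check is ever bypassed.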

ACKNOWLEDGEMENTS

Thank you to Jurriaan Bremer for reporting the vulnerability.

REVISION

2015-10-02 Changed status to final
2015-07-13 Title Update
2015-06-30 Initial public release