Executive Summary

Summary
Title: Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability
Information
Name: VU#935424
First vendor publication: 2015-10-20
Vendor: VU-CERT
Last vendor modification: 2015-10-21
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS base score: 2.1
CVSS impact score: 2.9
CVSS exploit score: 3.9
Attack range: Local
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#935424

Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability

Original Release date: 20 Oct 2015 | Last revised: 21 Oct 2015

Overview

Multiple vendors' implementations of Virtual Machine Monitors (VMM) are vulnerable to a memory deduplication attack.

Description

As reported in the "Cross-VM ASL INtrospection (CAIN)" paper, an attacker with basic user rights within the attacking Virtual Machine (VM) can leverage memory deduplication within Virtual Machine Monitors (VMM). This effectively leaks the randomized base addresses of libraries and executables in the processes of neighboring VMs. Granting the attacker the ability to leak the Address-Space Layout of a process within a neighboring VM results in the potential to bypass ASLR.

Impact

A malicious attacker with only user rights within the attacking VM can reliably determine the base address of a process within a neighboring VM. This information can be used to develop a code-reuse or return-oriented programming exploit for a known vulnerability in a target process. Attacking the target process is outside the scope of the CAIN attack.

Solution

Deactivation of memory deduplication is the only known way to completely defend against the CAIN attack.

See CAIN paper for a list of other mitigations.
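
A host-side check for the deactivation described above, added here as an example and not taken from the advisory or the CAIN paper. It assumes the affected hypervisor is Linux KVM and that deduplication is provided by the kernel's KSM feature, which is controlled through /sys/kernel/mm/ksm; the function names and verdict strings are illustrative.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumes a Linux KVM host whose
# page deduplication is KSM, controlled through /sys/kernel/mm/ksm.
KSM_DIR="${KSM_DIR:-/sys/kernel/mm/ksm}"   # overridable for fixtures

# Print the integer stored in file $2 of directory $1; fail if absent or non-numeric.
ksm_read() {
    f="$1/$2"
    [ -r "$f" ] || return 1
    v=$(cat "$f") || return 1
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$v"
}

# Audit the KSM directory $1 (default: $KSM_DIR) and print a verdict.
# Status: 0 = off and nothing merged, 1 = active or merged pages remain,
#         2 = no KSM interface (kernel without KSM, or not Linux).
ksm_audit() {
    dir="${1:-$KSM_DIR}"
    run=$(ksm_read "$dir" run) || { echo "UNKNOWN: no KSM interface at $dir"; return 2; }
    shared=$(ksm_read "$dir" pages_shared) || shared=0
    sharing=$(ksm_read "$dir" pages_sharing) || sharing=0
    if [ "$run" -eq 1 ]; then
        echo "EXPOSED: ksmd running (run=1), pages_shared=$shared pages_sharing=$sharing"
        return 1
    fi
    # run=0 only stops the scanner: pages merged earlier stay shared across
    # guests. run=2 stops it and unmerges them.
    if [ "$shared" -gt 0 ]; then
        echo "RESIDUAL: ksmd stopped (run=$run), $shared merged pages remain; write 2 to $dir/run"
        return 1
    fi
    echo "OK: deduplication disabled (run=$run), no merged pages"
    return 0
}

# Report the live host; status is ignored so the file can also be sourced.
ksm_audit "$KSM_DIR" || true
```

A value written to the run file does not survive a reboot, so the check is worth repeating after each boot or wiring into host monitoring.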

Vendor Information

Vendor                   Status        Date Notified  Date Updated
Linux KVM                Affected      11 Aug 2015    14 Sep 2015
Parallels Holdings Ltd   Affected      11 Aug 2015    09 Sep 2015
Red Hat, Inc.            Affected      11 Aug 2015    06 Oct 2015
Microsoft Corporation    Not Affected  23 Jul 2015    09 Sep 2015
Xen                      Not Affected  12 Jul 2015    14 Sep 2015
Oracle Corporation       Unknown       12 Jul 2015    14 Sep 2015
QEMU                     Unknown       11 Aug 2015    06 Oct 2015
VMware                   Unknown       -              14 Sep 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           1.5    AV:L/AC:M/Au:S/C:P/I:N/A:N
Temporal       1.4    E:F/RL:W/RC:C
Environmental  1.0    CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi

Credit

Thanks to Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross for reporting this vulnerability.

This document was written by Brian Gardiner.

Other Information

  • CVE IDs: CVE-2015-2877
  • Date Public: 30 Jul 2015
  • Date First Published: 20 Oct 2015
  • Date Last Updated: 21 Oct 2015
  • Document Revision: 41

Original Source

Url : http://www.kb.cert.org/vuls/id/935424

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-200  Information Exposure

CPE : Common Platform Enumeration

Type         Description  Count
Application               1
Os                        3274
Os                        4

Alert History

Date Information
2017-03-16 21:25:02
  • Multiple Updates
2017-03-03 17:23:48
  • Multiple Updates
2015-10-21 21:22:04
  • Multiple Updates
2015-10-21 00:19:26
  • First insertion