Executive Summary

Summary
Title Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability
Informations
NameVU#935424First vendor Publication2015-10-20
VendorVU-CERTLast vendor Modification2015-10-21
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score2.1Attack RangeLocal
Cvss Impact Score2.9Attack ComplexityLow
Cvss Expoit Score3.9AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#935424

Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability

Original Release date: 20 Oct 2015 | Last revised: 21 Oct 2015

Overview

Multiple vendors' implementations of Virtual Machine Monitors (VMM) are vulnerable to a memory deduplication attack.

Description

As reported in the "Cross-VM ASL INtrospection (CAIN)" paper, an attacker with basic user rights within the attacking Virtual Machine (VM) can leverage memory deduplication within Virtual Machine Monitors (VMM). This effectively leaks the randomized base addresses of libraries and executables in the processes of neighboring VMs. Granting the attacker the ability to leak the Address-Space Layout of a process within a neighboring VM results in the potential to bypass ASLR.

Impact

A malicious attacker with only user rights within the attacking VM can reliably determine the base address of a process within a neighboring VM. This information can be used to develop a code-reuse or return oriented programming exploit for a known vulnerability in a target process. Attacking the target process is outside the scope of the CAIN attack..

Solution

Deactivation of memory deduplication is the only known way to completely defend against the CAIN attack.

See CAIN paper for a list of other mitigations.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Linux KVMAffected11 Aug 201514 Sep 2015
Parallels Holdings LtdAffected11 Aug 201509 Sep 2015
Red Hat, Inc.Affected11 Aug 201506 Oct 2015
Microsoft CorporationNot Affected23 Jul 201509 Sep 2015
XenNot Affected12 Jul 201514 Sep 2015
Oracle CorporationUnknown12 Jul 201514 Sep 2015
QEMUUnknown11 Aug 201506 Oct 2015
VMwareUnknown-14 Sep 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base1.5AV:L/AC:M/Au:S/C:P/I:N/A:N
Temporal1.4E:F/RL:W/RC:C
Environmental1.0CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi

Credit

Thanks to Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross for reporting this vulnerability.

This document was written by Brian Gardiner.

Other Information

  • CVE IDs:CVE-2015-2877
  • Date Public:30 Jul 2015
  • Date First Published:20 Oct 2015
  • Date Last Updated:21 Oct 2015
  • Document Revision:41

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/935424

CWE : Common Weakness Enumeration

%idName
100 %CWE-200Information Exposure

CPE : Common Platform Enumeration

TypeDescriptionCount
Os1070

Alert History

If you want to see full details history, please login or register.
0
1
2
3
DateInformations
2017-03-16 21:25:02
  • Multiple Updates
2017-03-03 17:23:48
  • Multiple Updates
2015-10-21 21:22:04
  • Multiple Updates
2015-10-21 00:19:26
  • First insertion