Privilege Escalation Vulnerability Sets Stage For Potential VM Escape
According to the CERT notification advisory, “A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation.”
The fact that this particular attack can only be executed locally significantly mitigates the impact, according to Pete Lindstrom, vice president of research at Spire Security. But it does offer validation for this overall category of exploits.
“The VM escape is the Holy Grail for virtualization attackers and is the thing that distinguishes the difference in risk between physical machines and virtual machines,” he said. “If you can break out of a virtual machine and get to a host, the potential exists that you can control the other virtual machines that exist on the system, or even the physical operating environment of the system. But in this case, the effect is severely reduced by the fact that it has to be executed locally. So, it would have to be an insider job or an uncontrolled physical environment. But if you’re local, you pretty much have control to begin with.”
Lindstrom added that virtualization advocates often downplay the risk of VM escape, but this development demonstrates that it’s important for businesses to recognize that the risks are valid.
CERT reports that the remedy in this case is to apply the appropriate update.