
CERT Coordination Center

Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability

Vulnerability Note VU#935424

Original Release Date: 2015-10-20 | Last Revised: 2015-10-21

Overview

Multiple vendors' implementations of Virtual Machine Monitors (VMM) are vulnerable to a memory deduplication side-channel attack that leaks the address-space layout of processes running in neighboring virtual machines.

Description

As reported in the "Cross-VM ASL INtrospection (CAIN)" paper, an attacker with only basic user rights within the attacking virtual machine (VM) can abuse memory deduplication in the Virtual Machine Monitor (VMM) to leak the randomized base addresses of libraries and executables in the processes of neighboring VMs. A deduplicated page is shared read-only between VMs, so the first write to it takes a copy-on-write fault and is measurably slower than a write to a private page; by filling memory with candidate pages, one for each possible base address, and timing a write to each after the hypervisor has had time to merge them, the attacker learns which candidate matched a page in the neighboring VM. Leaking the address-space layout of a process in a neighboring VM lets the attacker bypass ASLR for that process.
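The timing primitive the attack rests on can be reproduced inside a single process. The C program below is an added example written for this note; it is not code from the CERT note or from the CAIN authors. Because no second VM or hypervisor is available here, it uses the Linux kernel's shared zero page as a stand-in for a KSM-merged page: a read fault on an untouched anonymous page maps that shared page read-only, which is the same state a deduplicated guest page is in, so the first write to it pays a copy-on-write fault. The functions `run_probe` and `looks_deduplicated`, the sample size `NPAGES` and the 2x decision threshold are the example's own choices, not values from the paper.

```c
/* Added example: the copy-on-write timing primitive behind a CAIN-style
 * memory-deduplication attack, simulated in one process on Linux.
 * The "shared" pages are backed by the kernel's shared zero page (our
 * stand-in for a page KSM has merged with another VM's copy); the
 * "private" pages were written once already and are owned by us. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

#define NPAGES 64 /* constructed sample size; enough for a stable median */

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Time one store to a page. A read-only shared page takes a COW fault here. */
static uint64_t time_first_write(unsigned char *page) {
    uint64_t t0 = now_ns();
    *(volatile unsigned char *)page = 0xAA;
    uint64_t t1 = now_ns();
    return t1 - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

static uint64_t median(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

struct probe_result {
    uint64_t shared_ns;  /* median first-write latency, shared (COW) pages */
    uint64_t private_ns; /* median write latency, pages we already own */
};

/* Prepare NPAGES pages in each state, then time one store per page.
 * Returns 0 on success, -1 if the mappings cannot be created. */
int run_probe(struct probe_result *out) {
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = psz * NPAGES;
    unsigned char *shared = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    unsigned char *priv = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED || priv == MAP_FAILED) return -1;
#ifdef MADV_NOHUGEPAGE
    /* Keep each 4 KiB page an independent sample (no transparent huge pages). */
    madvise(shared, len, MADV_NOHUGEPAGE);
    madvise(priv, len, MADV_NOHUGEPAGE);
#endif
    volatile unsigned char sink = 0;
    for (size_t i = 0; i < NPAGES; i++) {
        /* Read fault: maps the shared zero page read-only (the "deduplicated" state). */
        sink += *(volatile unsigned char *)(shared + i * psz);
        /* Write fault now, so the timed store later hits a page we own. */
        *(volatile unsigned char *)(priv + i * psz) = 1;
    }
    (void)sink;
    uint64_t s[NPAGES], p[NPAGES];
    for (size_t i = 0; i < NPAGES; i++) {
        s[i] = time_first_write(shared + i * psz);
        p[i] = time_first_write(priv + i * psz);
    }
    out->shared_ns = median(s, NPAGES);
    out->private_ns = median(p, NPAGES);
    munmap(shared, len);
    munmap(priv, len);
    return 0;
}

/* CAIN's decision rule: a candidate page whose first write is much slower
 * than a known-private write was merged, i.e. an identical page existed in
 * another VM. `factor` is the constructed "much slower" ratio; the real
 * attack calibrates it per host. */
int looks_deduplicated(uint64_t candidate_ns, uint64_t baseline_ns, unsigned factor) {
    return candidate_ns > baseline_ns * (uint64_t)factor;
}

int main(void) {
    struct probe_result r;
    if (run_probe(&r) != 0) { perror("mmap"); return 1; }
    printf("median first write: shared/COW %llu ns, private %llu ns -> %s\n",
           (unsigned long long)r.shared_ns, (unsigned long long)r.private_ns,
           looks_deduplicated(r.shared_ns, r.private_ns, 2) ? "distinguishable"
                                                            : "not distinguishable");
    return 0;
}
```

In the cross-VM attack the candidate pages are copies of a known page of the target binary, each relocated for one guessed base address, and the timed writes happen only after waiting long enough for the host's deduplication scanner to have merged the matching candidate; the measurement itself is the same store-and-time loop shown here.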

Impact

An attacker with only user rights within the attacking VM can reliably determine the base addresses of the executable and libraries of a process within a neighboring VM. This information can be used to develop a code-reuse or return-oriented programming (ROP) exploit for a known vulnerability in the target process; exploiting the target process itself is outside the scope of the CAIN attack.

Solution

Deactivating memory deduplication is the only known way to completely defend against the CAIN attack. On Linux KVM hosts, deduplication is provided by KSM and controlled through /sys/kernel/mm/ksm/run: writing 0 only stops the scanner and leaves already-merged pages shared, so write 2 to stop it and unmerge all merged pages, and disable the ksmtuned service where present so it does not re-enable KSM. QEMU can also be started with -machine mem-merge=off so that an individual VM's memory is never offered for merging.

See the CAIN paper for a list of other, partial mitigations.

Vendor Information


Linux KVM Affected

Notified:  August 11, 2015 Updated: September 14, 2015

Status

Affected

Vendor Statement

Basically if you care about this attack vector, disable deduplication.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Parallels Holdings Ltd Affected

Notified:  August 11, 2015 Updated: September 09, 2015

Status

Affected

Vendor Statement

- Virtuozzo 6 (formerly Parallels Cloud Server 6) Virtual Machines are not affected since our hypervisor does not utilize page sharing.
- Virtuozzo 6 Containers are affected through the "pfcache" feature (enabled by default), in the sense that from inside a Container you can find out whether any other container on the host has (or ever had) the particular application/file (of the particular version). We are considering this information leak a minor issue, which comes as a price for memory deduplication. We have no plans for fixing it. If this is considered a major threat by the user, then it could be mitigated by disabling the "pfcache" functionality.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Notified:  August 11, 2015 Updated: October 06, 2015

Statement Date:   August 11, 2015

Status

Affected

Vendor Statement

This issue affects the versions of the Linux Kernel as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. Additionally, a workaround is available. A future update may address this issue.

VMM layer: Deactivation of memory deduplication. Deactivating memory deduplication will effectively mitigate all attack vectors. This measure unfortunately eliminates all the highly appreciated benefits of memory deduplication, namely the increase of operational cost-effectiveness through inter-VM memory sharing.

Deactivating memory deduplication is the simplest way to prevent exploitation of this attack. However, this will cause an increase in the amount of memory required and in some situations may adversely impact performance (e.g. due to slower swap space being used). It is recommended that customers test this workaround before using it in production.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified:  July 23, 2015 Updated: September 09, 2015

Statement Date:   July 24, 2015

Status

Not Affected

Vendor Statement

There is no impact.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Xen Not Affected

Notified:  July 12, 2015 Updated: September 14, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation Unknown

Notified:  July 12, 2015 Updated: September 14, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QEMU Unknown

Notified:  August 11, 2015 Updated: October 06, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

VMware Unknown

Updated:  September 14, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics (CVSS v2)

Group          Score  Vector
Base           1.5    AV:L/AC:M/Au:S/C:P/I:N/A:N
Temporal       1.4    E:F/RL:W/RC:C
Environmental  1.0    CDP:N/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross for reporting this vulnerability.

This document was written by Brian Gardiner.

Other Information

CVE IDs: CVE-2015-2877
Date Public: 2015-07-30
Date First Published: 2015-10-20
Date Last Updated: 2015-10-21 16:53 UTC
Document Revision: 42

Sponsored by CISA.