Vulnerability Note VU#935424
Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability
Overview
Multiple vendors' implementations of Virtual Machine Monitors (VMM) are vulnerable to a memory deduplication attack.
Description
As reported in the "Cross-VM ASL INtrospection (CAIN)" paper, an attacker with basic user rights within the attacking Virtual Machine (VM) can leverage memory deduplication within Virtual Machine Monitors (VMM). This effectively leaks the randomized base addresses of libraries and executables in the processes of neighboring VMs. Granting the attacker the ability to leak the Address-Space Layout of a process within a neighboring VM results in the potential to bypass ASLR. |
Impact
A malicious attacker with only user rights within the attacking VM can reliably determine the base address of a process within a neighboring VM. This information can be used to develop a code-reuse or return oriented programming exploit for a known vulnerability in a target process. Attacking the target process is outside the scope of the CAIN attack.. |
Solution
Deactivation of memory deduplication is the only known way to completely defend against the CAIN attack. |
See CAIN paper for a list of other mitigations. |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Linux KVM | Affected | 11 Aug 2015 | 14 Sep 2015 |
| Parallels Holdings Ltd | Affected | 11 Aug 2015 | 09 Sep 2015 |
| Red Hat, Inc. | Affected | 11 Aug 2015 | 06 Oct 2015 |
| Microsoft Corporation | Not Affected | 23 Jul 2015 | 09 Sep 2015 |
| Xen | Not Affected | 12 Jul 2015 | 14 Sep 2015 |
| Oracle Corporation | Unknown | 12 Jul 2015 | 14 Sep 2015 |
| QEMU | Unknown | 11 Aug 2015 | 06 Oct 2015 |
| VMware | Unknown | - | 14 Sep 2015 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 1.5 | AV:L/AC:M/Au:S/C:P/I:N/A:N |
| Temporal | 1.4 | E:F/RL:W/RC:C |
| Environmental | 1.0 | CDP:N/TD:M/CR:ND/IR:ND/AR:ND |
References
Credit
Thanks to Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross for reporting this vulnerability.
This document was written by Brian Gardiner.
Other Information
- CVE IDs: CVE-2015-2877
- Date Public: 30 Jul 2015
- Date First Published: 20 Oct 2015
- Date Last Updated: 21 Oct 2015
- Document Revision: 41
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.