
CERT Coordination Center


Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability

Vulnerability Note VU#935424

Original Release Date: 2015-10-20 | Last Revised: 2015-10-21

Overview

Multiple vendors' implementations of Virtual Machine Monitors (VMM) are vulnerable to a memory deduplication attack.

Description

As reported in the "Cross-VM ASL INtrospection (CAIN)" paper, an attacker with only basic user rights inside the attacking Virtual Machine (VM) can leverage memory deduplication performed by the Virtual Machine Monitor (VMM). The deduplication behaviour leaks the randomized base addresses of libraries and executables in the processes of neighboring VMs. Because the attacker learns the address-space layout of a process in a neighboring VM, Address Space Layout Randomization (ASLR) in that VM can be bypassed.

Impact

A malicious attacker with only user rights within the attacking VM can reliably determine the base address of a process within a neighboring VM. This information can be used to develop a code-reuse or return-oriented programming exploit for a known vulnerability in the target process. Attacking the target process itself is outside the scope of the CAIN attack.

Solution

Deactivation of memory deduplication is the only known way to completely defend against the CAIN attack.

See the CAIN paper for a list of other mitigations.
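On a Linux KVM host the deduplication in question is KSM (Kernel Samepage Merging), controlled through the kernel's /sys/kernel/mm/ksm interface. The following script is an added example, not part of the CERT note or of any vendor's tooling: it reports whether cross-VM page sharing is possible and applies the only complete mitigation the note names, stopping KSM and unmerging all shared pages. It assumes a KSM-capable kernel, and the directory argument lets it be exercised against a constructed copy of the sysfs tree.

```shell
#!/bin/sh
# Audit and disable KSM, the host-side memory deduplication that the CAIN
# attack relies on.  Controls live under /sys/kernel/mm/ksm; a different
# directory can be passed to work on a constructed copy of that tree.
KSM_DEFAULT=/sys/kernel/mm/ksm

# ksm_status [DIR]: print one status word; return 0 only when no guest page
# can currently be shared with another VM.  Meaning of the kernel "run" knob:
#   0 = scanning stopped, pages merged earlier stay shared
#   1 = scanning and merging active
#   2 = stopped and every merged page unmerged
ksm_status() {
    dir="${1:-$KSM_DEFAULT}"
    if [ ! -r "$dir/run" ]; then
        echo "absent"            # kernel without KSM: nothing to deduplicate
        return 0
    fi
    run=$(cat "$dir/run")
    sharing=$(cat "$dir/pages_sharing" 2>/dev/null || echo 0)
    case "$run" in
        1) echo "active pages_sharing=$sharing"; return 1 ;;
        0) if [ "$sharing" -gt 0 ]; then
               # stopped, but earlier merges still leave cross-VM shared pages
               echo "stopped_still_shared pages_sharing=$sharing"; return 1
           fi
           echo "disabled"; return 0 ;;
        2) echo "disabled"; return 0 ;;
        *) echo "unknown run=$run"; return 1 ;;
    esac
}

# ksm_disable [DIR]: stop KSM and unmerge all shared pages (run=2).  This is
# the mitigation the note describes; host memory use will rise accordingly.
ksm_disable() {
    dir="${1:-$KSM_DEFAULT}"
    [ -w "$dir/run" ] || return 0        # nothing to do without KSM
    echo 2 > "$dir/run"
    # Assumption about RHEL-family packaging: the ksm and ksmtuned services
    # re-enable KSM at boot, so persist with: systemctl disable --now ksm ksmtuned
}

# Usage as root on the host: sh ksm_audit.sh audit | disable
case "${1:-}" in
    audit)   ksm_status ;;
    disable) ksm_disable && ksm_status ;;
esac
```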

Vendor Information


Linux KVM

Notified: August 11, 2015 | Updated: September 14, 2015

Status

  Affected

Vendor Statement

Basically, if you care about this attack vector, disable deduplication.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Parallels Holdings Ltd

Notified: August 11, 2015 | Updated: September 09, 2015

Status

  Affected

Vendor Statement

- Virtuozzo 6 (formerly Parallels Cloud Server 6) Virtual Machines are not affected since our hypervisor does not utilize page sharing.
- Virtuozzo 6 Containers are affected through the "pfcache" feature (enabled by default), in the sense that from inside a Container you can find out whether any other container on the host has (or ever had) the particular application/file (of the particular version). We are considering this information leak a minor issue, which comes as a price for memory deduplication. We have no plans for fixing it. If this is considered a major threat by the user, then it could be mitigated by disabling the "pfcache" functionality.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Red Hat, Inc.

Notified: August 11, 2015 | Updated: October 06, 2015

Statement Date: August 11, 2015

Status

  Affected

Vendor Statement

This issue affects the versions of the Linux Kernel as shipped with Red Hat Enterprise Linux 4, 5, 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. Additionally, a workaround is available. A future update may address this issue.

VMM layer: Deactivation of memory deduplication. Deactivating memory deduplication will effectively mitigate all attack vectors. This measure unfortunately eliminates all the highly appreciated benefits of memory deduplication, namely the increase of operational cost-effectiveness through inter-VM memory sharing.

Deactivating memory deduplication is the simplest way to prevent exploitation of this attack. However, this will cause an increase in the amount of memory required and in some situations may adversely impact performance (e.g. due to slower swap space being used). It is recommended that customers test this workaround before using it in production.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2877
https://access.redhat.com/security/updates/classification/

Addendum

There are no additional comments at this time.


Microsoft Corporation

Notified: July 23, 2015 | Updated: September 09, 2015

Statement Date: July 24, 2015

Status

  Not Affected

Vendor Statement

There is no impact.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Xen

Notified: July 12, 2015 | Updated: September 14, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Oracle Corporation

Notified: July 12, 2015 | Updated: September 14, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


QEMU

Notified: August 11, 2015 | Updated: October 06, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


VMware

Updated: September 14, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.



CVSS Metrics

Group          Score  Vector
Base           1.5    AV:L/AC:M/Au:S/C:P/I:N/A:N
Temporal       1.4    E:F/RL:W/RC:C
Environmental  1      CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross for reporting this vulnerability.

This document was written by Brian Gardiner.

Other Information

CVE IDs: CVE-2015-2877
Date Public: 2015-07-30
Date First Published: 2015-10-20
Date Last Updated: 2015-10-21 16:53 UTC
Document Revision: 41

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.