Jailbreaking a virtual machine has always been sort of a black op. You constantly hear whispers of researchers studying malware samples captured in the wild that can leap from a virtual guest machine to the host. Other researchers, meanwhile, work on exploits for vulnerabilities that would also allow an attacker to escape a virtual machine.
These tangible exploits threaten the sanctity of virtualization projects that are so en vogue today with many companies for their server consolidation and power consumption benefits. The volume is getting louder on these exploit tools because every month or so, there are more of them.
One of the neatest was outlined in late July at Black Hat 2009 USA. Immunity, an assessment and penetration testing company, provided details on a tool called Cloudburst, developed by senior security researcher Kostya Kortchinsky. Cloudburst, available to users of Immunity's CANVAS testing tool, exploits a bug in the display functions of VMware Workstation 6.5.1 and earlier versions, as well as VMware Player, Server, Fusion, ESXi and ESX [see CVE 2009-1244 for exact version numbers].
Kortchinsky went a little outside the box with Cloudburst, choosing to exploit the dependencies between virtual machines and devices such as video adapters, floppy controllers, IDE controllers, keyboard controllers and network adaptors to gain access to the host. During his Black Hat presentation, he explained how he attacked vulnerabilities in the way VMware emulates a video device; he demonstrated how he exploited host memory leaks into the guest, and arbitrary memory writes from the guest to anywhere in the host.
"The video adapter pareses the most complex data," he says. "It has a huge amount of shared memory."
Kortchinsky says the same code emulates devices on every VMware product. "If the vulnerability is there, it's there on every VMware product and can be accessed from the guest through port i/o or memory-mapped i/o." Immunity says Cloudburst's ability to corrupt memory allows it to tunnel a MOSDEF connection over the frame buffer of the guest to communicate with the host. MOSDEF is an exploit tool in the CANVAS arsenal written by Immunity founder Dave Aitel.
VMware has patched these vulnerable versions of its products, doing so on April 10, four days after Cloudburst was released to CANVAS. And that's what makes Cloudburst different; it's not a proof of concept, unlike most VM malware.
So now that the technical portion of this conversation has ended, what does it mean for you as a security manager, someone with buying power and decision-making responsibilities? Well, a little bit more than it did say two years ago before the economy tripped over itself and your justifications for spending relied less on the bottom line and more on threats that could impact your IT environment and that you could touch and squeeze.
Virtualization threats have always been abstract, more theory than practice. Sure there was the supposed undetectable virtual rootkit, Blue Pill, but that required such innate technical understanding that it hardly seemed feasible for attackers to weaponize something so intricate. Experts, meanwhile, warned that tangible threats to virtual environments were coming, but still you're unlikely to strategize and buy on the theoretical. What you are likely to do is jump headfirst into virtualization because the benefits are too sweet not to take a lick from the mixing bowl. Securing it probably comes later.
Well, it's later.
Attacks are progressing slowly out of the theoretical into the practical. Right now there are five CVE alerts based on VM escapes and certainly more to come as researchers and other attackers build on work done by Kortchinsky, Greg McManus of iDefense and the research teams at Core Security.
Experts say networks shouldn't rely on traditional security measures because they don't counteract every VM threat. Until now, most organizations have been reactive about securing virtual environments and with the swell of new attacks, exploits and proof-of-concept projects, VM security is front and center.
Two years ago, security expert and current Cisco director of cloud and virtualization solutions Chris Hoff wrote: "It doesn't help that we're trying to build business cases to start thinking about investing in securing virtualized environments when the threats and vulnerabilities are so esoteric and by manner of omission executives are basically told that security is something they do not need to focus on any differently in their virtualization deployments."
With Cloudburst being the most recent attack as the backdrop, experts such as Hoff and many others who have been beating the drum for security in virtual environments are starting to look pretty bleeding edge with their prognostications and pleadings.
So a final word from Hoff, again from two years ago writing about a flaw that enabled at the time an attacker to run arbitrary code on a VMware GuestOS: "This will be the first of many, of that you can be sure. … You can use something like this to start having discussions [with management] in a calm, rational manner…before you have to go reconfigure or patch your global virtualized server farms, that is…"
Later has arrived.
Michael S. Mimoso is Editor of Information Security. Send comments on this article to firstname.lastname@example.org.