TID-208: Virtual Machine Escape
Threat Description
Virtualized environments oftentimes share the same underlying hardware with the hypervisor and with the other guests it hosts. A vulnerability in the hypervisor or in the virtualized environment that allows execution of unauthorized code could be used to escape the virtualized environment. Having escaped, a threat actor could manipulate the underlying hypervisor, the host operating system, or the applications and data within the other environments hosted on that device.
Threat Maturity and Evidence
Known Exploitable Weakness
VMware Security Advisory (VMSA-2024-0006.1)
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
“A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.”
CWE
CWE-693: Protection Mechanisms Failure (Pillar)
“The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.”
CVE
Implementing Hypervisor-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) in vSphere (67577)
“Intel has disclosed details on a new wave of speculative-execution vulnerabilities known collectively as “Microarchitectural Data Sampling (MDS)” that can occur on Intel microarchitecture prior to 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake). These issues may allow a malicious user who can locally execute code on a system to infer the values of data otherwise protected by architectural mechanisms.”
Patch now! VMware escape flaws are so serious even end-of-life software gets a fix
VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255)
“VMware’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to break out of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.”