TID-208: Virtual Machine Escape
Threat Description
Virtualization mechanisms allow multiple operating system instances to share the same underlying hardware. Hypervisor software is responsible for orchestrating and maintaining the separation between virtual machines (VMs) so that failure or compromise within one VM does not affect others. However, vulnerabilities in the APIs and services the hypervisor exposes to guest VMs, in the implementation of virtualized hardware abstractions, or in other hypervisor components could be used by an adversary to escape the virtualized environment. By escaping the environment, a threat actor could manipulate the underlying hypervisor, the host operating system, or the applications and data within other environments hosted on that device.
Threat Maturity and Evidence
Known Exploitable Weakness
- VMware Security Advisory (VMSA-2024-0006.1)
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
“A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.”
CWE
- CWE-693: Protection Mechanisms Failure (Pillar)
“The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.”
CVE
- Implementing Hypervisor-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities in vSphere (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)
“Intel has disclosed details on a new wave of speculative-execution vulnerabilities known collectively as “Microarchitectural Data Sampling (MDS)” that can occur on Intel microarchitecture prior to 2nd Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake). These issues may allow a malicious user who can locally execute code on a system to infer the values of data otherwise protected by architectural mechanisms.”
- VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255)
“VMware’s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to break out of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.”