Vulnerability Note VU#935424
Virtual Machine Monitors (VMM) contain a memory deduplication vulnerability
Original Release date: 20 Oct 2015 | Last revised: 21 Oct 2015

Overview
Multiple vendors’ implementations of Virtual Machine Monitors (VMM) are vulnerable to a memory deduplication attack.

Description
As reported in the "Cross-VM ASL INtrospection (CAIN)" paper, an attacker with basic user rights within the attacking Virtual Machine (VM) can leverage memory deduplication within Virtual Machine Monitors (VMM). This effectively leaks the randomized base addresses of libraries and executables in the processes of neighboring VMs. Granting the attacker the ability to leak the Address-Space Layout of a process within a neighboring VM results in the potential to bypass ASLR.

Impact
A malicious attacker with only user rights within the attacking VM can reliably determine the base address of a process within a neighboring VM. This information can be used to develop a code-reuse or return oriented programming exploit for a known vulnerability in a target process. Attacking the target process is outside the scope of the CAIN attack..

Solution
Deactivation of memory deduplication is the only known way to completely defend against the CAIN attack.
See CAIN paper for a list of other mitigations.

Vendor Information (Learn More)
VendorStatusDate NotifiedDate UpdatedLinux KVMAffected11 Aug 201514 Sep 2015
Parallels Holdings LtdAffected11 Aug 201509 Sep 2015
Red Hat, Inc.Affected11 Aug 201506 Oct 2015
Microsoft CorporationNot Affected23 Jul 201509 Sep 2015
XenNot Affected12 Jul 201514 Sep 2015
Oracle CorporationUnknown12 Jul 201514 Sep 2015
QEMUUnknown11 Aug 201506 Oct 2015
VMwareUnknown-14 Sep 2015If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
1.5
AV:L/AC:M/Au:S/C:P/I:N/A:N

Temporal
1.4
E:F/RL:W/RC:C

Environmental
1.0
CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi

Credit

Thanks to Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross for reporting this vulnerability.
This document was written by Brian Gardiner.

Other Information

CVE IDs:
CVE-2015-2877

Date Public:
30 Jul 2015

Date First Published:
20 Oct 2015

Date Last Updated:
21 Oct 2015

Document Revision:
41

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply