Updated Google's Project Zero has emitted another vulnerability report, showing off a proof-of-concept exploit against the open-source KVM hypervisor that allows an attacker to escape a virtual machine on AMD-based servers – taking control of the underlying host system.
"To the best of my knowledge," Project Zero researcher Felix Wilhelm claimed of his discovery, "this is the first public write-up of a KVM guest-to-host breakout that does not rely on bugs in user space components such as QEMU."
The vulnerability, which was demonstrated through a proof-of-concept attack to launch a shell on a host system running on an AMD Epyc 7351P processor, relies on functionality exclusive to AMD chips – meaning Intel, the company's long-standing rival and current majority holder of the server market, is unaffected.
"The recent increase of AMD's market share in the server segment means that KVM's AMD implementation is suddenly becoming a more interesting target than it was in the last years," Wilhelm noted of his focus.
- You can hijack Google Cloud VMs using DHCP floods, says this guy, once the stars are aligned and...
- Epyc fail? We can defeat AMD's virtual machine encryption, say boffins
- Hyper-V bug that could crash 'big portions of Azure cloud infrastructure': Code published
- Developing for Windows 11: Like developing for Windows 10, but with rounded corners?
"AMD's virtualization extension is called SVM (for Secure Virtual Machine) and in order to support nested virtualisation, the host hypervisor needs to intercept all SVM instructions that are executed by its guests, emulate their behaviour and keep its state in sync with the underlying hardware.
"As you might imagine, implementing this correctly is quite difficult with a large potential for complex logic flaws, making it a perfect target for manual code review."
Wilhelm was able to find a bug quickly enough, spotting a method for malicious guests to gain access to the model-specific registers (MSRs) on the host. "When I initially discovered and reported this vulnerability, I was feeling pretty confident that this type of MSR access should be more or less equivalent to full code execution on the host," he explained.
"While my feeling turned out to be correct, getting there still took me multiple weeks of exploit development."
The finished attack, exploitable only in the KVM module included in the Linux 5.10 and 5.11 kernels and on AMD hardware, allows a malicious guest to gain full control over the host machine: the bug is triggered, a specific host MSR accessed, and a remote shell launched – a process which takes a maximum of five minutes.
There's good news in Wilhelm's report, though. The feature exploited by the flaw was only present in those two kernel versions, and there's no evidence it was ever exploited in the wild – but, he warned, "these capabilities are clearly achievable for a well-financed adversary" and the potential return on investment means "it seems safe to assume that more people are working on similar issues right now."
As for avoiding such issues in the future? "Security engineers working on virtualization security should push for as much attack surface reduction as possible," Wilhelm advised. "Moving complex functionality to memory-safe user space components is a big win even if it does not help against bugs like the one described above.
"Disabling unneeded or unreviewed features and performing regular in-depth code reviews for new changes can further reduce the risk of bugs slipping by.
"Hosters, cloud providers and other enterprises that are relying on virtualization for multi-tenancy isolation should design their architecture in way that limits the impact of an attacker with an VM escape exploit," Wilhelm continued, with the suggestion that machines acting as hosts to virtual machines should be treated as "at least partially untrusted" and that companies need to invest more in intrusion detection capabilities.
The disclosure comes in the same month as the discovery of an actively distributed malware, Siloscape, which exploited Windows containers to break through to the underlying Kubernetes cluster.
Earlier today we covered a report from security researcher Imre Rad, who revealed a flaw which allows users to hijack Google Compute Engine (GCE) virtual machines – though without putting the host system at risk.
"Even with a well audited codebase, this bug and its exploit directly shine a light on the fact that highly exploitable security vulnerabilities can exist in virtualization environments," opined ESET UK cybersecurity expert Jake Moore in a comment to The Register on the Project Zero disclosure.
"In an attempt to combat and protect such systems, and although not bulletproof, it would be useful to disable any non-essential features, isolating VM hosts while implementing robust detection software."
The vulnerability was disclosed privately to the KVM team in late March this year, and has been patched in Linux 5.12 and above – while 5.9 and below were never vulnerable.
More information is available on the Project Zero blog, in the proof-of-concept code on the Project Zero issue tracker, and in the patch notes on the Linux git repository. The Register has asked AMD for comment.
Updated at 13.10 BST on 1 July to add:
Th chip maker has sent us a statement.
"AMD appreciates the work of the Google Project Zero team in identifying the now resolved bug in older versions of the KVM Linux kernel. This bug was found in the KVM virtualization environment, not in the referenced AMD EPYC processor architecture or AMD software." ®