Bugzilla – Bug 941252
VUL-1: CVE-2015-2877: kernel: Cross-VM ASL INtrospection (CAIN)
Last modified: 2020-04-01 22:14:53 UTC
Antonio Barresi reports: http://www.antoniobarresi.com/security/cloud/2015/07/30/cain/

Security Advisory - "Cross-VM ASL INtrospection (CAIN)"
-------------------------------------------------------

Date: July 30, 2015

Description
-----------

We discovered a new attack vector against memory deduplication in Virtual Machine Monitors (VMM) where attackers can effectively leak randomized base addresses of libraries and executables in processes of neighboring Virtual Machines (VM).

The attack takes advantage of the well known memory deduplication side-channel [1, 2]. VMMs that perform memory deduplication enable malicious VMs to detect shared pages, as deduplicated pages usually incur higher write times because of the required copy-on-write. Our attack relies on a combination of the available side-channel, the ASLR implementation characteristics and the existence of suitable pages with certain properties (see below).

We found memory pages in Windows and Linux systems that allow a malicious VM to silently brute force all possible base addresses. These pages are mostly static, long-lived and their entropy is directly derived from the randomized base address of a library or executable, making it possible to probe for the right randomized base address.

Our PoC attack against the default configuration of KVM breaks ASLR of a neighboring Windows Server 2012 (x86_64) VM in less than 5 hours. We estimate an attack against Linux based systems (x86_64) to take around 18 days (with the same configuration). We expect a more determined attacker to further reduce attack time. The attack time also depends on the memory available to an attacker (more memory reduces attack time).

Note: the attacker only needs user rights within the attacking VM, thus no root/Administrator/elevated privileges are required.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1252096
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2877
https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi
http://www.antoniobarresi.com/security/cloud/2015/07/30/cain/
http://www.antoniobarresi.com/files/cain_advisory.txt
bugbot adjusting priority
Assigning back to security team. There is no code-fix for this issue. If customers want to work around this CVE, they have to disable memory sharing between VMs (by disabling KSM). Please update the documentation to reflect that.
posted a note: CVE-2015-2877 "There is currently no code fix for this issue. A possible workaround is to disable memory sharing between VMs (by disabling KSM)."
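The workaround named in the comments above (disable memory sharing between VMs by turning off KSM), as an added example that is not part of the bug or the advisory: a POSIX shell helper that audits KSM through the kernel's sysfs interface and switches it off with the value that also unmerges already-shared pages. The function names and the KSM_DIR override are assumptions made for this example; the sysfs files and the meaning of the run values are the standard kernel interface.

```shell
#!/bin/sh
# Added example (not the bug's or the advisory's code): audit and disable KSM
# on a KVM host. Standard sysfs interface: /sys/kernel/mm/ksm/run accepts
#   0 = stop ksmd, keep merged pages   1 = run ksmd   2 = stop ksmd and unmerge all.
# KSM_DIR can be overridden (e.g. for testing against a constructed directory).
KSM_DIR="${KSM_DIR:-/sys/kernel/mm/ksm}"

# ksm_status [DIR]: prints "run=<n> pages_shared=<n> pages_sharing=<n>".
# Returns 0 when merging is active (run=1), 1 when it is not, 2 if KSM is absent.
# pages_sharing > 0 means guest pages are currently deduplicated across VMs,
# i.e. the copy-on-write timing side-channel the advisory describes is exposed.
ksm_status() {
    dir="${1:-$KSM_DIR}"
    [ -r "$dir/run" ] || { echo "ksm: not available at $dir"; return 2; }
    run=$(cat "$dir/run")
    shared=$(cat "$dir/pages_shared" 2>/dev/null || echo 0)
    sharing=$(cat "$dir/pages_sharing" 2>/dev/null || echo 0)
    echo "run=$run pages_shared=$shared pages_sharing=$sharing"
    [ "$run" = "1" ]
}

# ksm_disable [DIR]: writes 2, which stops ksmd AND unmerges every page that
# was already merged. Writing 0 would only stop new merges and leave existing
# cross-VM shared pages (and the side-channel) in place. Needs root.
# Note: if a tuning service such as ksmtuned (Red Hat-family hosts) is enabled,
# disable that service too, or the setting is reapplied at boot.
ksm_disable() {
    dir="${1:-$KSM_DIR}"
    [ -w "$dir/run" ] || { echo "ksm: cannot write $dir/run (need root)"; return 2; }
    echo 2 > "$dir/run"
    [ "$(cat "$dir/run")" = "2" ]
}
```

Run `ksm_status` first to see whether any pages are currently shared; `ksm_disable` must be run as root on the host, not inside a guest.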