Bugzilla – Bug 941252
VUL-1: CVE-2015-2877: kernel: Cross-VM ASL INtrospection (CAIN)
Last modified: 2020-04-01 22:14:53 UTC
Antonio Barresi reports:
Security Advisory - "Cross-VM ASL INtrospection (CAIN)"
Date: July 30, 2015
We discovered a new attack vector against memory deduplication in
Virtual Machine Monitors (VMM) where attackers can effectively leak
randomized base addresses of libraries and executables in processes of
neighboring Virtual Machines (VM). The attack takes advantage of the
well-known memory deduplication side-channel [1, 2]. VMMs that perform
memory deduplication enable malicious VMs to detect shared pages as
deduplicated pages usually incur higher write times because of the
Our attack relies on a combination of the available side-channel, the
ASLR implementation characteristics and the existence of suitable pages
with certain properties (see below).
We found memory pages in Windows and Linux systems that allow a
malicious VM to silently brute-force all possible base addresses.
These pages are mostly static, long-lived and their entropy is directly
derived from the randomized base address of a library or executable,
making it possible to probe for the right randomized base address.
Our PoC attack against the default configuration of KVM breaks ASLR of a
neighboring Windows Server 2012 (x86_64) VM in less than 5 hours. We
estimate an attack against Linux based systems (x86_64) to take around
18 days (with the same configuration).
We expect a more determined attacker to further reduce attack time. The
attack time also depends on the memory available to an attacker (more
memory reduces attack time).
Note: the attacker only needs user rights within the attacking VM, thus
no root/Administrator/elevated privileges are required.
bugbot adjusting priority
Assigning back to security team.
There is no code fix for this issue. If customers want to work around this CVE, they have to disable memory sharing between VMs (by disabling KSM). Please update the documentation to reflect that.
posted a note:
CVE-2015-2877 "There is currently no code fix for this issue. A possible workaround is to disable memory sharing between VMs (by disabling KSM)."
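The workaround above amounts to turning off Kernel Samepage Merging on the KVM host. The following script is an added example, not part of the bug report or of any SUSE tooling: it reads and writes the standard sysfs control file /sys/kernel/mm/ksm/run (0 = stopped, 1 = running, 2 = stopped and already-merged pages unmerged) and reports how many pages are currently shared. The file path is overridable through the KSM_RUN variable so the functions can be exercised against an ordinary file; the default path is the real kernel interface.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect and disable KSM on a Linux KVM host
# to stop cross-VM page sharing, the condition CAIN depends on.
# KSM control file: 0 = ksmd stopped, 1 = ksmd running, 2 = stopped and merged pages unmerged.
KSM_RUN="${KSM_RUN:-/sys/kernel/mm/ksm/run}"
KSM_SHARING="${KSM_SHARING:-/sys/kernel/mm/ksm/pages_sharing}"

# ksm_state [file]: prints "absent" if the kernel has no KSM interface,
# "running" if ksmd is merging pages, "stopped" for 0 or 2, "unknown" otherwise.
ksm_state() {
  f="${1:-$KSM_RUN}"
  [ -r "$f" ] || { echo absent; return 0; }
  case "$(cat "$f")" in
    0|2) echo stopped ;;
    1)   echo running ;;
    *)   echo unknown ;;
  esac
}

# ksm_pages_sharing [file]: number of pages currently backed by a shared KSM page
# (0 once KSM has been stopped with value 2 and unmerging has finished).
ksm_pages_sharing() {
  f="${1:-$KSM_SHARING}"
  [ -r "$f" ] && cat "$f" || echo 0
}

# ksm_disable [file]: write 2 so ksmd stops and existing merged pages are
# split back into private copies; returns 1 if the file is not writable (not root).
ksm_disable() {
  f="${1:-$KSM_RUN}"
  [ -w "$f" ] || return 1
  printf '2\n' > "$f"
}

# Report only; call ksm_disable explicitly (as root) to apply the workaround.
echo "KSM state: $(ksm_state), pages_sharing: $(ksm_pages_sharing)"
```

Run it as root with an explicit `ksm_disable` call to apply the change; because the write is not persistent, also mask whatever service re-enables KSM at boot (the ksm and ksmtuned units on distributions that ship them) and confirm after the next reboot that `ksm_state` still reports stopped and `pages_sharing` has dropped to 0.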