Bug 941252 - (CVE-2015-2877) VUL-1: CVE-2015-2877: kernel: Cross-VM ASL INtrospection (CAIN)
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P4 - Low  Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/120842/
Whiteboard: CVSSv2:RedHat:CVE-2015-2877:2.1:(AV:...
Depends on:
Blocks:
Reported: 2015-08-11 09:02 UTC by Alexander Bergmann
Modified: 2020-04-01 22:14 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2015-08-11 09:02:30 UTC
Antonio Barresi reports:

http://www.antoniobarresi.com/security/cloud/2015/07/30/cain/

Security Advisory - "Cross-VM ASL INtrospection (CAIN)"
-------------------------------------------------------

Date: July 30, 2015

Description
-----------
We discovered a new attack vector against memory deduplication in
Virtual Machine Monitors (VMM) where attackers can effectively leak
randomized base addresses of libraries and executables in processes of
neighboring Virtual Machines (VM). The attack takes advantage of the
well known memory deduplication side-channel [1, 2]. VMMs that perform
memory deduplication enable malicious VMs to detect shared pages, as
deduplicated pages usually incur higher write times because of the
required copy-on-write.

Our attack relies on a combination of the available side-channel, the
ASLR implementation characteristics and the existence of suitable pages
with certain properties (see below).

We found memory pages in Windows and Linux systems that allow a
malicious VM to silently brute force all possible base addresses.
These pages are mostly static, long-lived and their entropy is directly
derived from the randomized base address of a library or executable,
making it possible to probe for the right randomized base address.

Our PoC attack against the default configuration of KVM breaks ASLR of a
neighboring Windows Server 2012 (x86_64) VM in less than 5 hours. We
estimate an attack against Linux based systems (x86_64) to take around
18 days (with the same configuration).

We expect a more determined attacker to further reduce attack time. The
attack time also depends on the memory available to an attacker (more
memory reduces attack time).

Note: the attacker only needs user rights within the attacking VM; thus
no root/Administrator/elevated privileges are required.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1252096
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2877
https://www.usenix.org/conference/woot15/workshop-program/presentation/barresi
http://www.antoniobarresi.com/security/cloud/2015/07/30/cain/
http://www.antoniobarresi.com/files/cain_advisory.txt
Comment 1 Swamp Workflow Management 2015-08-11 22:00:37 UTC
bugbot adjusting priority
Comment 7 Joerg Roedel 2016-07-15 13:09:58 UTC
Assigning back to security team.

There is no code-fix for this issue. If customers want to work around this CVE, they have to disable memory sharing between VMs (by disabling KSM). Please update the documentation to reflect that.
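The two practical points on this page are the side channel the advisory describes (the first write to a page that KSM has merged pays a copy-on-write fault, and a guest process can time that) and the only workaround, from comment 7 (make sure KSM is not merging). The program below is an added example that ties the two together; it is not code from the bug report, from SUSE or from the CAIN authors. It assumes a Linux host, reads the real sysfs knob /sys/kernel/mm/ksm/run, and uses a hypothetical decision rule (a first write more than ten times slower than the baseline counts as a broken share) and a hypothetical ten-second wait for ksmd; both numbers are assumptions, not values from the advisory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/mman.h>

#ifndef MADV_MERGEABLE
#define MADV_MERGEABLE 12        /* Linux value, in case the header predates KSM */
#endif
#define PAGE_BYTES 4096

/* Interpret the contents of /sys/kernel/mm/ksm/run:
 * 0 = ksmd stopped, 1 = merging, 2 = stop and unmerge everything.
 * Anything else (empty, trailing junk, out of range) -> -1. */
long parse_ksm_run(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0)
        return -1;
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    return (v >= 0 && v <= 2) ? v : -1;
}

/* Read the knob from a path; -1 if it cannot be opened (kernel without KSM). */
long read_ksm_run(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_ksm_run(buf);
}

/* Time one byte write. The first write to a page KSM has merged takes a
 * write fault plus a page copy (copy-on-write); later writes do not. */
long time_write_ns(volatile unsigned char *p)
{
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    *p = (unsigned char)(*p + 1);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (b.tv_sec - a.tv_sec) * 1000000000L + (b.tv_nsec - a.tv_nsec);
}

/* Baseline: minimum over repeated writes to a page that is already private. */
long min_write_ns(volatile unsigned char *p, int rounds)
{
    long best = -1;
    for (int i = 0; i < rounds; i++) {
        long t = time_write_ns(p);
        if (best < 0 || t < best)
            best = t;
    }
    return best;
}

/* Assumed decision rule (not from the advisory): a first write `factor`
 * times slower than the baseline is treated as a broken share. A COW fault
 * costs microseconds, a plain cached write tens of nanoseconds. */
int looks_deduplicated(long sample_ns, long baseline_ns, long factor)
{
    return baseline_ns > 0 && sample_ns > baseline_ns * factor;
}

int main(void)
{
    long run = read_ksm_run("/sys/kernel/mm/ksm/run");
    printf("ksm/run = %ld: %s\n", run,
           run == 1 ? "KSM merging, dedup side channel available" :
           run == 0 ? "KSM stopped" :
           run == 2 ? "KSM stopped and unmerging" : "KSM absent or unreadable");

    /* Two anonymous pages with identical contents, offered to KSM. Run directly
     * on a KVM host this makes ksmd merge them; inside a guest the madvise is
     * irrelevant and any merge is done by the host on the guest's RAM. */
    unsigned char *cand = mmap(NULL, 2 * PAGE_BYTES, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    unsigned char *priv = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (cand == MAP_FAILED || priv == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memset(cand, 0x41, 2 * PAGE_BYTES);
    memset(priv, 0x42, PAGE_BYTES);
    if (madvise(cand, 2 * PAGE_BYTES, MADV_MERGEABLE) != 0)
        perror("madvise(MADV_MERGEABLE)");   /* non-fatal: KSM may be absent */

    /* Assumed wait for a few ksmd scan cycles (see sleep_millisecs/pages_to_scan). */
    struct timespec wait = { 10, 0 };
    nanosleep(&wait, NULL);

    long baseline = min_write_ns(priv, 32);
    long sample = time_write_ns(cand);        /* first write since the merge window */
    printf("baseline %ld ns, first write to candidate %ld ns -> %s\n",
           baseline, sample,
           looks_deduplicated(sample, baseline, 10) ? "copy-on-write fault: page was shared"
                                                   : "no sign of sharing");
    munmap(cand, 2 * PAGE_BYTES);
    munmap(priv, PAGE_BYTES);
    return 0;
}
```

Build with `gcc -O2 -o ksmprobe ksmprobe.c` and run it unprivileged, which is the point of the advisory's note that no elevated rights are needed. On a host with `ksm/run` at 1 the candidate page's first write lands in the microsecond range while the baseline stays at tens of nanoseconds; with KSM stopped both are the same order. The mitigation from comments 7 and 8 is the sysfs knob the program reads: `echo 0 > /sys/kernel/mm/ksm/run` stops merging, `echo 2` also unmerges pages that are already shared, and the ksm/ksmtuned services must be disabled so the setting survives a reboot. The advisory's full attack (brute-forcing ASLR bases from neighbouring VMs) is not reproduced here; this only shows the primitive it rests on and the check for the workaround.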
Comment 8 Marcus Meissner 2016-08-01 12:28:59 UTC
posted a note:
 CVE-2015-2877 "There is currently no code fix for this issue. A possible workaround is to disable memory sharing between VMs (by disabling KSM)."