Virtualization vulnerabilities are seeing a huge surge this year as security researchers start to truly take the microscope to the full range of virtualization software. Hypervisors increasingly are being used across every level of the enterprise hardware stack—servers, desktops, storage, network equipment and more—and virtualization is what’s powering the cloud revolution. The rapid maturation of server virtualization and the ascendancy of other enterprise uses of virtualization software are likely to spur deeper looks at the overall security hygiene of the virtualized ecosystem.
“We see a lot of enterprises wanting to move to the cloud and to do that they’ve needed to leverage hypervisors and software that implements the cloud,” said Brian Gorenc, director of Vulnerability Research with Trend Micro and head of the Zero Day Initiative (ZDI) program. “And so what we’re seeing a lot inside of the ZDI program is vulnerability related to virtualization – things like VMware Workstation and Oracle VirtualBox.”
ZDI runs the highly popular Pwn2Own contest each year and Gorenc said the last couple of years have seen a number of high-profile VMware and Oracle VirtualBox flaws discovered there. And, according to a recent analysis Gorenc did of first-half 2018 disclosures, VirtualBox bug reports are up by 275 percent.
“This goes along with the VMware reports we’ve been receiving since last year’s contest, showing research into the security of these virtualization products is really just getting underway,” he said.
This year has seen a number of disclosures for high-profile vulnerabilities specifically targeting virtualization. For example, at the beginning of the year, VMware had to release a patch for three critical vulnerabilities in its vSphere Data Protection software that enabled authentication bypass and privilege escalation in the system. And this spring Citrix had to issue hotfixes for XenServer that would allow for remote compromise and denial-of-service conditions. Meantime, a whole other can of worms has been cracked open in the form of the whole new class of speculative side-channel attacks sparked off by Spectre and Meltdown, which have had a ripple effect on virtualization infrastructure.
And the increased interest among security researchers in virtualization flaws is reflected in the sessions scheduled for Black Hat USA next week. For example, one pair of researchers at the show is planning to disclose a vulnerability in the kernel virtual machine (KVM) on ARM systems that can be exploited to install a hypervisor rootkit on affected systems. Additionally, Microsoft engineers will be presenting a pair of talks on Hyper-V technology, in conjunction with the company’s big push to encourage the security community to help it find flaws it may have missed.
“Historically it’s been one of the harder attack surfaces to analyze and it’s actually interesting that Microsoft is going to be providing researchers and the world with a little bit more insight to how that technology works,” Gorenc said. “I think their ultimate goal is to have people submit bugs to them and participate in their bounty programs and help harden the attack surface that way.”
In fact, Microsoft this summer broadened the scope of its Hyper-V bug bounty program and is offering higher bounty payouts for Hyper-V discoveries than for any other kind of flaw in its overall bug bounty program. The software giant is offering $250,000 for finding the most severe classes of remote code execution flaws, as well as $25,000 for information disclosure flaws and $15,000 for denial-of-service bugs in Hyper-V.