Unlike Xen and VMware, Hyper-V requires Intel VT-x or AMD-V hardware virtualization extensions and will not run on systems without hardware support for virtualization. It is therefore not at risk from the guest-to-host escape attack. (CERT KB 649219 describes the patches from Red Hat and Xen that address the VM escape issue on their virtualization platforms.)
Ring deprivileging enables machine virtualization on systems without hardware virtualization extensions: the guest operating system's kernel is run at a ring higher than 0 so that the virtual machine monitor can occupy ring 0. Techniques such as binary translation then rewrite the guest's ring 0 instructions as ring 3 instruction sequences that the monitor can trap and emulate. This is necessary because some ring 0 instructions behave differently when executed outside ring 0 instead of faulting, which complicates trap-and-emulate virtualization.
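Added example, not code from the original article: a small x86-64 C program showing why a deprivileged guest kernel cannot be virtualized by trapping alone. CLI in ring 3 faults, so a monitor could intercept it, but the equivalent POPF with IF cleared neither faults nor changes IF, which is exactly the kind of instruction binary translation must rewrite. It assumes a Linux/x86-64 user process (IOPL 0, so #GP arrives as SIGSEGV) and a GCC/Clang compiler providing __readeflags/__writeeflags.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>

#define RFLAGS_CF (1ULL << 0)   /* carry flag: proves POPF really executed */
#define RFLAGS_IF (1ULL << 9)   /* interrupt flag: the privileged state CLI/POPF touch */

#if defined(__x86_64__)
#include <x86intrin.h>          /* __readeflags / __writeeflags (PUSHF/POPF wrappers) */
static sigjmp_buf fault_env;

/* A VMM would see this #GP as a trap; in user space the kernel delivers SIGSEGV (assumed Linux). */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 1 if CLI faulted in ring 3 (trappable), 0 if it ran silently. */
int cli_faults_in_ring3(void) {
    struct sigaction sa = {0}, old;
    volatile int faulted = 0;
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        __asm__ volatile("cli");    /* what a deprivileged guest kernel would execute */
    else
        faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Returns 1 if POPF executed (CF changed) yet left IF set: no fault, so nothing to trap. */
int popf_ignores_if_in_ring3(void) {
    uint64_t before = __readeflags();
    __writeeflags((before & ~RFLAGS_IF) | RFLAGS_CF);   /* same intent as CLI, via POPF */
    uint64_t after = __readeflags();
    __writeeflags(before);
    return (after & RFLAGS_IF) != 0 && (after & RFLAGS_CF) != 0;
}
#else
int cli_faults_in_ring3(void) { return -1; }            /* not x86-64: not applicable */
int popf_ignores_if_in_ring3(void) { return -1; }
#endif

int main(void) {
    printf("CLI faults in ring 3: %d\nPOPF silently keeps IF: %d\n",
           cli_faults_in_ring3(), popf_ignores_if_in_ring3());
    return 0;
}
```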
Although Hyper-V isn't susceptible to the guest-to-host escape, 64-bit versions of Windows 7 and Windows Server 2008 R2 could be affected by a related issue that in turn could result in an elevation of privilege within a Hyper-V VM or on a physical server. This privilege escalation issue within Windows guest VMs (also described in CERT KB 649219) was addressed in a security update for all affected Windows operating systems in June 2012.
Thus, when it comes to the escape attacks:
- A Hyper-V host isn't susceptible to the VM guest-to-host issues because it uses hardware virtualization extensions. Other hypervisors that don't require hardware virtualization extensions are susceptible, and admins should check to see if a patch is needed.
- Windows running within the VM could be susceptible to an elevation of privilege within the VM. Be sure you've applied that June 2012 security update to patch that flaw.
The mystery about who hacked this server continues. However, my immediate focus with the client is to ensure that it follows best practices from now on to ensure such a hack doesn't happen again. I'm starting with a freshly installed parent Hyper-V system running Windows Server 2012 R2 (with all the latest updates) and with no additional software installed on that parent system. Credentials for the parent system will not carry over to the VMs running on it, and I'll be the only one who knows the administrative access credentials to the parent system.
This story, "Hyper-V 'escape attack,' part 2: The mystery deepens," was originally published at InfoWorld.com.