Hyper-V 'escape attack,' part 2: The mystery deepens

The roots of the Hyper-V hack are revealed -- and serve as a reminder to stick to best practices

Two weeks ago, I described a true circumstance where a Hyper-V server was hacked (both a child VM and the parent system), and I was pulled in afterward to fix the resulting issues. The manner of the attack gave the appearance of a potential escape attack but without evidence this had occurred -- a mystery indeed.

Some folks at Microsoft read the article and offered to lend a hand in tracking down the cause of the hack. The investigation revealed several lapses in basic server security practice, especially in relation to Hyper-V. For starters, the parent system had additional software installed, including the remote-access application TeamViewer. Apparently the username and password for the administrator's account had been given out to others. Thus, the hack was most likely the result of a direct attack through shared credentials and exposed remote-access software, not of the theoretical escape attack.


In addition, it appears that this form of attack is not possible against Hyper-V. Hyper-V is not susceptible to the guest-to-host escape (aka a VM escape) that InfoWorld has described, tracked as CERT VU#649219 (CVE-2012-0217, the Intel SYSRET issue). As a hypervisor escape, that issue applies only to virtualization modes that do not use hardware virtualization extensions and instead run the guest kernel deprivileged in a higher ring, as Xen does for paravirtualized (PV) guests; Xen HVM guests, which run on VT-x/AMD-V, were not affected.

Unlike Xen (in PV mode) and VMware, which can run guests without them, Hyper-V requires Intel VT-x or AMD-V hardware virtualization extensions and will not function on systems without hardware support for virtualization, so it is not at risk for this guest-to-host escape attack. (CERT VU#649219 lists the patches from Red Hat and Xen that address the VM escape issue on their virtualization platforms.)

Ring deprivileging enables machine virtualization on systems that do not offer hardware extensions for virtualization by running the guest operating system's kernel at a ring higher than 0 (ring 1 on 32-bit x86, ring 3 on x86-64) so that the virtual machine monitor can own ring 0. Pure trap-and-emulate does not work on x86 because some instructions are sensitive but not privileged: they behave differently outside ring 0 without faulting, so the monitor never gets a chance to intercept them. Techniques such as binary translation therefore rewrite those instructions in the guest kernel's code (and paravirtualization replaces them with explicit hypercalls) so that the monitor can trap and emulate them.

Although Hyper-V isn't susceptible to the guest-to-host escape, 64-bit versions of Windows 7 and Windows Server 2008 R2 have a related issue that can result in an elevation of privilege from user mode to kernel mode, whether Windows is running inside a Hyper-V VM or on a physical server. This privilege escalation issue within Windows guests (also covered by CERT VU#649219 as CVE-2012-0217) was addressed by Microsoft security bulletin MS12-042 in June 2012 for all affected Windows versions.

Thus, when it comes to the escape attacks:

  1. A Hyper-V host isn't susceptible to the VM guest-to-host escape because it runs every guest on hardware virtualization extensions. Hypervisor modes that run guests without them (Xen PV guests, in particular) are susceptible, and admins should check whether a patch is needed.
  2. 64-bit Windows 7 and Windows Server 2008 R2 running within a VM (or on bare metal) are susceptible to the elevation of privilege within the VM. Be sure you've applied the June 2012 MS12-042 security update to patch that flaw.

The mystery about who hacked this server continues. However, my immediate focus with the client is to ensure that it follows best practices from now on so that such a hack doesn't happen again. I'm starting with a freshly installed parent Hyper-V system running Windows Server 2012 R2 (with all the latest updates) and with no additional software installed on that parent system. Credentials for the parent system will not carry over to the VMs running on it, and I'll be the only one who knows the administrative access credentials to the parent system.
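As an added example (not code from the original article or from Microsoft), the PowerShell script below audits a Hyper-V parent partition for the points discussed above: that a hypervisor is actually running on hardware virtualization extensions, that the MS12-042 kernel update is present if the host is 64-bit Windows 7/Server 2008 R2, that nothing beyond an allow-list (remote-access tools such as TeamViewer included) is installed on the parent, and that the local Administrators group holds only the expected accounts. The allow-list, the expected-admin list and the KB number are assumptions: the KB given is the one assumed to correspond to MS12-042 for Windows 7/2008 R2 x64 and should be checked against the bulletin before being trusted.

```powershell
# Hyper-V parent-partition hygiene audit. Added example; not from the original
# article. Run elevated on the host. Parameters are assumptions for illustration.
param(
    # Software permitted on the parent besides the OS and the Hyper-V role itself.
    [string[]]$AllowedSoftware = @(),
    # Accounts that should be the only members of the local Administrators group.
    [string[]]$ExpectedAdmins = @('Administrator'),
    # Assumed KB for MS12-042 (CVE-2012-0217) on Windows 7/2008 R2 x64 - verify.
    [string]$SysretKB = 'KB2709162',
    # Names that indicate remote-access software a parent partition should not carry.
    [string[]]$RemoteAccessPatterns = @('TeamViewer', 'AnyDesk', 'LogMeIn', 'VNC')
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Hardware virtualization. Once Hyper-V is running, the root partition is
#    itself virtualized and Win32_Processor may report the firmware flag as
#    False, so a present hypervisor is taken as proof that VT-x/AMD-V is on.
$cs  = Get-CimInstance Win32_ComputerSystem
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
if (-not $cs.HypervisorPresent) {
    if (-not $cpu.VirtualizationFirmwareEnabled) {
        $findings.Add("Virtualization extensions disabled in firmware on $($cpu.Name)")
    }
    $findings.Add('No hypervisor detected: Hyper-V is not actually running on this host')
}
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if (-not $vmms -or $vmms.Status -ne 'Running') {
    $findings.Add('Hyper-V Virtual Machine Management service (vmms) is not running')
}

# 2. SYSRET elevation-of-privilege fix. Only 64-bit NT 6.1 (Windows 7 / Server
#    2008 R2) needs it. A superseding rollup can hide the KB from Get-HotFix,
#    so treat a miss as "check the bulletin", not as proof of exposure.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Version -like '6.1.*' -and $os.OSArchitecture -like '64*') {
    if (-not (Get-HotFix -Id $SysretKB -ErrorAction SilentlyContinue)) {
        $findings.Add("$SysretKB (MS12-042 / CVE-2012-0217) not found on 64-bit $($os.Caption)")
    }
}

# 3. Software on the parent partition. Anything outside the allow-list is a
#    finding; remote-access tools are called out explicitly because they were
#    the entry point in the incident described above.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object -ExpandProperty DisplayName -Unique
foreach ($app in $installed) {
    $isRemoteAccess = $RemoteAccessPatterns | Where-Object { $app -like "*$_*" }
    if ($isRemoteAccess) {
        $findings.Add("Remote-access software on parent partition: $app")
    } elseif ($AllowedSoftware -notcontains $app) {
        $findings.Add("Unexpected software on parent partition: $app")
    }
}

# 4. Local Administrators membership via ADSI (works on older hosts without
#    Get-LocalGroupMember). Shared admin credentials cannot be detected here;
#    the best this check can do is flag accounts that should not exist at all.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
foreach ($member in $members) {
    if ($ExpectedAdmins -notcontains $member) {
        $findings.Add("Unexpected local administrator: $member")
    }
}

# Report. Non-zero exit lets a scheduled task or deployment pipeline fail on findings.
if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it as `.\Audit-HyperVHost.ps1 -AllowedSoftware 'Microsoft Visual C++ 2013 Redistributable (x64)' -ExpectedAdmins 'Administrator','HVADMIN\hostops'` after a fresh build to record the baseline, then rerun it on a schedule; any new line in the output is a change to the parent partition that someone has to explain.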

This story, "Hyper-V 'escape attack,' part 2: The mystery deepens," was originally published at InfoWorld.com. Read more of J. Peter Bruzzese's Enterprise Windows blog and follow the latest developments in Windows at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2014 IDG Communications, Inc.