Security issue found in 64-bit virtualization software running on Intel CPUs

Vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape

Virtualization software has long been the subject of criticism because of real or perceived security flaws. Over the years numerous virtualization exploits have been identified and resolved, but last week there was a significant uptick in conversation about security issues around hypervisors and operating systems, because this time the problem did not affect just a single vendor. Instead, the issue appears to affect a number of different 64-bit hypervisors and operating systems, depending on the type of processor they are running on.

The new security warning came down from the U.S. Computer Emergency Readiness Team (US-CERT) for some virtualized systems running on Intel processors. According to security researchers, some 64-bit operating systems and virtualization software that are operating on Intel CPUs can be vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.


According to US-CERT KB VU#649219, "a ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation."

What this means is that someone may be able to trigger a system exception from within virtualized code and escape from the guest OS into the host environment with elevated privileges. Intel and AMD both ship security features that are supposed to isolate guest operating systems from each other and from the host to prevent exactly this type of attack. Unfortunately, it looks as though there is a flaw in Intel's implementation of this protection scheme that allows an attacker to break free and jump into the protected host OS.

In a recent post on the Xen.org blog, the official Xen Project community blog, the vulnerability was explained as follows: "It has to do with a subtle difference in the way in which Intel processors implement error handling in their version of AMD's SYSRET instruction. The SYSRET instruction is part of the x86-64 standard defined by AMD."

It continued, "If an operating system is written according to AMD's specification, but run on Intel hardware, the difference in implementation can be exploited by an attacker to write to arbitrary addresses in the operating system's memory."

Intel claims that this is a feature and not a bug. The company's vendor disclosure page states, "This is a software implementation issue. Intel processors are functioning as per specifications and this behavior is correctly documented in the Intel® 64 Software Developers Manual, Volume 2B Pages 4-598-599."
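Since Intel calls this a software implementation issue, the fix lands in the operating system's return-to-user path. The following is an added illustration, not code from the article, from Xen, or from any kernel; it assumes (the article does not say so) that the condition which makes Intel's SYSRET raise #GP while still at ring 0 is a non-canonical user return address, and it models the kind of check a kernel can make before choosing the fast SYSRET path over the slower IRET path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 48-bit virtual addresses, as on x86-64 processors of the
 * era. An address is canonical when bits 63..47 are all copies of bit 47,
 * i.e. the top 17 bits are either all zero or all one. */
#define VA_BITS 48

bool is_canonical(uint64_t addr)
{
    uint64_t top_bits = addr >> (VA_BITS - 1);          /* bits 63..47 */
    uint64_t all_ones = UINT64_MAX >> (VA_BITS - 1);    /* 0x1FFFF     */
    return top_bits == 0 || top_bits == all_ones;
}

enum return_path { RETURN_VIA_SYSRET, RETURN_VIA_IRET };

/* Hypothetical decision a kernel makes just before returning to ring 3.
 * On Intel, SYSRET with a non-canonical RIP faults before the privilege
 * and stack switch, so the #GP handler runs at ring 0 on whatever RSP the
 * kernel has already loaded for user mode. IRET performs the switch as a
 * single checked operation, so it is the safe fallback for that case. */
enum return_path choose_return_path(uint64_t user_rip)
{
    return is_canonical(user_rip) ? RETURN_VIA_SYSRET : RETURN_VIA_IRET;
}

int main(void)
{
    /* Constructed sample return addresses for demonstration only. */
    uint64_t samples[] = {
        0x00007fffffffe000ULL, /* typical user-space address: canonical     */
        0xffff800000000000ULL, /* kernel-half address: canonical            */
        0x0000800000000000ULL, /* bit 47 set, upper bits clear: not canonical */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum return_path p = choose_return_path(samples[i]);
        printf("rip=0x%016llx -> %s\n", (unsigned long long)samples[i],
               p == RETURN_VIA_SYSRET ? "SYSRET" : "IRET");
    }
    return 0;
}
```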
