At the Hack in the Box security conference in Amsterdam, ERNW security researchers Enno Rey, Felix Wilhelm, and Matthias Luft presented Compromise-as-a-Service: Our PleAZURE (pdf). The group says they chose to research Hyper-V because there has been "very little research so far," resulting in only four DoS vulnerabilities in six years. Besides being used in a variety of corporate environments, Hyper-V, also known as Windows Server Virtualization, "is also used in a variety of other platforms such as Microsoft Azure or the Xbox One gaming console."

In a newly released technical paper (pdf) on Hyper-V security, the ERNW researchers wrote, "after almost six years on the market, only a handful of Denial-of-Service vulnerabilities were patched. Even though Microsoft's SDL has an impressive track record of producing secure software, this seems like an unrealistically low amount of vulnerabilities for such complex software." The researchers also gave the talk at the Troopers 2014 security conference.

Is the Azure hypervisor the same thing as Hyper-V? ERNW's report states:

Officially, the Microsoft Azure cloud runs on a hypervisor called the "Azure hypervisor," which is not the same as Hyper-V. However, even a cursory look at an Azure VM shows that both hypervisors are at least strongly related. Figure 4 shows a screenshot of an Azure VM with the standard Hyper-V VSC services running and the CPUID instruction executed in an Azure VM. Sharing a code base between Hyper-V and Azure makes sense from an engineering standpoint. For security researchers or malicious attackers targeting Azure, it has the big advantage of allowing offline analysis of the hypervisor.
By concentrating on the Hyper-V attack surface that is also relevant for Azure, the chance to discover vulnerabilities with a serious impact on the Azure cloud is quite high.

Although the researchers found a Hyper-V blue screen bug and reported it as a denial-of-service (DoS) flaw, Microsoft patched it as MS13-092 in November 2013, classifying it as an elevation-of-privilege (EoP) vulnerability. The researchers were then curious about how a DoS could be turned into an escalation-of-privilege flaw. Additional research concluded that an attacker could influence only two values, the page table entry (PTE) and the input guest physical address (GPA). The researchers will continue to analyze Microsoft's patch and the resulting behavior; they called upon other researchers to do the same.

A big portion of the Hyper-V paper explains the architecture and maps the attack surface for VM breakout attacks, but the researchers also discovered "a critical vulnerability in the handling of hypercalls." They called analyzing different Hyper-V versions for silently patched vulnerabilities a "promising activity."

In conclusion, the ERNW researchers wrote:

Our research shows that hypervisors are large and complex software with a significant attack surface. Even if the term "Virtual Air Gap" is quite popular nowadays, our research shows that this gap is much smaller than a physical one. While Hyper-V is solid software and was developed with security in mind, it still suffers from critical security vulnerabilities. This is supposed to motivate other researchers as well to use our results and step in to analyze the huge attack surface of Hyper-V, following the old hacker spirit: Make the Theoretical Practical!
The researchers put it another way at Hack in the Box and were then quoted by hacker and security consultant Xavier Mertens on his rootshell blog: "Any hypervisor is not a new security layer; it's a new place to find bugs."
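The ERNW report's Figure 4 backs the "Azure runs on Hyper-V" observation with the CPUID instruction executed inside an Azure VM. The program below is an added illustration of that check, written for this article and not taken from the ERNW paper or from Microsoft: it reads the "hypervisor present" bit from CPUID leaf 1 and then the 12-byte vendor signature that the hypervisor-vendor leaf 0x40000000 returns in EBX, ECX and EDX. The "Microsoft Hv" signature is the one Microsoft documents for Hyper-V; the other signature strings in the table are the well-known ones for KVM, VMware and Xen. The register values in the test are constructed to spell "Microsoft Hv", so the decoding can be checked without actually running inside a VM; on a non-x86 build the query simply reports nothing.

```c
// Added example (not from the ERNW paper or the article): identify the
// hypervisor a guest runs under via the CPUID hypervisor-vendor leaf.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Leaf 0x40000000 returns a 12-byte vendor signature spread over
 * EBX:ECX:EDX, with the bytes of each register in little-endian order. */
static void hv_signature_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx,
                                   char out[13])
{
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Map a signature to a readable name. "Microsoft Hv" is the signature
 * Microsoft documents for Hyper-V (and therefore what an Azure VM sees). */
static const char *hv_name_from_signature(const char *sig)
{
    if (strcmp(sig, "Microsoft Hv") == 0) return "Hyper-V (also used by Azure)";
    if (strcmp(sig, "KVMKVMKVM") == 0)    return "KVM";
    if (strcmp(sig, "VMwareVMware") == 0) return "VMware";
    if (strcmp(sig, "XenVMMXenVMM") == 0) return "Xen";
    return "unknown hypervisor";
}

/* Convenience helper: do these three registers decode to `expected`? */
static int signature_matches(uint32_t ebx, uint32_t ecx, uint32_t edx,
                             const char *expected)
{
    char sig[13];
    hv_signature_from_regs(ebx, ecx, edx, sig);
    return strcmp(sig, expected) == 0;
}

/* Bit 31 of ECX from CPUID leaf 1 is set when a hypervisor is present. */
static int hypervisor_present(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (ecx >> 31) & 1;
#else
    return 0;  /* CPUID is x86-only; report "no hypervisor detected" */
#endif
}

/* Query the live machine. Returns 1 and fills `out` when a hypervisor
 * advertises itself, 0 otherwise. Uses __cpuid directly because
 * __get_cpuid rejects leaves above the basic maximum. */
static int read_hv_signature(char out[13])
{
    out[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!hypervisor_present()) return 0;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_signature_from_regs(ebx, ecx, edx, out);
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    char sig[13];
    if (read_hv_signature(sig))
        printf("hypervisor present: \"%s\" -> %s\n", sig,
               hv_name_from_signature(sig));
    else
        printf("no hypervisor advertised via CPUID\n");
    return 0;
}
```

Run on an Azure VM this prints the "Microsoft Hv" signature, which is the same result a Hyper-V guest gets; that shared identity is what the report's Figure 4 shows. The check is a routine inventory step for a defender (it tells you which hypervisor's patch level you depend on), and it is also why the report notes that Hyper-V can be analyzed offline when the target of interest is Azure.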