According to US CERT KB VU#649219 - A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation
What this means is that someone can cause a system exception in virtualized code and escape from the guest OS and into the Host environment with elevated privileges. This is concerning as the push for virtualization has been going on for quite some time. Both Intel and AMD package security features that are supposed to isolate the guest operating systems from each other and the host to prevent this type of attack. Unfortunately it looks like there is a flaw in Intel’s implementation of this protection that allows an attacker to break free and into the protected host OS.
There is good news though not all virtualization products are affected, but the list does include some popular ones such as Xen (including Cirtix’s implementation of it), FreeBSD (which does not include Apple’s Parallels), Microsoft’s Virtualization products in Windows 7 and Windows 2008 R2 (which by extension includes their virtualization product based on the Win 2008 R2 kernel) and Red Hat, Oracle (meaning Virtual Iron and Virtual Box is affected too), SUSE… it is quite a listing.
VMware seems to be unaffected by this issue while Debian and Fedora are still in question at the time of this writing. From looking at the listing and the affected software vendors this looks to be not only an issue with the Intel CPUs in question, but also the implementation of features by the software vendors. If it were a simple hardware exploit then the issue would be across all software virtualization products.
Still we will be very interested to hear what Intel has to say about this as it is a serious flaw and one that should not be open to attackers. The companies that are affected need to work very fast to patch their software so that they are not vulnerable to this while companies that are using their products need to be ready to implement the patches as soon as they are ready.
Again, it is looking like 2012 will go down in history as a pretty major year for security flaws.
Discuss this in our Forum