Happy Patch Tuesday

Author(s): Eric Rand

In today's batch of patches from Microsoft, there are several very important vulnerabilities, but there is one that is specifically critical for users of Alienvault installations.

MS17-0075 describes a remote code execution vulnerability on Hyper-V systems. Given that hosting Alienvault instances on Hyper-V has become more popular of late, now that Alienvault supports running instances under Hyper-V, it is likely that many clients will need to patch this issue specifically.

Microsoft's link concerning this issue is here: https://technet.microsoft.com/library/security/MS17-008

Please note that MS17-0075 is the specific RCE vulnerability and is rated as 'critical'; there are other vulnerabilities addressed by this specific patch level.

The vulnerability in this particular instance appears to be a 'VM escape' type issue, where a program executed on a VM can coerce execution of unauthorized processes on the hypervisor system, outside of the context of the VM. VM escape vulnerabilities are quite severe, as they allow a malicious user to affect other systems running on the same physical machine as the VM to which they have normal access.

Potential impact to Alienvault users hosting their AV systems under Hyper-V would include denial of service against their AV system, compromise of AV system resources, compromise of log integrity for logs stored on the AV system, or various other kinds of attacks. Because the attacker would have what amounts to illegitimate administrative access to the hypervisor system, they would be able to take any number of actions against hosted VMs, and do so outside of normal, audited channels.

Administrators who have Hyper-V installations are urged to apply this patch as soon as is feasible. Skilled and motivated attackers are sometimes capable of reverse-engineering patches to determine valid exploits, and for a widespread and severe case like this, it is likely there will be attacks in the wild sooner rather than later.

If the patch cannot be applied immediately, it may be advisable to quarantine individual VMs on separate physical hardware in order to mitigate the spread of potential attacks in the virtual environment. It must be stressed that this can only be a very short-term, temporary measure.

There is no specific need to change from Hyper-V to other hypervisor environments; VM escape exploits have been identified for all major virtualization environments. This is a known and expected type of vulnerability to find, and should be anticipated as part of a regular patching and maintenance cycle.

If you have any questions about how this vulnerability may impact your installations, please feel free to contact me.

v/r,
--Eric Rand