#HITB2021AMS D2T2 – A QEMU Black Box Escape Via USB Device – Lingni Kong, Yanyu Zhang & Haipeng Qu
As the most popular open-source cloud architecture, OpenStack uses QEMU-KVM as the virtualization implementation for its compute nodes. The threat posed by vulnerabilities in QEMU is therefore highly relevant to cloud platform security. Although Red Hat fixes a large number of QEMU vulnerabilities every year, most of them do not affect OpenStack because they only exploit components that OpenStack does not expose; examples are CVE-2015-5165 and CVE-2015-7504, presented at the HITB security conference.
Some serious vulnerabilities do affect OpenStack, such as CVE-2015-3456 (known as the VENOM vulnerability), a heap overflow in the virtual floppy disk device. However, no one has publicly shown a complete exploit or a relevant approach for it. As mentioned above, only a few vulnerabilities can be used to escape from an OpenStack virtual machine. Developing a virtual machine escape exploit is even more challenging in the public cloud, since it is difficult for an attacker to obtain key information such as the QEMU version, binary files, and so on. Thus, from the perspective of an attacker targeting public cloud instances, what matters is not only the exploitability of a vulnerability or the stability of a method; it is more vital to be able to escape the affected virtual machine without any additional information.
In this paper, we first briefly introduce the QEMU-KVM architecture, then propose the new concept of a black box escape. After an in-depth analysis of CVE-2020-14364, we present our approach to achieving a black box escape from a QEMU virtual machine.
===
A member of the Information Security Lab of the Ocean University of China
—
Chaitin Tech security researcher and member of Tea Deliverers. Focuses on virtualization security; demonstrated an ESXi escape for the first time at GeekPwn2018 and won the best technology award.
Has shared virtual machine escape cases at HITCON, 36C3 and other security conferences.
—
He is an Associate Professor in the College of Computer Science of the Ocean University of China, the Leader of the Information Security Lab of the Ocean University of China, and Co-founder of the Blue-Whale Security Research Team. His research interests focus on cryptography and software security analysis.
Source: Hack In The Box Security Conference