{"id":15019,"date":"2014-10-22T15:53:42","date_gmt":"2014-10-22T15:53:42","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2739"},"modified":"2020-02-26T10:56:51","modified_gmt":"2020-02-26T15:56:51","slug":"how-a-linux-bug-may-affect-virtual-infrastructure","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/how-a-linux-bug-may-affect-virtual-infrastructure\/15019\/","title":{"rendered":"How a Linux bug may affect Virtual infrastructure"},"content":{"rendered":"<p>This article is a follow-up to our earlier piece <a href=\"https:\/\/business.kaspersky.com\/how-a-linux-bug-may-affect-windows-based-infrastructure\/2716\" target=\"_blank\" rel=\"noopener nofollow\">\u201cHow a Linux bug may affect Windows-based infrastructure\u201d<\/a>.<\/p>\n<p>Virtual infrastructure may be largely Windows-based, since most of the virtual endpoints may well run Windows, while the hypervisor may be (and most likely is) Linux-based. In that case the hypervisor may be susceptible to attack via a vulnerable version of Bash (<a href=\"https:\/\/www.kaspersky.com\/blog\/shellshock-how-to-check-and-update-potentially-vulnerable-systems\/15011\/\" target=\"_blank\" rel=\"noopener nofollow\">Shellshock, again<\/a>).<\/p>\n<p>Hypervisors can be attacked both from the outside, just like any other PC or server, and from the inside \u2013 i.e. from a virtual machine running on that hypervisor. 
In the first case, attackers first have to locate the hypervisor within the corporate network.<\/p>\n<p>In the second case the sequence may look like this:<\/p>\n<p>a) An attacker finds an under-protected Windows-based virtual machine and takes it over using phishing or a watering-hole attack (directed at the user, of course).<\/p>\n<p>b) Having gained the initial foothold, the attacker may attempt to use so-called \u201c<a href=\"http:\/\/en.wikipedia.org\/wiki\/Virtual_machine_escape\" target=\"_blank\" rel=\"noopener nofollow\">virtual machine escape<\/a>\u201d vulnerabilities (such as CVE-2008-0923, CVE-2009-1244, etc.) to break out of the \u201cisolated\u201d VM and interact with the host OS \u2013 i.e. the hypervisor itself. This interaction may take the form of an attack exploiting the Shellshock flaw.<\/p>\n<p>c) Gaining access to the hypervisor means gaining control over every other virtual machine running on the host. Because the hypervisor sits between the physical hardware and the guest operating system, an attacker will then be able to circumvent security controls on the virtual machine. On all of them, actually.<\/p>\n<p>Multistage attacks may sound sophisticated, but there is nothing exotic about them. 
The fact that both Heartbleed and Shellshock are easy to exploit further increases the risk of these scenarios becoming a reality.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/10\/06020144\/virtual_wide-1.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-2741\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/10\/06020144\/virtual_wide-1.jpg\" alt=\"virtual_wide\" width=\"1000\" height=\"700\"><\/a><\/p>\n<p>As a matter of fact, vendors of virtualization solutions do consider such possibilities.<\/p>\n<p><strong>VMware<\/strong><\/p>\n<p>VMware acknowledged that certain products, namely ESX 4.0 and 4.1, have a vulnerable version of the Bash shell, and recommended installing patches. Patching a number of virtual appliances that run Linux, such as vSphere Replication 5.8, is also recommended.<\/p>\n<p>Details are available in <a href=\"http:\/\/kb.vmware.com\/selfservice\/microsites\/search.do?language=en_US&amp;cmd=displayKC&amp;externalId=2090740\" target=\"_blank\" rel=\"noopener nofollow\">this bulletin<\/a>.<\/p>\n<p><strong>Xen<\/strong><\/p>\n<p>Citrix and Xen Project also acknowledged a possible vulnerability in XenServer:<\/p>\n<p><em>\u201cIn deployments where the Citrix XenServer host is configured to use DHCP for the host IP address allocation, this issue could allow an attacker with access to the management network to compromise the Citrix XenServer host.\u201d<\/em><\/p>\n<p>More technical details are available in Xen\u2019s <a href=\"http:\/\/xenserver.org\/blog\/entry\/security-bulletin-covering-shellshock.html\" target=\"_blank\" rel=\"noopener nofollow\">bulletin<\/a> as well as in Citrix\u2019s <a href=\"https:\/\/support.citrix.com\/article\/CTX200223\" target=\"_blank\" rel=\"noopener nofollow\">support site article<\/a>, both covering the Shellshock issue.<\/p>\n<p><strong>KVM<\/strong><\/p>\n<p>KVM is supposed 
to use Linux (<a href=\"http:\/\/www.webhostingtalk.com\/showthread.php?t=1416441\" target=\"_blank\" rel=\"noopener nofollow\">Ubuntu, for instance<\/a>) as the hypervisor OS, which also means it may be exploitable via Shellshock. To ensure safety, the Linux distributions used there should be updated.<\/p>\n<p><strong>Oracle<\/strong><\/p>\n<p>In its special <a href=\"http:\/\/www.oracle.com\/technetwork\/topics\/security\/bashcve-2014-7169-2317675.html\" target=\"_blank\" rel=\"noopener nofollow\">Shellshock-related security bulletin<\/a> Oracle acknowledged that Oracle VM versions 2.2, 3.0, 3.1, 3.2, 3.3 are among the products that require patches against the Shellshock vulnerability. Note that the bulletin was last updated on October 21<sup>st<\/sup>, so it requires extra attention.<\/p>\n<p><strong>Microsoft Azure<\/strong><\/p>\n<p>This is a non-Linux solution, but Bash may still be present there. When asked about the possibility of exploitation, Bilal Alam, Microsoft\u2019s Partner Development Manager, Azure Websites, <a href=\"http:\/\/stackoverflow.com\/a\/26049596\" target=\"_blank\" rel=\"noopener nofollow\">wrote the following<\/a>:<\/p>\n<p><em>\u201cAzure WebSites is safe with respect to ShellShock. Azure WebSites uses IIS as our web server and we do not expose any external anonymously-accessible endpoint which exposes\/calls Bash.<\/em><\/p>\n<p><em>Note that we do install Bash as part of our VM installation (it comes with Git). But we do not expose any vector for calling into this shell remote\/anonymously. We will be updating Bash for caution-sake.\u201d<\/em><\/p>\n<p>Again, the hypervisor requires particular attention. Recently a fellow IT worker told us about a situation they had to deal with: a hypervisor failure (apparently a hardware problem) led to the crash of an entire park of virtual machines. 
It wasn\u2019t related to Shellshock, and most likely had nothing to do with any type of malicious attack, but consequences were disastrous, even though the system was eventually reanimated.<\/p>\n<p>In a case where the attackers take over a hypervisor via whatever means, they would have the entire park of VMs under their control \u2013 with all the data stored therein, all incoming and outgoing traffic, etc. It\u2019s a perfect position for cyber-espionage and something that no company would want.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Linux bugs may affect or directly threaten entire virtualization infrastructures: Whatever OS is used on VMs, an attack on a hypervisor is possible from both the outside and inside, and exploitation of the dreaded Shellshock vulnerability on Linux-based hypervisors is a possibility, too.<\/p>\n","protected":false},"author":209,"featured_media":15909,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[562,398,2196,2205],"class_list":{"0":"post-15019","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-linux","10":"tag-patches","11":"tag-shellshock-bash-bug","12":"tag-virtual-infrastructure"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/how-a-linux-bug-may-affect-virtual-infrastructure\/15019\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/how-a-linux-bug-may-affect-virtual-infrastructure\/15019\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/how-a-linux-bug-may-affect-virtual-infrastructure\/15019\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/linux\/","name":"Linux"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15019","targetHints":{"allow":["GET"]}}],"collec
tion":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15019"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15019\/revisions"}],"predecessor-version":[{"id":33358,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15019\/revisions\/33358"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15909"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}