0 / 10 flipped
VM Escape
Tap to reveal
An attack where an attacker breaks out of an isolated VM and gains access to the hypervisor host OS or other VMs on the same physical machine. VM escape defeats the core isolation model of virtualization. If successful, the attacker can potentially control every VM the hypervisor manages. It is typically achieved by chaining multiple vulnerabilities β a guest OS bug plus a hypervisor hardware simulation bug.
Pwn2Own 2017 β Three Chained Vulnerabilities
Tap to reveal
The canonical VM escape example: (1) Microsoft Edge JavaScript engine bug β code execution inside Edge sandbox. (2) Windows 10 kernel bug β full guest OS compromise. (3) VMware hardware simulation bug β escape to the host. Each step alone was limited; the chain achieved full host access. All three vendors patched after the competition. Demonstrates why hypervisor hardware simulation bugs are critical severity.
Resource Reuse
Tap to reveal
A virtualization vulnerability where physical memory (or storage) reclaimed from one VM is assigned to another VM without being zeroed first. The second VM can read residual data from the first β credentials, encryption keys, application data. Resource reuse is an information disclosure vulnerability. Fixed by memory scrubbing (hypervisor zeros pages before reassignment). Critical in multi-tenant cloud environments where different customers share the same physical host.
Memory Scrubbing
Tap to reveal
The hypervisor process of zeroing physical memory pages before assigning them to a new VM. Memory scrubbing prevents resource reuse data leakage β a VM receiving zeroed pages cannot read anything from the previous VM that used that memory. A required security control in any shared/multi-tenant virtualization environment. Bugs in the scrubbing logic can create windows where zeroing is skipped.
VM Sprawl
Tap to reveal
The accumulation of unmanaged, untracked virtual machines β particularly orphaned VMs with no active owner. Orphaned VMs run unpatched OS versions, retain their original network access, and are not monitored. VM sprawl expands the attack surface and creates persistent, undetected beachheads for attackers. Prevented by VM lifecycle policies that require ownership registration and automatically deprovision unowned VMs.
Hypervisor
Tap to reveal
The software layer that creates, runs, and enforces isolation between VMs on a physical host. The hypervisor allocates CPU, memory, storage, and network resources to each VM and maintains the boundaries between them. It is the enforcement engine for VM isolation. Hypervisor vulnerabilities are critical β a bug in the hypervisor affects the security of every VM it hosts. Hypervisor patches should be treated with the same urgency as OS kernel patches.
Hardware Simulation Bug
Tap to reveal
A vulnerability in the hypervisor's emulation of virtual hardware devices (network cards, storage controllers, etc.) for guest VMs. Bugs in the simulation layer can allow a guest to manipulate the hypervisor directly, potentially escaping VM isolation. Hardware simulation bugs were the critical final step in the Pwn2Own 2017 VMware escape β the layer between a guest OS compromise and full host access.
Why must VMs be patched like physical machines?
Tap to reveal
VMs run real operating systems and real applications with real vulnerabilities β the virtual wrapper does not protect against OS or application exploits. A VM running an unpatched Windows Server has all the same vulnerabilities as a physical server running the same unpatched OS. VMs need: OS patching, application updates, endpoint protection, access controls, and monitoring β identical to physical machines. Being virtual adds risks (VM escape, resource reuse); it removes none.
Resource Overcommitment
Tap to reveal
When a hypervisor allocates more virtual resources to VMs than are physically available. Example: 4 GB of physical RAM supporting three VMs each allocated 2 GB (6 GB total). This works because VMs rarely use their full allocation simultaneously β the hypervisor dynamically lends physical pages to whichever VM needs them. Overcommitment is efficient and normal; the security risk is that shared physical pages must be zeroed when reclaimed to prevent resource reuse data leakage.
Why is VM escape considered "the ultimate" virtualization attack?
Tap to reveal
Because it defeats the entire virtualization isolation model in one step. Every VM on a hypervisor shares the same physical host. If an attacker escapes from one VM to the host, they can potentially access every other VM the hypervisor manages β including their memory, storage, and network traffic. Instead of compromising one system, the attacker compromises the entire virtual infrastructure. A hypervisor managing 100 VMs means a single VM escape can affect 100 systems simultaneously.