Chapter 34 Β· Quiz

Virtualization Vulnerabilities Quiz

Multiple choice, matching, analysis, and evaluation questions.

Part A β€” Multiple Choice

Q1
What is a VM escape, and why is it considered the most severe type of virtualization attack?
βœ… Correct: B. A VM escape breaks the isolation boundary between a VM and the host (or other VMs). It is the most severe virtualization attack because the hypervisor manages many VMs on one physical host β€” escaping to the host gives access to all of them. Instead of compromising one VM, the attacker compromises the entire virtual infrastructure.
Q2
In the Pwn2Own 2017 VMware escape demonstration, researchers used three chained vulnerabilities. Which of the following correctly describes the final step that crossed the VM isolation boundary?
βœ… Correct: C. The VMware hardware simulation bug was the final step. The Edge JS bug (A) achieved sandboxed code execution. The Windows 10 kernel bug (B) achieved guest OS compromise. Neither of these crossed the VM boundary β€” that required the VMware hardware simulation bug, which let code running in the compromised guest manipulate the hypervisor layer and escape to the host.
Q3
A hypervisor host has 4 GB of physical RAM. It runs three VMs, each allocated 2 GB. Security researchers warn about a resource reuse vulnerability. What is the specific risk this vulnerability presents?
βœ… Correct: B. Resource reuse is specifically about memory pages that are reclaimed from one VM and reassigned to another without being zeroed. If the hypervisor fails to zero the pages, residual data (credentials, keys, application state) from the first VM remains readable by the second. This is an information disclosure vulnerability β€” data leaks across VM isolation via shared physical memory.
Q4
An organization discovers 200 virtual machines on its infrastructure with no registered owners, running OS versions that are 18 months out of date on patches, and with firewall rules granting access to production network segments. What is this condition called, and what is the primary security concern?
βœ… Correct: C. VM sprawl β€” the accumulation of unmanaged, orphaned VMs. The primary concerns are: (1) unpatched OS makes the VMs easy targets, (2) persistent firewall access to production segments means a compromised orphaned VM is a direct pivot point into production, and (3) no monitoring means compromise goes undetected. VM escape (A) and resource reuse (B) are different vulnerability types. Overcommitment (D) is a resource allocation concept, not a security vulnerability by itself.
Q5
Why must virtual machines receive the same OS patching treatment as physical machines?
βœ… Correct: B. VMs run real OS instances β€” Windows, Linux, etc. β€” with the same vulnerabilities as their physical counterparts. The hypervisor does not patch guest OS vulnerabilities; it only enforces isolation between VMs. An unpatched Windows Server VM is just as vulnerable to OS exploits as an unpatched physical Windows Server. Option D is particularly dangerous β€” snapshot rollback is a recovery tool, not a security control, and using it after compromise may still leave data exposed.

Part B β€” Matching

Match each virtualization vulnerability to its correct description.

TERM

VM Escape
Resource Reuse
VM Sprawl
Hardware Simulation Bug

DESCRIPTION

Physical memory pages not zeroed before reassignment β€” residual data from one VM readable by another
A hypervisor flaw in emulated virtual hardware that allowed the Pwn2Own 2017 attack to cross the VM boundary to the host
Accumulation of unmanaged, orphaned VMs running unpatched OS with unconstrained network access
Breaking out of isolated VM isolation to reach the hypervisor host or other guest VMs on the same physical machine

Part C β€” Analysis

Q6 β€” Analyze
A hypervisor vendor releases a patch for a critical vulnerability in the hardware device simulation layer. A security manager says: "Patching the hypervisor requires a maintenance window and will briefly interrupt all 200 VMs on that host. We'll schedule it for next month's maintenance window." Analyze the risks of this decision.
βœ… Correct: C. A hardware simulation bug in a hypervisor is exactly the type of vulnerability used in VM escape attacks (as demonstrated in Pwn2Own 2017). Delaying the patch a month keeps all 200 VMs exposed to an attack that, if successful, gives an attacker access to every VM on the host. Hypervisor patches for hardware simulation vulnerabilities should be treated as critical and applied on an emergency schedule β€” the brief interrupt of 200 VMs is far preferable to a potential full-host compromise. VM escape does not require physical access (D) β€” it is performed from inside a compromised VM over the network.

Part D β€” Evaluation

Q7 β€” Evaluate
A cloud architect argues: "VM isolation ensures that our customers' VMs are completely secure from each other. Even if one customer's VM is fully compromised, the isolation boundary means no other customer is at risk." Evaluate this claim.
βœ… Correct: B. VM isolation is a strong control and is effective against most threats β€” but it is not an absolute guarantee. The Pwn2Own 2017 demonstration showed that a real-world VM escape is achievable by chaining hypervisor vulnerabilities. Resource reuse vulnerabilities have also been demonstrated where data leaks between VMs via shared memory. The claim that a fully compromised VM poses "no risk" to others overstates the isolation guarantee. Proper cloud security requires defense-in-depth: patch hypervisors promptly, enable memory scrubbing, segment VM networks, and monitor for anomalous cross-VM activity.
0/7
Questions Answered Correctly