Zero Day Initiative, a security research program that offers rewards for successful hacks, reported that on last day of their recent "PWN2OWN 2017" competition, a team of contestants pulled off an unique and challenging feat: they compromised a virtual machine and managed to "escape" to the host system running the virtualization software. The hack involved three distinct and challenging tasks:
- Compromising Microsoft's Edge Browser
- Compromising the Guest Operating System (running Windows 10)
- Compromising the VMware Workstation virtualization software
And this was all accomplished through a controlled website. Although this may not be the first time each individual layer was compromised, this is perhaps the first reported instance where all three were bypassed at once. Even if you factor in this being only a "proof of concept," the implications are significant.
Virtual machines represent a critical security boundary to organizations everywhere. To say nothing of the myriad of hosted environments where this technology is paramount in keeping customer data not just secure, but also private from each other since they may be running on the same physical hardware. Browser sandboxes, in particular the one in Microsoft's Edge Browser, are considered very difficult to bypass.
A hack that can "break out" of a virtual machine is also significant and is a sign that any technology layer -- no matter how seemingly secure -- is subject to a hack and must be planned for when implementing security. Virtual machines in general have a perception of being an unbreakable security layer, but as this hack proves, any layer connected to the internet can be compromised.
As concerning as this hack is, there are security strategies organizations can adopt to combat this specific attack. For example, implementing multi-factor authentication (MFA) along with centralized identity management would help prevent an attacker from even getting inside a virtual machine (or a host machine for that matter). Compared to only needing a password for access, you will have boosted your security beyond what a password alone can do.
Another security best practice to employ is the least privilege model, where privileged accounts are only given the precise level of access they are needed and only to specific systems. Combined with MFA this would further mitigate the damage caused if an attacker somehow managed to access a virtual machine (or host).
Fortunately this hack was part of an ethical competition sponsored by a security company. The precise details of the attack will not be disclosed until all the affected vendors have patched the exploits used. The silver lining is that while this specific attack will be addressed, it should still serve as a wakeup call to rethink how secure the virtual machine layer truly is and to have a mature security strategy in place to counter this and all threats to your organization.
Learn how to protect your organization from data breaches and financial ruin here.