New Vulnerability for the Linux Kernel: Januscape Allows 'Escaping' from VMs
It is called Januscape, it is 16 years old, and it is the latest vulnerability discovered in the Linux kernel, more specifically in the virtual machine management subsystem (KVM, Kernel Virtual Machine). It was discovered by researcher Hyunwoo Kim, who verified how it is possible to "escape" from the confinement of virtual machines to take control of the host machine.
Januscape Allows Escaping from VMs
Januscape is a vulnerability that remained in the Linux kernel for about sixteen years before being detected and fixed last June, with Kim receiving a reward through Google’s bug bounty program kvmCTF.
The bug allows exiting the isolation to which virtual machines are subjected, meaning that it is not possible to execute commands in guest machines to influence the host machines. Januscape works thanks to a mechanism known as "use after free": a portion of memory is deleted but continues to be used subsequently; this makes it possible, by knowing its location, to insert data and instructions at will.
In this case, two outcomes are possible: the first is to crash the host machine causing a kernel panic, resulting in a situation of denial of service (consider cloud services, where physical machines are shared among dozens of VMs); the second is, in distributions like Red Hat Enterprise Linux, to take control of the host machine by obtaining root permissions, meaning the ability to perform any operation without limitations.
The researcher who discovered it claims that the vulnerability affects both Intel and AMD processors (ARM ones were subject to another vulnerability called ITScape, discovered by the same Kim) and that it is necessary to have root permissions on the guest machine to exploit the vulnerability. If root permissions are not available, it is possible to exploit Dirty Frag (discovered again by Kim) to obtain them on unpatched machines and conduct the attack.
Kim has published a proof of concept for the attack version that leads to kernel panic; the version that obtains root permissions on the host machine will be released "in a very distant future" to ensure that as many machines as possible are updated to be protected.