Vulnerability Alert

Microsoft Virtual PC and Virtual Server Guest Operating System Privilege Escalation Vulnerability

 
Threat Type:CWE-264: Permissions, Privileges, and Access Control
IntelliShield ID:18613
Version:2
First Published:2009 July 14 18:13 GMT
Last Published:2010 March 10 15:16 GMT
Port: Not available
CVE:CVE-2009-1542
Urgency:Unlikely Use
Credibility:Confirmed
Severity:Mild Damage
CVSS Base:4.3 CVSS Calculator
CVSS Version 2.0
CVSS Temporal:3.2
 
Version Summary:

Microsoft has re-released a security bulletin and updated software to address the Microsoft Virtual PC and Virtual Server guest operating system privilege escalation vulnerability.

 
 
Description

Microsoft Virtual PC and Virtual Server contain a vulnerability that could allow a local attacker to assume control over a virtual system.

This vulnerability is due to errors when the vulnerable applications validate privilege levels within the Virtual Machine Monitor driver.? A local attacker could exploit this vulnerability to gain escalated privileges within the virtual operating system, resulting in the compromise of the virtual host.

Microsoft has confirmed this vulnerability in a security bulletin and released updated software.

 
Warning Indicators

The following Microsoft products are affected:

  • Microsoft Virtual PC 2004 SP1 and prior
  • Microsoft Virtual PC 2007 SP1 and prior
  • Microsoft Virtual PC 2007 x64 Edition SP1 and prior
  • Microsoft Virtual Server 2005 R2 SP1 and prior
  • Microsoft Virtual Server 2005 R2 x64 Edition SP1 and prior
 
IntelliShield Analysis

To?exploit this vulnerability, an attacker requires local access to an affected system and a virtual host, or have the ability to log in locally to a virtual host using remote access such as Remote Desktop or Terminal Services.? The attacker will?likely require either physical access to a vulnerable system or access to trusted network segments.? These requirements?limit the potential source of attacks.

An exploit within a virtual operating system will not likely allow the attacker to affect the host operating system.? Any impact will be limited to the individual virtual host.? However, depending on the functions of the virtual host, a compromise could affect critical operations or expose sensitive information.

The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the July 2009 security bulletin release.? This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for July 2009

The update available from Microsoft corrects this vulnerability by properly determining privilege levels within the virtual host.

 
Vendor Announcements

Microsoft has re-released a security bulletin at the following link: MS09-033

 
Impact

A local attacker could exploit this vulnerability to gain elevated privileges within a virtual operating system.? An exploit could allow the attacker to take complete control over the virtual system; however, the attacker will likely be unable?to gain additional privileges on the host system.

 
Technical Information

The vulnerability is due to errors when the vulnerable applications validate privilege levels within the Virtual Machine Monitor driver.? The driver filters and processes requests from virtual machines to the underlying system hardware.? Malformed requests that are processed by the driver may be interpreted as having a higher security context, allowing a local attacker to take privileged actions within the virtual operating system.

A local attacker could exploit this vulnerability by running a program that is designed to issue a malicious request to the vulnerable application.? As a result, the attacker could perform actions with administrative privileges, possibly resulting in the complete compromise of the virtual machine.

 
Safeguards

Administrators are advised to apply the available software updates.

Administrators are advised to restrict system access to trusted users.

Administrators are advised to monitor critical systems.

 
Patches/Software

Microsoft customers can obtain updates directly by using the links in the security bulletin.  These updates are also distributed by Windows automatic update features and available on the Windows Update website.  Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.

 
Alert History
 

Version 1, July 14, 2009, 2:13 PM: Microsoft Virtual PC and Virtual Server contain a vulnerability that could allow a local attacker to assume control over a virtual system.  Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc.Virtual PC 2004 Base, SP1 | 2007 Base, SP1 | 2007 x64 Edition Base, SP1
Microsoft, Inc.Virtual Server 2005 Standard Edition Base | Standard Edition R2 Base, SP1 | Standard Edition R2 x64 Edition Base, SP1 | Enterprise Edition Base | Enterprise Edition R2 Base, SP1 | Enterprise Edition R2 x64 Edition Base, SP1

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by  IntelliShield