SA97 : Malware Analysis Appliance VM Escape

1327

03 March 2020

30 June 2015

CLOSED

HIGH

CVSS v2: 8.3

SUMMARY

The Malware Analysis Appliance (MAA) is vulnerable to a virtual machine escape where a sample being analyzed could change content and destination path of files being saved on the host’s file system during analysis. Correct manipulation of the path and content could lead to code execution or denial of service on the MAA host.

AFFECTED PRODUCTS

Malware Analysis Appliance
CVE Affected Version(s) Remediation
All CVEs 4.2 Upgrade to 4.2.5.
4.1 Upgrade to later release with fixes.

 

Malware Analyzer G2
CVE Affected Version(s) Remediation
All CVEs All versions Upgrade to latest release of MAA with fixes.

 

ISSUES

CVE-2015-4523
Severity / CVSSv2 High / 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C)
References NVD: CVE-2015-4523
Impact Privilege escalation

 

The Malware Analysis Appliance (MAA) executes binaries submitted for analysis inside a virtual machine (VM).  During analysis, artifacts in the form of files are retrieved from the VM by the host and are written to the host's file system.  A binary running in the VM can craft malicious content and specify where it is stored within the host file system.

A sample that has been loaded into MAA can, as a lower privileged user, use this vulnerability to create and overwrite certain files.  This could allow an attacker to cause a reboot or a reset to factory defaults.  In specialized circumstances, the attacker could execute code as a lower privileged user.

ACKNOWLEDGEMENTS

Thank you to Jurriaan Bremer for reporting the vulnerability.

REVISION

2015-10-02 Changed status to final
2015-07-13 Title Update
2015-06-30 Initial public release