SA97 : Malware Analysis Appliance VM Escape
1327
03 March 2020
30 June 2015
CLOSED
HIGH
CVSS v2: 8.3
SUMMARY
The Malware Analysis Appliance (MAA) is vulnerable to a virtual machine escape where a sample being analyzed could change content and destination path of files being saved on the host’s file system during analysis. Correct manipulation of the path and content could lead to code execution or denial of service on the MAA host.
AFFECTED PRODUCTS
| Malware Analysis Appliance | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | 4.2 | Upgrade to 4.2.5. |
| 4.1 | Upgrade to later release with fixes. | |
| Malware Analyzer G2 | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | All versions | Upgrade to latest release of MAA with fixes. |
ISSUES
| CVE-2015-4523 | |
|---|---|
| Severity / CVSSv2 | High / 8.3 (AV:N/AC:M/Au:N/C:P/I:P/A:C) |
| References | NVD: CVE-2015-4523 |
| Impact | Privilege escalation |
The Malware Analysis Appliance (MAA) executes binaries submitted for analysis inside a virtual machine (VM). During analysis, artifacts in the form of files are retrieved from the VM by the host and are written to the host's file system. A binary running in the VM can craft malicious content and specify where it is stored within the host file system.
A sample that has been loaded into MAA can, as a lower privileged user, use this vulnerability to create and overwrite certain files. This could allow an attacker to cause a reboot or a reset to factory defaults. In specialized circumstances, the attacker could execute code as a lower privileged user.
ACKNOWLEDGEMENTS
Thank you to Jurriaan Bremer for reporting the vulnerability.
REVISION
2015-10-02 Changed status to final
2015-07-13 Title Update
2015-06-30 Initial public release