Security researchers have discovered a number of vulnerabilities in the Intel Unified Shader Compiler for the Intel Graphics Accelerator that could enable an attacker with normal user privileges in a guest to make a virtual machine unresponsive.
According to a blog post by Piotr Bania of Cisco Talos, in order for graphics to be produced, the graphics accelerator needs to process OpenGL shader programs into actual graphics. That process is named "shader compilation." On the Intel Graphics Accelerator, this is done inside the igdusc64 dynamic link library (DLL), and this is where the vulnerabilities exist.
The first flaw (CVE-2018-12152) is an exploitable pointer corruption vulnerability in Intel's Unified Shader Compiler for Intel Graphics Accelerator, version 10.18.14.4889. A specially crafted pixel shader can cause a pointer corruption that, if exploited successfully, may lead to code execution.
"An attacker can trigger the vulnerability by supplying a specially crafted shader file, either in binary or text form. The vulnerability can be triggered from a VMware guest affecting VMware host (potentially causing VMware to crash or a guest-to-host escape). Under specific circumstances, WebGL may also be an attack vector," said Bania.
A second flaw (CVE-2018-12153) is an exploitable denial-of-service vulnerability in the same graphics accelerator. An attacker can provide a specially crafted shader file (either in binary or text form) to trigger this vulnerability. It can be triggered from a VMware guest and crashes the vmware-vmx.exe process on the host.
A third flaw (CVE-2018-12154) is an exploitable pointer corruption vulnerability. A specially crafted pixel shader can cause an infinite loop, leading to a denial of service.
"The vulnerability can be triggered from a VMware guest affecting the VMware host, where the vmware-vmx.exe will become unresponsive while consuming CPU resources," said Bania.
Bania added that the flaws that may lead to virtual machine guest-to-host escape are especially insidious, as they may expose more than just the targeted system. "The possibility of a remote attack vector through WebGL increases the risk posed by this vulnerability, as it provides a bigger landscape of attack," he said.
According to a blog post by VMware, there is "no patch for this issue, customers must review their risk and apply the workarounds if applicable." Workarounds can be found here.
Nicholas Griffin, senior cyber security specialist at Performanta, told SC Media UK that for anybody using Intel’s graphics processors, this could be a very serious vulnerability.
"Whilst the impact footprint is lower than Meltdown and Spectre, this vulnerability is probably more serious. Why? Because this is likely to be used in real world attacks, rather than being largely theoretical," he said.
"It is trivial for an attacker to load a malicious shader, and this vulnerability even has significant potential to break out of virtual machines. Thankfully, mitigation just involves a quick and easy graphics driver update, which has already been made available through Intel. For virtual machines, disabling 3D acceleration will protect you."
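The workaround for virtual machines that Griffin describes is disabling 3D acceleration, which keeps guest shaders from ever reaching the host-side compiler. The following is an added example, not code from the article, Intel or VMware: it audits a VMware .vmx configuration for 3D acceleration and produces a corrected copy. It assumes VMware's `mks.enable3d` key controls the feature and treats an absent key as disabled; the sample .vmx content is constructed.

```python
import re
from typing import Dict

# Constructed sample .vmx content (not taken from the article).
SAMPLE_VMX = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "guest-with-3d"
mks.enable3d = "TRUE"
svga.vramSize = "268435456"
'''

# .vmx files are key = "value" lines; keys are matched case-insensitively.
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key/value pairs from .vmx text, ignoring blanks and comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def three_d_enabled(settings: Dict[str, str]) -> bool:
    """3D acceleration counts as on only when mks.enable3d is explicitly TRUE (assumption)."""
    return settings.get("mks.enable3d", "").strip().lower() == "true"


def audit_vmx(text: str) -> str:
    """One-line finding: does this guest expose the host shader compiler?"""
    s = parse_vmx(text)
    name = s.get("displayname", "<unnamed>")
    if three_d_enabled(s):
        return f"{name}: 3D acceleration ENABLED; guest shaders reach the host compiler"
    return f"{name}: 3D acceleration disabled; workaround applied"


def disable_3d(text: str) -> str:
    """Return the config with mks.enable3d forced to FALSE (added if missing)."""
    out, seen = [], False
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() == "mks.enable3d":
            out.append('mks.enable3d = "FALSE"')
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append('mks.enable3d = "FALSE"')
    return "\n".join(out) + "\n"
```

Running `audit_vmx` over every .vmx on a host gives a quick inventory of which guests still have the risky setting before the driver update is rolled out.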
Rory Mackie, security consultant at Arcturus, told SC Media UK that for this particular bug, website links and emails should be thoroughly scrutinised as there is the possibility of leveraging WebGL – a feature common in modern browsers – to exploit this vulnerability.
"In short, it’s possible that simply opening a link from an attacker in your browser could exploit your machine using this vulnerability," he said.