As the most popular open-source cloud platform, OpenStack uses QEMU-KVM as the virtualization layer of its compute nodes. The threat posed by vulnerabilities in QEMU is therefore highly relevant to cloud platform security. Although Red Hat fixes a large number of QEMU vulnerabilities every year, most of them do not affect OpenStack, because they lie in emulated devices that OpenStack's default instance configuration does not attach to guests. Examples are CVE-2015-5165 and CVE-2015-7504, which were presented at the HITB security conference.
Some serious vulnerabilities do affect OpenStack, such as CVE-2015-3456 (known as VENOM), a heap overflow in the emulated floppy disk controller. However, no complete exploit or exploitation idea for it has been published. As mentioned above, only a few vulnerabilities can be used to escape from an OpenStack virtual machine. Developing a virtual machine escape exploit against a public cloud is even more challenging, since an attacker has difficulty obtaining key information such as the QEMU version, the binary files, and so on. Thus, from the perspective of an attacker targeting public cloud instances, what matters is not only whether a vulnerability is exploitable or whether the method is stable, but whether the affected virtual machine can be escaped without any additional information at all.
In this paper, we first briefly introduce the QEMU-KVM architecture, then propose the new concept of a black-box escape. After an in-depth analysis of CVE-2020-14364, an out-of-bounds access in QEMU's USB emulation, we present our approach to achieving a black-box escape from a QEMU virtual machine.