Virtual machine escape
In computer security, virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system. A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". In 2008, a vulnerability (CVE-2008-0923) in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4. A fully working exploit labeled Cloudburst was developed by Immunity Inc. for Immunity CANVAS (commercial penetration testing tool). Cloudburst was presented in Black Hat USA 2009.
Previous known vulnerabilities
- CVE-2007-1744 Directory traversal vulnerability in shared folders feature for VMware
- CVE-2008-0923 Directory traversal vulnerability in shared folders feature for VMware
- CVE-2009-1244 Cloudburst: VM display function in VMware
- CVE-2012-0217 The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier
- CVE-2014-0983 Oracle VirtualBox 3D acceleration multiple memory corruption
- CVE-2015-3456 VENOM: buffer-overflow in QEMU's virtual floppy disk controller
- CVE-2015-7835 Xen Hypervisor: Uncontrolled creation of large page mappings by PV guests
- CVE-2016-6258 Xen Hypervisor: The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe.
- CVE-2016-7092 Xen Hypervisor: Disallow L3 recursive pagetable for 32-bit PV guests
- CVA-2017-5715, 2017-5753, 2017-5754: The Spectre and Meltdown hardware vulnerabilities, a cache side-channel attack on CPU level (Rogue Data Cache Load (RDCL)), allow a rogue process to read all memory of a computer, even outside the memory assigned to a virtual machine
- CVE-2017-0075 Hyper-V Remote Code Execution Vulnerability
- CVE-2017-0109 Hyper-V Remote Code Execution Vulnerability
- CVE-2017-4903 VMware ESXi, Workstation, Fusion: SVGA driver contains buffer overflow that may allow guests to execute code on hosts
- CVE-2017-4934 VMware Workstation, Fusion: Heap buffer-overflow vulnerability in VMNAT device that may allow a guest to execute code on the host
- CVE-2017-4936 VMware Workstation, Horizon View : Multiple out-of-bounds read issues via Cortado ThinPrint may allow a guest to execute code or perform a Denial of Service on the Windows OS
- CVE-2018-2698 Oracle VirtualBox: shared memory interface by the VGA allows read and writes on the host OS
- CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091: "Microarchitectural Data Sampling" (MDS) attacks: Similar to above Spectre and Meltdown attacks, this cache side-channel attack on CPU level allows to read data across VMs and even data of the host system. Sub types: Microarchitectural Store Buffer Data Sampling (MSBDS), Microarchitectural Fill Buffer Data Sampling (MFBDS) = Zombieload, Microarchitectural Load Port Data Sampling (MLPDS), and Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
- CVE-2019-18420, CVE-2019-18421, CVE-2019-18422, CVE-2019-18423, CVE-2019-18424, CVE-2019-18425: Xen Hypervisor and Citrix Hypervisor: Allows guest virtual machines to compromise the host system (denial of service and rights escalation) 
- "What is VM Escape? - The Lone Sysadmin". 22 September 2007.
- "Virtual Machines: Virtualization vs. Emulation". Retrieved 2011-03-11.
- "Path Traversal vulnerability in VMware's shared folders implementation". 18 May 2016.
- Dignan, Larry. "Researcher: Critical vulnerability found in VMware's desktop apps - ZDNet".
- "Security Monitoring News, Analysis, Discussion, & Community". Dark Reading.
- "Black Hat ® Technical Security Conference: USA 2009 // Briefings". www.blackhat.com.
- "VMSA-2017-0006". VMware.
- "VMSA-2017-0018.1". VMware.
- "CVE-2018-2698". securiteam.com: Oracle VirtualBox Multiple Guest to Host Escape Vulnerabilities.
- "CVE-2019-18420 to 18425". Patches beheben Schwachstellen in Xen und Citrix Hypervisor.