CISO Brief

All news with #virtualization security tag

10 articles

Virtual Machines Nearly Everywhere - Lingering Security Gaps

🔒 Cloud virtual machines deliver speed, scale and agility, but uncontrolled VM sprawl creates persistent security gaps. Many instances are provisioned quickly and then left unmanaged—missing OS updates, scoped permissions and continuous monitoring—so they can be abused for lateral movement or used as throwaway attack infrastructure. Organizations should inventory VMs, tighten workload identities and apply continuous, identity‑aware monitoring to reduce risk.

Amazon EVS adds VMware VCF and ESX version control

🛠 Amazon Elastic VMware Service (Amazon EVS) now lets administrators specify supported combinations of VMware Cloud Foundation (VCF) and ESX software versions when provisioning environments and hosts. You can designate a VCF version with the CreateEnvironment API, select an ESX version when adding hosts via CreateEnvironmentHost, and query valid pairings with the GetVersions API. AWS also adds support for new environment deployments using VCF 5.2.2 to broaden compatibility.

StackWarp: Hardware Flaw Breaks SEV-SNP on AMD Zen CPUs

🔒 A team from CISPA disclosed StackWarp, a hardware vulnerability affecting AMD Zen 1–5 processors that subverts SEV-SNP protections. The flaw lets a privileged host manipulate a guest VM's stack pointer via a previously undocumented control bit and a co-running hyperthread, enabling control-flow hijacks, data corruption, and secret exfiltration. Vendors have released microcode fixes, and AGESA patches are planned.

Hypervisors as Ransomware Targets: Risks and Controls

🔒 Hypervisors are increasingly attractive targets for ransomware because a single host compromise can expose dozens or hundreds of VMs. Huntress Labs reports hypervisor ransomware involvement jumped from 3% to 25% in the second half of 2025, with the Akira group a major driver. The article urges treating hypervisor security with the same rigor as endpoints: strict access controls, runtime hardening, timely patching, and immutable backups. It also recommends improved monitoring, SIEM integration, and annual recovery drills to ensure rapid restoration.

Further Hardening of Mali GPU Drivers with SELinux

🔒 Google’s Android Security and Privacy team collaborated with Arm to analyze the Mali GPU driver and implement SELinux-based IOCTL filtering that reduces the kernel driver's attack surface. The team categorized IOCTLs as unprivileged, instrumentation, and restricted, and used a staged rollout—first opt-in testing via a gpu_harden attribute, then opt-out with a gpu_debug domain—to validate behavior on real devices. The post provides step-by-step guidance for vendors to adopt a platform-level macro, define device-specific IOCTL lists, and enforce policy so that deprecated and debug IOCTLs remain unreachable in production.

NAKIVO Backup & Replication v11.1 Enhances DR and MSP

🔁 NAKIVO has released Backup & Replication v11.1, expanding disaster recovery and MSP capabilities and adding five interface languages—French, Italian, German, Polish and Chinese. The update brings major Proxmox VE improvements, including Flash VM Boot, VM replication and template backup/recovery, automated backup verification with screenshots, direct tape recovery, and Exchange/SQL log truncation. It also introduces MSP Direct Connect to remove client-side port changes, Real-Time Replication for VMware with automated IO Filter and Journal Service installation, and granular folder- and volume-level backups for Windows and Linux physical machines with encryption, immutability and air-gapping options.

Amazon EVS Now Available in Singapore and London Regions

🚀 Today AWS announced that Amazon Elastic VMware Service (Amazon EVS) is available in all availability zones in the Asia Pacific (Singapore) and Europe (London) Regions. Amazon EVS runs VMware Cloud Foundation directly within your Amazon VPC on EC2 bare-metal instances powered by AWS Nitro. You can deploy a complete VCF environment in hours using the guided configuration workflow or the AWS CLI with automated deployment, enabling faster migrations, lower latency for end users, and improved compliance and resiliency.

VMScape: Practical Spectre v2 Sandbox Escape in VMs

⚠️ Researchers at ETH Zurich published a paper demonstrating VMScape, a practical Spectre v2 (branch target injection) attack that escapes a guest VM to read host memory in virtualized environments. The team showed AMD Zen1–Zen5 CPUs and older Intel Coffee Lake servers can be abused to exfiltrate secrets from a default-configured VM. The issue was assigned CVE-2025-40300 and a Linux kernel patch is available; hardware protections such as SEV/SEV-SNP and TDX are recommended mitigations.

VMScape: Spectre-BTI Variant Breaks VM Isolation in VMs

🔒 Researchers have demonstrated VMScape, a Spectre-like branch target injection attack that breaks guest-to-host isolation on AMD and Intel CPUs in virtualized environments. The proof-of-concept targeted KVM/QEMU in its default configuration and extracted host disk encryption keys from an AMD Zen 4 system. The issue is tracked as CVE-2025-40300; mitigations include inserting an Indirect Branch Prediction Barrier (IBPB) on VMEXIT, which maintainers report causes only marginal performance impact. The vulnerability highlights that existing Spectre-BTI defenses and microcode updates are insufficient in some virtualized deployments, particularly on AMD Zen microarchitectures.

AWS Nitro protections shield EC2 from L1TF Reloaded

🔒 AWS confirms that guest data on instances running on the Nitro System and Nitro Hypervisor is not at risk from the research known as L1TF Reloaded, and no additional customer action is required. The researchers demonstrate that the technique chains half-Spectre gadgets with L1 Terminal Fault (L1TF) to transiently leak data on some hypervisors, but Nitro’s security-first architecture prevented data extraction. Nitro’s design relies on eXclusive Page Frame Ownership (XPFO) secret hiding, a minimal hypervisor footprint, and layered mitigations; AWS also notes that disclosure was coordinated and that it sponsored part of the research.