Exam CS0-002 topic 1 question 163 discussion

Cloud provider providing storage (IaaS). You cannot update the hypervisor but can configure MFA to access your infrastructure.

I'm confused at why so many people are choosing C, no where in the question stated the hyperV was outdated .

Hypervisor is vulnerable if "A threat actor has deployed a virtual machine to attack another virtual machine". VM escape.

C because it is asking to remidiate the ongoing situation, not future plans to do it better or to lower te risk from the beginning. Whoever is suggesting for MFA please reconsider your profession ;-)

Thank god one person mentioned VM escape. The only way you are going to be able to hack into additional VM's is through VM escape which involves manipulating the hypervisor. The answer is C

The question says "A threat actor has deployed a virtual machine to attack another virtual machine to gain access to the data" So option A and C is out of the way, as the vulnerability is in the cloud provider not the hypervisor, Option D could be a choice but that seems like a costly option, that leaves only option B to be correct

The threat actor has exploited a vulnerability in the hypervisor to escalate access rights. To remediate this vulnerability, the organization should update to a secure version of the hypervisor. By doing so, the organization can ensure that the hypervisor is not vulnerable to known attacks and that access rights cannot be escalated in the same way as before. Sandboxing the virtual machine, implementing an MFA solution, or implementing dedicated hardware for each customer are not effective solutions to this particular vulnerability.

Are we all reading the same question? There was absolutely nothing in this question that said anything about an outdated hypervisor version so how would anyone know that we need to update the hypervisor version? MFA is the best option.

Implement a MFA solution, answer is B. Only Cloud Provider has access to the host hypervisor. That is why the Adversary deployed a new VM to attack the existing VM. MFA would prevent anyone from compromising their Cloud Admin Account

I say the answer is B. The treat actor had to access the Cloud SP in the 1st place. Good luck getting around MFA when logging into the hypervisor.

B would most likely be the best answer for remediation in this scenario. Since nothing was specifically called out for an older software version on the hypervisor, I'll assume that it's up to date. The steps for remediation should be isolation, patches for the software version if any are available, after this you would do whatever remediation steps you could such as configuration changes, stricter access controls like MFA, then continue to monitor the system. So given the fact we don't know an accurate status of the current software version, MFA implementation would be the only guaranteed mitigation step to remediate a hypervisor vulnerability. Sandboxing VMs and dedicated hardware does not protect the system when the attacker has the capability to perform host escapes.

C. Question specifically asks "Which of the following actions would be BEST to remediate the vulnerability the attacker has used to exploit the system?" which means remediate the hypervisor vulnerability. Sandboxing a virtual machine would mean isolating it from the other systems to prevent malicious code from spreading, but it won’t address the vulnerability in the hypervisor. Implementing an MFA solution would provide an additional layer of security, but it wouldn't remediate the vulnerability. Dedicated hardware for each customer would isolate customers' data, but it wouldn't address the hypervisor vulnerabilities. Also it would be the cloud provider who updates the hypervisor, not the client, so this question is being asked by the perspective of the cloud provider.

Those who answer C, i would say don't have any experience in the cloud at all. We are talking about cloud infrastructure where even using IAAS will not even allow touching the hypervisor, only the cloud provider can do the firmware update for you, and you cant even request it because different companies are sharing the same host with your server, assuming this is a public cloud.

I feel like this question is highlighting horizontal privilege escalation so going with B.

MFA would be incorrect in this case Yes MFA can be used to reduce the likelihood that the attacker gains access to the VM, however, the scenario specifically states that the attacker was able to escalate rights and the question asks what can be done to remediate the vulnerability. the vulnerability in this case would be the ability to escalate rights. thus to remediate this, its safe to say that the application needs to be patched somehow so C would be correct

Where did it say the hypervisor version wasn't secure or that it is outdated?

C is correct. Virtual machine (VM) escape attacks target vulnerabilities in the hypervisor supporting a virtualized environment. The strongest control to protect hypervisors against these attacks is to keep them patched.