Decade-Old VENOM Bug Exposes Virtualized Environments to Attacks

Security firm Crowdstrike has revealed the existence of a serious vulnerability affecting several popular virtualization platforms.

Dubbed “Virtualized Environment Neglected Operations Manipulation,” or VENOM, the security bug exists in the virtual Floppy Disk Controller (FDC) of QEMU, the generic, open source machine emulator and virtualizer.

According to Crowdstrike, an attacker can exploit the vulnerability (CVE-2015-3456) to escape a virtual machine (VM) and execute arbitrary code on the host. Malicious actors can leverage VENOM to access all the VMs running on the targeted host.

“Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy,” Crowdstrike wrote on a website set up specially for VENOM.

The vulnerability, which has existed since 2004 when the virtual FDC was first added to the QEMU codebase, impacts hypervisors such as Xen, KVM (Kernel-based Virtual Machine), and the native QEMU client, Crowdstrike said. However, the security firm noted that VENOM does not impact VMware, Microsoft Hyper-V, and Bochs hypervisors.

The QEMU code responsible for emulating the FDC is vulnerable to buffer overflow attacks because it doesn’t correctly bounds-check accesses to an array.

“The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command,” Crowdstrike explained.

“This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process,” the company added.
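The following simplified model illustrates the flaw class described above. It is an added example, not QEMU's code or Crowdstrike's, and the buffer size, opcodes and command table are constructed for illustration. It counts the stores that would land outside the buffer instead of performing them, and shows that a bounds check plus an unconditional reset on completion eliminates them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_LEN 512   /* fixed-size command buffer; the size is an assumption */

/* Constructed command table: parameter bytes expected, and whether the
 * handler resets the buffer position once the command completes. */
struct cmd { uint8_t op; size_t expect; int resets; };
static const struct cmd cmds[] = {
    { 0x01, 3, 1 },    /* well-behaved command */
    { 0x02, 2, 0 },    /* handler that skips the reset */
};
struct fdc { uint8_t fifo[FIFO_LEN]; size_t pos; const struct cmd *cur; size_t oob; };

static const struct cmd *lookup(uint8_t op) {
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        if (cmds[i].op == op) return &cmds[i];
    return NULL;
}

/* Accept one byte from the guest; returns -1 when the byte is rejected. */
static int fdc_write(struct fdc *f, uint8_t b, int hardened) {
    if (!f->cur && !(f->cur = lookup(b))) return -1;  /* idle: byte selects a command */
    if (f->pos >= FIFO_LEN) {
        if (hardened) { f->pos = 0; f->cur = NULL; return -1; }
        f->oob++; f->pos++;      /* unchecked code would store past fifo[] here */
        return 0;
    }
    f->fifo[f->pos++] = b;
    if (f->pos == 1 + f->cur->expect && (hardened || f->cur->resets)) {
        f->pos = 0; f->cur = NULL;   /* command done: clear for the next one */
    }
    return 0;
}

/* Send opcode `op` plus n filler bytes; return how many stores fell outside fifo[]. */
static size_t simulate(uint8_t op, size_t n, int hardened) {
    struct fdc f;
    memset(&f, 0, sizeof f);
    fdc_write(&f, op, hardened);
    for (size_t i = 0; i < n; i++) fdc_write(&f, 0x00, hardened);
    return f.oob;
}

int main(void) {
    printf("unchecked: %zu, hardened: %zu\n", simulate(0x02, 600, 0), simulate(0x02, 600, 1));
    return 0;
}
```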

Despite the fact that most organizations no longer use floppy drives, a virtual floppy drive is created by default in new virtual machines. In the case of QEMU and Xen, even if the virtual drive is disabled, the VENOM flaw can still be exploited because a different bug causes the vulnerable code to remain active, experts said.

Crowdstrike noted that it hasn’t seen any evidence that the vulnerability has been exploited in the wild. The company also pointed out that an attacker needs administrative or root privileges in the guest operating system in order to exploit the bug. However, the security firm believes VENOM is dangerous because it affects several virtualization platforms, it works on default configurations, and it allows direct arbitrary code execution.

The QEMU Project and the Xen Project have released patches to address the issue. Xen noted in its advisory that systems running only x86 paravirtualized guests and ARM systems are not vulnerable. Red Hat released patches today to resolve the vulnerability, and Amazon has informed AWS customers that their data and instances are not at risk.

According to a support document posted by FireEye on Wednesday, FireEye’s hypervisor leverages the open source component affected by VENOM and the company has released patches for all of its major products. "FireEye urges its customers to upgrade their affected appliances as soon as possible to ensure fidelity of their FireEye products and continued protection of their organization," the company said.

According to White Ops chief scientist Dan Kaminsky, who worked with Crowdstrike on a fix for VENOM, such vulnerabilities can be dangerous because everything is moving to the cloud.

“There is a cost to this move, which is that attackers who once needed to find an exploit may get some degree of local privilege using money,” Kaminsky told SecurityWeek via email. “There's a lot riding on the code that isolates VM's, but like all code there's a risk of bugs. Many cloud providers offer enhanced isolation of hardware, such that at minimum you're only exposed to other VM's from your own organization. When feasible it's worth outbidding attackers to acquire this isolation.”

“We are increasingly using sandboxes on the network to analyze traffic. Nothing is without cost; these sorts of VM escapes (this one being particularly special, it being so inherited across the ecosystem) do create the threat of attackers with global visibility across your network,” the expert added. “If nothing else, sandboxing architecture can't be patched like normal network equipment. If you've got it, fire drill it, because even unlike a domain controller attackers can make it run stuff by design.”

“The people most affected by VENOM are those who run hosted VPS services (and therefore, do routinely give root access to strangers' guest machines), and those who subscribe to the same VPS services. Customers of VPS services should pester their vendors until patches are applied, and the vendors should move on this rapidly,” Tod Beardsley, Research Manager at Rapid7, told SecurityWeek.

"It's important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS," Beardsley added. "This circumstance leads me to believe that VENOM is an 'interesting' bug to the sorts of people who do exploit research for a living. To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon. Given this incentive of interestingness, I would expect to see a public proof of concept exploit appear sooner rather than later."


*Updated with details on FireEye appliances and additional commentary

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.