
Decade-Old VENOM Bug Exposes Virtualized Environments to Attacks

Security firm Crowdstrike has revealed the existence of a serious vulnerability affecting several popular virtualization platforms.

Dubbed “Virtualized Environment Neglected Operations Manipulation,” or VENOM, the security bug exists in the virtual Floppy Disk Controller (FDC) of QEMU, the generic, open source machine emulator and virtualizer.

According to Crowdstrike, an attacker can exploit the vulnerability (CVE-2015-3456) to escape a virtual machine (VM) and execute arbitrary code on the host. Malicious actors can leverage VENOM to access all the VMs running on the targeted host.

“Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy,” Crowdstrike wrote on a website set up specially for VENOM.

The vulnerability, which has existed since 2004 when the virtual FDC was first added to the QEMU codebase, impacts hypervisors such as Xen, KVM (Kernel-based Virtual Machine), and the native QEMU client, Crowdstrike said. However, the security firm noted that VENOM does not impact the VMware, Microsoft Hyper-V, and Bochs hypervisors.

The QEMU code responsible for emulating the FDC is vulnerable to buffer overflow attacks because it doesn’t correctly bounds-check accesses to an array.

“The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command,” Crowdstrike explained.

“This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process,” the company added.
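The following is an added illustration of the command-buffer pattern Crowdstrike describes, written for this page rather than taken from QEMU: a fixed-size FIFO receives an opcode byte followed by a known number of parameter bytes, the buffer is cleared after each command, and two commands skip that clearing so the write index keeps growing. The opcode values, parameter counts, FIFO size and the two "no-reset" commands are constructed for the example. The out-of-bounds write is recorded rather than performed, so the model stays memory-safe while still showing why the missing reset matters and how the two-part fix (an index bounds check plus an unconditional reset) closes it.

```c
/*
 * Added example, not QEMU code: a memory-safe model of a fixed-size FDC
 * command FIFO. Opcodes, parameter counts and the two commands that skip
 * the buffer reset are constructed for illustration.
 */
#include <stdint.h>
#include <string.h>

#define FIFO_SIZE 16            /* constructed size; the real FIFO is larger */

enum {                          /* hypothetical opcodes */
    CMD_SEEK = 1,
    CMD_READ = 2,
    CMD_NO_RESET_A = 3,         /* models the first command that skips the reset */
    CMD_NO_RESET_B = 4,         /* models the second */
};

struct fdc_model {
    uint8_t  fifo[FIFO_SIZE];
    unsigned data_pos;          /* index of the next byte to store */
    unsigned data_len;          /* bytes expected for the current command */
    int      hardened;          /* 0 = original behaviour modelled, 1 = fixed */
    int      commands_run;
    int      overflow_attempts; /* writes that would have landed past fifo[] */
};

static unsigned param_bytes(uint8_t cmd) {
    switch (cmd) {
    case CMD_SEEK:       return 2;
    case CMD_READ:       return 8;
    case CMD_NO_RESET_A: return 1;
    case CMD_NO_RESET_B: return 3;
    default:             return 0;   /* unknown opcode: command byte only */
    }
}

static void fifo_reset(struct fdc_model *f) {
    f->data_pos = 0;
    f->data_len = 0;
}

void fdc_init(struct fdc_model *f, int hardened) {
    memset(f, 0, sizeof *f);
    f->hardened = hardened;
}

/* One guest write to the data port. Returns 1 if a command completed,
 * -1 if the hardened path rejected an out-of-bounds write, else 0. */
int fdc_write_data(struct fdc_model *f, uint8_t value) {
    if (f->data_pos == 0) {
        /* a new command starts: the opcode decides how many bytes follow */
        f->data_len = 1 + param_bytes(value);
    }
    if (f->data_pos >= FIFO_SIZE) {
        f->overflow_attempts++;
        if (f->hardened) {
            fifo_reset(f);      /* fix 1: never index past the array */
            return -1;
        }
        f->data_pos++;          /* original path modelled: the index runs away */
        return 0;
    }
    f->fifo[f->data_pos++] = value;
    if (f->data_pos != f->data_len)
        return 0;               /* still collecting parameter bytes */

    f->commands_run++;          /* executing the command itself is omitted */
    uint8_t cmd = f->fifo[0];
    int skips_reset = (cmd == CMD_NO_RESET_A || cmd == CMD_NO_RESET_B);
    if (!f->hardened && skips_reset)
        return 1;               /* the bug: data_pos and data_len stay stale */
    fifo_reset(f);              /* fix 2: every command clears the buffer */
    return 1;
}

/* Feed a byte sequence and report how many writes would have overflowed. */
int fdc_feed(struct fdc_model *f, const uint8_t *bytes, size_t n) {
    for (size_t i = 0; i < n; i++)
        fdc_write_data(f, bytes[i]);
    return f->overflow_attempts;
}
```

Feeding the same 40-byte sequence to both models (a no-reset opcode followed by filler bytes) shows the difference: the modelled original path records 24 writes past the 16-byte FIFO, because the stale index never returns to zero, while the hardened path treats every later byte as the start of a fresh command and records none. The bounds check alone is worth keeping even once every handler resets correctly, since it turns any future reset omission into a rejected write instead of memory corruption.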


Despite the fact that most organizations no longer use floppy drives, a virtual floppy drive is created by default in new virtual machines. In the case of QEMU and Xen, even if the virtual drive is disabled, the VENOM flaw can still be exploited because a different bug causes the vulnerable code to remain active, experts said.

Crowdstrike noted that it hasn’t seen any evidence that the vulnerability has been exploited in the wild. The company also pointed out that an attacker needs administrative or root privileges in the guest operating system in order to exploit the bug. However, the security firm believes VENOM is dangerous because it affects several virtualization platforms, it works on default configurations, and it allows direct arbitrary code execution.

The QEMU Project and the Xen Project have released patches to address the issue. Xen noted in its advisory that systems running only x86 paravirtualized guests and ARM systems are not vulnerable. Red Hat released patches today to resolve the vulnerability, and Amazon has informed AWS customers that their data and instances are not at risk.

According to a support document posted by FireEye on Wednesday, FireEye’s hypervisor leverages the open source component affected by VENOM and the company has released patches for all of its major products. “FireEye urges its customers to upgrade their affected appliances as soon as possible to ensure fidelity of their FireEye products and continued protection of their organization,” the company said.

According to White Ops chief scientist Dan Kaminsky, who worked with Crowdstrike on a fix for VENOM, such vulnerabilities can be dangerous because everything is moving to the cloud.

“There is a cost to this move, which is that attackers who once needed to find an exploit may get some degree of local privilege using money,” Kaminsky told SecurityWeek via email. “There’s a lot riding on the code that isolates VM’s, but like all code there’s a risk of bugs. Many cloud providers offer enhanced isolation of hardware, such that at minimum you’re only exposed to other VM’s from your own organization. When feasible it’s worth outbidding attackers to acquire this isolation.”

“We are increasingly using sandboxes on the network to analyze traffic. Nothing is without cost; these sorts of VM escapes (this one being particularly special, it being so inherited across the ecosystem) do create the threat of attackers with global visibility across your network,” the expert added. “If nothing else, sandboxing architecture can’t be patched like normal network equipment. If you’ve got it, fire drill it, because even unlike a domain controller attackers can make it run stuff by design.”

“The people most affected by VENOM are those who run hosted VPS services (and therefore, do routinely give root access to strangers’ guest machines), and those who subscribe to the same VPS services. Customers of VPS services should pester their vendors until patches are applied, and the vendors should move on this rapidly,” Tod Beardsley, Research Manager at Rapid7, told SecurityWeek.

“It’s important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS,” Beardsley added. “This circumstance leads me to believe that VENOM is an ‘interesting’ bug to the sorts of people who do exploit research for a living. To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon. Given this incentive of interestingness, I would expect to see a public proof of concept exploit appear sooner rather than later.”

Related: Xen Hypervisor Flaws Force Amazon, Rackspace to Reboot Servers

Related: Mind Your Hypervisors, Says Security Researcher

*Updated with details on FireEye appliances and additional commentary

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
