The divisive VENOM vulnerability—marketing logo and all—has been good for three solid days of debate and angst over its severity, ease of exploitation and risks.
The first public proof-of-concept exploit, however, may aid in calming some of the anxiety around the bug, which is proving difficult to attack at scale.
SUSE Linux security project manager Marcus Meissner wrote a short program and put it up on the OSS Security mailing list shortly after VENOM was disclosed. The code, he said, confirms that the patches released are effective. The bug, tracked as CVE-2015-3456, was found by researchers at CrowdStrike. It lives in the virtual floppy disk controller component of QEMU, an open-source virtualization package. XEN, KVM and other virtualization platforms run QEMU, and hosting providers who run on these platforms were advised to patch quickly.
“It is a very basic program showing only the error condition, with the goal of crashing the [QEMU] process,” Meissner told Threatpost. “It does not try to achieve code execution. I wrote it for our QA team to confirm the bug is fixed after update.”
Meissner’s exploit, he said, tries to write past the end of the FIFO memory buffer used by the floppy disk controller to store commands and parameters. The PoC crashes the unpatched QEMU process, Meissner said.
“To trigger the condition of the exploit is easy, however the attacker needs to have root-level privileges on the guest machine,” Meissner said. “From this to gaining code execution needs knowledge of the memory layout of the QEMU process running. Without address space randomization this could be more or less easy, but I have not researched this.”
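The following is an added example, written for this article and not Meissner's PoC or QEMU's code: a small C model of the floppy controller's command FIFO, with the unpatched behaviour next to a hardened version. It follows the shape of the real bug in QEMU's fdc emulation, where the FIFO index was not rewound after certain commands, so every further byte the guest wrote to the data port was stored at a growing index past the 512-byte buffer. The command codes, the one-parameter command, and the `overflows` counter are assumptions of the model; the real code performed the out-of-bounds store unconditionally, which is what crashes the QEMU process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: simplified model of the QEMU floppy disk controller's
 * command FIFO (not QEMU's code). The guest writes bytes to the data
 * port; byte 0 selects a command, the following bytes are its
 * parameters, collected in fifo[] at data_pos until data_pos reaches
 * data_len, at which point the command handler runs. */

#define FIFO_LEN 512           /* QEMU's FIFO is one 512-byte sector */

/* Hypothetical command codes for the model (not real FDC opcodes). */
#define CMD_BENIGN   0x00      /* handler rewinds the FIFO when done */
#define CMD_NO_RESET 0x4a      /* handler forgets to rewind the FIFO */

struct fdc {
    uint8_t  fifo[FIFO_LEN];
    uint32_t data_pos;         /* index of the next byte to store */
    uint32_t data_len;         /* 1 command byte + parameter bytes */
    unsigned overflows;        /* model only: stores that missed fifo[] */
};

typedef void (*write_fn)(struct fdc *, uint8_t);

/* Model assumption: only CMD_NO_RESET takes a parameter byte. */
static uint32_t cmd_param_count(uint8_t cmd)
{
    return cmd == CMD_NO_RESET ? 1 : 0;
}

static void fdc_reset_fifo(struct fdc *f)
{
    f->data_pos = 0;
    f->data_len = 0;
}

/* Unpatched model: no bounds check on the store, and a command handler
 * that leaves data_pos == data_len instead of rewinding. After such a
 * command every further byte is appended at an ever-growing index. */
static void fdc_write_vuln(struct fdc *f, uint8_t v)
{
    if (f->data_pos == 0)
        f->data_len = 1 + cmd_param_count(v);

    uint32_t idx = f->data_pos++;
    if (idx < FIFO_LEN)
        f->fifo[idx] = v;
    else
        f->overflows++;   /* the real code stored here unconditionally,
                           * corrupting whatever followed the FIFO */

    if (f->data_pos == f->data_len && f->fifo[0] != CMD_NO_RESET)
        fdc_reset_fifo(f);   /* the buggy handler skips this step */
}

/* Hardened model: the index is forced inside the buffer (the upstream
 * fix bounded it with a modulo), and the FIFO is rewound after every
 * completed command regardless of what the handler does. */
static void fdc_write_fixed(struct fdc *f, uint8_t v)
{
    if (f->data_pos == 0)
        f->data_len = 1 + cmd_param_count(v);

    uint32_t idx = f->data_pos++ % FIFO_LEN;
    f->fifo[idx] = v;

    if (f->data_pos >= f->data_len)
        fdc_reset_fifo(f);
}

/* Replay what root in the guest could send to the data port: one
 * command, its parameter bytes, then `extra` more bytes. Returns how
 * many stores landed outside fifo[] in the model. */
static unsigned run_sequence(write_fn write, uint8_t cmd, unsigned extra)
{
    struct fdc f;
    memset(&f, 0, sizeof f);

    write(&f, cmd);
    for (uint32_t i = 0; i < cmd_param_count(cmd); i++)
        write(&f, 0x00);
    for (unsigned i = 0; i < extra; i++)
        write(&f, 0x41);
    return f.overflows;
}

unsigned vuln_overflows(uint8_t cmd, unsigned extra)
{
    return run_sequence(fdc_write_vuln, cmd, extra);
}

unsigned fixed_overflows(uint8_t cmd, unsigned extra)
{
    return run_sequence(fdc_write_fixed, cmd, extra);
}

int main(void)
{
    printf("unpatched, benign command:    %u bytes out of bounds\n",
           vuln_overflows(CMD_BENIGN, 1000));
    printf("unpatched, non-reset command: %u bytes out of bounds\n",
           vuln_overflows(CMD_NO_RESET, 1000));
    printf("patched,   non-reset command: %u bytes out of bounds\n",
           fixed_overflows(CMD_NO_RESET, 1000));
    return 0;
}
```

With the benign command the unpatched model never leaves the buffer, because each completed command rewinds `data_pos`; after the non-resetting command, the 511th extra byte is the first to miss the 512-byte FIFO and every byte after it lands further out. The hardened path keeps the same guest-visible interface but cannot be walked off the end, which is why the proof of concept stops crashing the process once the fix is in.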
The vulnerability could lead to an attacker escaping the confines of the virtual machine and gaining access to the host, and in turn, all of the other virtual instances running on that server.
“As guest escape, I would consider it at least ‘important’ to ‘critical,'” Meissner said in characterizing the seriousness of the vulnerability.
Noted researcher Dan Kaminsky told Threatpost this week that an attacker does not need to compromise a machine to obtain the local privilege the bug requires: renting a virtual machine on a shared host provides it.
“Many cloud providers offer enhanced isolation of hardware, such that at minimum you’re only exposed to other VMs from your own organization,” Kaminsky said. “When feasible, it’s worth outbidding attackers to acquire this isolation.”
While floppy disks are a forgotten memory on most computers, the emulated controller that drives them is included by default in many QEMU-based virtual machines, so the vulnerable code is reachable from a guest whether or not that guest has ever touched a floppy.
“Such devices like the floppy controller or the network card have state engines that are more or less complex to emulate. These might also not always be written with security deeply in mind, as they originate from a time like 10 years ago or more,” Meissner said. “Also C code is notoriously hard to program, so bugs are always present. So the floppy disc controller is not special here.”
Most, if not all, of the affected vendors have published patches that address the VENOM vulnerability. Installing them is not enough on its own: the fix lives in the QEMU binary that backs each guest, so a running virtual machine keeps executing the old code until it is restarted or live-migrated onto a patched host. Whether hosting providers consider that downtime an acceptable risk or loss is another issue.
In the meantime, experts caution that users shouldn’t buy into all the hyperbole about VENOM, especially comparisons to Heartbleed and other Internet-wide bugs. Chris Eng, VP of research at Veracode, said mass exploitation of VENOM would be close to impossible because code-execution exploits would have to be tailored to the specific host environment, and the fact that an attacker would first need root-level access inside a guest does mitigate some of the risk.
“While exploiting a vulnerability like Heartbleed allows an attacker to probe millions of systems, VENOM simply wouldn’t be exploitable at the same scale,” Eng said. “Vulnerabilities like VENOM are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyber warfare or the like. Companies should absolutely apply patches as they become available.”