‘VENOM’ Flaw in Virtualization Software Could Lead to VM Escapes, Data Theft

Venom vulnerability

Researchers have uncovered a vulnerability in an obscure component of many virtualization platforms that they say can allow an attacker to escape from a guest virtual machine and gain code execution on the host, as well as any other VMs operating on that machine. Experts say the bug affects a wide variety of virtualization software running on all major operating systems.

The simple route to exploiting this vulnerability is for an attacker to buy space on a cloud hosting provider. From there, he can use the vulnerability to escape the VM he’s running and move laterally among the other VMs on that host. The attacker may then be able to access the local network running the host and get to sensitive data stored there. The bug was discovered by Jason Geffner, a senior security researcher at CrowdStrike.

The vulnerability itself lies in the virtual floppy disk controller component of QEMU, an open-source virtualization package. The component is included in a number of virtualization platforms, including Xen and KVM, and the largest target base for attackers would be hosting providers who run these platforms, experts say. With so many enterprises moving their resources to cloud providers, the danger from the decade-old vulnerability is high.

“There is a cost to this move, which is that attackers who once needed to find an exploit may get some degree of local privilege using money. There’s a lot riding on the code that isolates VM’s, but like all code there’s a risk of bugs. Many cloud providers offer enhanced isolation of hardware, such that at minimum you’re only exposed to other VM’s from your own organization. When feasible it’s worth outbidding attackers to acquire this isolation,” said researcher Dan Kaminsky, co-founder of White Ops. 

Although floppy drives are hopelessly obsolete, the FDC code that’s at the heart of this vulnerability is present in many places.

“For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers,” the FAQ on the vulnerability says.

The bug is being called VENOM, for virtualized environment neglected operations manipulation, and CrowdStrike’s Geffner discovered it during an audit of virtual machine hypervisors. The bug has existed since 2004, when the virtual FDC code was added to QEMU. Both Xen and QEMU have produced patches for the vulnerability and most of the large cloud providers have addressed the bug. But Kaminsky, who worked with CrowdStrike to produce a fix for the VENOM flaw, said the threat from attackers is still real.

“We are increasingly using sandboxes on the network to analyze traffic. Nothing is without cost; these sorts of VM escapes (this one being particularly special, it being so inherited across the ecosystem) do create the threat of attackers with global visibility across your network. If nothing else, sandboxing architecture can’t be patched like normal network equipment. If you’ve got it, fire drill it, because even unlike a domain controller attackers can make it run stuff by design,” Kaminsky said.

The Xen Project has released an advisory on the vulnerability.

“All Xen systems running x86 HVM guests without stubdomains are vulnerable to this depending on the specific guest configuration. The default configuration is vulnerable. Guests using either the traditional ‘qemu-xen’ or upstream qemu device models are vulnerable. Guests using a qemu-dm stubdomain to run the device model are only vulnerable to takeover of that service domain,” the advisory says.

Amazon, one of the larger cloud services providers, said that its systems are not vulnerable to the VENOM bug.

“We are aware of the QEMU security issue assigned CVE-2015-3456, also known as ‘VENOM,’ which impacts various virtualized platforms. There is no risk to AWS customer data or instances,” Amazon said.

Though the vulnerable code has been in QEMU for 11 years, it wasn’t known until now, and knowing is half the battle.

Suggested articles