Virtualized Environment Neglected Operations Manipulation called VENOM, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms.
This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.
Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy.
What products are affected?
The bug is in QEMU’s virtual Floppy Disk Controller (FDC). This vulnerable FDC code is used in numerous virtualization platforms and appliances, notably Xen, KVM, and the native QEMU client.
VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.
Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, etc.).
Though the VENOM vulnerability is also agnostic of the guest operating system, an attacker (or an attacker’s malware) would need to have administrative or root privileges in the guest operating system in order to exploit VENOM.
What vendors have released patches and advisories?
CrowdStrike is aware of the following vendor patches, advisories, and notifications.
- QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
- Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
- Red Hat: https://access.redhat.com/articles/1444903
- Citrix: http://support.citrix.com/article/CTX201078
- FireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf
- Linode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/
- Rackspace: https://community.rackspace.com/general/f/53/t/5187
- Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456
- Suse: https://www.suse.com/support/kb/doc.php?id=7016497
- DigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/
- f5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html
We recommend you reach out to your vendors directly to get the latest security updates.
Have you seen VENOM exploits in the wild?
Neither CrowdStrike nor our industry partners have seen this vulnerability exploited in the wild.
Floppy drives are outdated, so why are these products still vulnerable?
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
How is this different from previous VM escape vulnerabilities?
Most VM escape vulnerabilities discovered in the past were only exploitable in non-default configurations or in configurations that wouldn’t be used in secured environments. Other VM escape vulnerabilities only applied to a single virtualization platform, or didn’t directly allow for arbitrary code execution.
- CVE-2007-1744 – Directory traversal vulnerability in shared folders feature
- CVE-2008-0923 – Path traversal vulnerability in VMware’s shared folders implementation
- CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability)
- CVE-2011-1751 – Missing hotplug check during device removal
- CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability
- CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities
VENOM (CVE-2015-3456) is unique in that it applies to a wide array of virtualization platforms, works on default configurations, and allows for direct arbitrary code execution.
What is the vulnerability?
The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command.
This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.
How long has this bug existed?
The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.
How was the VENOM vulnerability discovered?
Jason Geffner, CrowdStrike Senior Security Researcher, discovered the vulnerability while performing a security review of virtual machine hypervisors.
How was the response to the vulnerability coordinated?
After verifying the vulnerability, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, Xen Security mailing list, Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015.
After a patch was developed CrowdStrike publicly disclosed VENOM on May 13, 2015. Since the availability of the patch, CrowdStrike has continued to work with major users of these vulnerable hypervisors to make sure that the vulnerability is patched as quickly as possible.
How do I protect myself from the VENOM vulnerability?
If you administer a system running Xen, KVM, or the native QEMU client, review and apply the latest patches developed to address this vulnerability.
If you have a vendor service or device using one of the affected hypervisors, contact the vendor’s support team to see if their staff has applied the latest VENOM patches.
References: Venom Crowdstrike.