Today, CrowdStrike disclosed a critical virtual machine escape vulnerability (which we named VENOM) discovered by our Senior Security Researcher Jason Geffner. VENOM affects a number of open-source hypervisors, such as QEMU, Xen, KVM, VirtualBox and many derivatives of these products. For weeks now, we have worked with major infrastructure providers and the developers of these hypervisors to assess the impact, provide sufficient time for patches to be written, and responsibly coordinate disclosure.
While it seems obvious that infrastructure providers could be impacted, there are many other less obvious technologies that depend on virtualization. For example, security appliances that perform virtual detonation of malware often run these untrusted files with administrative privileges, potentially allowing an adversary to use the VENOM vulnerability to bypass, crash or gain code execution on the very device designed to detect malware.
I’m very pleased to see how the community came together in a collaborative and effective way to rapidly create and deploy patches before this vulnerability could be exploited in the wild. Releasing a patch for bugs like this is challenging since it requires a cascading disclosure process – which begins with approaching the upstream vendors who have to analyze and produce the fix for the vulnerability. In the case of VENOM, we worked with the maintainers of QEMU, the hypervisor where this vulnerability was first introduced in 2004, and with other vendors of major hypervisors like Xen and VirtualBox. We also worked with the operating system vendors that integrate the KVM hypervisor and educated a wide range of organizations that use these hypervisors in their products and services, including infrastructure providers and security appliance vendors that rely on virtualization.
There were numerous dependencies between vendors and patches that had to be worked out and coordinated. This experience highlights the continuing need for a better and more clearly defined process for identifying dependencies and coordinating vulnerability disclosure between open-source projects and vendors that integrate that technology. I also want to publicly recognize Dan Kaminsky, Chief Scientist at White Ops, who is a renowned researcher with extensive experience discovering and disclosing major vulnerabilities. Dan provided invaluable advice to us throughout this process on how best to coordinate the release of open source patches across the numerous vendors and users of these technologies.
We are pleased with the positive responses we’ve received from vendors and users worldwide. Vendors have thanked us for getting millions of virtual machines patched in advance of this notification. Still, there’s a continuing need for other organizations to review their environments for the presence of affected hypervisors and ensure that they are patched.
We have stayed away from describing the technical details of the vulnerability since some vendors remain vulnerable and we do not want to accelerate the timeline of seeing attacks in the wild. We will publish those details once sufficient time has passed for those vendors to apply the patches.
We will continue to update venom.crowdstrike.com with relevant information about advisories and patches released by providers. If you have other updates that you would like listed, please contact us with information at firstname.lastname@example.org.
Last but not least, I would like to thank the hero of this announcement – Jason Geffner, who worked tirelessly, creatively, passionately, and with exceptional skill to discover this vulnerability, assess its impact, and has collaborated with affected vendors to mitigate this significant security risk. Well done Jason!