


Virtualized Environment Neglected Operations Manipulation

Discovered by Jason Geffner, CrowdStrike Senior Security Researcher


VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.


Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy.


Links to vendor patches are listed in the Q+A section below.

Q+A: Learn More About VENOM

What products are affected?

The bug is in QEMU’s virtual Floppy Disk Controller (FDC). The same FDC code is used by numerous virtualization platforms and appliances that are built on QEMU’s device emulation, notably Xen (for HVM guests), KVM, and standalone QEMU.

VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.

Since the vulnerable code lives in QEMU’s device emulation rather than in the host operating system, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, etc.).

Though the VENOM vulnerability is also agnostic of the guest operating system, an attacker (or an attacker’s malware) would need administrative or root privileges in the guest operating system in order to exploit VENOM, because the malicious commands are delivered by writing to the FDC’s I/O ports, which an unprivileged guest process cannot do.

What vendor patches are available for download?

CrowdStrike is aware of the following vendor patches.

  • QEMU Project: https://lists.gnu.org/archive/html/qemu-devel/2015-05/msg02561.html
  • Xen Project: http://xenbits.xen.org/xsa/advisory-133.html

This is not an all-inclusive list of patches. We recommend you reach out to your vendors directly to get the latest security updates.

What other mitigation options are available?

Running Virtual Machine hypervisors in certain configurations will minimize or even completely eliminate the impact of this vulnerability. The following is not an exhaustive list of such configurations and we welcome additional suggestions:

  • Xen
    • Xen systems running x86 paravirtualized (PV) guests are not vulnerable, since PV guests have no QEMU-emulated floppy controller
    • ARM systems are not vulnerable
    • Enabling stub-domains will mitigate this issue by reducing the escalation to only those privileges accorded to the service domain. qemu-dm stub-domains are only available with the traditional “qemu-xen” version.

Have you seen VENOM exploits in the wild?

Neither CrowdStrike nor our industry partners have seen this vulnerability exploited in the wild.

Floppy drives are outdated, so why are these products still vulnerable?

For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

How is this different from previous VM escape vulnerabilities?

Most VM escape vulnerabilities discovered in the past were only exploitable in non-default configurations or in configurations that wouldn’t be used in secured environments. Other VM escape vulnerabilities only applied to a single virtualization platform, or didn’t directly allow for arbitrary code execution.

  • CVE-2007-1744 – Directory traversal vulnerability in shared folders feature
  • CVE-2008-0923 – Path traversal vulnerability in VMware’s shared folders implementation
  • CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability)
  • CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability
  • CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities

VENOM (CVE-2015-3456) is unique in that it applies to a wide array of virtualization platforms, works on default configurations, and allows for direct arbitrary code execution.

What is the vulnerability?

The guest operating system communicates with the FDC by writing a command byte, followed by that command’s parameter bytes, to the FDC’s data I/O port (commands such as seek, read, write, format, etc.). QEMU’s virtual FDC stores these bytes in a fixed-size buffer. The FDC keeps track of how many bytes to expect for each command and, once all expected bytes for a given command have been received from the guest, the FDC executes the command and resets the buffer position for the next command.

This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. After one of those two commands completes, the write position is left pointing just past the command’s data, so each further byte the guest writes to the data port is stored beyond the end of the fixed-size buffer. By sending one of these commands followed by specially crafted data, an attacker in the guest can overflow the buffer with attacker-chosen bytes, corrupt adjacent memory of the hypervisor process (the QEMU device-model process on the host), and ultimately execute arbitrary code in the context of that process.
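To make the mechanism concrete, the following is a simplified model of the FDC command buffer written for this page; it is not QEMU’s code. The 512-byte buffer, the received/expected byte counters, the two commands whose handlers skip the reset (READ ID and DRIVE SPECIFICATION COMMAND) and the fix (forcing the write index back into bounds) follow the upstream QEMU fix linked above; the per-command parameter counts and the 16 bytes modelled immediately after the buffer are assumptions made for the model. The unpatched path overwrites the bytes after the buffer with guest-chosen values; the patched path never leaves the buffer.

```c
/* Simplified model of the QEMU virtual FDC command FIFO, written for this
 * page to illustrate VENOM. Not QEMU code. Parameter counts and the
 * adjacent-memory layout are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_LEN 512          /* FD_SECTOR_LEN in QEMU */
#define ADJACENT 16           /* bytes modelled after the FIFO (assumed) */

/* Opcodes: the two non-resetting commands plus SEEK as a normal one. */
#define CMD_READ_ID    0x0a
#define CMD_DRIVE_SPEC 0x8e
#define CMD_SEEK       0x0f

struct fdc {
    /* mem[0..FIFO_LEN-1] is the FIFO; mem[FIFO_LEN..] stands in for
     * whatever follows it in the real heap object, so an overrun is
     * observable without undefined behaviour. */
    uint8_t  mem[FIFO_LEN + ADJACENT];
    uint32_t data_pos;        /* bytes received for the current command */
    uint32_t data_len;        /* bytes expected for the current command */
    bool     hardened;        /* apply the upstream bounds fix */
};

/* Parameter bytes following each opcode (assumed for the model). */
static int param_count(uint8_t op)
{
    switch (op) {
    case CMD_READ_ID:    return 1;
    case CMD_DRIVE_SPEC: return 5;
    case CMD_SEEK:       return 2;
    default:             return 0;   /* unknown command: opcode only */
    }
}

static void fdc_reset_fifo(struct fdc *f)
{
    f->data_pos = 0;
    f->data_len = 0;
}

/* Runs once all bytes for the command in mem[0] have arrived. */
static void fdc_run_command(struct fdc *f)
{
    switch (f->mem[0]) {
    case CMD_READ_ID:
    case CMD_DRIVE_SPEC:
        /* Buggy handlers return without resetting: data_pos stays equal
         * to data_len and later writes are appended past the command. */
        break;
    default:
        fdc_reset_fifo(f);
    }
}

/* One guest write to the FDC data port. Returns true if the byte was
 * stored inside the FIFO, false if it landed (or would land) beyond it. */
static bool fdc_write_data(struct fdc *f, uint8_t value)
{
    uint32_t pos;

    if (f->data_pos == 0)                     /* first byte: the opcode */
        f->data_len = 1 + param_count(value);

    pos = f->data_pos++;
    if (f->hardened)
        pos %= FIFO_LEN;                      /* upstream fix: force in bounds */
    else if (pos >= sizeof f->mem)
        return false;                         /* model edge: stop at mem[] end */
    f->mem[pos] = value;

    if (f->data_pos == f->data_len)
        fdc_run_command(f);
    return pos < FIFO_LEN;
}

/* Plays a malicious guest: issue `op` with zeroed parameters, then keep
 * writing 0x41. Returns how many adjacent bytes were overwritten. */
static int corrupted_adjacent_bytes(uint8_t op, bool hardened)
{
    struct fdc f;
    int i, n = 0;

    memset(&f, 0, sizeof f);
    f.hardened = hardened;
    fdc_write_data(&f, op);
    for (i = 0; i < param_count(op); i++)
        fdc_write_data(&f, 0x00);
    for (i = 0; i < FIFO_LEN + ADJACENT; i++)
        fdc_write_data(&f, 0x41);
    for (i = 0; i < ADJACENT; i++)
        if (f.mem[FIFO_LEN + i] == 0x41)
            n++;
    return n;
}

int main(void)
{
    printf("READ ID, unpatched: %d adjacent bytes overwritten\n",
           corrupted_adjacent_bytes(CMD_READ_ID, false));
    printf("SEEK,    unpatched: %d adjacent bytes overwritten\n",
           corrupted_adjacent_bytes(CMD_SEEK, false));
    printf("READ ID, patched:   %d adjacent bytes overwritten\n",
           corrupted_adjacent_bytes(CMD_READ_ID, true));
    return 0;
}
```

Build with `cc -o venom_model venom_model.c` and run it: the unpatched READ ID and DRIVE SPECIFICATION cases overwrite all 16 modelled bytes after the buffer, SEEK overwrites none because its handler resets the buffer, and the patched variant overwrites none for any command. The model stops at the end of its own array; in the real process the overrun continues into neighbouring heap allocations, which is what an exploit builds on.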

How long has this bug existed?

The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.

How was the VENOM vulnerability discovered?

Jason Geffner, CrowdStrike Senior Security Researcher, discovered the vulnerability while performing a security review of virtual machine hypervisors.

How do I protect myself from the VENOM vulnerability?

If you administer a system running Xen, KVM, or standalone QEMU, review and apply the latest patches developed to address this vulnerability, then restart (or live-migrate) affected virtual machines so that they run under the patched device model.

If you have a vendor service or device using one of the affected hypervisors, contact the vendor’s support team to see if their staff has applied the latest VENOM patches.

Except where otherwise noted, the VENOM logo and the VENOM infographic on this page are available for use under the terms of a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). CrowdStrike and the CrowdStrike Logo are registered trademarks of CrowdStrike, Inc.

About CrowdStrike

CrowdStrike™ provides next-generation endpoint protection, threat intelligence, 24×7 monitoring and incident response services to many of the world’s largest and most advanced companies and government agencies.

Updated: 2015-05-13

