A new vulnerability known as VENOM has been discovered, which could allow an attacker to escape a guest virtual machine (VM) and access the host system along with other VMs running on this system. The VENOM bug could potentially allow an attacker to steal sensitive data on any of the virtual machines on this system and gain elevated access to the host’s local network and its systems.
The VENOM bug (CVE-2015-3456) exists in the virtual Floppy Disk Controller for the open-source hypervisor QEMU, which is installed by default in a number of virtualization infrastructures such as Xen hypervisors, the QEMU client, and Kernel-based Virtual Machine (KVM). VENOM does not affect VMware, Microsoft Hyper-V, and Bochs hypervisors.
The VENOM bug has existed since 2004, though it has reportedly not been exploited in the wild yet. QEMU’s developers and other affected vendors have since created and distributed patches for this bug.
How VENOM works
Cloud service providers often host their customers’ VMs on the same hardware within a data center, though they keep each VM isolated from one another to maintain their security. While businesses rely on their cloud service provider to prevent other customers from accessing other VMs, the VENOM vulnerability could allow an attacker to escape these protections and gain access to resources on other VMs.
According to the website specifically set up to publicize this vulnerability, guest VMs can send commands and associated data parameters to a virtualization platform’s Floppy Disk Controller. This controller uses a fixed-size buffer to store commands and data parameters, and it is supposed to clear the buffer once it fully processes all of its commands. However, the Floppy Disk Controller did not perform this buffer reset for two of the defined commands, and this missing reset is what enables the flaw.
If an attacker wants to take advantage of the VENOM vulnerability, they could instigate an attack by renting space on a cloud hosting provider to get a suitable account and then access this service through a guest VM. They could then exploit this vulnerability by sending one of the two commands that are known to trigger the vulnerability, along with specially crafted data parameters, to the Floppy Disk Controller, causing a buffer overflow. If the exploit is successful, the attacker could cause the system to run arbitrary code. This would allow the attacker to perform any action they wish, including stealing data or downloading and running other code, not only on their own VM but on any other VM hosted on the same system.
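As an added illustration of the bug class the post describes (this is a constructed model, not QEMU's code): a fixed-size command buffer whose handler for one command forgets to reset the write index, beside the patched form that always resets it. The buffer size, the opcode value and the field names are assumptions invented for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a fixed-size command buffer that must be reset once a
 * command completes. Opcodes, sizes and names are invented, not QEMU's. */
#define FIFO_SIZE   16
#define CMD_NORESET 0x4a   /* opcode + 1 parameter byte; its handler has the bug */

typedef struct {
    uint8_t fifo[FIFO_SIZE];
    int data_pos;   /* next write index into fifo; must be 0 between commands */
    int data_len;   /* total bytes the current command expects */
} fdc_t;

static int cmd_length(uint8_t op)
{
    return op == CMD_NORESET ? 2 : 1;   /* unknown opcodes complete at once */
}

/* Guest writes one byte to the data port. Returns 0, or -1 at the point where
 * the real, unchecked device would have written past the end of the buffer. */
static int fdc_write_data(fdc_t *f, uint8_t val, bool patched)
{
    if (f->data_pos >= FIFO_SIZE)
        return -1;                      /* the out-of-bounds write behind VENOM */
    if (f->data_pos == 0)
        f->data_len = cmd_length(val);  /* first byte of a command is the opcode */
    f->fifo[f->data_pos++] = val;
    if (f->data_pos < f->data_len)
        return 0;                       /* still collecting parameters */
    /* Command complete: the handler must reset the buffer for the next one. */
    if (f->fifo[0] == CMD_NORESET && !patched)
        return 0;                       /* BUG: returns without data_pos = 0 */
    f->data_pos = 0;                    /* FIX: every handler resets the buffer */
    return 0;
}

/* Feed n bytes alternating CMD_NORESET and one parameter byte. Returns the
 * 1-based index of the first byte that would land outside the buffer, or 0 if
 * none. Unpatched, the index never returns to 0, so the stream drifts off the
 * end of the buffer; patched, every command starts again at index 0. */
static int first_oob_write(bool patched, int n)
{
    fdc_t f = {{0}, 0, 0};
    for (int i = 1; i <= n; i++)
        if (fdc_write_data(&f, (i % 2) ? CMD_NORESET : 0x00, patched) < 0)
            return i;
    return 0;
}
```

The model stops at the bounds check and reports the offending write index; the unpatched device had no such check, which is why the guest-controlled bytes reached memory beyond the buffer.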
VENOM’s potential impact
While floppy disks are an obsolete technology, many virtualization products add a virtual floppy drive to VMs by default, leaving the platforms open to the bugs that exist in the Floppy Disk Controller. The vulnerable technology is enabled in Xen, QEMU, FireEye’s hypervisor, and KVM by default. For Oracle’s VirtualBox, the Floppy Disk Controller is optional, meaning that customers’ VirtualBox installations should not be vulnerable to VENOM by default. VMware, Microsoft Hyper-V, and Bochs hypervisors are not reported to be vulnerable to VENOM.
There is already a lot of hype suggesting that VENOM is even “bigger than Heartbleed,” but, in terms of scale at least, this is unlikely to be the case. The Heartbleed vulnerability affected the OpenSSL library, which is one of the most commonly used implementations of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols. Heartbleed affected a huge number of websites, applications, servers, virtual private networks, and network appliances. Meanwhile, VENOM only affects virtualization systems that specifically use QEMU’s Floppy Disk Controller and does not impact some of the most widely used VM platforms.
Is VENOM as bad as Heartbleed? It depends. If your system is vulnerable and you have a lot of critical services running on it with plenty of sensitive data, then an attack could be devastating. Heartbleed is considered to be a major issue mostly because the vulnerable systems are so widespread and common. VENOM is locally serious and could allow an attacker to do much more than Heartbleed, but the number of vulnerable systems is much smaller, making it a less serious problem in the greater scheme of things.
According to recent research, many businesses plan to increase their cloud computing spending by 42 percent in 2015, suggesting that they are putting more trust in this technology. This sort of issue may give them reason to pause for thought. There are other security issues to worry about in the cloud too, as we have shown in our recent research.
Fortunately, there are no reports of any attackers actively exploiting this bug in the wild yet. Additionally, QEMU and other vendors were informed of the bug prior to its disclosure and have released patches to fix the issue.
Users should check with their cloud providers to see if they have released a patch for the VENOM vulnerability. Administrators of VM systems who rely on Xen, KVM, or the native QEMU client should apply the VENOM patches as soon as possible.