'VENOM' vulnerability enables virtual machine escapes

By exploiting the vulnerability, an attacker could possibly obtain code-execution access to the host system.
By exploiting the vulnerability, an attacker could possibly obtain code-execution access to the host system.

A researcher with CrowdStrike has identified a vulnerability in virtual floppy drive code used by numerous computer virtualization platforms that, if exploited, can enable an attacker to escape from a virtual machine (VM).

Jason Geffner, senior security researcher with CrowdStrike, is credited with discovering the roughly decade-old bug – CVE-2015-3456 – referred to as VENOM, which stands for Virtualized Environment Neglected Operations Manipulation.

According to a CrowdStrike advisory website that details the issue, QEMU's virtual Floppy Disk Controller (FDC) contains vulnerable code that is used in many virtualization platforms and appliances, such as Xen, KVM, and the native QEMU client.

By exploiting the vulnerability, an attacker can escape from within an affected VM guest system and possibly obtain code-execution access to the host system, the advisory website indicated.

“A virtual machine guest system can send commands (such as 'read from the floppy disk', 'format the floppy disk', etc.) and data to the virtual floppy drive,” Geffner told SCMagazine.com in a Wednesday email correspondence.

He continued, “The VENOM vulnerability allows an attacker to send carefully crafted malformed data to the virtual floppy drive from the guest system to cause data on the host system to become corrupt. This data corruption can be used to allow the attacker to get control over the host system.”

Ultimately, the vulnerability can put corporate intellectual property and sensitive information at risk, the advisory website said.

So far, QEMU, Xen Project and Red Hat have issued advisories and patches, according to the advisory website, which indicated that neither CrowdStrike nor industry partners have seen the vulnerability being exploited in the wild.

In comments emailed to SCMagazine.com on Wednesday, Tod Beardsley, research manager at Rapid7, said that people who run hosted virtual private server (VPS) services and people who subscribe to the same VPS services are most affected by VENOM.

“It's important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS,” said Beardsley, adding, “To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon.”

Page 1 of 2
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS