A researcher with CrowdStrike has identified a vulnerability in virtual floppy drive code used by numerous computer virtualization platforms that, if exploited, can enable an attacker to escape from a virtual machine (VM).
Jason Geffner, senior security researcher with CrowdStrike, is credited with discovering the roughly decade-old bug – CVE-2015-3456 – referred to as VENOM, which stands for Virtualized Environment Neglected Operations Manipulation.
According to a CrowdStrike advisory website that details the issue, QEMU's virtual Floppy Disk Controller (FDC) contains vulnerable code that is used in many virtualization platforms and appliances, such as Xen, KVM, and the native QEMU client.
By exploiting the vulnerability, an attacker can escape from within an affected VM guest system and possibly obtain code-execution access to the host system, the advisory website indicated.
“A virtual machine guest system can send commands (such as 'read from the floppy disk', 'format the floppy disk', etc.) and data to the virtual floppy drive,” Geffner told SCMagazine.com in a Wednesday email correspondence.
He continued, “The VENOM vulnerability allows an attacker to send carefully crafted malformed data to the virtual floppy drive from the guest system to cause data on the host system to become corrupt. This data corruption can be used to allow the attacker to get control over the host system.”
Ultimately, the vulnerability can put corporate intellectual property and sensitive information at risk, the advisory website said.
So far, QEMU, Xen Project and Red Hat have issued advisories and patches, according to the advisory website, which indicated that neither CrowdStrike nor industry partners have seen the vulnerability being exploited in the wild.
In comments emailed to SCMagazine.com on Wednesday, Tod Beardsley, research manager at Rapid7, said that people who run hosted virtual private server (VPS) services and people who subscribe to the same VPS services are most affected by VENOM.
“It's important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS,” said Beardsley, adding, “To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon.”
In a Wednesday post, Robert Graham, CEO of Errata Security, said exploiting the vulnerability requires some knowledge of the host operating system.
“This is a hypervisor privilege escalation bug,” Graham wrote. “To exploit this, you'd sign up with one of the zillions of VPS providers and get a Linux instance. You'd then, likely, replace the floppy driver in the Linux kernel with a custom driver that exploits this bug. You have root access to your own kernel, of course, which you are going to escalate to root access of the hypervisor.”
Chris Eng, vice president of research with Veracode, indicated in comments emailed to SCMagazine.com on Wednesday that VENOM should definitely be patched, but that the vulnerability is not overly devastating.
“First, there is little chance of mass exploitation; any exploit created around VENOM would have to be tailored against a specific target environment,” Eng said. “Second, the attacker would have to already be on the target system to get at the vulnerability – certainly not impossible in a public cloud environment but nevertheless a complicating factor.”
Adam Kujawa, head of malware intelligence at Malwarebytes Labs, said in comments emailed to SCMagazine.com on Wednesday that the vulnerability does not pose a threat at the moment since an attack method has not been seen in the wild. “The attack also does not target all virtual machine types, just a handful, which reduces the actual target of these attacks greatly,” he said.
According to the advisory website, VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by VENOM. Additionally, Amazon noted in a Wednesday post that there is no risk to Amazon Web Services customer data or instances.
