A critical vulnerability called Venom (Virtualized Environment Neglected Operations Manipulation) has been discovered by Jason Geffner at the security firm CrowdStrike. The vulnerability is in a specific component in the open source virtualization package QEMU (which is also incorporated in other virtualization software such as Xen and KVM). Venom is a "VM escape" vulnerability that renders the host platform, all other VMs operating on the host platform, and any device operating on the host platform's network potentially vulnerable.
In comparison to other VM escape vulnerabilities, the vector used in Venom is used in default configurations, is not limited to a single virtualization platform, and allows for direct arbitrary code execution, according to CrowdStrike. The particularly vexing aspect is that the flaw exists in the virtual floppy disk controller (FDC) code in QEMU, which was added in 2004. While peripherally important for the time, modern production environments likely rarely utilize virtual floppy disk support.
According to Petr Matousek at Red Hat, "This flaw arises because of an unrestricted indexed write access to the fixed size FIFO memory buffer that FDC emulation layer uses to store commands and their parameters." Some commands in QEMU's virtual FDC fail to reset the index in a timely manner, or even at all — in which case, further writes made to the FDC can become out-of-bounds. As the attacker has full control over the stored values and nearly full control of the write length, this can be exploited to allow arbitrary commands to be executed from inside the host virtualization process.
Of particular importance, this vulnerability is independent of both the host and guest operating systems. Linux guests would require root access to interact with the FDC, and thereby exploit the vulnerability. For Windows, seemingly any user has the requisite permissions to interact with the FDC. This is a significant concern for the multitudinous providers of virtual private server (VPS) services, who provide root access to the customer.
For comparison, users of virtualization software on the desktop, such as Oracle VirtualBox or GNOME Boxes — both of which are vulnerable to the exploit — would be at a comparatively smaller risk, as the use of virtualization is different, it is uncommon to give someone root access to a VM running on a desktop system.
Be vigilant with the Venom vulnerability
Venom was discovered during a security review — not through finding an affected machine. CloudStrike indicates that neither they nor their industry partners have seen this vulnerability being exploited in the wild.
However, because of the relative rarity of VM escape vulnerabilities, it is likely that attackers will start attempting to exploit this vulnerability. In a phone interview with ZDNet's Zach Whittaker, Geffner noted that "the vulnerability can be exploited with relative ease, but said developing the malicious code was 'not trivial.'"
Users of VMware, Microsoft Hyper-V, OpenVZ, and Bochs can rest easy, as they do not utilize the QEMU floppy disk controller. Additionally, due to platform differences, ARM hosts using the affected packages are not vulnerable.
For users of the affected software, the instinctive reaction to this vulnerability is to disable the virtual FDC — it is a vestige of the past, and rarely, if ever, used. Unfortunately, according to CrowdStrike, "...on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers."
Software vendors have used the last two weeks to create a patch for the vulnerability, and these patches have been pushed to the repositories of various major Linux distributions.
The individual patches and bulletins for QEMU and Xen have been publicly disclosed, and Red Hat has a bulletin covering RHEL 5, 6, and 7 and OpenStack. The patch process for Debian is (at the time of writing) ongoing, with progress updates available on Debian's security tracker. Likewise, Ubuntu users should follow the instructions here for patching.
Users of VPS systems that utilize the affected software should ask their service provider what the timeline is for patching. This issue is not patchable from the guest OS — the update must be performed by the service provider.
Of note, any patch applied to QEMU to shield against this vulnerability will require a restart of the VMs, which will inevitably create some downtime as the patch is applied and VMs restarted.
What's your verdict?
Do you have systems — either on or off premises — that use the affected virtualization solutions? Do you often utilize the virtual FDC in VMs? Do you consider this to be a substantial issue, or does Venom not have fangs? Let us know in the comments.
- Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters (ZDNet)
- For Venom security flaw, the fix is in: Patch your VM today (ZDNet)
- Security and Privacy: New Challenges (ZDNet/TechRepublic special feature)
- Download: Executive's guide to the next wave of security challenges (free ebook)
Note: TechRepublic and ZDNet are CBS Interactive properties.
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.