Venom Virtualization Flaw Puts Data Centers at Risk and Could Lead to Application Escape
Researchers have unearthed a serious vulnerability in a component shared by many virtual machine platforms that could allow an attacker to escape a virtual machine, execute code on the host, and compromise other VMs running in the same environment. Researchers say the bug affects a wide range of virtualization software running on all major operating systems.
Attackers have a number of options for exploiting the vulnerability; the easiest starting point would be to buy storage space on a cloud hosting provider. Attackers could then abuse the vulnerability to escape the data center's virtual machine and move laterally to other virtual machines the same host operates. If executed properly, attackers could even gain access to the local network the host sits on and steal sensitive data stored on that network.
Jason Geffner, senior security researcher at CrowdStrike, disclosed the Venom (CVE-2015-3456) virtual machine vulnerability on Wednesday, following widespread panic among many companies and webmasters.
Venom lies within the virtual floppy disk controller component of QEMU, an open-source virtualization package. The component is used by a large number of virtualization platforms, including both Xen and KVM. Hosting providers running these platforms would be the largest targets for attackers, experts warned.
With more large companies moving their resources to third-party cloud storage, the decade-old vulnerability is more critical than ever.
Though floppy drives are long obsolete, the floppy disk controller (FDC) code at the heart of this vulnerability is still incorporated in a majority of virtualization packages.
“For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers,” CrowdStrike’s Venom disclosure states.
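As an added defensive example (not code from the article or from CrowdStrike), the following Python script inventories which guests on a KVM/QEMU host have a virtual floppy attached, by checking QEMU command lines for `-fda`/`-fdb` or `-drive ...,if=floppy` and libvirt domain XML for a `device='floppy'` disk; the VM names, image paths and XML are constructed samples. Because the disclosure quoted above says the vulnerable FDC code stays active on Xen and QEMU even when the drive is disabled, the inventory is for prioritising which hosts to patch first, not a substitute for patching.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample QEMU command lines, as a host inventory job might
# collect them from the process table (hypothetical VMs, not real data).
SAMPLE_CMDLINES = {
    "vm-web01": "qemu-system-x86_64 -m 2048 -drive file=/vm/web01.img,if=virtio -fda /vm/boot.img",
    "vm-db01": "qemu-system-x86_64 -m 4096 -drive file=/vm/db01.img,if=virtio",
    "vm-app02": "qemu-system-x86_64 -drive file=/vm/app02.img,if=floppy,index=0",
}

# Constructed libvirt domain definition with a floppy device attached.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>vm-legacy</name>
  <devices>
    <disk type='file' device='floppy'>
      <source file='/vm/legacy-boot.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
    <disk type='file' device='disk'>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""

# -fda / -fdb attach a floppy image directly; -drive ...,if=floppy does the same.
FLOPPY_ARG = re.compile(r"(?:^|\s)-(?:fda|fdb)\s")
FLOPPY_DRIVE = re.compile(r"(?:^|\s)-drive\s+\S*\bif=floppy\b")


def cmdline_has_floppy(cmdline: str) -> bool:
    """True if a QEMU command line attaches a virtual floppy drive."""
    return bool(FLOPPY_ARG.search(cmdline) or FLOPPY_DRIVE.search(cmdline))


def domain_xml_has_floppy(xml_text: str) -> bool:
    """True if a libvirt domain definition declares a floppy disk device."""
    root = ET.fromstring(xml_text)
    return any(disk.get("device") == "floppy" for disk in root.iter("disk"))


def triage(cmdlines: dict, domain_xmls: dict) -> dict:
    """Map each VM name to True (floppy configured) or False (none configured).
    Every guest on an unpatched QEMU/Xen host still needs the host patched;
    the flag only shows which guests expose the device by configuration."""
    report = {name: cmdline_has_floppy(cl) for name, cl in cmdlines.items()}
    report.update({name: domain_xml_has_floppy(x) for name, x in domain_xmls.items()})
    return report


if __name__ == "__main__":
    for vm, flagged in sorted(triage(SAMPLE_CMDLINES, {"vm-legacy": SAMPLE_DOMAIN_XML}).items()):
        print(f"{vm}: {'floppy configured' if flagged else 'no floppy configured'}")
```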
VENOM, which stands for Virtualized Environment Neglected Operations Manipulation, was discovered by Geffner during an audit of virtual machine hypervisors. CrowdStrike noted the bug has been present since 2004, when the virtual FDC code was originally added to QEMU. Both Xen and QEMU have released patches for the Venom vulnerability, and large cloud storage providers are in the midst of rolling out the updated packages.
Another researcher who worked with Geffner on releasing a patch for Venom said the threat is still very real and extremely present.
To understand Venom, CrowdStrike released the following image outlining how VENOM works against vulnerable products.
The above image outlines step-by-step how an attacker could exploit the vulnerability and move throughout the network to gain access to several machines and any number of databases.
“All Xen systems running x86 HVM guests without stubdomains are vulnerable to this depending on the specific guest configuration. The default configuration is vulnerable. Guests using either the traditional ‘qemu-xen’ or upstream qemu device models are vulnerable. Guests using a qemu-dm stubdomain to run the device model are only vulnerable to takeover of that service domain,” the Xen Project wrote in its Venom vulnerability disclosure.
One of the largest cloud storage providers on the Internet, Amazon, has stated that none of its AWS systems are vulnerable to the severe Venom flaw, assuring there is no risk to any form of customer data. Microsoft and VMware are also on the unaffected list.
Researchers have said Venom isn’t being exploited in the wild, and though the vulnerability has been present for over 11 years, the flaw has only just been uncovered publicly.
The following vendors have worked with CrowdStrike to ensure their systems are secure from the latest virtualization vulnerability:
- QEMU
- Xen Project
- Red Hat
- Citrix
- FireEye
- Linode
- Rackspace
- Ubuntu
- Debian
- SUSE
- DigitalOcean
- F5
Experts believe the latest VENOM vulnerability may not be as severe as last year’s Heartbleed vulnerability, a severe OpenSSL flaw that could allow an attacker to decrypt communications. Heartbleed was believed to have affected over 25% of the entire web, leaving a huge portion of the web insecure at the time.
Experts have noted that this vulnerability mainly affects cloud hosting providers, which are owned and operated by large companies that are likely to act fast.
VENOM is far more severe than many past vulnerabilities, as this affects virtual software used everywhere, including even the largest companies in the world.
Several other companies are beginning to patch the flaw, including major cloud hosting providers that host and secure enterprise data. Many major websites may experience temporary service outages over the following days while security teams patch the vulnerability.