VENOM flaw, millions of virtual machines are vulnerable to attack

Security Researcher at CrowdStrike claims VENOM vulnerability leaves millions of virtual machines vulnerable to cyber attacks.

A new security vulnerability dubbed VENOM (CVE-2015-3456) is threatening the security industry. The CrowdStrike Senior Security Researcher Jason Geffner who discovered the vulnerability explained that the flaw could be exploited by an attacker to compromise any machine is a data center’s network, according to the expert millions of virtual machines are vulnerable to attack.

“VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.” explained Geffner in a blog post.

VENOM is the acronym for “Virtual Environment Neglected Operations Manipulation,” it is a flow that affects the floppy disk controller driver for QEMU, which is an open-source computer emulator known as a hypervisor that is used for the management of virtual machines .

An attacker can send commands and specially crafted parameter data from the guest system to the Floppy Disk Controller to cause the data buffer overflow and execute arbitrary code in the context of the host’s hypervisor process.

VENOM is considered very dangerous because its exploitation if possible against a wide array of virtualization platforms, works on default configurations, and allows the arbitrary code execution.

The expert explained that the impact of VENOM could be dramatic for thousands of organizations and millions of end users.  The attacker can crash the hypervisor, obtain the control of the targeted machine and all virtual machines running on it.

“Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy.” wrote the researcher.

Cloud providers like Amazon have promptly provided a fix for the VENOM flaw, experts at CrowdStrike have been working with principal software vendors to develop a patch for the vulnerability, which is expected to be released tomorrow.

CrowdStrike reported that the following vendor have already released patches and advisories for the VENOM flaw:

• QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
• Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
• Red Hat: https://access.redhat.com/articles/1444903
• Citrix: http://support.citrix.com/article/CTX201078

CrowdStrike confirmed that it will not publicly release a proof of concept exploit code.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  VENOM, hacking)