Venom Virtualisation Vulnerability Could Impact Cloud, Data Centre Security

An 11-year-old vulnerability in a number of virtualisation platforms could allow a malicious attacker to gain access to host systems and steal sensitive information, security researchers have warned.

Venom, as it has been dubbed, was discovered by Crowdstrike’s Jason Geffner while performing a security review of virtual machine hypervisors and was found in the virtual Floppy Disk Controller (FDC) used by QEMU, an open source machine emulator and virtualiser.

This FDC is used in numerous virtualisation platforms, including Xen, KVM and the native QEMU client, but crucially, not VMware, Hyper-V and Bochs’s hypervisors. However Crowdstrike have warned that potentially thousands of organisations and “millions” of end users could be affected.

Floppy disk

“Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems,” said Crowdstrike, which says the FDC in question was added to the QEMU database in 2004.

Although floppy disks are a dated technology, the FDC is added to a virtual machine by default. The guest operating system communicates with the FDC by sending commands to the input/output port and the FDC keeps track of how much data it expects to receive. Once all the expected data is received, the FDC executes the command and clears the buffer for the next one.

Venom could allow an attacker to send these commands with specially created parameter data that would overflow the butter and allow for the execution of malicious code.

Researchers say Venom differs from previous ‘escape’ virtualisation vulnerabilities because they were only exploitable in non-default configurations or configurations that aren’t permitted in secure environments.

Unique threat

What makes Venom unique from other ‘escape’ virtualisation vulnerabilities is that it impacts a wide array of platforms, works in default configurations and allows for the direct execution of code. Previous bugs have only been exploitable in non-default configurations or configurations not permitted in secure environments and have tended to affect single virtualisation platforms.

Crowdstrike “responsibly” disclosed Venom at the end of last month. No exploits have been spotted in the wild, but those affected have been urged to download any patches and contact any vendors using an affected hypervisor to ensure their staff have patched their systems.

Heartbleed 2.0?

The scope of Venom has immediately drawn comparisons with the Heartbleed SSL bug discovered last year, but experts have said that although the new vulnerability is likely to affect fewer systems.

“There is already a lot of hype suggesting that VENOM is even ‘bigger than Heartbleed,’ but this is not likely to be the case in terms of scale, at least,” said Symantec. “Heartbleed affected a huge number of websites, applications, servers, virtual private networks, and network appliances. Meanwhile, VENOM only affects virtualization systems that specifically use QEMU’s Floppy Disk Controller and does not impact some of the most widely used VM platforms.

“Is VENOM as bad as Heartbleed? The answer depends. If your system is vulnerable and you have a lot of critical services running on it with plenty of sensitive data, then an attack could be devastating. Heartbleed is considered to be a major issue mostly because the vulnerable systems are so widespread and common. VENOM is locally serious and could allow an attacker to do much more than Heartbleed, but the number of vulnerable systems is much smaller, making it a less serious problem in the greater scheme of things.”

“[Venom is] serious, but not Heartbleed serious. There are no known in-the-wild attacks and a patch is available,” added Karl Sigler, threat intelligence manager at Trustwave. “The virtualisation products it does affect are popular (XEN, KVM, QEMU, and VirtualBox), but the absence of VMWare and Microsoft as affected eases the blow in a lot of cases.

Are you a security expert? Try our quiz!