Don’t Allow VENOM VM Security Vulnerability to Bite Your Virtualization Platforms

May 18, 2015 By David
Article written by David Marshall

This latest virtualization exploit is being widely reported to affect virtual machines running on hypervisor platforms such as Xen, KVM and native QEMU.

Security firm CrowdStrike discovered and reported the new vulnerability, claiming it could allow an attacker to infiltrate potentially every machine on a datacenter's network, leaving millions of virtual machines vulnerable to attack.

Dubbed VENOM (i.e. Virtualized Environment Neglected Operations Manipulation), the vulnerability (CVE-2015-3456) exists in the floppy disk controller driver for QEMU, an open-source computer hypervisor that is used for managing virtual machines.

The vulnerability was originally reported by CrowdStrike senior security researcher Jason Geffner. However, the flaw is said to have existed in the code since at least 2004.

Geffner explained, "This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host."

He continued, "This VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems."

It’s hard to believe that in 2015 and in a virtual world, we’re still talking about a floppy exploit as a possibility.  I mean, virtual or not, who uses floppies anymore, right?  Oddly enough, even if administrators disable the virtual floppy drive code, another totally unrelated bug still allows that code to be accessed. 

Some in the industry have begun to compare VENOM to Heartbleed, the OpenSSL flaw that allowed an attacker to spy on data transmitted online.

However, others have stated that it isn't as severe. For one thing, VENOM appears to be isolated to the Xen, KVM, QEMU, and VirtualBox hypervisors. The more popular and widely used VMware and Microsoft hypervisors are unaffected. Also unaffected are the Bochs hypervisor and applications running on Amazon's AWS platform, since AWS runs a heavily customized version of Xen.

In addition, patches for many platforms have already been released.  Among those with patches already out: Xen Project, Citrix, FireEye, QEMU, Red Hat, SUSE, Ubuntu Linux, and F5.

Oracle announced that VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 versions prior to 4.3.28 are all affected by VENOM, as are Oracle VM 2.2, 3.2 and 3.3, and Oracle Linux 5, 6 and 7.  But the company has put out an advisory message with mitigating instructions where available.

As for Oracle Cloud, the company notified customers in an advisory that the Oracle Cloud teams are evaluating the fixes as they become available and will be applying the relevant patches in accordance with applicable change management processes. 

One researcher who doesn't appear overly fazed by VENOM is Tamas K. Lengyel, a senior security researcher at Novetta. He stated in a recent blog post on the Xen Project site that the VENOM bug is one of a known class of threats brought on by the complex and error-prone programming involved in emulating hardware devices in software.

But the good news, according to Lengyel, is that this vulnerability is "easy to mitigate": to protect against VENOM and any other attack made via hardware emulation, administrators need only add one line to the Xen domain configuration:

    device_model_stubdomain_override = 1

This enables the stubdomains feature, which confines the QEMU code to the virtual machine it provides emulation for rather than running it in the privileged control domain, dom0. An escape through QEMU therefore lands an attacker only in that stubdomain, without access to critical resources.
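The setting above is per-domain, so a host is only protected once every HVM guest's configuration carries it. The following audit script is an added example, not code from the article or from the Xen Project: it scans a directory of xl domain configuration files (assumed to be plain `key = value` files such as those under `/etc/xen`, with `builder = "hvm"` or `type = "hvm"` marking an HVM guest) and reports which guests would still run their QEMU device model in dom0. The three sample configs it creates in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script (not from the article or the Xen project): scan xl
# domain config files and report HVM guests whose QEMU device model would
# run in dom0 because device_model_stubdomain_override = 1 is not set.

# Print a config file with '#' comments removed, so a commented-out
# setting is not mistaken for an active one.
strip_comments() {
    sed 's/#.*//' "$1"
}

# Returns 0 if FILE declares an HVM guest (builder = "hvm" or type = "hvm").
is_hvm() {
    strip_comments "$1" | grep -Eq '^[[:space:]]*(builder|type)[[:space:]]*=[[:space:]]*"hvm"'
}

# Returns 0 if FILE enables the stubdomain device model, 1 otherwise.
has_stubdom() {
    strip_comments "$1" | grep -Eq '^[[:space:]]*device_model_stubdomain_override[[:space:]]*=[[:space:]]*"?1"?[[:space:]]*$'
}

# audit_dir DIR: report every *.cfg under DIR and, as the last line of
# output, print the number of HVM configs that still run QEMU in dom0.
audit_dir() {
    bad=0
    for f in "$1"/*.cfg; do
        [ -e "$f" ] || continue
        if ! is_hvm "$f"; then
            echo "$f: not an HVM guest, no QEMU device model to move"
        elif has_stubdom "$f"; then
            echo "$f: QEMU device model runs in a stubdomain"
        else
            echo "$f: QEMU device model runs in dom0 (override missing or 0)"
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Constructed sample configs for a stand-alone run; prints the directory path.
# guest-a is protected, guest-b only has the override commented out,
# guest-c is a PV guest and is skipped.
make_samples() {
    d=$(mktemp -d)
    printf 'builder = "hvm"\nname = "guest-a"\ndevice_model_stubdomain_override = 1\n' > "$d/a.cfg"
    printf 'type = "hvm"\nname = "guest-b"\n# device_model_stubdomain_override = 1\n' > "$d/b.cfg"
    printf 'type = "pv"\nname = "guest-c"\n' > "$d/c.cfg"
    echo "$d"
}

samples=$(make_samples)
audit_dir "$samples"
rm -rf "$samples"
```

Against a real host, replace the sample directory with the configuration directory in use (`audit_dir /etc/xen`) and treat any non-zero final count as a list of guests to fix. The comment stripping is deliberately simple: a `#` inside a quoted value would also be removed, which is harmless for this check because the setting being matched is a bare integer.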

"However, as with most security systems, it comes at a cost," writes Lengyel. "Running stubdomains requires a bit of extra memory as compared to the plain QEMU process in dom0. This in turn can limit the number of VMs a cloud provider may be able to sell, so they have little incentive to enable this feature by default on their end."

You can stay informed and learn more about VENOM by going here:  http://venom.crowdstrike.com/


About the Author

David Marshall is an industry recognized virtualization and cloud computing expert, a seven time recipient of the VMware vExpert distinction, and has been heavily involved in the industry for the past 16 years.  To help solve industry challenges, he co-founded and helped start several successful virtualization software companies such as ProTier, Surgient and Hyper9.

David is also a co-author of two very popular server virtualization books: "Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center" and "VMware ESX Essentials in the Virtual Data Center."  He was also the Technical Editor on Wiley’s "Virtualization for Dummies" and "VMware VI3 for Dummies" books.  David also authored countless articles for a number of well known technical magazines, including: InfoWorld, Virtual-Strategy and TechTarget.  And in 2004, he founded the oldest independent virtualization and cloud computing news site, VMblog.com, which he still operates today.

Follow David Marshall

Twitter: @vmblog
LinkedIn: https://www.linkedin.com/in/davidmarshall
Blog: http://vmblog.com