VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.
Security researchers say the newly disclosed flaw affects “millions” of virtual machines in datacenters around the world.
Move over, Heartbleed. There’s a new catastrophic vulnerability in town.
A security research firm is warning that a new bug could allow a hacker to take over vast portions of a datacenter — from within.
The vulnerability lies in a legacy component shared by widely used virtualization software. A guest that exploits it gains code execution on the host, a foothold from which the other virtual machines on that host and systems across the datacenter’s network can be attacked.
Most datacenters now pack many customers, from major technology companies to small firms, onto shared physical servers as virtual machines: multiple operating systems on a single host. The hypervisor that runs them lets the VMs share the hardware while keeping them isolated from one another. By exploiting the newly disclosed bug, known as “Venom” (an acronym for “Virtualized Environment Neglected Operations Manipulation”), an attacker inside one VM can gain control of the hypervisor and, from there, potentially reach the other VMs on the host and the network-connected devices in that datacenter.
The cause is a widely ignored, legacy virtual floppy disk controller. The emulated controller collects each command and its parameter bytes from the guest into a fixed-size buffer and is supposed to reset that buffer once the command has been processed; two of its commands skip the reset, so a guest that issues one of them and keeps writing overruns the buffer. Because the controller is emulated inside the hypervisor process on the host, the overrun can crash that process or, with crafted data, let the guest execute code in it. That allows a hacker to break out of their own virtual machine and reach other machines on the same host, including those owned by other people or companies.
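The buffer handling just described, as an added example that is not QEMU’s code and not CrowdStrike’s: a small C model of the controller’s command FIFO with the unpatched behaviour (index left in place after the two commands, no bounds check) beside the upstream-style fix (index reduced modulo the buffer size). The opcode values, parameter counts and 512-byte buffer size are assumptions patterned on the 8272A command set and QEMU’s FD_SECTOR_LEN, not taken from this page, and the model counts writes that would land past the buffer instead of performing them.

```c
/*
 * Added example, not QEMU's code: a minimal model of the VENOM command FIFO.
 * The opcodes, parameter counts and 512-byte FIFO size below are assumptions
 * patterned on the 8272A command set and QEMU's FD_SECTOR_LEN (hw/block/fdc.c).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_LEN 512    /* assumed: QEMU's FD_SECTOR_LEN */

/* Assumed opcodes (8272A layout). */
enum { CMD_READ_ID = 0x4a, CMD_DRIVE_SPEC = 0x8e };

struct fdc {
    uint8_t fifo[FIFO_LEN];
    size_t data_pos;    /* next index into fifo */
    size_t data_len;    /* bytes expected for the command in progress */
    bool hardened;      /* true: apply the upstream-style bounds fix */
    size_t oob_writes;  /* writes the model refused because pos >= FIFO_LEN */
};

/* Parameter bytes that follow each opcode; unknown opcodes take none. */
static size_t cmd_params(uint8_t opcode)
{
    switch (opcode) {
    case CMD_READ_ID:    return 1;
    case CMD_DRIVE_SPEC: return 5;
    default:             return 0;
    }
}

static void fdc_execute(struct fdc *f, uint8_t opcode)
{
    switch (opcode) {
    case CMD_READ_ID:
    case CMD_DRIVE_SPEC:
        /* The modelled defect: these two handlers returned without resetting
         * the FIFO, so data_pos stays at data_len and every later byte the
         * guest writes is appended as if it were another parameter. */
        break;
    default:
        /* Normal path: command done, the next one starts at index 0. */
        f->data_pos = 0;
        f->data_len = 0;
        break;
    }
}

/* One guest write to the controller's data port. */
void fdc_write(struct fdc *f, uint8_t value)
{
    if (f->data_pos == 0) {
        /* First byte of a new command: decide how many bytes to collect. */
        f->data_len = cmd_params(value) + 1;
    }
    size_t pos = f->data_pos++;
    if (f->hardened) {
        pos %= FIFO_LEN;  /* the fix: the index can never leave the buffer */
    }
    if (pos >= FIFO_LEN) {
        /* In QEMU this was the out-of-bounds heap write; the model counts it. */
        f->oob_writes++;
        return;
    }
    f->fifo[pos] = value;
    if (f->data_pos == f->data_len) {
        fdc_execute(f, f->fifo[0]);
    }
}

/* Issue READ ID with its one parameter, then keep writing; returns how many
 * of the extra bytes would have landed outside the 512-byte FIFO. */
size_t venom_probe(bool hardened, size_t extra_bytes)
{
    struct fdc f;
    memset(&f, 0, sizeof f);
    f.hardened = hardened;
    fdc_write(&f, CMD_READ_ID);
    fdc_write(&f, 0x00);          /* head/drive-select parameter */
    for (size_t i = 0; i < extra_bytes; i++) {
        fdc_write(&f, 0x41);      /* attacker-controlled payload byte */
    }
    return f.oob_writes;
}

int main(void)
{
    printf("unpatched: %zu of 1024 extra bytes land past the FIFO\n",
           venom_probe(false, 1024));
    printf("patched:   %zu of 1024 extra bytes land past the FIFO\n",
           venom_probe(true, 1024));
    return 0;
}
```

Build with `cc -std=c99 -o venom_model venom_model.c` and run it: the unpatched model reports 514 of the 1024 trailing bytes landing past the FIFO, the patched model none. Note what the fix does and does not do: it does not make the two handlers reset the FIFO, it only keeps the write index inside the buffer, which is enough to turn a host-side memory corruption into a harmless wrap within the guest’s own command buffer.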
The bug, found in the open-source machine emulator QEMU, dates back to 2004. Many modern virtualization platforms, including Xen, KVM, and Oracle’s VirtualBox, reuse QEMU’s device emulation and therefore include the buggy floppy controller code.
VMware, Microsoft Hyper-V, and the Bochs emulator are not affected.
“Millions of virtual machines are using one of these vulnerable platforms,” said CrowdStrike’s Jason Geffner, the researcher who found the bug, in a phone interview Tuesday.
The flaw may be one of the biggest vulnerabilities found this year. It comes just over a year after the notorious Heartbleed bug, which allowed malicious actors to grab data from the memory of servers running affected versions of the open-source OpenSSL encryption software.
“Heartbleed lets an adversary look through the window of a house and gather information based on what they see,” said Geffner, using an analogy. “Venom allows a person to break into a house, but also every other house in the neighborhood as well.”
Geffner said that the company worked with software makers to help patch the bug before it was publicly disclosed Wednesday. Because the large providers control both the hardware and the hypervisor software they run, they can roll patches out to thousands of affected customers without downtime. The fix only protects a guest once the hypervisor process serving it has been restarted or the guest has been moved to a patched host, so installing an updated package on its own does not cover virtual machines that are already running.
Now, he said, the big concern is companies that run systems that can’t be automatically patched.
To take advantage of the flaw, an attacker first needs administrative or “root” privileges inside a guest virtual machine, since only privileged guest code can talk to the emulated controller’s I/O ports. Geffner warned that it would take little effort to rent a virtual machine from a cloud computing service to exploit the hypervisor from there.
“What an adversary does from that position is dependent on the network layout,” said Geffner, indicating that a datacenter takeover was possible.
Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every piece of virtualization software.
“It’s definitely a real bug for people running clouds to patch against,” said Kaminsky. “It shouldn’t be too much of a headache as the big providers who might expose systemic risk have all addressed the flaw.”
As the bug was found in-house at CrowdStrike, there is no publicly known code to launch an attack. Geffner said the vulnerability can be exploited with relative ease, but said developing the malicious code was “not trivial.”
From the private disclosure to vendors in late April, it took companies about two weeks to begin patching affected systems.
Rackspace said in an emailed statement that it was notified of the vulnerability that affects a “portion” of its cloud servers, and that its systems are patched.
Oracle, which develops VirtualBox, said in an emailed statement that the company was “aware” of the problem, and fixed the code, adding that it will release a maintenance update soon.
“We will release a VirtualBox 4.3 maintenance release very soon. Apart from this, only a limited amount of users should be affected as the floppy device emulation is disabled for most of the standard virtual machine configurations,” said software lead Frank Mehnert.
A spokesperson for Oracle declined to comment.
A spokesperson for The Linux Foundation, which runs the Xen Project, declined to comment on specifics, but noted that a security advisory was published.
CrowdStrike is aware of the following vendor patches, advisories, and notifications.
- QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
- Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
- Red Hat: https://access.redhat.com/articles/1444903
- Citrix: http://support.citrix.com/article/CTX201078
- FireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf
- Linode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/
- Rackspace: https://community.rackspace.com/general/f/53/t/5187
- Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456
- SUSE: https://www.suse.com/support/kb/doc.php?id=7016497
- DigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/
- F5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html
We recommend you reach out to your vendors directly to get the latest security updates.