Security specialists at CrowdStrike have discovered a new vulnerability that could affect hundreds of data centers. Named ‘Venom,’ the flaw affects some popular virtualization platforms, specifically, KVM, VirtualBox, Xen and QEMU. However, not all platforms are open to attack.
The new bug exploits a buffer-overflow bug in the QEMU’s floppy disk controller (FDC). For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, according to CrowdStrikes’ web site, an unrelated bug causes the vulnerable controller to remain active and exploitable by attackers.
The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input and output ports. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command.
It may look innocuous but…
This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.
”If used, the bug can allow attackers who have access to one virtual machine to potentially access all other virtual machines which run on the same hardware. Although this is a new bug many of the larger data center operators are aware of it and have patched it. However it is not thought that this bug is as bad as the ‘Heartbleed’ scare last year” he said.
Bochs, Microsoft and VMWare are not affected by this bug. Jason Geffner, CrowdStrike Senior Security Researcher, discovered the vulnerability while performing a security review of virtual machine hypervisors.
Not time to panic… yet
Karl Sigler, Threat Intelligence Manager at Trustwave told DCD:“It’s serious, but not Heartbleed serious. There are no known in-the-wild attacks and a patch is available. The virtualisation products it does affect are popular (XEN, KVM, QEMU, and VirtualBox), but the absence of VMWare and Microsoft as affected eases the blow in a lot of cases.
“In order to exploit this vulnerability an attacker would require access to an existing virtual machine. In other words, this attack can’t be pulled off remotely. Most corporate virtual environments are isolated from anonymous or public access and would be immune to attack. In this regard the attack is very similar to a Privilege Escalation attack where the attacker requires an initial foothold before exploitation.
”I would see this attack typically used to target hosting companies that use virtual environments like KVM. An attacker would purchase a KVM instance then useVENOM to breach the hosting machine.”
The bug has existed since 2004
Many cloud hosts, including Amazon’s AWS, DigitalOcean and Rackspace use Xen or KVM virtualization technology. According to CrowdStrike, the bug has existed since 2004. Information and advice are available from their web site.
Amazon AWS issued an update saying “We are aware of the QEMU security issue assigned CVE-2015-3456, also known as ‘VENOM,’ which impacts various virtualized platforms. There is no risk to AWS customer data or instances.”
There are no known in-the-wild attacks and a patch is available
Karl Sigler, Trustwave
Rackspace, another major cloud vendor, also issued a statement saying that Venom does affect “…a portion of our Cloud Servers fleet…” and that it is patching the part of its infrastructure that may be affected by the vulnerability.
Unfortunately there is no easy way to check if another VM on your host machine has been exploited. The only solution is for data centers to reboot host machines with a patch from CrowdStrike. While you can be reasonably assured that Digital Ocean, Equinix and Rackspace will respond accordingly, the same may not be the case for the less responsible hosting providers.