IT Focus Area: security
May 14, 2015
New VENOM Vulnerability Threatens Multiple Virtualization Platforms
A critical vulnerability has been discovered in code used by several virtualization platforms.
The flaw, discovered by CrowdStrike and dubbed VENOM (Virtualized Environment Neglected Operations Manipulation; tracked as CVE-2015-3456), can allow an attacker to break out of the confines of a virtual machine (VM) and execute code on the host system. Without mitigation, this VM escape could open access to the host and to every other VM running on that host, potentially giving adversaries significant elevated access to the host's local network and adjacent systems.
There have been other VM escape vulnerabilities discovered over the years, but this one stands apart. VENOM affects multiple virtualization platforms in their default configurations, and because it lives in the hypervisor's device-emulation code rather than in any operating system, it is agnostic to the guest and host operating systems (Linux, Windows, Mac OS, etc.).
Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy.
What Products are Affected?
The bug is in QEMU's virtual Floppy Disk Controller (FDC). This vulnerable FDC code is used in numerous virtualization platforms and appliances, notably Xen, KVM, and standalone QEMU (the "native QEMU client").
VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.
Though the VENOM vulnerability is agnostic of the guest operating system, an attacker (or an attacker's malware) would need administrative or root privileges in the guest operating system in order to exploit VENOM, since only privileged guest code can talk to the emulated FDC's I/O ports. Note that not having a floppy drive configured is not a mitigation: many affected products add a virtual floppy drive to new VMs by default, and on Xen and QEMU the vulnerable FDC code remains active even when the administrator has explicitly disabled the virtual floppy drive.
Which Vendors Have Released Patches?
To protect your organization, reach out to vendors directly to get the latest security updates. The following vendor patches, advisories, and notifications have been identified:
Have Exploits Been Observed in the Wild?
No; neither CrowdStrike nor any industry partners have seen this vulnerability exploited in the wild.
Protect Your Organization Now
Work with your IT partners and vendors to take action now.
If you administer a system running Xen, KVM, or standalone QEMU, review and apply the latest patches developed to address this vulnerability. Installing the updated package is not enough on its own: a running guest keeps executing the QEMU binary it was started with, so each guest must be shut down and started again (or live-migrated to an already patched host) before the fix takes effect for it.
If you have a vendor service or device using one of the affected hypervisors, contact the vendor’s support team to see if their staff has applied the latest VENOM patches.
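The following script is an added example, not part of the original advisory and not CrowdStrike's or any vendor's tooling. It implements the post-patch check described above for a Linux KVM or QEMU host: a QEMU process that was started before the package update still runs the old code, and the kernel marks its /proc/<pid>/exe link with a trailing "(deleted)" once the binary on disk has been replaced. The script walks /proc, picks out QEMU processes (assuming the usual qemu-system-*, qemu-kvm and qemu-dm process names), and reports which guests still need a restart. Reading another user's /proc/<pid>/exe requires root, so run it as root on the host.

```shell
#!/bin/sh
# Added example (not from the advisory): after installing the vendor's QEMU/Xen
# fix for CVE-2015-3456, list guests that are still running the replaced,
# pre-patch binary. Those guests must be stopped and started again (or
# live-migrated to a patched host) before they are actually protected.
set -u

# Classify a process from the target of its /proc/<pid>/exe link, as printed by
# readlink. The kernel appends " (deleted)" when the executable file has been
# replaced since the process started. Kept as a pure function so it can be
# exercised with constructed input.
exe_state() {
    case "$1" in
        *' (deleted)') echo stale ;;
        *)             echo current ;;
    esac
}

# Succeed (exit 0) when a command line looks like a QEMU system emulator.
# Assumption: the binary is named qemu-system-<arch>, qemu-kvm, or Xen's qemu-dm.
is_qemu_cmdline() {
    case "$1" in
        *qemu-system-*|*qemu-kvm*|*qemu-dm*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk /proc and print one "pid<TAB>state<TAB>exe" line per QEMU process.
# Processes we cannot inspect (not root, or already exited) are skipped.
scan_running_qemu() {
    for pid_dir in /proc/[0-9]*; do
        pid=${pid_dir#/proc/}
        # /proc/<pid>/cmdline is NUL-separated; turn it into one printable line.
        cmd=$(tr '\0' ' ' < "$pid_dir/cmdline" 2>/dev/null) || continue
        is_qemu_cmdline "$cmd" || continue
        exe=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$pid" "$(exe_state "$exe")" "$exe"
    done
}

# Count the stale guests in a scan report read from stdin.
count_stale() {
    awk -F'\t' '$2 == "stale" { n++ } END { print n + 0 }'
}

report=$(scan_running_qemu)
if [ -n "$report" ]; then
    printf '%s\n' "$report"
fi
stale=$(printf '%s\n' "$report" | count_stale)
echo "QEMU guests still running a replaced (pre-patch) binary: $stale"
```

The "(deleted)" marker only tells you the file was replaced, not that the replacement is the fixed version, so pair this with the package version from your vendor's advisory. A reported count of 0 on a host that has been updated means every guest has already picked up the new binary; any stale entry is a guest that is still exposed despite the update.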