CrowdStrike senior security researcher Jason Geffner recently uncovered a vulnerability called VENOM (CVE-2015-3456) in QEMU's virtual Floppy Disk Controller (FDC), a component used by many virtualization platforms. The flaw, which has been present since 2004, could allow attackers to escape the confines of a virtual machine (VM) guest environment.
“Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems,” Geffner wrote.
“Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security and privacy,” he added.
“VENOM affects a number of open-source hypervisors, such as QEMU, Xen, KVM, VirtualBox and many derivatives of these products,” CrowdStrike CTO Dmitri Alperovitch noted in a blog post describing the vulnerability.
“While it seems obvious that infrastructure providers could be impacted, there are many other less obvious technologies that depend on virtualization,” Alperovitch added. “For example, security appliances that perform virtual detonation of malware often run these untrusted files with administrative privileges, potentially allowing an adversary to use the VENOM vulnerability to bypass, crash or gain code execution on the very device designed to detect malware.”
RedSeal CTO Dr. Mike Lloyd told eSecurity Planet by email that the potential to escape a virtual system makes the issue a serious one. “This is a widely feared form of vulnerability, since many business systems in the last few years have moved to public and private clouds,” he said.
“This virtualization means we often cannot tell which other outside organizations might have their workloads running on the same physical server as our systems, and so in principle an attack on their systems in the shared cloud infrastructure could spill over into ours, causing a potential domino effect,” Lloyd added.
Eric Chiu, president and co-founder of HyTrust, said the flaw highlights the risks inherent in virtual infrastructure. “As we have seen from the major breaches in the last 18 months including Sony, Target, Snowden and Home Depot, attackers are looking to access the most data or wreak as much havoc as possible,” he said. “And given that most enterprises have virtualized 60 to 70 percent of their data centers, this could have a major business impact on every company.”
Tripwire senior security analyst Ken Westin said by email that there’s a key lesson to learn from the VENOM announcement. “High impact vulnerabilities such as Heartbleed and Shellshock are going to be the new normal and they can appear anywhere in your software/hardware stack,” he said.
“The most important thing organizations can do to get ahead of these is to take an inventory of their hardware and software assets and be able to quickly identify what systems are vulnerable and remediate them as fast as possible, hopefully before exploits are released into the wild,” Westin added.