Venom Vulnerability Could Violate Virtual Machines

Crowdstrike on Wednesday made public its discovery of yet another long-buried Linux vulnerability.

“Venom,” as it has been dubbed, was unearthed by the firm’s senior security researcher, Jason Geffner. It is listed as vulnerability CVE-2015-3456.

Venom exists in the virtual floppy drive code (FDC) used by virtualization platforms based on QEMU (quick emulator). It has been around since 2004.

The code probably went undetected for 11 years because “it’s not obvious at all that this is a vulnerability,” Geffner told LinuxInsider.

“When I notified the QEMU team a few days [after reporting it] of a second way to reach this vulnerability, I got a call from one of the team members who told me he was looking at my report and I must be mistaken,” Geffner continued. “I had to walk them through it a few times before they saw it.”

How Venom Kills

Venom is a threat to virtual machines.

A server runs a hypervisor, which in turn runs one or more virtual machines, called “guest machines.” The hypervisor provides each guest operating system with a virtual OS and manages the execution of the guest OSes.

Several VMs, running multiple instances of one OS or different OSes, can be guested on one hardware platform.

When guest OSes send commands such as seek, read, write or format to the FDC’s input/output port, the FDC stores them and their associated parameters in a fixed-size buffer, according to Crowdstrike.

It keeps track of how much data to expect for each command. After all expected data for a given command is received from the guest OS, the FDC executes the command and clears the buffer for the next command.

However, two commands, which Crowdstrike did not disclose, are not reset. An attacker can send those commands and specially crafted parameter data from the guest system to the FDC to create a buffer overflow and execute arbitrary code during the host’s hypervisor process.

Attackers will need administrator privileges or root access privileges, so it’s not as if a hacker can waltz in and take over the FDC.

Still, with Venom, a malicious user program with sufficient root privileges “could break through the isolation normally afforded by the hypervisor and reach into the memory space of its hosted peers, potentially corrupting the software stack running in the other VMs and gaining access to sensitive data and applications,” Bill Weinberg, senior director of open source strategy at Black Duck Software, told LinuxInsider.

Who’s at Risk

“I don’t see this as a Linux vulnerability, but rather more as a virtual machine vulnerability,” said David Hobbs, director of security solutions at Radware.

“It more relates to KVM, Xen and VirtualBox — these are the hypervisors that have the vulnerability,” he told LinuxInsider.

Venom is more threatening to cloud providers than to enterprises, but “I expect cloud providers will act quickly to patch this up,” Hobbs said.

VMware, Microsoft Hyper-V and Bloch hypervisors are safe from Venom, because they use their own code.

Amazon isn’t vulnerable, said Ken Westin, security analyst for Tripwire, because it uses a modified version of Xen.

However, enterprises using a security appliance are at risk, Crowdstrike CTO Dmitri Alperovitch told LinuxInsider.

“Security appliances are used in a network to detonate malware, and they run the malware at the admin level to see its maximum functionality, so it does have admin privileges and can take down the system,” noted Crowdstrike’s Geffner.

Data centers offering Infrastructure as a Service, and their customers, also are threatened by Venom, he remarked, because “when customers rent out VMs from these data centers, they give them root level access to the system.”

How Dangerous Is Venom?

Venom is not more dangerous than Heartbleed, Tripwire’s Westin told LinuxInsider, because it can’t be remotely executed.

“I would put this below Heartbleed and Shellshock, but it is something that needs to be patched quickly,” he said.

“It’s like a loaded handgun lying on a table,” suggested Crowdstrike’s Alperovitch. “It’s not a threat yet because no one has picked it up, but that can happen any time.”