What is it?
VENOM (Virtualised Environment Neglected Operations Manipulation, CVE-2015-3456) is a vulnerability that could allow an attacker to escape a guest virtual machine and access the host system, along with other virtual machines running on this system, and access their data. This could potentially allow an attacker to steal sensitive data on any of these virtual machines and gain elevated access to the host’s local network and its systems.
VENOM takes advantage of the floppy drive emulation code of the open-source hypervisor QEMU, installed by default in a number of virtualisation infrastructures such as Xen hypervisors, the QEMU client, and Kernel-based Virtual Machine (KVM).
What does it expose?
Successful exploitation of VENOM could result in arbitrary code execution in the context of the host, breaking out of the guest machine and into the host system. To exploit this bug, an attacker needs user-level access to a guest virtual machine with sufficient privileges to talk to the FDC I/O ports; this means that the root user, or any other privileged user, may exploit it.
VENOM can expose:
- Any neighboring guests
- The host operating system
- The host local network
At the time of writing, a public Proof of Concept (PoC) was already available, which means that a working public exploit could soon be released. Note that the PoC itself may still be useful to an attacker, as it may enable them to crash the hypervisor.
Who/What is affected?
Floppy disks are an obsolete technology; however, many virtualisation products add a virtual floppy drive to VMs by default, which exposes VMs to any bugs in the emulated Floppy Disk Controller (FDC). Moreover, exploiting this vulnerability does not require a floppy device node under /dev/ within the guest, because the Floppy Disk Controller is present in the system regardless.
As far as Portcullis is aware, the vulnerable technology is enabled by default in Xen, QEMU, FireEye’s hypervisor, and KVM. VMware, Microsoft Hyper-V, and Bochs hypervisors are not vulnerable. A default installation of Oracle’s VirtualBox should not be vulnerable, since the Floppy Disk Controller is optional there. It is important to note that Amazon Web Services customers are not affected; however, many other hosting platforms may be vulnerable.
What should we do?
There are no reports of any attackers actively exploiting this vulnerability yet. QEMU and other vendors were informed of the bug prior to its disclosure and have already released patches to fix the issue.
Portcullis recommends upgrading to the latest version/patch of your virtualisation software and checking for information from your vendor. If you are a customer of a cloud provider, check whether they have applied a patch for the VENOM vulnerability. Administrators of VM systems who rely on Xen, KVM, or the native QEMU client should apply the VENOM patches as soon as possible. If your organisation operates an affected virtualisation infrastructure for external customers, you should patch immediately.
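As an added example (not part of the Portcullis advisory), the following script covers a gap that patching alone leaves on Linux KVM/QEMU hosts: a guest that was already running when the QEMU package was updated keeps the old, unpatched binary mapped in memory until it is stopped and started again, and the kernel marks such mappings "(deleted)" in /proc/<pid>/maps. The sample maps content is constructed, and the QEMU binary name patterns assume a standard distribution layout.

```python
"""Find running QEMU/KVM guests that still map a replaced (pre-patch) QEMU binary."""
import re
from pathlib import Path

# Assumed binary names for a standard distribution install of QEMU/KVM.
QEMU_BIN = re.compile(r"/(qemu-system-\S+|qemu-kvm|kvm)$")
DELETED = " (deleted)"


def stale_qemu_mappings(maps_text: str):
    """Return QEMU binaries this process maps executable that the kernel marks
    "(deleted)", i.e. the file on disk was replaced after the process started."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode path
        if len(fields) < 6:
            continue  # anonymous mapping without a path
        perms, path = fields[1], fields[5]
        if "x" in perms and path.endswith(DELETED):
            real_path = path[: -len(DELETED)]
            if QEMU_BIN.search(real_path):
                stale.add(real_path)
    return sorted(stale)


def scan_proc(proc_root: str = "/proc"):
    """Walk every process in proc_root; return {pid: [stale QEMU binaries]}.
    Needs root to read other users' maps; unreadable or vanished pids are skipped."""
    results = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            stale = stale_qemu_mappings((pid_dir / "maps").read_text())
        except OSError:
            continue
        if stale:
            results[int(pid_dir.name)] = stale
    return results


# Constructed sample: a guest started before the QEMU package was upgraded.
SAMPLE_MAPS = """\
00400000-00a3c000 r-xp 00000000 fd:01 131081  /usr/bin/qemu-system-x86_64 (deleted)
00c3b000-00c5e000 r--p 0063b000 fd:01 131081  /usr/bin/qemu-system-x86_64 (deleted)
7f0c2a000000-7f0c2a1c0000 r-xp 00000000 fd:01 2101  /usr/lib64/libc-2.17.so
7ffd1f9b0000-7ffd1f9d1000 rw-p 00000000 00:00 0   [stack]
"""

if __name__ == "__main__":
    for pid, bins in scan_proc().items():
        print(f"pid {pid} still runs replaced binary: {', '.join(bins)} (restart guest)")
```

Any guest reported here is still executing the code that was on disk before the update, so it must be restarted (or live-migrated to a patched host) for the VENOM fix to take effect.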
To mitigate the overall risk of this vulnerability, only grant privileged guest access to trusted users.