Security researchers at CrowdStrike have uncovered a vulnerability that makes it possible for an attacker to escape from a virtual machine and gain access to the host hypervisor and the other virtual machines running on it. And that could mean trouble for data centers and cloud service providers.
Researchers have named the security vulnerability Venom, which stands for Virtualized Environment Neglected Operations Manipulation, and some people are already comparing the seriousness of Venom to the Heartbleed vulnerability, which made headlines last year.
In an interview with ZDNet, Jason Geffner, the CrowdStrike researcher who discovered the Venom vulnerability, used an analogy to explain the difference between Heartbleed and Venom.
"Heartbleed lets an adversary look through the window of a house and gather information based on what they see," he said. "Venom allows a person to break into a house, but also every other house in the neighborhood as well."
Who is affected by Venom
The Venom vulnerability lies in the virtual floppy disk controller (FDC) used in several open-source virtualization platforms and appliances, including QEMU, Xen, KVM, and VirtualBox. The attack works by sending specially crafted commands and data to the virtual FDC's buffer (normally used to store and process seek, read, write, and other low-level floppy disk commands). The crafted input overflows that buffer, allowing the attacker to execute arbitrary code in the context of the hypervisor process.
Because the attacker must already hold root privileges inside a guest virtual machine, the vulnerability's usefulness is limited. However, the controller is present in every affected hypervisor, so it can be exploited on any of them regardless of the host OS.
If you or your SMB customers use VMware, Microsoft Hyper-V, or Bochs, you can breathe easy because those hypervisors are not affected by this particular vulnerability.
How to address the problem
Infrastructure providers and developers reacted quickly, producing patches to address the security vulnerability and applying them to millions of machines. According to CrowdStrike, there haven’t been any reports of the vulnerability being exploited yet, but there are a number of vendors who still need to apply the patches.
As an MSP, if you administer a system running one of the affected hypervisors, review the latest patches and make sure they have been applied. If you are not sure whether any affected hypervisors are running in your customers' environments, we suggest reviewing those environments as soon as possible to find out.