Wednesday 13 May 2015

VENOM Vulnerability - Virtualized Environment Neglected Operations Manipulation

VENOM is short for Virtualized Environment Neglected Operations Manipulation. It is a vulnerability in QEMU's virtual Floppy Disk Controller (FDC). The vulnerable code is used in numerous virtualization platforms and appliances such as Xen, KVM, and the native QEMU client.

The vulnerability has been assigned CVE-2015-3456. As far as we know, VMware, Microsoft Hyper-V, and the Bochs hypervisors are not impacted by this.

The interesting fact about VENOM is that it applies to a wide range of virtualization platforms (in their default configurations) and allows arbitrary code execution. Because the vulnerability exists in the hypervisor's codebase, it affects all host and guest Operating Systems.

However, the vulnerability can be exploited only from inside a guest with escalated privileges (root or administrator on the guest), since unprivileged guest users cannot talk to the FDC directly.

When the guest Operating System sends commands to the FDC (read, write, seek, format, etc.), these are stored in a fixed-size buffer. Once a command is executed the buffer is cleared and awaits the next command. However, it was found that the buffer was not being cleared for two of the commands (FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND). Consequently, an attacker is able to send these two commands along with specially crafted data, which results in a buffer overflow. This allows the attacker to execute arbitrary code as the host's hypervisor process.
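The following is an added, simplified model of the bug class just described; it is not QEMU's code, and the buffer size, command numbers and handler structure are assumptions chosen for illustration (in the real controller each command has a fixed parameter count and the handlers differ in detail). The point it shows is that the defect is state carried across commands: the write index into the fixed buffer is only reset by some handlers, so a guest that keeps issuing one of the two "neglected" commands drives the index past the end of the buffer. The model refuses out-of-bounds writes and counts them instead of corrupting memory, so the difference between the unpatched and patched handler shape is observable as a number.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the VENOM bug class (CVE-2015-3456). NOT QEMU's code:
 * names, sizes and command numbers below are assumptions for illustration. */

#define FIFO_SIZE      512   /* fixed-size command/data buffer (assumed size) */
#define CMD_READ_ID    0x0A  /* stands in for FD_CMD_READ_ID (assumed value) */
#define CMD_DRIVE_SPEC 0x8E  /* stands in for FD_CMD_DRIVE_SPECIFICATION_COMMAND (assumed) */
#define CMD_OTHER      0x01  /* any command whose handler does reset the buffer */

struct fdc_model {
    unsigned char fifo[FIFO_SIZE];
    size_t data_pos;   /* index of the next byte written into fifo */
    int rejected;      /* writes that would have landed past the buffer end */
};

/* Bounds-checked write. Instead of corrupting memory when the index has
 * run past the buffer, record the attempt so callers can observe it. */
static int fifo_push(struct fdc_model *c, unsigned char b)
{
    if (c->data_pos >= FIFO_SIZE) {
        c->rejected++;
        return -1;
    }
    c->fifo[c->data_pos++] = b;
    return 0;
}

/* Command completion. In the unpatched shape the two neglected commands
 * finish without resetting data_pos, so the index keeps growing across
 * commands; every other handler (and the patched shape) resets it. */
static void finish_command(struct fdc_model *c, unsigned char cmd, int patched)
{
    if ((cmd == CMD_READ_ID || cmd == CMD_DRIVE_SPEC) && !patched) {
        return;            /* the defect: buffer index left where it was */
    }
    c->data_pos = 0;       /* buffer cleared, ready for the next command */
}

/* Replay a guest-side sequence: `rounds` times, one command byte followed by
 * `payload` data bytes, then the command completes. Returns how many writes
 * were rejected as out of bounds (0 means the buffer was never overrun). */
int run_sequence(unsigned char cmd, size_t payload, int rounds, int patched)
{
    struct fdc_model c;
    memset(&c, 0, sizeof c);
    for (int r = 0; r < rounds; r++) {
        fifo_push(&c, cmd);
        for (size_t i = 0; i < payload; i++) {
            fifo_push(&c, 0x41);   /* constructed filler byte */
        }
        finish_command(&c, cmd, patched);
    }
    return c.rejected;
}

int main(void)
{
    /* 10 rounds of 101 bytes = 1010 writes against a 512-byte buffer */
    printf("READ_ID,   unpatched: %d rejected writes\n", run_sequence(CMD_READ_ID, 100, 10, 0));
    printf("READ_ID,   patched:   %d rejected writes\n", run_sequence(CMD_READ_ID, 100, 10, 1));
    printf("DRIVE_SPEC unpatched: %d rejected writes\n", run_sequence(CMD_DRIVE_SPEC, 100, 10, 0));
    printf("OTHER,     unpatched: %d rejected writes\n", run_sequence(CMD_OTHER, 100, 10, 0));
    return 0;
}
```

Two things carry over to reviewing real emulated-device code: every path out of a command handler must restore the shared buffer state, and the write into the buffer itself should be bounded regardless of what the handlers did, so that a missed reset degrades to a rejected write rather than a hypervisor-memory overwrite.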

The vulnerability allows the attacker to execute commands against the rest of the Virtual Machines (guest Operating Systems) hosted on the same physical server. It is also possible to go on to execute commands against the other physical servers present in the network infrastructure, including any Virtual Machines hosted on those servers. In other words, successful exploitation of this vulnerability could allow the infiltration of every machine across a datacenter's network. As companies use cloud services more and more these days, sensitive data can be put at risk.

The QEMU Project and the Xen Project released patches to address the issue. Xen in its advisory mentions that systems running only x86 paravirtualized guests, and ARM systems, are not vulnerable. Red Hat released patches to resolve the vulnerability, and Amazon has informed its AWS customers that their data and instances are not at risk.
Rackspace, Amazon, Linode and likely other cloud providers will probably reboot some of their servers over the next week after they patch several vulnerabilities affecting the Xen open-source hypervisor [1].

Even though patches will be available soon for the affected platforms from their respective vendors, administrators should also make sure the Virtual Machines follow best practices.

If you would like to read more about VENOM you may visit: venom.crowdstrike.com

If you would like to research and dig a little deeper into this, be aware that security issues and vulnerabilities in KVM have always been an issue. Look up the emulated Cirrus Logic VGA (CVE-2007-1320) and NE2000 vulnerabilities in QEMU [2].

[1] http://www.securityweek.com/xen-hypervisor-flaws-force-amazon-rackspace-reboot-servers

[2] https://marc.info/?l=oss-security&m=143155206320935&w=2
