Critical VM escape vulnerability impacts business systems, data centers

The vulnerability, dubbed Venom, affects systems using the QEMU, Xen and KVM virtualization platforms

A critical vulnerability in code used by several virtualization platforms can put business information stored in data centers at risk of compromise.

The flaw, dubbed Venom but tracked as CVE-2015-3456, can allow an attacker to break out from the confines of a virtual machine (VM) and execute code on the host system.

This security boundary is critical in protecting the confidentiality of data in data centers, where virtualization is extensively used to allow different tenants to run servers on the same physical hardware.

The flaw is located in the virtual Floppy Disk Controller (FDC) code from the QEMU open source machine emulator and virtualizer. The code is also used by the Xen, KVM and other virtualization platforms.

The VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by the vulnerability, according to security firm CrowdStrike, whose senior security researcher, Jason Geffner, found the issue.

There have been other VM escape vulnerabilities discovered over the years, but this one stands apart because it affects multiple virtualization platforms in default configurations and is agnostic to the guest or host operating system.

Attackers do need to have root access on the guest OS in order to exploit the flaw and execute code on the hypervisor. But once this is done, they could gain access to other servers running on the same hypervisor or to the network traffic originating from all virtual machines.

Because of a separate bug, on Xen and QEMU the vulnerable FDC code remains active even if the administrator disables the virtual floppy drive for a virtual machine, CrowdStrike said.

The QEMU and Xen projects released patches to address this vulnerability.

"While I do consider the vulnerability severe and recommend system administrators to apply fixes when available -- especially in environments where potentially untrusted users have access to guests with administrative privileges -- I also find it blown out of proportion," said Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, via email.

Having to first obtain root/administrator access on the guest system makes the vulnerability harder to exploit because an external attacker would need to chain the flaw with a different vulnerability for the guest OS, Eiram said. Also, it's worth noting that ARM platforms are not affected, he said.

The security team from Red Hat said in a blog post that while in theory the vulnerability has the potential to be used for code execution, it hasn't seen any working exploit that demonstrates this.

"To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon," said Tod Beardsley, research manager at Rapid7, via email. "Given this incentive of interestingness, I would expect to see a public proof of concept exploit appear sooner rather than later."

Stories by Lucian Constantin