Significant virtual machine vulnerability has been hiding in floppy disk code for 11 years

CrowdStrike researchers announced this morning that they have discovered a buffer overflow vulnerability in many of today's most popular virtual machine platforms

CrowdStrike researchers announced this morning that they have discovered a buffer overflow vulnerability in many of today's most popular virtual machine platforms that could potentially allow hackers access to the host.

They named the vulnerability VENOM -- Virtualized Environment Neglected Operations Manipulation -- because it takes advantage of long-neglected code, the virtual floppy disk controller.

"We suspect that there are millions of virtual machines around the world that are vulnerable," said researcher Jason Geffner, who discovered the flaw.

Affected platforms include Xen hypervisors, KVM, Oracle VM VirtualBox and the native QEMU client. Geffner estimates that these machines account for the majority of the virtual machine market, due to their widespread use by cloud computing services, infrastructure as a service providers and appliance vendors.

The vulnerability allows a hacker inside a guest to send malformed commands to the virtual floppy disk controller, trigger a buffer overflow in the emulator, and gain administrator access to the host machine.
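The overflow CrowdStrike describes is a classic pattern in guest-facing device emulation: the guest feeds command bytes into a fixed-size buffer and the handler never checks how many it has already accepted. The C below is a constructed model added here, not QEMU's or CrowdStrike's code; FIFO_SIZE, struct fdc_model and its fields are invented for illustration. It shows the unchecked write beside the bounds-checked form that a fix for this bug class applies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of an emulated floppy controller's command FIFO. Not
 * QEMU's code: FIFO_SIZE, the layout and the field names are invented. */
#define FIFO_SIZE 8

struct fdc_model {
    uint8_t fifo_pos;          /* next write position, advanced per byte */
    uint8_t fifo[FIFO_SIZE];   /* parameter bytes the guest writes via the data port */
    uint8_t drive_state;       /* emulator bookkeeping that happens to follow the FIFO */
};

/* Vulnerable pattern: trusts the guest to send exactly as many parameter bytes
 * as the command takes, so fifo_pos is never checked and a longer command walks
 * off the end of fifo[] into the neighbouring field. The store goes through a
 * byte pointer to the whole struct so the model stays well-defined C. */
void fdc_write_data_vulnerable(struct fdc_model *d, uint8_t byte)
{
    uint8_t *raw = (uint8_t *)d;
    raw[offsetof(struct fdc_model, fifo) + d->fifo_pos] = byte;
    d->fifo_pos++;
}

/* Hardened pattern: every store is bounds-checked and an over-long command is
 * refused instead of being allowed to overrun. */
bool fdc_write_data_hardened(struct fdc_model *d, uint8_t byte)
{
    if (d->fifo_pos >= FIFO_SIZE)
        return false;          /* malformed command: drop the byte */
    d->fifo[d->fifo_pos++] = byte;
    return true;
}

/* Feed a guest-supplied command of len bytes to one handler and report whether
 * the emulator's private state survived (0x5A is a sentinel). The cap on len
 * only keeps the demo inside the struct; neither handler has such a guard. */
bool feed_command(bool hardened, const uint8_t *cmd, size_t len)
{
    struct fdc_model d = { .drive_state = 0x5A };
    size_t max_len = sizeof d - offsetof(struct fdc_model, fifo);
    if (len > max_len) len = max_len;
    for (size_t i = 0; i < len; i++) {
        if (hardened) fdc_write_data_hardened(&d, cmd[i]);
        else fdc_write_data_vulnerable(&d, cmd[i]);
    }
    return d.drive_state == 0x5A;
}
```

A command exactly one byte longer than the FIFO is enough to clobber the neighbouring field in the unchecked version, while the checked version drops the extra byte and leaves the state untouched.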

"It's a way to escape out of the virtual machine and execute code on the host with full privileges," said CrowdStrike CTO Dmitri Alperovitch. "It can be used by attackers to do nasty things."

It's a stealthy back door into corporate networks that is hard to detect with current security technology, he said.

To add insult to injury, even if administrators have disabled the virtual floppy drive code -- because really, who uses floppy drives? -- another, totally unrelated bug still allows that code to be reached.

CrowdStrike notified affected vendors in late April, and patches are now available for both the VENOM vulnerability and the second bug, which prevents the floppy drive code from being completely deactivated.

"We've worked very closely with the software vendors to make sure they understand the vulnerability, developed patches, and released patches and information to their predisclose lists yesterday," said Geffner.

The patch itself will be publicly released tomorrow, but CrowdStrike is not releasing proof-of-concept exploit code.

"The big concern now is with anyone using virtual machines in-house," he said. "They need to be patched right away."

He added that the vulnerability was an original discovery, and that CrowdStrike has not seen it in the wild.

"Nor have the vendors with whom we've spoken," he added.

The floppy drive legacy code dates back to 2004, said Geffner, and hasn't been touched since.

"This is legacy technology that, for the most part, hasn't been used in 20-plus years," said Alperovitch. "It is coming back to haunt us and cause major problems now."

According to Geffner, the floppy drive controller code continues to be included because there are still a couple of situations where virtual floppy drives are needed.

For example, there are still old-school computers out there with floppy drives, and some tools, such as hard disk recovery tools, need to be installed on floppies. Developers test the code for these tools on virtual machines -- and so need access to virtual floppy disks.

Another application of virtual floppy disks is to run legacy software that requires a specially formatted floppy disk to be present. Some software vendors used to do this to ensure that the software was being used by a legitimate customer and wasn't an illegal copy.


This story, "Significant virtual machine vulnerability has been hiding in floppy disk code for 11 years" was originally published by CSO Online.

Stories by Maria Korolov