Privacy and Information Security | University of Illinois

Virtualized Environment Neglected Operations Manipulation (VENOM)

A vulnerability was recently disclosed that affects certain virtual machine (VM) hosts. This page will be updated if and when more information is available.

IMPACT

This vulnerability may allow an attacker to escape the confines of an affected virtual machine guest and obtain code execution on the host. Absent mitigation, this VM escape could expose the host system and every other VM running on that host, potentially giving adversaries elevated access to the host's local network and adjacent systems. However, an attacker (or an attacker's malware) would first need administrative or root privileges in the guest operating system in order to exploit VENOM.

PLATFORMS AFFECTED

Many virtualization platforms and appliances, notably Xen, KVM, and QEMU itself, are affected by a bug in QEMU's virtual Floppy Disk Controller (FDC).

VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.

Since the VENOM vulnerability exists in the hypervisor's device-emulation code (QEMU), it is host operating system agnostic and can occur on Linux, Windows, Mac OS, etc. Even if a guest does not explicitly have a virtual floppy disk configured and attached, the issue is still exploitable: the virtual FDC is initialized for every x86 and x86_64 guest regardless of configuration and cannot be removed or disabled.

DESCRIPTION:

The guest OS communicates with the Floppy Disk Controller (FDC) by sending commands such as seek, read, write, format, etc. to the FDC's input/output port. QEMU's virtual FDC uses a fixed-size buffer to store each command and its parameter bytes. The FDC knows how many parameter bytes to expect for each command; once all expected bytes for a command have been received from the guest, the FDC executes the command and clears the buffer for the next one. This reset happens immediately after every FDC command completes, except for two of the defined commands. After one of those two commands, the write position is never returned to the start of the buffer, so any further bytes the guest sends keep being appended past the expected length.

An attacker with root privileges in the guest can therefore issue one of those two commands, followed by specially crafted parameter data, to write past the end of the fixed-size buffer and execute arbitrary code in the context of the host's hypervisor (QEMU) process.
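The following is an added example, not code from this advisory or from QEMU: a simplified C model of the FDC data-port handling outlined above. The buffer size, opcodes and command lengths are invented for illustration, and CMD_X and CMD_Y stand in for the two commands that skip the buffer reset (they are not the real opcodes). The unchecked path counts writes that would land past the buffer instead of performing them, so the program is safe to run; the bounded path shows one hardening, keeping the write index inside the buffer.

```c
/* Toy model of a QEMU-style FDC command FIFO (illustration, not QEMU code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_LEN 16 /* illustrative size; assumption, not QEMU's real buffer */

typedef struct {
    uint8_t fifo[FIFO_LEN]; /* opcode followed by its parameter bytes          */
    int data_pos;           /* index of the next byte the guest writes         */
    int data_len;           /* total bytes expected for the command in fifo[0] */
    int hardened;           /* 0: index unchecked (bug), 1: index bounded      */
    int executed;           /* commands run so far                             */
    int oob_writes;         /* instrumentation: writes that would leave fifo[] */
} FDC;

/* Hypothetical opcodes (assumption): CMD_X and CMD_Y play the two commands
 * that do not clear the buffer after completion. */
enum { CMD_SEEK = 0x0f, CMD_READ = 0x06, CMD_X = 0x0a, CMD_Y = 0x0e };

static int cmd_len(uint8_t op)
{
    switch (op) {
    case CMD_SEEK: return 3; /* opcode + 2 parameter bytes */
    case CMD_READ: return 9; /* opcode + 8 parameter bytes */
    case CMD_X:
    case CMD_Y:    return 2; /* opcode + 1 parameter byte  */
    default:       return 1; /* single-byte command        */
    }
}

static void fdc_execute(FDC *f)
{
    uint8_t op = f->fifo[0];
    f->executed++;
    /* The bug: two commands return without clearing the FIFO state, so
     * data_pos keeps growing with every further byte the guest sends. */
    if (op == CMD_X || op == CMD_Y)
        return;
    f->data_pos = 0;
    f->data_len = 0;
}

/* Guest writes one byte to the FDC data port. */
static void fdc_write_data(FDC *f, uint8_t value)
{
    int pos = f->data_pos;
    if (f->hardened)
        pos %= FIFO_LEN;      /* hardening: the index can never leave the buffer */
    if (pos >= FIFO_LEN) {    /* unchecked path: this write would corrupt whatever
                                 follows fifo[] in the host process */
        f->oob_writes++;      /* recorded instead of performed */
        f->data_pos++;
        return;
    }
    f->fifo[pos] = value;
    f->data_pos++;
    if (f->data_pos == 1)             /* first byte is the opcode */
        f->data_len = cmd_len(value);
    if (f->data_pos == f->data_len)   /* all parameters received */
        fdc_execute(f);
}

static void fdc_send(FDC *f, const uint8_t *bytes, size_t n)
{
    for (size_t i = 0; i < n; i++)
        fdc_write_data(f, bytes[i]);
}

/* Well-formed traffic (constructed): a seek, then a read. Returns OOB count. */
int benign_sequence(int hardened)
{
    FDC f;
    memset(&f, 0, sizeof f);
    f.hardened = hardened;
    const uint8_t seek[] = { CMD_SEEK, 0x00, 0x10 };
    const uint8_t rd[]   = { CMD_READ, 0, 0, 0, 0, 0, 0, 0, 0 };
    fdc_send(&f, seek, sizeof seek);
    fdc_send(&f, rd, sizeof rd);
    return f.oob_writes;
}

/* Malicious traffic (constructed): one non-resetting command, then a long
 * run of "parameter" bytes. Returns how many would have left the buffer. */
int venom_sequence(int hardened)
{
    FDC f;
    memset(&f, 0, sizeof f);
    f.hardened = hardened;
    uint8_t payload[64];
    payload[0] = CMD_X;
    memset(payload + 1, 0x41, sizeof payload - 1);
    fdc_send(&f, payload, sizeof payload);
    return f.oob_writes;
}

int main(void)
{
    printf("benign, unchecked: %d out-of-bounds writes\n", benign_sequence(0));
    printf("venom,  unchecked: %d out-of-bounds writes\n", venom_sequence(0));
    printf("venom,  bounded:   %d out-of-bounds writes\n", venom_sequence(1));
    return 0;
}
```

With the unchecked index, the 64-byte sequence produces 48 writes beyond the 16-byte buffer (bytes 16 through 63), while well-formed traffic never leaves it because each completed command resets data_pos. Bounding the index stops the corruption even though the stale FIFO state remains; it is a containment fix, not a correction of the missing reset.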

CVE ASSIGNMENT:

CVE-2015-3456

REMEDIATION:

To remediate, install the latest QEMU, KVM, or Xen packages from your vendor. Note that updating the packages does not patch QEMU processes that are already running: each guest must be powered off and started again (or migrated to a patched host) before it is protected.

ADVISORY:

<http://venom.crowdstrike.com/>

MORE INFORMATION:

Please contact <securitysupport@illinois.edu> if you have any questions or concerns.

Date reported: 
Wednesday, May 13, 2015