A new unchecked buffer vulnerability that affects some computer virtualization platforms has been discovered and published by CrowdStrike Senior Security Researcher Jason Geffner. The vulnerability, dubbed VENOM (Virtual Environment Neglected Operations Manipulation, CVE-2015-3456), affects QEMU’s virtual Floppy Disk Controller (FDC) used in numerous virtual machine (VM) platforms including Xen, KVM, and the native QEMU client.

QEMU is an open source generic machine emulator and virtualizer. It’s name is short for Quick Emulator. Its source forms the foundation of multiple VM platforms used in datacenters across the world.

It is important to note that VMware, Microsoft Hyper-V, and Bochs hypervisors are unaffected by this vulnerability. Amazon has also already announced that AWS is not affected.

Patches available

If your VM host runs Xen or QUMU, these vendors already have patches available. Be sure to have a system administrator install the patch as soon as possible.

The CloudStrike information release on VENOM includes a more detailed (and expanding) list of patches available for affected VM platforms.

What risks does this vulnerability expose

An attacker can use this vulnerability to escape from a virtual machine (VM) instance and gain access to the host. In security parlance, VENOM is a privilege escalation exploit that would allow an attacker to gain access to parts of the machine otherwise secure.

An attacker can use VENOM to gain administrator level access to the host.

Once an attacker has high level access to the host, all VM instances running on that host can be viewed and manipulated.

An attacker with access to the host can also use that access to attack other hosts, databases, or systems connected to the host by using the hosts credentials and connection to the network.

Comparison to Heartbleed

Early reports of VENOM compared this vulnerability to an exploit discovered in 2014 dubbed Heartbleed that affected SSL, the encryption layer that protects much of the web. Due to the prevalence of SSL for every secure website and in every browser, this bug affected millions of users.

This is also the era where security bugs and exploits get interesting names and branding. VENOM is not exception in that it received a sinister cobra image and a cool name.

When it comes to user vulnerability, VENOM differs from Heartbleed in that VENOM cannot be triggered remotely. An attacker must have access to a VM through a local login and must be logged in to trigger the escalation attack. Heartbleed works remotely upon connection to the vulnerable system.

As a result, VENOM affects far fewer users than Heartbleed did, it affects far fewer vendors, and it’s already being patched out rapidly.

That said, this exploit can open up an entire host of VM clients and potentially the attached network to infiltration so it is urgent to get any vulnerable system patched.

photo credit: Cobra 2 via photopin (license); VENOM logo, CloudStrike.