VENOM Driver Flaw Puts Cloud Services, Virtualized Servers at Risk

Security firm CrowdStrike finds a serious vulnerability in a widely used driver and, following the hyperbolic trend toward marketing vulnerability research, dubs it VENOM.

VENOM flaw

A buffer overflow in a kernel-level driver included in many default virtualized environments could give attackers the ability to escape from a guest operating system and affect the host, according to security services firm CrowdStrike.

The vulnerability could cause problems for any vulnerable cloud service, which typically use virtualized systems throughout their operations, as well as corporate data centers. An attacker, for example, could create a virtual machine instance in a vulnerable cloud service, escape the guest operating system and compromise the host, according to the firm. After that, the attacker would have control over all the other guest operating systems running on the same host.

"This is why we believe it is such a big deal," Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike, told eWEEK. "There are still a lot of companies that use these vulnerable hypervisors."

CrowdStrike researcher Jason Geffner found the flaw earlier this year, and after confirming the issue, the company notified vendors in late April. Continuing the industry trend toward heavily marketing vulnerability research, CrowdStrike christened the vulnerability the "virtualized environment neglected operations manipulation," or VENOM, flaw, complete with a stylized cobra icon and dedicated Web page.

Ironically, the affected driver is for virtualized hardware that is hardly ever seen outside of movies made about the 1980s and 1990s—a floppy disk. QEMU's virtual Floppy Disk Controller (FDC) has a vulnerability that could allow an attacker to run code by pairing one of two flawed commands related to the controller with a buffer overflow, CrowdStrike stated.

The issue affects KVM, native QEMU and Xen virtual-machine clients. Hypervisors from Bochs, Hyper-V, Microsoft and VMware are not affected, according to CrowdStrike. A variety of software companies—from Red Hat to Rackspace and from Citrix to SUSE—have released updates for their products. Because of an unrelated bug, many platforms fail to disable the floppy disk controller even when an administrator disables the drive.

"For many of the affected virtualization platforms, even if you do not add the driver to the platform, you are still vulnerable," CrowdStrike's Geffner told eWEEK. "That's what makes this vulnerability so rare—it works with the default configuration."

Security experts from other companies agreed.

"This is a widely feared form of vulnerability, since many business systems in the last few years have moved to public and private clouds," Mike Lloyd, chief technology officer at RedSeal, said in a statement. "This virtualization means we often cannot tell which other outside organizations might have their workloads running on the same physical server as our systems, and so in principle an attack on their systems in the shared cloud infrastructure could spill over into ours, causing a potential domino effect."

CrowdStrike is not the first company to find a way to break out of a virtualized sandbox and affect the host operating system. In a 2007 paper, Google researcher Tavis Ormandy delved into the possibilities of using vulnerabilities in the guest operating system to affect a virtual system. Around the same time, security researcher Joanna Rutkowska posited that malware could create its own hypervisor to emulate a computer and turn the current operating system into a virtual machine. Called the "Blue Pill" after the concept in the movie The Matrix, the speculative malware could then invisibly control the operating system.

Other security experts downplayed the current incarnation of the threat, noting that—unlike the Heartbleed flaw in OpenSSL servers—VENOM is a difficult issue to exploit.

"Heartbleed was so bad because it was a vulnerability discovered in one of the most commonly used applications for servers and had been for many years," Adam Kujawa, head of malware intelligence at Malwarebytes Labs, said in a statement. "VENOM doesn't come close to that kind of potential damage since the target group is so small and every minute it is shrinking as more systems get patched."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...