Venom Virtualisation Vulnerability Could Impact Cloud, Data Centre Security

An 11-year-old vulnerability in a number of virtualisation platforms could allow a malicious attacker to gain access to host systems and steal sensitive information, security researchers have warned.

Venom, as it has been dubbed, was discovered by Crowdstrike’s Jason Geffner while performing a security review of virtual machine hypervisors and was found in the virtual Floppy Disk Controller (FDC) used by QEMU, an open source machine emulator and virtualiser.

This FDC is used in numerous virtualisation platforms, including Xen, KVM and the native QEMU client, but crucially, not VMware, Hyper-V and Bochs’s hypervisors. However Crowdstrike have warned that potentially thousands of organisations and “millions” of end users could be affected.

Floppy disk

“Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems,” said Crowdstrike, which says the FDC in question was added to the QEMU database in 2004.

Although floppy disks are a dated technology, the FDC is added to a virtual machine by default. The guest operating system communicates with the FDC by sending commands to the input/output port and the FDC keeps track of how much data it expects to receive. Once all the expected data is received, the FDC executes the command and clears the buffer for the next one.

Venom could allow an attacker to send these commands with specially created parameter data that would overflow the butter and allow for the execution of malicious code.

Researchers say Venom differs from previous ‘escape’ virtualisation vulnerabilities because they were only exploitable in non-default configurations or configurations that aren’t permitted in secure environments.

Unique threat

What makes Venom unique from other ‘escape’ virtualisation vulnerabilities is that it impacts a wide array of platforms, works in default configurations and allows for the direct execution of code. Previous bugs have only been exploitable in non-default configurations or configurations not permitted in secure environments and have tended to affect single virtualisation platforms.

Crowdstrike “responsibly” disclosed Venom at the end of last month. No exploits have been spotted in the wild, but those affected have been urged to download any patches and contact any vendors using an affected hypervisor to ensure their staff have patched their systems.

Heartbleed 2.0?

The scope of Venom has immediately drawn comparisons with the Heartbleed SSL bug discovered last year, but experts have said that although the new vulnerability is likely to affect fewer systems.

“There is already a lot of hype suggesting that VENOM is even ‘bigger than Heartbleed,’ but this is not likely to be the case in terms of scale, at least,” said Symantec. “Heartbleed affected a huge number of websites, applications, servers, virtual private networks, and network appliances. Meanwhile, VENOM only affects virtualization systems that specifically use QEMU’s Floppy Disk Controller and does not impact some of the most widely used VM platforms.

“Is VENOM as bad as Heartbleed? The answer depends. If your system is vulnerable and you have a lot of critical services running on it with plenty of sensitive data, then an attack could be devastating. Heartbleed is considered to be a major issue mostly because the vulnerable systems are so widespread and common. VENOM is locally serious and could allow an attacker to do much more than Heartbleed, but the number of vulnerable systems is much smaller, making it a less serious problem in the greater scheme of things.”

“[Venom is] serious, but not Heartbleed serious. There are no known in-the-wild attacks and a patch is available,” added Karl Sigler, threat intelligence manager at Trustwave. “The virtualisation products it does affect are popular (XEN, KVM, QEMU, and VirtualBox), but the absence of VMWare and Microsoft as affected eases the blow in a lot of cases.

Are you a security expert? Try our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

22 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

23 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

24 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago