Thursday, May 14, 2015

VENOM: What you need to know (CVE-2015-3456)

Researchers at CrowdStrike discovered a flaw in the Floppy Disk Controller emulation component of QEMU virtualization software. If an adversary has administrative access to a virtual server, they can potentially exploit this to gain access to every other virtual server on the same physical host. Here is a moderately non-technical explanation.
Venom is a fictional comic character and occasional nemesis of Spider-Man... wait, that's not the Venom you meant.

Researchers at CrowdStrike discovered a flaw in the Floppy Disk Controller emulation component of the QEMU virtualization software, which they dubbed "Virtualized Environment Neglected Operations Manipulation", or "VENOM" for short. If an adversary has administrative access to a virtual server, they can potentially exploit this to gain root access on the virtualization host (the physical box), and from there read memory and do anything else with other virtual servers on the same box. This vulnerability was given the identifier CVE-2015-3456.

If server farms are not your area of expertise, that paragraph might need some explanation. The typical home computer running Windows or OS X behaves as a single computer. You log in, you use the computer, you log out. In a more complex setup or in a small office, you might run the server version of an operating system, in which more than one person can log in and use the server simultaneously - but it is still a single computer. If you reboot the server, or use up all the memory - or get infected with malware - it affects everyone else using the same server.

Virtualization is technology to run more than one "virtual private server" (VPS) or "virtual machine" (VM) on a single physical computer. In other words, a single computer can pretend to be several separate machines. In my case, I may run Windows 8 with traditional Windows applications in one VM, Kali Linux with my hacking tools in another VM, and yet other VMs in which I run live malware to analyze its behavior. Larger businesses use virtual machines as a way to get the most use out of expensive computing equipment, as well as to fit more into a finite datacenter (servers take up physical space; if I can run more than one VM on the same physical server, I need fewer physical devices, and with that comes less cooling and less electricity use). Cloud services take the concept a step further, offering separate virtual private servers to different customers. A customer can (in theory) do whatever they wish with their own VM, and at worst crash their own virtual server, never affecting other customers on the physical box.

QEMU is the name of a particular machine emulator. It is widely used in cloud server farms due to its high performance and low cost (I won't go into the open source software topic other than to say QEMU is at its root open source, developed and maintained by volunteers).

This is where VENOM comes in. Virtualization hypervisors (the supervisor software that manages virtual environments) separate the VM from the physical hardware, so they include emulation - software that mimics the physical device hardware. If multiple VMs try to use the same physical hard drive, or network interface, or floppy disk (remember those?), the hypervisor keeps those requests separate and acts as a gatekeeper. QEMU includes code to emulate floppy disk drives, an early form of portable data storage. 

CrowdStrike researcher Jason Geffner discovered a flaw in the floppy drive code. An administrator on one virtual machine could exploit this flaw to gain access to the hypervisor, and from there control other virtual machines on the same physical server. Once in control of the hypervisor, the malicious actor might shut down a VM, or read confidential files in another VM, or cause any number of other forms of harm to another VM's customers.

A few caveats:
  • It can only be exploited by an administrator of a virtual server. It cannot be exploited by a standard user or an anonymous web user.
  • No known exploit exists yet, though a proof of concept is published.
  • It does not affect VMware or Microsoft Hyper-V.
  • It does not affect Amazon Web Services.

What to do?

For your home: probably nothing. This affects businesses running virtualized environments, not home users on single-purpose PCs.

For your corporate datacenter? CrowdStrike has a list of affected vendors, along with links to the respective vendor advisories, in the Q+A section of the linked document. If you use an affected product, assess the risk and update as soon as is practical.

For your hosted website or cloud service, check with your hosting provider as to their vulnerability and plans to update.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen