The security firm CrowdStrike recently revealed a vulnerability that its staff discovered in QEMU-based virtual machine (VM) products (CVE-2015-3456). These include Xen, KVM, and VirtualBox. VMWare products, Bochs and Hyper-V, are not affected. The vulnerability, which they call "VENOM" (Virtualized Environment Neglected Operations Manipulation), can lead to complete control of a host computer, as well as access to all of the VMs running on the machine. VM vendors have or will have updates, and system administrators should apply them as soon as they are available.
This vulnerability lies in old code that is used by the VM software to interface with floppy disk drives. So, is it a simple matter of disabling the floppy drive in your VMs? Not exactly. First of all, disabling the floppy drive does not make the floppy disk drive code inactive on some VM software. Second, if there are other VMs on the same machine you will not be safe unless all of them have been updated. Cloud computing vendors use VMs as a way of maximizing efficiency of the hardware. While a customer will typically have access one VM, they likely will be sharing the underlying host machine with others running in their own VM. If an attacker gains access to one vulnerable VM, she can break out of that VM into the host system and will then have access to all VMs on the machine, as well as the underlying networking and storage systems on the host. To prevent this from happening, no VM can be left vulnerable.
The VENOM vulnerability has existed since 2004, when the floppy disk controller code was first added to the QEMU code. An attacker needs "root" access to a VM on a vulnerable system, either by breaking in or by having authorized access to a vulnerable VM on a machine hosting multiple VMs. The code that CrowdStrike has developed has not been made public, and at this point, no VENOM attacks have been seen outside of CrowdStrike.
However, we have seen how easy someone can find a vulnerable machine and proceed to get root access. If there is lax security (e.g. not patching for VENOM), there are likely other problems. Now that the bug is known, other researchers—as well as bad guys—will be working on VENOM exploits.
What should you do? If you can, simply apply the patch to the VM product that fixes this vulnerability, and make sure your provider has a policy of applying updates. Beyond the “simple fix,” there are some best practices that you should be following to make it harder for an attacker to exploit your system. The Wall Street Journal posted an article that provides businesses with a good place to start in protecting their corporate data.
We know that there are bad guys who are constantly investigating ways to profit at the expense of others, and we know that there are vulnerabilities that can allow the bad guys in. But we also know that basic security practices will thwart most of these attacks. However, even with the best security practices, we still may be dependent upon others for our security.
Readers interested in further details about this topic can reach us at: firstname.lastname@example.org