Exploit could allow code execution on host machine

May 13, 2015 14:37 GMT  ·  By

Popular virtualization platforms relying on the virtual Floppy Disk Controller code from QEMU (Quick Emulator) are susceptible to a vulnerability that allows executing code outside the guest machine.

Among the affected platforms are Xen, KVM (Kernel-based Virtual Machine) and the native QEMU client, which are used by various cloud computing services.

In a blog post published on Monday, researchers say that thousands of organizations and millions of end users are potentially at risk of having sensitive data, such as personally identifiable information or company databases, exposed.

Risk of code execution on host machine

The bug, tracked as CVE-2015-3456, has been dubbed VENOM (Virtualized Environment Neglected Operations Manipulation), and it has survived in the code since 2004, when the virtual Floppy Disk Controller (FDC) was included in the QEMU codebase.

Jason Geffner, senior security researcher at CrowdStrike, discovered it during a security review of virtual machine hypervisors.

The operating system run by the host machine is irrelevant, because the flaw resides in the hypervisor's device-emulation code rather than in the host. Leveraging it does, however, require administrative or root privileges on the guest system, since the attack is delivered through the guest's I/O port access to the emulated controller.

According to the researchers, the FDC stores the command and parameter bytes the guest writes in a fixed-size buffer. After each command is processed, the buffer's write index is reset, with the exception of two commands whose handlers leave it untouched.

An attacker could deliver one of these two commands and then keep sending parameter data: because the index is never reset, subsequent bytes are written past the end of the buffer. This buffer overflow can be turned into arbitrary code execution in the context of the host's hypervisor process.
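The following toy model, added here as an illustration and not code from QEMU, CrowdStrike or any affected project, shows the pattern the paragraph describes: a command FIFO whose write index is reset by every handler except one. The buffer size, opcodes and parameter counts are invented, and the out-of-bounds write is recorded rather than performed so the model runs safely. The hardened mode does two things: every handler resets the FIFO (the root-cause fix), and the write index is bounded to the buffer length as defense in depth.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, NOT QEMU's fdc.c: a small command FIFO whose write index is
 * reset by some command handlers but not all.  Sizes and opcodes are invented. */
#define FIFO_LEN 16

#define CMD_RECALIBRATE 0x07   /* hypothetical "normal" command: 1 parameter byte */
#define CMD_FORGETFUL   0x0A   /* hypothetical command whose handler skips the reset */

enum fdc_mode { MODE_VULNERABLE, MODE_HARDENED };

typedef struct {
    uint8_t fifo[FIFO_LEN];
    size_t  data_pos;      /* index of the next byte the guest writes */
    size_t  data_len;      /* bytes expected for the current command */
    enum fdc_mode mode;
    int     overflowed;    /* set when a write would land past fifo[] */
    size_t  max_pos;       /* highest index a write reached or attempted */
} fdc_t;

static void fdc_reset_fifo(fdc_t *c) { c->data_pos = 0; c->data_len = 0; }

static size_t param_bytes(uint8_t opcode) {
    switch (opcode) {
    case CMD_RECALIBRATE: return 1;
    case CMD_FORGETFUL:   return 3;
    default:              return 0;
    }
}

/* Runs once data_len bytes of the current command have arrived. */
static void fdc_execute(fdc_t *c) {
    switch (c->fifo[0]) {
    case CMD_FORGETFUL:
        /* Vulnerable behaviour: the handler returns without resetting the
         * FIFO, so data_pos keeps growing on every later write. */
        if (c->mode == MODE_HARDENED)
            fdc_reset_fifo(c);
        break;
    default:
        fdc_reset_fifo(c);   /* every other handler resets the FIFO */
        break;
    }
}

/* Guest writes one byte to the controller's data port. */
static void fdc_write_data(fdc_t *c, uint8_t value) {
    size_t pos = c->data_pos++;
    if (c->mode == MODE_HARDENED)
        pos %= FIFO_LEN;     /* bound the index so a stale data_pos cannot escape the buffer */
    if (pos > c->max_pos)
        c->max_pos = pos;
    if (pos >= FIFO_LEN) {
        c->overflowed = 1;   /* model only: record the out-of-bounds write instead of doing it */
        return;
    }
    c->fifo[pos] = value;
    if (pos == 0)            /* first byte is the opcode; it fixes the parameter count */
        c->data_len = 1 + param_bytes(value);
    if (c->data_pos >= c->data_len)
        fdc_execute(c);
}

/* Replay the guest's side: issue the forgetful command with its parameters,
 * then keep feeding bytes.  Returns 1 if any write went out of bounds. */
int venom_model(enum fdc_mode mode, size_t extra_bytes) {
    fdc_t c = {0};
    c.mode = mode;
    const uint8_t cmd[] = { CMD_FORGETFUL, 0x00, 0x00, 0x00 };
    for (size_t i = 0; i < sizeof cmd; i++)
        fdc_write_data(&c, cmd[i]);
    for (size_t i = 0; i < extra_bytes; i++)
        fdc_write_data(&c, 0x41);
    return c.overflowed;
}

/* Same replay, but report the highest FIFO index a write reached or attempted. */
size_t venom_max_pos(enum fdc_mode mode, size_t extra_bytes) {
    fdc_t c = {0};
    c.mode = mode;
    const uint8_t cmd[] = { CMD_FORGETFUL, 0x00, 0x00, 0x00 };
    for (size_t i = 0; i < sizeof cmd; i++)
        fdc_write_data(&c, cmd[i]);
    for (size_t i = 0; i < extra_bytes; i++)
        fdc_write_data(&c, 0x41);
    return c.max_pos;
}

int main(void) {
    printf("vulnerable: overflowed=%d, highest index attempted=%zu (buffer holds %d)\n",
           venom_model(MODE_VULNERABLE, 32), venom_max_pos(MODE_VULNERABLE, 32), FIFO_LEN);
    printf("hardened:   overflowed=%d, highest index attempted=%zu\n",
           venom_model(MODE_HARDENED, 32), venom_max_pos(MODE_HARDENED, 32));
    return 0;
}
```

With the invented 16-byte FIFO and a 4-byte command, the vulnerable model tolerates exactly 12 trailing bytes before the 13th lands at index 16; the hardened model never leaves the buffer no matter how many bytes follow.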

VENOM is exploitable even if floppy support is disabled

Although floppy disks are rarely used in VMs today, the vulnerability is significant because the virtual drive is added by default, and disabling it is rarely a priority for administrators when configuring a virtual system.

Geffner says that on Xen and QEMU, even if the administrator explicitly disables floppy disk support, an unrelated bug keeps the vulnerable FDC code active, so the flaw remains exploitable.

At the moment, patches are available at least from the QEMU and Xen projects. Other vendors may also have released fixes. Administrators are advised to contact their vendors and apply the latest security updates.

CrowdStrike says that certain configurations minimize the risk or eliminate it completely. For instance, Xen systems that run only paravirtualized guests are not affected, because the floppy controller is emulated only for fully virtualized (HVM) guests; ARM systems are not affected either.

The impact can also be reduced by enabling stub-domains, which confine the device model to its own unprivileged domain, “by reducing the escalation to only those privileges accorded to the service domain. qemu-dm stub-domains are only available with the traditional ‘qemu-xen’ version,” the researchers say.