Heartbleed, eat your heart out: VENOM vuln poisons countless VMs
Widespread virtualization flaw dates back over a decade
A new vulnerability discovered in the QEMU virtualization hypervisor has left virtual machines open to attacks for over a decade, security researchers have disclosed.
Jason Geffner, a senior security researcher with CrowdStrike who discovered the vulnerability, has dubbed it VENOM, for Virtualized Environment Neglected Operations Manipulation.
A successful exploit could potentially allow an attacker to crash a guest VM, or even break free of an affected VM and execute code on the host itself, with the same execution privileges as the QEMU process. An attacker could also potentially access data or execute code on other guest VMs running on the same host system.
The bug is considered highly dangerous, because it affects not only systems running QEMU itself, but also other virtualization software that takes advantage of QEMU, including the widely used KVM and Xen open source hypervisors.
The affected software will be vulnerable regardless of what operating system it is running on, because QEMU is built from the same code base for all platforms, including Linux, OS X, Windows, and others.
QEMU is hardly the only hardware virtualization software in town, however, and other hypervisors that don't use any QEMU code – including Bochs, Microsoft Hyper-V, and VMware – are not affected.
How deadly is VENOM?
The "neglected operations" part of the VENOM name refers to the all-but-forgotten portion of the QEMU code where the flaw is found. It affects the hypervisor's virtual floppy disk controller. And while surely almost nobody is still mounting virtual floppy images in 2015, the controller is initialized for guest VMs regardless of whether they use it, and it cannot be disabled.
Geffner said the flaw affects all versions of QEMU going back to 2004, when the virtual floppy controller was first introduced. Fortunately, he added, there is no known exploit that can successfully attack the flaw so far. Yet VENOM is risky enough to be considered a high-priority vulnerability.
In order to mount an exploit attempt, a user on the guest machine would need sufficient permissions to access the floppy disk controller I/O ports. On Linux guests, that means the user would need to have root access or otherwise elevated privilege. But on Windows guests, practically any user would have sufficient permissions.
Still, Veracode VP of research Chris Eng told The Register that creating an exploit for VENOM would require "a non-trivial amount of effort." Further, he said, while VENOM is concerning because it affects a wide range of products, a successful exploit would need to target a specific environment – meaning there's little chance of mass exploitation.
"While exploiting a vulnerability like Heartbleed allows an attacker to probe millions of systems, VENOM simply wouldn’t be exploitable at the same scale," Eng said. "Vulnerabilities like VENOM are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyber warfare or the like."
Companies with systems that contain the affected software should definitely contact their vendors and apply the appropriate patches, Eng said. Several vendors have already made patches available, including the QEMU and Xen projects and Red Hat.
Poisoned clouds?
Potentially more concerning, however, are cloud providers that rely heavily on QEMU-based virtualization. Fortunately, several of the more prominent cloud providers were made aware of VENOM before the public disclosure and have been working behind the scenes to ensure that their customers are protected.
Rackspace told El Reg that the vulnerability affected a portion of its cloudy servers, but added, "We have applied the appropriate patch to our infrastructure and are working with customers to fully remediate this vulnerability."
Amazon Web Services, meanwhile, said its customers needn't worry. "There is no risk to AWS customer data or instances," a spokesman told The Reg.
"Customer security is our top priority, and AWS takes extraordinary 'defense in depth' measures in constructing systems that do not rely solely upon any single component, such as the hypervisor, to protect customers."
Microsoft's Azure cloud, on the other hand, uses Redmond's own hypervisor technology, and thus isn't affected by VENOM. Google also told The Reg via email that its cloud does not use the vulnerable software.
Still, it would be little surprise if customers of other cloud hosting providers were burning up their vendors' phone lines this week, looking for reassurance. ®