The greatest fear of anyone running a virtual machine, especially in a shared hosting environment, is that an attack against one VM could jump the wall and impact the other VMs on the same machine: a so-called guest escape.
CrowdStrike, a vendor of host-based security solutions, announced today that one of its Senior Security Researchers, Jason Geffner, has discovered a vulnerability, dubbed VENOM (Virtualized Environment Neglected Operations Manipulation), in the open source hypervisor software QEMU.
The VENOM vulnerability resides in the virtual Floppy Disk Controller (FDC) component of QEMU. An exploit could crash the hypervisor and break out of the VM, handing over control of the other VMs on the same machine to an attacker.
The vulnerability has been tagged CVE-2015-3456.
The seriousness of this vulnerability is compounded by the fact that many components of the open-source solution are re-used in commercial platforms such as Xen, KVM, and Oracle VM VirtualBox.
Both the QEMU and Xen projects have issued patches for the VENOM vulnerability. Another workaround that would appear to be more expedient would be to simply remove the Floppy Disk Controller from all VMs.
However, according to CrowdStrike, “In Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.”
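For an administrator who wants to know which guests expose the floppy hardware in the first place, the following inventory check is an added example, not code from the article or from CrowdStrike. It assumes libvirt-managed guests whose definitions have been exported with `virsh dumpxml`, and it uses constructed sample XML rather than real domains. Because of the quoted caveat, a guest that declares no floppy device is reported as "none declared", not as safe: on an unpatched host the vulnerable FDC code can still be reachable, so the result is an exposure inventory that prioritizes host patching, not a substitute for it.

```python
import xml.etree.ElementTree as ET

# Constructed sample libvirt domain definitions (as produced by `virsh dumpxml`).
# These are illustrative only and do not describe any real system.
SAMPLE_DOMAINS = {
    "web-01": """<domain type='kvm'>
  <name>web-01</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/web-01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>""",
    "legacy-db": """<domain type='kvm'>
  <name>legacy-db</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/legacy-db.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/drivers.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
  </devices>
</domain>""",
}


def floppy_devices(domain_xml):
    """Return the floppy targets (and any explicit fdc controller) declared in one domain XML."""
    root = ET.fromstring(domain_xml)
    found = []
    for disk in root.iter("disk"):
        if disk.get("device") == "floppy":
            target = disk.find("target")
            found.append(target.get("dev") if target is not None else "unnamed")
    for ctrl in root.iter("controller"):
        if ctrl.get("type") == "fdc":
            found.append("controller:fdc")
    return found


def audit(domains):
    """Map each domain name to its declared floppy devices; an empty list means none declared."""
    return {name: floppy_devices(xml) for name, xml in domains.items()}


if __name__ == "__main__":
    for name, devs in audit(SAMPLE_DOMAINS).items():
        if devs:
            print(f"{name}: floppy hardware declared ({', '.join(devs)})")
        else:
            # Per CrowdStrike, no declared floppy does NOT mean the guest is safe
            # on an unpatched host; the remediation is updating QEMU/Xen on the host.
            print(f"{name}: none declared (still requires host patch)")
```

Running this against real output of `virsh dumpxml <domain>` for every guest on a host gives a quick list of which VMs explicitly present a floppy drive; treat the list as a prioritization aid while the host packages are updated.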
Many organizations that run specialized VM infrastructures will be scrambling to patch in the coming weeks. If the past is any indicator, there will soon be proof-of-concept code available and, soon after that, exploits.