Vulnerability discovered in virtualized machines could allow remote code execution

ITS Advisory Number: 2015-058
Date(s) Issued: Friday, May 15, 2015
Subject: Vulnerability discovered in virtualized machines could allow remote code execution
Overview: 

A vulnerability called 'VENOM' has been discovered that may allow an attacker to escape the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host operating system. Exploitation of VENOM could expose sensitive and personally identifiable information (PII) and/or corporate intellectual property (IP), potentially impacting thousands of organizations and millions of end users that rely on VMs for the allocation of shared computing resources, connectivity, storage, security, and privacy.

Systems Affected: 
  • XEN (Citrix)
  • KVM
  • QEMU
  • VIRTUALBOX (Oracle)
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low
Description: 

A vulnerability dubbed VENOM (Virtualized Environment Neglected Operations Manipulation) has been discovered which may allow an attacker to escape the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. 

Hypervisors based on XEN, KVM, QEMU and VirtualBox are potentially vulnerable as long as the virtual floppy disk controller (FDC) is enabled (it is usually enabled by default) or the PIIX or ICH9 I/O controllers are configured in the VM environment.

An attacker or the malware used would need to have administrative or root privileges in the guest operating system in order to exploit VENOM.

Detection of this vulnerability relies on event monitoring and logging of virtual machine-related FDC use (such as access to /dev/floppy) together with related indicators such as memory exceptions, I/O interrupts, system calls, and privilege levels.

Please note the following caveats:

  • Amazon AWS, VMware, Microsoft Hyper-V, and Bochs hypervisors are not considered impacted by this vulnerability.
  • Removal of the Floppy disk controller does not mitigate the issue when PIIX and ICH9 I/O controllers are configured in the VM.
  • The user account in the VM must have admin/root privileges for exploitation of this vulnerability to escape to the hypervisor. It appears the vulnerability cannot be exploited remotely from every account at this time.
  • Third-party hosting providers may or may not be affected by the VENOM vulnerability.
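Because the advisory ties exposure to the VM's device configuration (an enabled FDC, an attached floppy drive, or the PIIX/ICH9 controllers), a practical first step is to inventory which guests carry those devices. The script below is an added example, not part of this advisory or of any vendor's tooling: it checks libvirt domain XML and a raw QEMU command line for the relevant devices. The sample domain definitions and command line are constructed for this example; the libvirt element names and QEMU options used (`<controller type='fdc'>`, `<disk device='floppy'>`, `-fda`/`-fdb`, `-drive if=floppy`, `-device isa-fdc`) are from libvirt and QEMU documentation, and the mapping of machine types to chipsets (pc/i440fx carries PIIX, q35 carries ICH9) is background knowledge not stated in the advisory.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample libvirt domain definitions (not real inventory data).
SAMPLE_DOMAINS = {
    "legacy-web": """
<domain type='kvm'>
  <name>legacy-web</name>
  <os><type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type></os>
  <devices>
    <controller type='fdc' index='0'/>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/boot.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
  </devices>
</domain>""",
    "db-q35": """
<domain type='kvm'>
  <name>db-q35</name>
  <os><type arch='x86_64' machine='pc-q35-2.1'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>""",
}

# Constructed sample QEMU command line, as it might appear in a process listing.
SAMPLE_QEMU_CMDLINE = (
    "qemu-system-x86_64 -name build-agent -machine pc-i440fx-2.1 -m 2048 "
    "-drive file=/var/lib/libvirt/images/build.qcow2,if=virtio "
    "-fda /var/lib/libvirt/images/tools.img"
)


def assess_domain(domain_xml):
    """Flag the VENOM-relevant device configuration in one libvirt domain."""
    root = ET.fromstring(domain_xml.strip())
    name = root.findtext("name", default="<unnamed>")
    os_type = root.find("os/type")
    machine = os_type.get("machine", "") if os_type is not None else ""
    findings = []
    if root.find("devices/controller[@type='fdc']") is not None:
        findings.append("explicit fdc controller")
    if root.find("devices/disk[@device='floppy']") is not None:
        findings.append("floppy drive attached")
    # Assumption: i440FX machine types carry the PIIX chipset, Q35 carries ICH9.
    if machine == "pc" or machine.startswith("pc-i440fx"):
        findings.append("i440FX/PIIX machine type")
    if machine == "q35" or machine.startswith("pc-q35"):
        findings.append("Q35/ICH9 machine type")
    # Caveat from the advisory: the FDC is usually present by default, so a
    # domain with no explicit fdc element is not thereby known to be safe.
    return {"name": name, "machine": machine, "findings": findings,
            "review": bool(findings)}


def review_needed(domains):
    """Sorted names of the domains that carry at least one flagged device."""
    return sorted(n for n, xml in domains.items() if assess_domain(xml)["review"])


def scan_qemu_cmdline(cmdline):
    """Return the QEMU command-line options that attach floppy devices."""
    tokens = shlex.split(cmdline)
    hits = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-fda", "-fdb"):
            hits.append(tok)
        elif tok == "-drive" and "if=floppy" in nxt.split(","):
            hits.append("-drive if=floppy")
        elif tok == "-device" and nxt.split(",")[0] in ("isa-fdc", "floppy"):
            hits.append("-device " + nxt.split(",")[0])
    return hits


if __name__ == "__main__":
    for vm_name, xml in SAMPLE_DOMAINS.items():
        print(assess_domain(xml))
    print("needs review:", review_needed(SAMPLE_DOMAINS))
    print("floppy options on command line:", scan_qemu_cmdline(SAMPLE_QEMU_CMDLINE))
```

On a real host the domain XML would come from `virsh dumpxml <domain>` and the command lines from the process list; the point of the check is to produce a list of guests to patch or reconfigure first, not to prove any guest safe, since the advisory notes that removing the floppy controller alone does not mitigate the issue when the PIIX or ICH9 controllers are configured.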

The following vendors have released patches and advisories:

Note: Oracle has yet to release a fix for VirtualBox.


Actions: 

We recommend the following actions be taken:

  • Apply appropriate patches provided by vendors to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • If no updates and patches are available, monitor or contact your software vendors for availability.  
  • Verify with all third-party hosting providers that you use to ensure they are either not affected or have applied the patches.