11-year-old VM escape bug opens host machines to compromise

CrowdStrike researchers have recently discovered a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms, which could be exploited by attackers to escape the confines of the virtual machine and to gain code-execution access to the underlying host machine, other VMs running on that host, and potentially to the the host’s local network and neighbouring systems.

They dubbed it VENOM – Virtualized Environment Neglected Operations Manipulation.

“Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy,” they explained.

The good news is that no one has yet spotted VENOM being exploited in the wild. When the researchers discovered the flaw, they informed affected vendors of and gave them time to push out patches before they went public with the discovery.

Affected products are those that use QEMU’s virtual Floppy Disk Controller (FDC): Xen hypervisors, the Kernel-based Virtual Machine (KVM), and the native QEMU client. The QEMU and Xen projects have already issued a patch.

VMware, Microsoft Hyper-V, and Bochs hypervisors are not vulnerable.

“The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase,” the researchers shared. If you’re wondering why it is still added to new virtual machines by default, it’s because it’s still occasionally used in a number of situations.

“If you administer a system running Xen, KVM, or the native QEMU client, review and apply the latest patches developed to address this vulnerability,” the researchers advised.

“If you have a vendor service or device using one of the affected hypervisors, contact the vendor’s support team to see if their staff has applied the latest VENOM patches.”