VENOM - Does it live up to the hype?

Published: 2015-05-16
Last Updated: 2015-05-16 04:17:04 UTC
by Rick Wanner (Version: 1)
4 comment(s)
Unless you have been hiding under a rock this week, you have heard about VENOM. The first article that I saw was from ZDNet with the headline "Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters". Pretty provocative stuff. Is VENOM really worth that much hype?
VENOM stands for Virtualized Environment Neglected Operations Manipulation. The cute acronym basically means that the exploit takes advantage of a vulnerability in legacy code. In short, the vulnerability is CVE-2015-3456 and it is found in fdc.c, the floppy disk controller software used in some virtualization products; the most popular ones are QEMU, Xen and KVM. The vulnerability will permit someone with administrator access in the virtual machine (VM) to potentially escape the VM and execute arbitrary code from within the host virtualization software, with the permissions of the host virtualization software. The worst case scenario is that the attacker could escape to the guest operating system and access other guests on the same machine. To the best of my knowledge nobody has succeeded in demonstrating the worst case.
Should we panic?
This vulnerability is important because it has the potential to affect a significant portion of the virtualization platforms that are in common use today, but there is no reason to panic.
* The vulnerability cannot be exploited remotely, nor is it possible to remotely scan for this vulnerability.
* In order for the attacker to even attempt to exploit the vulnerability, they need to have shell-level access as an administrator on a virtualized guest.
* While a proof of concept exists that exploits the vulnerability, nobody has demonstrated any practical use of the exploit.
* Patches are available for all affected virtualization platforms.
This is certainly not of the significance of Heartbleed or FREAK. While it is important to get vulnerable systems patched as soon as is reasonable, there is no reason to panic.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)



My team would like to know your thoughts on the automated malware analysis platforms. That is a vector that can certainly be used remotely.


I am not sure I understand your question. The automated web scanners and other application scanners are of no use in exploiting this vulnerability across the Internet. It can only be exploited with an administrator shell on the guest VM. It is probably a good idea to keep an eye out for brute force attacks.

If you are in control of the environment and have access to a vulnerability scanner that can log into the guest VMs as Administrator, then it should be possible to figure out which guests are vulnerable. I haven't, up to this point, seen any vulnerability scanners which have a test for this vulnerability.
I believe that Craig is referring to malware sandboxes that are designed to automatically detonate any executable that enters a corporate network. Many of these services execute the files as administrator, therefore meeting all of the requirements to successfully exploit a vulnerable system automatically. Although the attackers may not have a way of knowing who is running these types of devices, it could be as simple as sending a single email with a malicious attachment to exploit the vulnerability and gain access to the environment.
Cool attack vector. I hadn't thought of that one. I don't have enough information to determine how easy or hard that would be. But hypothetically, assuming the malware appliance is unpatched and is running one of the vulnerable virtualization products, if you could send it a piece of malware which executed the vulnerable floppy disk controller code and could somehow download a remote access trojan of some kind... maybe. Sounds like a lot of what ifs, but I have long since learned there are some very smart people out there with questionable morals who would be willing to try it. I suppose the goal of this would be that you could potentially get the malware appliance to lie about certain malware.

Cool, but I don't think I would lose any sleep over it. The more likely attack vector is a brute force on an administrator shell account followed by a local compromise of a virtualization box. Far juicier targets there.
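Both replies above make the same defensive point: since VENOM needs an administrator shell on a guest, the thing to watch for is brute forcing of administrator accounts on the guests. The following is an added example, not code from the diary or its comments, showing the kind of check a guest's auth log can be run through. It assumes the common OpenSSH `sshd` syslog line format ("Failed password for ... from ... port ..."); the log excerpt, host name, user names and addresses are constructed for the example, and the five-failures-in-sixty-seconds threshold is an arbitrary starting point to tune per environment.

```python
"""Flag password brute-force bursts, and logins that succeed right after one.

Added example for the ISC diary discussion; not part of the original page.
Assumes OpenSSH sshd syslog lines.  All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not captured from any real host).
SAMPLE_LOG = """\
May 16 04:01:12 guest01 sshd[2211]: Failed password for root from 203.0.113.7 port 51812 ssh2
May 16 04:01:14 guest01 sshd[2211]: Failed password for root from 203.0.113.7 port 51813 ssh2
May 16 04:01:15 guest01 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51814 ssh2
May 16 04:01:17 guest01 sshd[2216]: Failed password for root from 203.0.113.7 port 51815 ssh2
May 16 04:01:19 guest01 sshd[2218]: Failed password for root from 203.0.113.7 port 51816 ssh2
May 16 04:01:20 guest01 sshd[2218]: Accepted password for root from 203.0.113.7 port 51816 ssh2
May 16 04:05:40 guest01 sshd[2300]: Failed password for alice from 198.51.100.9 port 40002 ssh2
May 16 04:09:01 guest01 sshd[2310]: Accepted publickey for alice from 198.51.100.9 port 40010 ssh2
"""

# Matches the sshd authentication result lines; other syslog lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line, year=2015):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None.

    Syslog lines carry no year, so the caller supplies one (assumption).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alert dicts for source IPs that fail at least `threshold` logins
    inside a sliding window, and for any login that then succeeds from such an
    IP while its failures are still within the window."""
    failures = defaultdict(list)   # source ip -> timestamps of failed logins
    alerted = set()                # ips already reported as brute forcing
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        # Keep only the failures that fall inside the window ending at ts.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "user": user, "kind": "brute_force",
                               "failures": len(recent)})
        elif ip in alerted and len(recent) >= threshold:
            # A success immediately after a burst of failures is the event to
            # escalate: it is the precondition the diary says VENOM requires.
            alerts.append({"ip": ip, "user": user, "kind": "success_after_bruteforce",
                           "failures": len(recent)})
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the constructed excerpt, the script reports one `brute_force` alert for 203.0.113.7 after its fifth failure and one `success_after_bruteforce` alert for the `root` login that follows it; the single failure from 198.51.100.9 stays below the threshold, so the later key-based login produces nothing. The sliding window is kept per source address rather than per account because the diary's concern is a remote party working its way onto a guest, and a single address cycling through accounts (the "invalid user admin" line) should still count toward the same burst.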
