VENOM stings Qemu
|VENOM||Stands for Virtual Environment Neglected Operations Manipulation|
|Discovered by||Jason Geffner, Senior Security Researcher at CrowdStrike.|
|Affected Software||QEMU (Xen <=4.5.x and KVM)|
|Affected Systems||Any OS running Xen <= 4.5.0
VirtualBox <= 4.3.28
|Not Affected||VMWare, Microsoft Hyper-V.|
The (FDC)Floppy Disk Controller in QEMU, is vulnerable to buffer overflow, leading to denial of service in guest or possibly executing arbitrary code on the host.
Vulnerable QEMU commands, which leads to out of bounds memory corruption in FIFO:-
FD_CMD_READ_ID is vulnerable to guest using floppy disk, but
FD_CMD_DRIVE_SPECIFICATION_COMMAND is vulnerable, irrespective of guest using floppy disk.
From Redhat Security Blog
This issue affects all x86 and x86-64 based HVM Xen and QEMU/KVM guests, regardless of their machine type, because both PIIX and ICH9 based QEMU machine types create ISA bridge (ICH9 via LPC) and make FDC accessible to the guest. It is also exposed regardless of presence of any floppy related QEMU command line options so even guests without floppy disk explicitly enabled in the libvirt or Xen configuration files are affected.
There has been no report of publicly available or a successful exploit, yet.
Here are the possible steps that the attacker would attempt to exploit VENOM:-
- gain shell access to one of the guest OS of a cloud/virtual host
- escalate privilege to root/administrator on the guest OS
- craft exploit code on a test environment(simulated to match the host running guest OS)
- run the successfully tested exploit code on the guest OS, and hope to gain access to host, possibly via remote shell
- access gained on host is more likely root/administrator
- using the gained access, access all guests on the host and all servers accessible connected to the network
As you can see from above, there are various stages for an attacker to cross. Especially, to run a successful exploit code on host's memory stack. It is more likely to cause a denial of service.
But a successful attack will have a catastrophic effect.
As said before, this vulnerability affects guests, irrespective of floppy disk being enabled or not.
Upstream Fix - QEMU code hw/block/fdc.c was patched to make sure that the FIFO index is bounded by allocated memory. The updates are available on most distros.
- Update qemu-kvm package immediately.
# Centos / RHEL yum update qemu-kvm # Ubuntu / Debian apt-get upgrade qmeu-kvm
- Each qemu runs as a process, so shutdown and start each guest, will do. No need to reboot the host, unless you are lazy.
Some existing mitigation techniques:-
- ASLR(Address Space Layout Randomization) is a technique where address allocation is random on every boot. This means that, it is difficult(but possible) for an attacker to jump reliably to a position in the stack.
# sysctl -a | grep randomize kernel.randomize_va_space = 2
- NX(No eXecute) bit is a technology used in cpu to ensure that certain areas of memory is non-executable.
# cat /proc/cpuinfo ... flags: .... nx ....
- sVirt is said to mitigate this type of attack.
So, dont get bitten by venom, stay safe.