VENOM zero-day vulnerability strikes virtual machine security

CrowdStrike security researchers discovered a major bug that could impact a wide range of commonly used virtualization platforms.

Security researchers discovered a zero-day vulnerability that could jeopardize cloud and virtual machine security and impact millions of end users.

The virtualization vulnerability, dubbed VENOM (Virtualization Environment Neglected Operations Manipulation), was revealed Wednesday by CrowdStrike Inc., a threat intelligence firm based in Irvine, Calif., after being discovered by Jason Geffner, senior security researcher at CrowdStrike. In a security advisory, CrowdStrike said VENOM affects the virtual floppy disk controller (FDC) of QEMU, a free and open source hypervisor, and could allow attackers to break out of a guest virtual machine and gain code execution on the host machine.

"Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host's local network and adjacent systems," the security advisory stated, adding that VENOM could impact "thousands of organizations and millions of end users."

According to CrowdStrike, the FDC code is used by numerous virtualization platforms, including Xen and KVM, and the flaw is agnostic of host and guest operating systems because it sits in the hypervisor's own code. CrowdStrike also said the VMware, Microsoft Hyper-V and Bochs hypervisors are not affected by VENOM.

The VENOM vulnerability has existed since 2004, when the FDC was first introduced to QEMU, CrowdStrike said. The good news, according to the company, is that there are no reports of the vulnerability being exploited in the wild.

The revelation of VENOM is the latest in a series of virtualization software issues that have caused headaches for enterprises and cloud providers over the last year. In October, major cloud providers Amazon Web Services, IBM Softlayer and Rackspace were forced to reboot portions of their public cloud infrastructure in order to patch a serious vulnerability in the Xen hypervisor.

Another Xen hypervisor flaw was discovered this year, but Amazon was able to patch the virtualization software and call off another planned reboot.

CrowdStrike recommended that administrators running Xen, KVM or native QEMU clients apply the latest patches to address VENOM. The QEMU Project, the Xen Project and Red Hat have already released updates to patch the zero-day vulnerability, and more organizations are expected to follow.