Tuesday, August 18, 2015

VENOM-- Virtualized Environment Neglected Operations Manipulation


Another one in the wild. This years one of the biggest vulnerabilities till now but not as big as Heartbleed in the past year. This has impacted a lot of people including the corporate's and end users.

In layman terms it can be stated as the vulnerability which is present in Virtual Floppy disc controller (FDC)code in the Hyper-visor package called as QEMU . The FDC was added in the QEMU codebase as a functionality in 2004 

This code is used in a lot of other hyper-visor packages like KVM and XEN etc...

As a matter of fact this virtual floppy drive is added to any newly created VM by default and irrespective of the administrator disabling this feature, an unrelated bug causes the FDC buggy code to still remain active and exploitable by attackers.

NORMAL FUNCTIONING--In the normal functioning the guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. The QEMU’s virtual FDC uses a fixed buffer size for storing these commands and their associated data parameters. On the other hand the FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command.This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. 

Here comes the twist--An attacker can send these defined commands with specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.

Impact-- This FDC allows the VM to communicate with the underlying host and acts as a FLoppy Disc driver. This buffer overflow within the FDC can let the attacker access other VMs present in the hypervisor. They can also access the underlying hardware and use that to access other systems on the Hypervisor network. This is a serious threat for any kind of access to PII, corporate Intellectual property, not to mention the end users who rely on these kind of environments.

Note:the attacker or the attackers malicious code would require root or administrative privileges in the guest OS in order to run his exploit code.

Patches--  There are a couple of them which is out including Debian , red hat etc..

If you have control over the environment you can try using SELinux which can be used to control access on these kind of resources.
Also access control on Virtual Environment can give you some relief for the time being.

If you dont have control over the environment::don't forget to contact your respective Vendors:):)

Dont forget to visit http://venom.crowdstrike.com/. They have created a super diagram to explain the buggy VENOM... :)

References: http://venom.crowdstrike.com/

No comments:

Post a Comment