Security researchers have discovered a critical flaw that has left virtual machines vulnerable to attacks for a decade, as well as allowing attackers to move freely across virtual machines.
CrowdStrike, a security firm has warned that a new bug could allow hackers to take over huge parts of a datacenter – from the inside. The same zero-day vulnerability can allow the attacker to slip out of certain virtual machines and manipulate whatever’s running adjacently. In doing so, the notion of virtual machines having hard and fast, protective boundaries is shattered.
“This destroys the isolation myth that you can have something run a virtual machine and have it be isolated from everything else,” says Jason Geffner, the senior security researcher at CrowdStrike who uncovered the flaw. “This bug lets you escape a container and get into all other containers.”
Venom – the bug is considered highly dangerous, because it affects not just the systems running a Quick Emulator (QEMU), but also other virtualization software that takes advantage of QEMU, which includes the widely used KVM and Xen open source hypervisors. The affected software will be vulnerable regardless of the operating system it’s running on, as the QEMU is built from the same code base for all platforms including OS X, Windows, Linux and others.
The threat to virtual machines and cloud security
VENOM may be one of the biggest vulnerabilities discovered this year. It comes just over a year after the notorious Heartbleed bug, which allowed malicious actors to grab data from multiple servers’ memory which ran affected versions of the open-source OpenSSL encryption software.
“Heartbleed lets an adversary look through the window of a house and gather information based on what they see,” said Geffner, using an analogy. “Venom allows a person to break in to a house, but also every other house in the neighborhood as well.”
The big concern with Venom is that some companies that run affected systems can’t be automatically patched. To take advantage of the vulnerability, a hacker will merely have to gain access to a virtual machine with “root” privileges of the system or datacenter.
“What an adversary does from that position is dependent on the network layout,” said Geffner, indicating that a datacenter takeover was possible.
Dan Kaminsky, a veteran security researcher and expert noted, “It’s definitely a real bug for people running clouds to patch against,” said Kaminsky. “It shouldn’t be too much of a headache as the big providers who might expose systemic risk have all addressed the flaw.”
Many modern virtualization platforms including Xen, KVM and Oracle’s VirtualBox, include the buggy code.
Oracle, which develops VirtualBox, added in a statement that the company was “aware” of the problem, and fixed the code, stating that it will release a maintenance update soon.
“We will release a VirtualBox 4.3 maintenance release very soon. Apart from this, only a limited amount of users should be affected as the floppy device emulation is disabled for most of the standard virtual machine configurations,” said lead software engineer Frank Mehnert.
“Millions of virtual machines are using one of these vulnerable platforms,” said CrowdStrike’s Jason Geffner, the researcher who found the bug.
VMware, Microsoft Hyper-V, and Bochs hypervisors software are not affected.
“My hope and expectation is that the good guys are able to patch their systems before the bad guys get access to it,” Geffner says.