Threat Update | VENOM Vulnerability
May 13, 2015
CrowdStrike has disclosed a vulnerability that impacts a large number of virtual machine (VM) products. CrowdStrike named this vulnerability, tracked as CVE-2015-3456, VENOM, which stands for Virtualized Environment Neglected Operations Manipulation. CrowdStrike Intelligence is not aware of any in-the-wild exploitation of this vulnerability.
The specific issue is a buffer overflow vulnerability exposed by a race condition in QEMU’s hardware emulation code. The vulnerability may allow a local privileged attacker to escape from the confines of a virtual machine (VM) guest system and obtain code-execution access to the host system. Because the exploit targets a bug in the hypervisor code, it is independent of host or guest operating systems, and should work across all platforms (Windows, Linux, Mac, etc.).
In order to implement this attack, the attacker must have privileged local access to the guest VM. This escape has no relationship to any specific actor.
Organizations using hypervisor platforms, including Xen, KVM, Oracle VirtualBox, and the native QEMU client, should contact their vendors for additional information. Herjavec Group will engage our partners appropriately and communicate necessary patches and updates as information becomes available.
VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.
Infrastructure as a Service (IaaS) companies, as well as security vendors utilizing virtual machines, may be susceptible to exploitation of this vulnerability. CrowdStrike will post patch information from affected vendors on the VENOM FAQ site.