VENOM - Virtualized Environment Neglected Operations Manipulation vulnerability CVE-2015-3456

Introduction

Cloud Computing (as against cloud storage or cloud CRM or cloud spreadsheet app, etc) makes use of virtual computer technology. On a single piece of hardware system, multiple "virtual" computers (aka virtual machines) are activated. The virtual computers appear to be fully formed separate systems, as if each was a dedicated piece of hardware with main memory, hard disk, network connection, USB ports, CD-ROM, and yes, floppy drive.

However, there is just one hardware system underlying multiple virtual computers. In order to share the single "hardware" device among multiple virtual computer, a software-based hardware emulation is installed, which is variously called "virtual machine manager" (VMM) or "hypervisor" (loosely speaking). So the VMM/hypervisor acts as a moderator/arbitrator, allowing sharing of the hardware between different "virtual computers". The separation is enforced in various ways and the virtual computers go their merry way serving your computing needs while respectfully sharing the common hardware under the watchful eyes of the hypervisor. Clearly, if the hypervisor has a bug in the software for monitoring the sharing of resources, a virtual computer, under the influence of a malicious software, can take advantage of this bug and potentially interfere with the other virtual computer systems sharing the hardware.

VENOM explained

VENOM vulnerability is one such bug in the QEMU (Quick EMUlator) - an open source virtualization and machine emulator software, which is used by several commercial hypervisor products. More information at http://wiki.qemu.org/Main_Page .

QEMU contains software module that acts as if it is a floppy drive, and allows the virtual computer to access the "virtual floppy". Most virtual computers will not be configured with a floppy, but QEMU provides this feature which can not be disabled on the fly. This virtual floppy controller module has a bug that allows a malicious program to attempt to access the virtual floppy, and in the process interfere with other virtual computers, even if the other virtual computer do not use a virtual floppy, by causing unauthorized memory modification/corruption. Potentially this bug can cause malicious code insertion in QEMU hypervisor, and also in the other virtual computers, causing system compromise and hijack. In some scenarios, this malicious code can compromise the network and interfere with other hardware servers in the same server farm, thus widening the scope of damage.

How VENOM exploit would work

Malicious code in one virtual computer instructs the floppy to take some action, such as read a file, make a folder, move the read/write head to a certain location - through IO Control commands. This is done using a limited memory of 512 bytes, used as a FIFO (actually just a chunked data transfer mechanism). Next to this limited memory, other critical data and code relating to other virtual computers or QEMU hypervisor itself may reside. The bug causes, in certain limited situations, this adjacent memory to be modified, causing memory corruption/modification with malicious content. This is a classic buffer overflow vulnerability.

How was this bug fixed?

The bug manifests in case of 3 commands - two of which are read_data() and write_data() functions, when a large amount of data is being transferred, in chunks of 512-bytes. The transfer requires two references - one in the data to be transferred, and another in the 512-byte chunk. These functions have been updated to correctly use these two references. A third command handler function similarly has been patched to prevent buffer overflow.