DrJohnZoidberg
Honorary Master
Don't know if this was posted already, didn't see any posts.
Full article here: http://arstechnica.com/security/201...ine-bug-threatens-cloud-providers-everywhere/
More details: http://venom.crowdstrike.com
There's an extremely critical bug in the Xen, KVM, and native QEMU virtual machine platforms and appliances that makes it possible for attackers to break out of protected guest environments and take full control of the operating system hosting them, security researchers warned Wednesday.
The vulnerability is serious because it pierces a key protection that many cloud service providers use to segregate one customer's data from another's. If attackers with access to one virtualized environment can escape to the underlying operating system, they could potentially access all other virtual environments. In the process, they would be undermining one of the fundamental guarantees of virtual machines. Compounding the severity, the vulnerability resides in a low-level disk controller, allowing it to be exploited when guest or host OSes alike run Linux, Windows, Mac OS X, or possibly other OSes. Researchers from security firm CrowdStrike, who first warned of the vulnerability, wrote:
Most VM escape vulnerabilities discovered in the past were only exploitable in non-default configurations or in configurations that wouldn’t be used in secured environments. Other VM escape vulnerabilities only applied to a single virtualization platform, or didn’t directly allow for arbitrary code execution.
CVE-2007-1744 – Directory traversal vulnerability in shared folders feature
CVE-2008-0923 – Path traversal vulnerability in VMware’s shared folders implementation
CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability)
CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability
CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities
VENOM (CVE-2015-3456) is unique in that it applies to a wide array of virtualization platforms, works on default configurations, and allows for direct arbitrary code execution.