CrowdStrike researchers announced this morning that they have discovered a buffer overflow vulnerability in many of today’s most popular virtual machine platforms that could potentially allow hackers access to the host.

They named the vulnerability VENOM — Virtualized Environment Neglected Operations Manipulation — because it takes advantage of long-neglected code, the virtual floppy disk controller.

“We suspect that there are millions of virtual machines around the world that are vulnerable,” said researcher Jason Geffner, who discovered the flaw.

Affected platforms include Xen hypervisors, KVM, Oracle VM VirtualBox and the native QEMU client. Geffner estimates that these machines account for the majority of the virtual machine market, due to their widespread use by cloud computing services, infrastructure-as-a-service providers and appliance vendors.

The vulnerability allows a hacker to send malformed commands to the virtual floppy drives, cause a buffer overflow, and gain administrator access to the host machine.

“It’s a way to escape out of the virtual machine and execute code on the host with full privileges,” said CrowdStrike CTO Dmitri Alperovitch. “It can be used by attackers to do nasty things.” It’s a stealthy back door into corporate networks that is hard to detect with current security technology, he said.

To add insult to injury, even if administrators have disabled the virtual floppy drive code — because really, who uses floppy drives? — another, totally unrelated bug still allows that code to be accessed.

CrowdStrike notified affected vendors in late April, and patches are now available for both the VENOM vulnerability and the second bug, which prevents the floppy drive code from being completely deactivated.

“We’ve worked very closely with the software vendors to make sure they understand the vulnerability, developed patches, and released patches and information to their predisclosure lists yesterday,” said Geffner.

The patch itself will be publicly released tomorrow, but CrowdStrike is not releasing proof-of-concept exploit code.

“The big concern now is with anyone using virtual machines in-house,” he said. “They need to be patched right away.” He added that the vulnerability was an original discovery, and that CrowdStrike has not seen it in the wild. “Nor have the vendors with whom we’ve spoken,” he added.

The floppy drive legacy code dates back to 2004, said Geffner, and hasn’t been touched since.

“This is legacy technology that, for the most part, hasn’t been used in 20-plus years,” said Alperovitch. “It is coming back to haunt us and cause major problems now.”

According to Geffner, the floppy drive controller code continues to be included because there are still a couple of situations where virtual floppy drives are needed. For example, there are still old-school computers out there with floppy drives, and some tools, such as hard disk recovery tools, need to be installed on floppies. Developers test the code for these tools on virtual machines — and so need access to virtual floppy disks.

Another application of virtual floppy disks is to run legacy software that requires a specially formatted floppy disk to be present. Some software vendors used to do this to ensure that the software was being used by a legitimate customer and wasn’t an illegal copy.