The vulnerability in the floppy controller made it possible to take over virtual machines

The vulnerability VENOM ( Virtualized Environment Neglected Operations Manipulation ) in popular hypervisors, Xen, KVM and QEMU, was localized by CrowdStrike's experts to allow the attacker to take control of neighboring instances of virtual machines as long as they were on the same network.

For the "escape" from the virtual machine to the physical machine and taking control of the entire platform, there is a gap in the virtual floppy disk controller (FDC - Floppy Disk Controller), which by default is added to new virtual machines. And it does not matter if the device is removed from the hardware configuration, because the code responsible for diskette support is still running in the background and is susceptible to buffer overflow.

The guest operating system that communicates with the FDC (host floppy disk drive) sends commands such as seek, read, write, format to the FDC input / output port. The virtual FDC controller in QEMU uses a fixed size buffer to store these commands and data-related parameters. The FDC, on the other hand, keeps track of how much data it can receive for each command. After receiving the commands, it executes them and clears the buffer (as it turns out not always) for the next command. So if you manage to send the appropriate sequence of commands, this may result in the execution of a code with operating system privileges. Fortunately, in order for the attack to theoretically refer to, the user in the guest machine system must have root or administrator rights.

According to the authors of the discovered vulnerability, this error existed already since 2004 when it was added support for the QEMU floppy disk drive. As of today, VMware and Hiper-V are not susceptible. However, updates for Xen, KVM and QEMU have already been released.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.