VENOM Vulnerability Threatens Several Major VM Hosts

| by Jeff Martin Follow 16 Followers on May 19, 2015. Estimated reading time: 2 minutes |

Jason Geffner of CrowdStrike has discovered a security vulnerability that affects several virtual machine platforms, including Xen, KVM, VirtualBox, and QEMU.  Taking advantage of a bug in Floppy Disk Controller code that has existed since 2004, this flaw may allow “…attackers to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.”  This flaw is operating system agnostic, meaning it affects all host platforms running the VM software (including but not limited to Linux, Windows, and Mac OS X.) 

Once an attacker has reached the host, they can attack it or other VMs hosted on the affected machine.  The VENOM (Virtualized Environment Neglected Operations Manipulation) website prepared by CrowdStrike illustrates how the flaw can affect a system.  VENOM has been classified as CVE-215-3456 in the US National Vulnerability Database.  According to the report, the following hypervisors are NOT affected:  VMware, Microsoft Hyper-V, and Bochs.

In order for an attacker to benefit from VENOM, they would require administrative/root privileges on their guest operating system.  To date, no exploits utilizing VENOM have been seen in the wild, but this does not mean that none exist.  The VENOM site describes the vulnerability as follows:

“The guest operating system communicates with the FDC [floppy disk controller] by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command.

This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.”

Administrators are cautioned that just because they do not actively use their virtual drive does not mean they are immune to attack.  Floppy drives are added by default to new virtual machines by default, and “an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.”  (Emphasis added.)

[5-21-2015 - Minor title change to reflect vulnerability rather than exploit]

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you