Virtual drive leak allows attack on host system VMs


CrowdStrike has discovered a vulnerability in QEMU’s virtual floppy disk controller. This component is used by Xen and KVM, among others. The hole makes it possible to access the host system that virtual machines run on top of.

The security hole, dubbed Venom, was discovered in the virtual floppy controller. That controller is used by several hypervisors, including Xen, KVM, and the native QEMU client. Microsoft's Hyper-V, VMware and Bochs are not vulnerable.

According to CrowdStrike, QEMU's virtualized floppy drive controller contains a bug that is triggered when certain commands are sent to it. This causes a buffer overflow and allows malicious code to be executed in the hypervisor. As a result, an attacker could potentially attack other virtual machines or the underlying operating system.

To exploit the bug in the virtual floppy controller, an attacker, or the malware they use, must have root or administrator access to the affected guest virtual machine. Furthermore, all underlying host operating systems running the hypervisor are vulnerable to the Venom security hole.

The bug is said to have been present in QEMU's source code since 2004 and can, in part, still be exploited even when the virtual floppy drive controller is disabled in the hypervisor. Much virtualization software is reported to have already received an update that fixes the vulnerability.
