
Using Data Center Security: Server Advanced to Stay Safe from VENOM 

May 14, 2015 06:25 PM

On Wednesday, May 13, Crowdstrike researchers revealed a new zero-day vulnerability affecting a variety of virtualization platforms and cloud services. Dubbed VENOM, it allows attackers to break out of a virtual machine (VM), execute code on the host machine, and access any other VMs running on it. More information on this can be found on Crowdstrike’s VENOM website.

What is VENOM?

VENOM (CVE-2015-3456) is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. The zero-day vulnerability lies in a legacy component common to widely-used virtualization software, allowing a hacker to infiltrate potentially every machine across a datacenter's network.


What Customers Need to Know:

  • VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.
  • The bug is in QEMU’s virtual Floppy Disk Controller (FDC) and has been around since 2004.
  • Many modern virtualization platforms, including Xen, KVM, and Oracle's VirtualBox, include the buggy code.
  • The VENOM vulnerability is agnostic of the guest operating system, and an attacker (or an attacker’s malware) would need to have administrative or root privileges in the guest operating system in order to exploit VENOM.
  • This vulnerability affects enterprise customers that use the affected virtualization platforms and appliances, notably Xen, KVM, Oracle’s VirtualBox, and the native QEMU client.
  • This vulnerability is not remotely exploitable. Attackers must have local access to the guest to launch an attack. This means that customers should consider enforcing privileged access control to mitigate insider threats from exploiting this vulnerability.
  • Customers cannot stop the vulnerability at the device driver level. RHEL has confirmed that removing the driver does not stop an exploit, as attackers can directly write to the FDC ports.
  • OpenStack is a cloud management layer on top of the hypervisor and is not applicable for this vulnerability. However, Symantec recommends that enterprises running OpenStack/KVM review and monitor their systems for exploits that would take advantage of this vulnerability.

Symantec Customers Can Utilize Symantec Data Center Security: Server Advanced (formerly known as “Critical System Protection”) to secure their infrastructure

Although there are no reported and known exploits of this vulnerability in the wild, Symantec recommends that customers running potentially affected virtualization platforms and appliances (including OpenStack), supported by Symantec Data Center Security: Server Advanced (DCS:SA), perform the following actions until they have patched the potentially affected platforms:

Symantec Data Center Security: Server Advanced (DCS:SA) monitors and orchestrates security hardening across on-premise data centers (both physical and virtual servers), public clouds (AWS), and private clouds (OpenStack). To find out more, see the DCS:SA Data Sheet.

Symantec Data Center Security: Server Advanced is part of the Symantec Data Center Security product family, which also includes Symantec Data Center Security: Server, Control Compliance Suite, and the Symantec Protection Engine Brands (for NAS and Clouds).
