In today’s Whiteboard Wednesday, Justin Pagano, Security Engineer
at Rapid7, will discuss the VENOM vulnerability. VENOM is a
vulnerability in the virtual floppy drive code of a
virtual machine. If properly exploited, it lets attackers move laterally
from the affected VM and gain access to the host, putting your critical
assets in jeopardy.
Hi. My name's Justin Pagano. I'm a security engineer here at
Rapid7. For today's Whiteboard Wednesday we're going to go over the
recently disclosed VENOM vulnerability. VENOM stands for virtualized
environment neglected operations manipulation. This vulnerability is
present in the virtual floppy disk controller or FDC code that's present
in a hypervisor package called QEMU. This FDC code is also used in
other hypervisor packages such as Xen and KVM.
If an attacker were to exploit this vulnerability, they would
be sending malicious parameters to the FDC that's running on a virtual
machine. That FDC allows the virtual machine to communicate with the
underlying host and act like a floppy disk drive when really there isn't
a physical one present. The attacker can cause a buffer overflow within
the FDC, break out of the VM, and potentially access other VMs within
that hypervisor. They could also have access to the underlying bare
metal system's hardware and use that to see other systems on the
hypervisor's network. There's a pretty big risk here of an attacker
lateraling out of a VM to other virtual machines that are supposed to be
sealed off from the one they're on and also to other standalone
systems and other hypervisors that might be on that same network. We're
talking about the potential for an attacker to get access to your
company's intellectual property or to sensitive information such as PII