Venom vulnerability poisons Xen hypervisor

Cloud providers are facing another round of patching virtualisation hypervisor layers thanks to a newly-discovered serious vulnerability.

Security vendor Crowdstrike is credited with finding the flaw, dubbed Venom, in the virtual floppy disc drive code for the open source Quick Emulator (QEMU). 

Two commands for the floppy drive can be used to overflow data buffers, allowing attackers to execute arbitrary code with the privileges of the hypervisor process, making it possible to escape virtual machine security contexts.

While floppy drives are by and large outdated, virtualised devices are added to virtual machines by default, Crowdstrike said. Furthermore, a bug in Xen not related to Venom causes the vulnerable code to remain active even with the virtual floppy drives disabled.

The active code on hypervisors with the virtual floppies disabled can be exploited by attackers, Crowdstrike said.

The security firm said the flaw has been in the QEMU code since 2004, but there are no reports of the vulnerability being exploited in the wild.

The Xen, Linux KVM and native QEMU clients are all affected by Venom, Crowdstrike said. 

Cloud providers have started patching their infrastructure.

Rackspace told its customers that FirstGen Cloud servers running Windows are affected, as are NextGen systems built from Xen para-virtualised hardware virtual machine (PVHVM) images.

"For the patch to be effective in resolving the vulnerability, the customer VM must be power cycled, either by the customer or by Rackspace. Our preference is that customers do this themselves, and we strongly recommend that customers take this action as quickly as possible," Rackspace said.

Since the vulnerability is rated as severe, Rackspace customers have less than 24 hours to power cycle the machines themselves, or the provider will do it for them.

Soft reboots are not sufficient to make the patch fully effective, Rackspace warned.

Other cloud providers, however, say they are safe from Venom.

Linode said customers don't need to take any action as the Venom flaw does not affect the provider's infrastructure.

Citrix, which also uses Xen, said it was analysing the impact of the vulnerability and would add required remediation steps once they are available.

Amazon Web Services is not vulnerable to Venom, the company said. Customers don't need to take any action.

Crowdstrike said VMware and Microsoft's Hyper-V hypervisor layer were not affected by Venom, nor was the Bochs virtual machine.