To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We explain the Venom vulnerability, what the impact is & the steps major providers are taking to protect themselves.

Plus strategies to mitigate Cyber Intrusions, a truly genius spammer, great questions, a huge round up & more!

Thanks to:













Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

— Show Notes: —

A flaw in the way qemu emulates floppy disks could allow an attacker to break out of a virtual machine and take over the host

“This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”

This vulnerability affects qemu, KVM, VirtualBox, and some types of Xen, because they all share the same qemu floppy emulation code

Unaffected hypervisors include: VMWare, Hyper-V, Bochs, and bhyve

The issue has been assigned the identifier CVE-2015-3456

“Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, FreeBSD, etc.).”

“It needs to be noted that even if a guest does not explicitly have a virtual floppy disk configured and attached, this issue is exploitable. The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.”

“The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command. This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.”

“The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.”

“After verifying the vulnerability, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, Xen Security mailing list, Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015.

After a patch was developed CrowdStrike publicly disclosed VENOM on May 13, 2015. Since the availability of the patch, CrowdStrike has continued to work with major users of these vulnerable hypervisors to make sure that the vulnerability is patched as quickly as possible.”

CrowdStrike blog about the disclosure

“While it seems obvious that infrastructure providers could be impacted, there are many other less obvious technologies that depend on virtualization. For example, security appliances that perform virtual detonation of malware often run these untrusted files with administrative privileges, potentially allowing an adversary to use the VENOM vulnerability to bypass, crash or gain code execution on the very device designed to detect malware.”

“CrowdStrike would also like to publicly recognize Dan Kaminsky, Chief Scientist at White Ops, who is a renowned researcher with extensive experience discovering and disclosing major vulnerabilities. Dan provided invaluable advice to us throughout this process on how best to coordinate the release of open source patches across the numerous vendors and users of these technologies.”

Xen Advisory

Amazon Statement

Digital Ocean statement

Redhat Advisory

Working PoC exploit

This has refocused attention on some older work to exploit qemu/KVM, like this from DEFCON / BlackHat 2011

Or this paper from a Google researcher from 2007: An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments

There is also some backlash against the naming and glamorization of vulnerabilities, as seen with the recent announcement of AnalBleed

“Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam”

The virus consisted of perl code packed into an ELF binary

During a 7 month monitoring period, Eset researchers saw 8,867 IP addresses connect to one of the command and control servers

“The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail.”

“These two main components are written in Perl and they’re obfuscated inside a custom “packer” that’s written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that’s arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.”

“Malware targeting Linux and BSD servers is becoming more and more complex,” researchers from Eset wrote. “The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption.”

The way the malware was architected, it polled a list of Command and Control servers, accepting commands from any of them

The list included some legitimate sites, to throw researchers off

“A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication that the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names that Mumblehard-infected machines query every 15 minutes.”

At some point, one of the domains on the command and control list became available, so the researchers registered it and directed all of the infected machines to talk to their own command and control server

The communications with the C&C servers was cleverly hidden in what look like PHP Session cookies, and in the fake browser user-agent strings

One of the giveaways is the fact that the base browser user-agent string is for Firefox 7.0.1 on Windows 7

Part of the version string would be replaced with the command id, http status, and number of bytes downloaded by the infected machine

“The Eset researchers still aren’t certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.”

Eset research PDF

Feedback:

Round-Up: