We explain the Venom vulnerability, what the impact is & the steps major providers are taking to protect themselves.
Plus strategies to mitigate cyber intrusions, a truly genius spammer, great questions, a huge round-up & more!
— Show Notes: —
VENOM: Virtualized Environment Neglected Operations Manipulation
- A flaw in the way qemu emulates floppy disks could allow an attacker to break out of a virtual machine and take over the host
- “This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”
- This vulnerability affects qemu, KVM, VirtualBox, and some types of Xen, because they all share the same qemu floppy emulation code
- Unaffected hypervisors include: VMWare, Hyper-V, Bochs, and bhyve
- The issue has been assigned the identifier CVE-2015-3456
- “Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, FreeBSD, etc.).”
- “It needs to be noted that even if a guest does not explicitly have a virtual floppy disk configured and attached, this issue is exploitable. The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.”
- “The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command. This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.”
- “The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.”
- “After verifying the vulnerability, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, Xen Security mailing list, Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015.
- After a patch was developed CrowdStrike publicly disclosed VENOM on May 13, 2015. Since the availability of the patch, CrowdStrike has continued to work with major users of these vulnerable hypervisors to make sure that the vulnerability is patched as quickly as possible.”
- CrowdStrike blog about the disclosure
- “While it seems obvious that infrastructure providers could be impacted, there are many other less obvious technologies that depend on virtualization. For example, security appliances that perform virtual detonation of malware often run these untrusted files with administrative privileges, potentially allowing an adversary to use the VENOM vulnerability to bypass, crash or gain code execution on the very device designed to detect malware.”
- “CrowdStrike would also like to publicly recognize Dan Kaminsky, Chief Scientist at White Ops, who is a renowned researcher with extensive experience discovering and disclosing major vulnerabilities. Dan provided invaluable advice to us throughout this process on how best to coordinate the release of open source patches across the numerous vendors and users of these technologies.”
- Xen Advisory
- Amazon Statement
- Digital Ocean statement
- Red Hat Advisory
- Working PoC exploit
- This has refocused attention on some older work to exploit qemu/KVM, like this from DEFCON / BlackHat 2011
- Or this paper from a Google researcher from 2007: An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments
- There is also some backlash against the naming and glamorization of vulnerabilities, as seen with the recent announcement of AnalBleed
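A constructed model of the bug class the notes describe, added here as an illustration; it is not QEMU's code, nor CrowdStrike's, and the names (`fdc_t`, `fdc_write_byte`, `resets_on_done`) are hypothetical. It shows the defensive rule that closes this class regardless of which command handler forgets its reset: every access to the fixed-size FIFO is checked against the real buffer size, so a stale cursor is refused and counted instead of becoming an out-of-bounds write in the hypervisor process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of an emulated floppy-controller command FIFO (hypothetical
 * names; this is not QEMU's code). It mirrors only the shape the notes describe:
 * a fixed-size buffer, a cursor for the next parameter byte, and command
 * handlers that are supposed to reset that cursor when the command completes. */
#define FIFO_LEN 512
typedef struct {
    uint8_t fifo[FIFO_LEN];
    size_t  data_pos;        /* index of the next parameter byte */
    size_t  data_len;        /* parameter bytes the current command expects */
    bool    resets_on_done;  /* does this command's handler clear the cursor? */
    size_t  refused;         /* writes rejected by the bounds check */
} fdc_t;

void fdc_init(fdc_t *f) { *f = (fdc_t){0}; }

/* Guest issues a command expecting `len` parameter bytes. The flag models the
 * missing-reset defect: a correct handler passes true; a handler with the
 * defect the notes describe would pass false and leave the cursor in place. */
void fdc_begin_command(fdc_t *f, size_t len, bool resets_on_done) {
    f->data_pos = 0;
    f->data_len = len;
    f->resets_on_done = resets_on_done;
}

/* Guest writes one byte to the data port. Hardened rule: never trust the cursor;
 * check it against the real buffer size on every access, so a handler that
 * forgot to reset cannot become an out-of-bounds write in the hypervisor. */
bool fdc_write_byte(fdc_t *f, uint8_t b) {
    if (f->data_pos >= FIFO_LEN) {  /* defence in depth: refuse and count it */
        f->refused++;
        return false;
    }
    f->fifo[f->data_pos++] = b;
    if (f->data_pos >= f->data_len && f->resets_on_done)
        f->data_pos = 0;            /* command complete: clear for the next one */
    return true;
}

/* Feed `n` guest bytes and return how many the bounds check refused: a non-zero
 * count is the signal a defender would log as a guest misbehaving. */
size_t fdc_feed(fdc_t *f, const uint8_t *bytes, size_t n) {
    for (size_t i = 0; i < n; i++)
        fdc_write_byte(f, bytes[i]);
    return f->refused;
}
```

With the reset discipline intact nothing is refused; with it missing, the check absorbs everything past the 512th byte, which is the point of bounding the access rather than trusting each handler.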
Strategies to Mitigate Targeted Cyber Intrusions – From the Australian Signals Directorate
- The Australian equivalent of the NSA has published a study on the top 35 mitigation methods to protect networks against targeted cyber attacks
- They say that 85% of all network intrusions could be prevented if organizations adopted just the top 4 recommendations
- These 4 recommendations are:
- Use application whitelisting, to prevent malicious software from being able to run
- Install application updates (especially Java, Flash, PDF readers, browsers, etc.)
- Install OS updates (quickly!); do not use Windows XP
- Do not give administrator privileges to more people than absolutely required
- Video: Catch, Patch, and Match
- Table: The full list of 35 mitigation strategies
- How to employ the top 4 mitigations in a Linux environment
- The ASD even goes so far as to rank each mitigation strategy by its effectiveness, how much users will resist/complain, how much work it will be to set up, and how much work it will be to maintain.
- “Once organisations have implemented the Top 4 mitigation strategies, first on the computers of users who are most likely to be targeted by cyber intrusions and then on all computers and servers, additional mitigation strategies can be selected to address security gaps until an acceptable level of residual risk is reached.”
- Of these, only application whitelisting is likely to raise the ire of the average end user
- Additional Coverage – SecureList
- The list of 35 mitigation methods can be roughly divided into 4 categories:
- Administrative — Training, physical security
- Networking — These measures are easier to implement at a network hardware level
- System administration — The OS contains everything needed for implementation
- Specialized security solutions — Specialized security software is applicable
- Kaspersky SecureList has broken its analysis of the ASD publication down into 4 parts in its Security Encyclopedia:
- Part 1. How to mitigate APTs. Applied theory
- Part 2. Top-4 mitigation strategies which address 85% of threats
- Part 3. Strategies outside the Top-4. For real bulletproof defense
- Part 4. Forewarned is Forearmed: the Detection Strategy against Advanced Persistent Threats (APTs)
- Gartner: Best Practices for Mitigating Advanced Persistent Threats
Mumblehard — Muttering spam from your servers
- “Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam”
- The virus consisted of Perl code packed into an ELF binary
- During a 7 month monitoring period, Eset researchers saw 8,867 IP addresses connect to one of the command and control servers
- “The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail.”
- “These two main components are written in Perl and they’re obfuscated inside a custom “packer” that’s written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that’s arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.”
- “Malware targeting Linux and BSD servers is becoming more and more complex,” researchers from Eset wrote. “The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption.”
- The malware was architected to poll a list of command and control servers, accepting commands from any of them
- The list included some legitimate sites, to throw researchers off
- “A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication that the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names that Mumblehard-infected machines query every 15 minutes.”
- At some point, one of the domains on the command and control list became available, so the researchers registered it and directed all of the infected machines to talk to their own command and control server
- The communications with the C&C servers were cleverly hidden in what look like PHP session cookies and in forged browser user-agent strings
- One giveaway is that the base user-agent string claims to be Firefox 7.0.1 on Windows 7
- Part of the version string would be replaced with the command id, HTTP status, and number of bytes downloaded by the infected machine
- “The Eset researchers still aren’t certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program.”
- Eset research PDF
Round-Up:
- Cybersecurity Firm May Have Hacked Its Own Clients To Extort Them – Additional Coverage – CNN Money
- Enterprise SSDs may start to lose data if left powered off for even just a few days
- RHEL 7 will break with its typical long term backporting strategy, and update GTK3/Gnome3 mid-cycle
- Interesting issue with PHP hash comparisons could result in many vulnerability announcements in the coming weeks. In PHP, a loose comparison (==) treats a string such as “0e123” as the number 0, so two hashes that both start with 0e followed only by digits compare equal and could falsely match
- Military Strategy: A West Point Teacher’s Last Letter to His Cadets
- Brian Krebs Discusses Investigative Security Journalism – In-depth interview with Norse “Dark Matters” blog
- Top cyber attack vectors for critical SAP systems
- Proof of concept Linux rootkit uses processor and memory of GPU to hide from operating system
- Beware the ticking Internet of Things security time bomb
- Ad network compromised, spreads “nuclear exploit kit”
- Australia outlaws warrant canaries
- Dropbox updates Terms of Service, users outside North America will be served from Ireland instead of the USA
- Virus Scanners need to be more than just a GUI with a big “SAFE” label on them
- Intel’s new Core M 5Y71 keeps pace with its Core i5 cousins
- Adallom is not a Bureaucracy checkbox
- What year is this: Researcher Richard Bejtlich posts an excerpt from a novel about computer security, guess when it was written
- Bug Bounty Program | United Airlines