PSA: VENOM Exploit on Citrix XenServer
I’ve had some clients ask about a new exploit making its way around security desks lately. It’s called VENOM, and it leverages a buffer overrun in the code that processes commands sent to a VM's virtual floppy disk controller to gain unauthorized access across the entire HOST and all VMs running within it. VENOM targets the hypervisor specifically in order to gain unauthorized access to the other Virtual Machines running on the host platform.
After some research, it looks as though this is primarily an issue with the QEMU floppy controller code found in some open source hypervisors, including Citrix’s XenServer.
EDIT: As of this post, Citrix has not issued patches for XenServer but has opened a KB article to track the progress of the exploit (https://support.citrix.com/article/CTX201078).
This is also a good time to discuss whether it makes sense to even have virtual floppy drives on VMs. It’s such a legacy thing, and it is typically a default configuration setting for new VMs. It might be worth looking at your templates to see if there are any unnecessary devices that should be removed to reduce exposure to future exploits.
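As an added example (not code from the original post or from Citrix), here is a small audit script that scans VM definitions for legacy floppy hardware so you can find templates that still carry it. It assumes libvirt domain XML as the inventory format, since that is a common open-source hypervisor format and the post does not show XenServer's own template layout; the two domain definitions embedded below are constructed sample input. Pruning the device is attack-surface hygiene, not a substitute for the vendor fix tracked in the KB article above.

```python
"""Audit libvirt domain definitions for legacy floppy hardware.

Added example, not from the original post: scans domain XML for
<disk device='floppy'> entries and <controller type='fdc'> entries so
templates carrying a virtual floppy can be found and cleaned up.
The two domain definitions below are constructed sample input.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one template that still carries a virtual floppy,
# and one that has only a virtio disk and a CD-ROM.
SAMPLE_DOMAINS = {
    "web-template": """
<domain type='kvm'>
  <name>web-template</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/web.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/drivers.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
    <controller type='fdc' index='0'/>
  </devices>
</domain>""",
    "db-template": """
<domain type='kvm'>
  <name>db-template</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/db.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='hdc' bus='ide'/>
    </disk>
  </devices>
</domain>""",
}


def find_floppy_devices(domain_xml):
    """Return a list of findings (strings) describing floppy hardware in one domain."""
    root = ET.fromstring(domain_xml.strip())
    findings = []
    # A floppy drive is a <disk> whose device attribute is 'floppy'.
    for disk in root.iterfind("./devices/disk"):
        if disk.get("device") == "floppy":
            target = disk.find("target")
            dev = target.get("dev") if target is not None else "?"
            src = disk.find("source")
            path = src.get("file") if src is not None else "(no media)"
            findings.append(f"floppy disk {dev} backed by {path}")
    # The controller itself is what the vulnerable QEMU code emulates.
    for ctrl in root.iterfind("./devices/controller"):
        if ctrl.get("type") == "fdc":
            findings.append("floppy controller (fdc) present")
    return findings


def audit_domains(domains):
    """Map each domain name to its floppy findings; an empty list means clean."""
    return {name: find_floppy_devices(xml) for name, xml in domains.items()}


if __name__ == "__main__":
    report = audit_domains(SAMPLE_DOMAINS)
    for name, findings in report.items():
        status = "REVIEW" if findings else "ok"
        print(f"{status:6} {name}")
        for finding in findings:
            print(f"       - {finding}")
```

On a real host you would feed `audit_domains` the output of `virsh dumpxml` for each domain instead of the constructed samples, and treat any template in the REVIEW list as a candidate for removing the floppy disk and its fdc controller.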