Last Wednesday, news broke of a new zero-day vulnerability that has the web hosting community hissing. Discovered by security firm CrowdStrike, VENOM (Virtualized Environment Neglected Operations Manipulation) is a buffer overflow in the virtual floppy disk controller code of the open source QEMU emulator. An attacker who already controls one virtual machine could use it to break out to the host and from there reach every other virtual instance running on it, which is what makes a floppy bug a potential threat to entire data centers.
Just how serious is CVE-2015-3456? Which virtualization platforms are affected, and which have released patches? Almost a week after the flaw was disclosed, are we right to equate its impact with Heartbleed, or should we shed that comparison like an old layer of skin? Read on to learn how VENOM works, how an attacker could exploit it to escape a virtual machine, and what web hosts can do to limit the damage!
How VENOM Exploitation Works
If you're wondering how the VENOM vulnerability can compromise a whole network of connected machines in a data center, CrowdStrike has published a helpful diagram of the attack path; the steps below walk through the same chain.
According to The Hacker News, the flaw, which has sat unnoticed in the code since 2004, "was discovered in the open-source virtualization package QEMU, affecting its Virtual Floppy Disk Controller (FDC) that is being used in many modern virtualization platforms and appliances, including Xen, KVM, Oracle's VirtualBox, and the native QEMU client." No exploitation has been reported so far, but web hosts are worried that an attacker could crash the hypervisor process, or take control of it, simply by sending crafted commands and data to the emulated FDC.
"Heartbleed lets an adversary look through the window of a house and gather information based on what they see. Venom allows a person to break into a house, but also every other house in the neighborhood as well." - Jason Geffner, the CrowdStrike researcher who discovered VENOM
Starting from a virtual machine on a vulnerable host, an attacker needs elevated ("root" or administrator) privileges inside the guest operating system (OS) to talk to the emulated FDC's I/O ports. It is important to note, however, that this controller isn't as protected on Windows guests as on other OSes. The FDC is part of QEMU's default virtual hardware, so it is reachable from a guest even when no floppy drive was ever configured for that VM. By sending specially crafted commands to it, the attacker overflows the controller's FIFO buffer and can crash the QEMU process or execute code inside it, and that process runs on the host with whatever privileges the hypervisor gave it. From there they can turn on the rest of your hosting environment, moving laterally to the other virtual machines (VMs) running on the same host.
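To make the two paragraphs above concrete, here is a small C model added for this article. It is not QEMU's code: the opcodes (CMD_GOOD, CMD_STICKY), the two-byte parameter count and the 64-byte guard region are assumptions. What it preserves is the shape of the defect: a command handler that fails to reset the FIFO byte counter, so the bytes a privileged guest subsequently writes to the controller's data port are stored at an index that has already run past the end of the 512-byte buffer. The vulnerable write path is shown beside a hardened one that forces the index back into bounds, which is the approach the upstream QEMU fix took.

```c
/*
 * Model of the VENOM bug class (CVE-2015-3456), written for this article.
 * It is NOT QEMU's code: the opcodes, the 2-byte parameter count and the
 * guard region are assumptions that mimic the real controller's command
 * phase.  The FDC collects command bytes into a 512-byte FIFO; one handler
 * forgets to reset the byte counter, so every later guest byte is stored
 * at an ever-growing index.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FD_SECTOR_LEN   512   /* size of the emulated FIFO */
#define GUARD_LEN       64    /* stands in for whatever follows the FIFO in memory */
#define GUARD_FILL      0xAA  /* canary; any other value here means corruption */
#define CMD_PARAM_BYTES 2     /* assumed parameter bytes after each opcode */

enum { CMD_GOOD = 0x03, CMD_STICKY = 0x0A };  /* hypothetical opcodes */

typedef struct {
    uint8_t  buf[FD_SECTOR_LEN + GUARD_LEN];  /* FIFO followed by the guard */
    uint32_t data_pos;                         /* bytes received so far */
    uint32_t data_len;                         /* bytes the current command needs */
} FDCtrl;

static void fdctrl_reset(FDCtrl *c)
{
    memset(c->buf, 0, FD_SECTOR_LEN);
    memset(c->buf + FD_SECTOR_LEN, GUARD_FILL, GUARD_LEN);
    c->data_pos = 0;
    c->data_len = 0;
}

/* Runs once data_pos == data_len.  CMD_GOOD ends its command properly.
 * CMD_STICKY leaves data_pos alone, the VENOM-style defect: the next guest
 * byte is taken as a continuation, data_pos never equals data_len again,
 * and the index grows with every write. */
static void fdctrl_run_command(FDCtrl *c)
{
    if (c->buf[0] != CMD_STICKY)
        c->data_pos = 0;          /* ready for the next opcode */
}

/* Command-phase bookkeeping shared by both write paths. */
static uint32_t fdctrl_next_index(FDCtrl *c)
{
    if (c->data_pos == 0)         /* first byte is the opcode */
        c->data_len = 1 + CMD_PARAM_BYTES;
    return c->data_pos++;
}

/* Vulnerable: the raw counter indexes the FIFO.  The size check exists only
 * so this model cannot fault; the real code had none. */
static void fdctrl_write_data_vuln(FDCtrl *c, uint8_t value)
{
    uint32_t pos = fdctrl_next_index(c);
    if (pos < sizeof c->buf)
        c->buf[pos] = value;      /* beyond 512 this lands in the guard */
    if (c->data_pos == c->data_len)
        fdctrl_run_command(c);
}

/* Hardened, in the spirit of the upstream fix: force the access back inside
 * the FIFO regardless of what the counter says. */
static void fdctrl_write_data_fixed(FDCtrl *c, uint8_t value)
{
    uint32_t pos = fdctrl_next_index(c) % FD_SECTOR_LEN;
    c->buf[pos] = value;
    if (c->data_pos == c->data_len)
        fdctrl_run_command(c);
}

/* Guard bytes the guest managed to overwrite. */
static int fdctrl_guard_corruption(const FDCtrl *c)
{
    int n = 0;
    for (size_t i = FD_SECTOR_LEN; i < sizeof c->buf; i++)
        n += (c->buf[i] != GUARD_FILL);
    return n;
}

/* A privileged guest issues one command, then floods the data port with
 * more bytes than the FIFO holds.  Returns the number of guard bytes hit. */
static int simulate_guest(void (*write)(FDCtrl *, uint8_t), uint8_t opcode)
{
    FDCtrl c;
    fdctrl_reset(&c);
    write(&c, opcode);
    for (int i = 0; i < CMD_PARAM_BYTES; i++)
        write(&c, 0x00);
    for (int i = 0; i < FD_SECTOR_LEN + 32; i++)
        write(&c, 0x41);
    return fdctrl_guard_corruption(&c);
}

int main(void)
{
    printf("vulnerable FDC, sticky command: %d guard bytes overwritten\n"
           "vulnerable FDC, normal command: %d\n"
           "fixed FDC, sticky command:      %d\n",
           simulate_guest(fdctrl_write_data_vuln, CMD_STICKY),
           simulate_guest(fdctrl_write_data_vuln, CMD_GOOD),
           simulate_guest(fdctrl_write_data_fixed, CMD_STICKY));
    return 0;
}
```

Compile with `cc -std=c99 venom_model.c && ./a.out`. Through the vulnerable path the sticky command corrupts the guard region, while the fixed path wraps the index and leaves it untouched, and a well-behaved command is harmless even on the vulnerable controller. In the real hypervisor the bytes past the FIFO land in adjacent memory of the QEMU process, which is what turns a floppy quirk into a guest-to-host escape.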
Which Hosting Platforms Are Affected?
Because the vulnerable FDC code is open source and reused by several virtualization products, it is hard to know exactly which hosting platforms are exposed. CrowdStrike has confirmed Xen, KVM and the native QEMU client as affected hypervisors, and Oracle VirtualBox, which also ships the QEMU floppy code, appears in The Hacker News' list above.
CrowdStrike lists VMware, Microsoft Hyper-V and Bochs as not affected.
Cloud Providers That Have Released Patches or Advisories
Many web hosts are worried because their cloud providers rely heavily on QEMU-based virtualization, leaving them exposed. If you rely on any of the following vendors, you need to patch ASAP; each has published an update or advisory.
- Xen Project
- Red Hat
- Liquid Web
The preceding list was taken from CrowdStrike's VENOM awareness site, but every concerned web host should still contact its vendors directly to confirm that the fix is in place. Note, too, that installing a patched QEMU or hypervisor package is not the end of the job: the vulnerable code runs inside each guest's QEMU process, so every running VM has to be restarted (or live-migrated to an already patched host) before the update actually protects it.
So what do you think? Are analysts right to describe the ramifications of VENOM as "bigger than Heartbleed?" Considering that the bug was found by researchers and has not been seen exploited in the wild, has the vulnerability been blown out of proportion? Let us know in the comments section below!
For more information on VENOM, check out:
- Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters
- Understanding the VENOM Vulnerability
- How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?
- The Venom vulnerability: Little details bite back