VENOM Vulnerability Poses Serious Threat to Cloud Service Providers And Their Customers

Data security research player CrowdStrike is reporting a security flaw that could allow hackers to exploit and take over data centers from within. Given the nasty moniker "VENOM" (for "Virtualized Environment Neglected Operations Manipulation"), the vulnerability CrowdStrike uncovered is present in a common component — a legacy floppy drive controller — that is widely used in virtualization platforms and appliances.

The seriousness of the VENOM vulnerability rests on how it circumvents an essential barrier used by cloud service providers to segregate customer data. Thus, infiltrators who are able to gain access to one virtual environment can subsequently move from there into the cloud entity's base operating system and thereafter tap into all of the other virtual environments in that particular data center. And because VENOM enters through such an old-tech disk controller, it is ripe for exploitation across the gamut of common operating systems, including Windows, OS X, Linux, and perhaps others.

In reference to previous VM escape vulnerabilities, CrowdStrike writes:

Most VM escape vulnerabilities discovered in the past were only exploitable in non-default configurations or in configurations that wouldn’t be used in secured environments. Other VM escape vulnerabilities only applied to a single virtualization platform, or didn’t directly allow for arbitrary code execution.

VENOM is unique in that it applies to a wide array of virtualization platforms, works on default configurations, and allows for direct arbitrary code execution.

VENOM is said to date back to 2004, and as such quite a large number of virtualization platforms are affected, including Xen, KVM, Oracle's VirtualBox, and QEMU client software. VMware, Microsoft Hyper-V, and Bochs hypervisors, though, are not affected.

Jason Geffner, CrowdStrike's discoverer of VENOM, said in a ZDNet phone interview on Tuesday, "Millions of virtual machines are using one of these vulnerable platforms." He went on to to draw a parallel between last year's infamous Heartbleed bug and Venom, saying "Heartbleed lets an adversary look through the window of a house and gather information based on what they see. Venom allows a person to break in to a house, but also every other house in the neighborhood as well."

Upon uncovering and verifying VENOM CrowdStrike communicated it to affected companies on April 30 and worked to help patch the bug before publicly disclosing it yesterday. CrowdStrike found VENOM in-house, and as such no attack code is thought to currently be in the ether, nor has the vulnerability been previously exploited. And though the vulnerability can be put to use via both the guest and host ends of the affected OS, any code looking to attack must first gain administrative or root privileges. The development of malicious code intended to leverage VENOM for nefarious purposes, however, is thought to be a relatively simple matter, and for this reason service providers should scramble to patch their systems. And to this end, patches are already available from the following vendors:

• QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c 
• Xen Project: http://xenbits.xen.org/xsa/advisory-133.html 
• Red Hat: https://access.redhat.com/articles/1444903 
• Citrix: http://support.citrix.com/article/CTX201078 
• FireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf 
• Linode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/ 
• Rackspace: https://community.rackspace.com/general/f/53/t/5187 
• Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/ 
• Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456 
• Suse: https://www.suse.com/support/kb/doc.php?id=7016497 
• DigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/ 
• f5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html 

Various workarounds are also said to be available, which users can employ to reduce risk.

At this point VENOM looks to already be well in-hand, though considering the potential reach of the vulnerability and the high-value assets involved — the wide range of the platforms affected are comprised of servers in use by every imaginable security-dependent service (e-commerce providers being only one eyebrow-lifting example) — the handling and eradication of the bug has to be seen as paramount.