Crowdstrike disclosed this week the existence of VENOM, a serious vulnerability affecting many virtualized environments.
VENOM (Virtualized Environment Neglected Operations Manipulation) has existed since 2004 in the virtual Floppy Disk Controller (FDC) of QEMU, and it affects virtualization solutions such as Xen, KVM, and the native QEMU client. VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted.
An attacker with a root level account on the system can exploit the vulnerability (CVE-2015-3456) to escape the virtual machine and execute arbitrary code on the host.
Several vendors have already released patches and advisories, including QEMU, the Xen Project, Red Hat, FireEye, Citrix, Linode, Rackspace, Ubuntu, Debian, Suse, Digital Ocean, F5 Networks, Liquid Web, UpCloud, and Joyent.
Following recent trends, the VENOM vulnerability has a logo, a fancy name, and a dedicated website, and many rushed to compare it with the notorious Heartbleed bug. While experts agree that this is a serious vulnerability that could expose sensitive information, many have noted that it’s not as dangerous as Heartbleed.
And the feedback begins…
Paco Hope, Principal Software Security Consultant, Cigital:
“VENOM represents hackers hacking something relatively new: the media. The profile of vulnerabilities like Heartbleed and shellshock was amplified by how easy they were to report on. Just like hackers package their exploit payloads in padding and structure so that computers execute the right code, marketing departments use technical details coupled with catchy names, logos, and visuals to get the media to execute stories.
The good news is that virtualized environments tend to be the most scalable, monitored, and thoroughly managed. If any segment of the industry is well positioned to distribute a fix to a vulnerability quickly and get back to business, it is cloud and virtualized environments.”
Cris Thomas, Strategist at Tenable Network Security:
“A virtual machine sandbox escape that allows you to attack other virtual machines is a sort of the ‘brass ring’ for bug hunters. There have been previous bugs, but they typically required custom configurations and did not allow arbitrary code execution.
While CVE 2015-3456 (VENOM) does exist in the default configuration and does allow arbitrary code execution, it only impacts three of the six major vendors—and two of those are already patched.
Though potentially serious if unpatched, this bug requires the attacker to get admin or root privileges in the root operating system and has not yet been seen in the wild. So while CVE 2015-3456 has been getting a lot of press, we have yet to see if its bite is as bad as the hype.”
Bogdan Botezatu, Senior E-Threat Analyst, Bitdefender:
“While vulnerabilities in virtualization software are extremely important, the VENOM flaw requires that a specific set of prerequisites be met. However, there are circumstances in which companies using QEMU-powered private clouds could face denial of service attacks – or worse yet – physical infrastructure compromise (i.e. services that use QEMU-based virtualization to analyze unknown or untrusted binaries).
To summarize, VENOM is definitely not the cloud killer as cloud services usually rely on different virtualization technologies such as VMWare or VirtualBOX. But companies that expressly rely on QEMU for specific virtualization tasks should take the proper measures to address this critical issue as soon as possible. While VENOM cannot be used as a shotgun technique to take down all clouds, for some entities running a vulnerable configuration, exploitation would be devastating.”
Tomer Schwartz, Sr. Director of Threat Research, Adallom:
“Unlike remotely exploitable vulnerabilities such as Heartbleed or Shellshock, Venom is a privilege escalation vulnerability, affecting specific Virtualization software. This is a serious vulnerability that might be exploited as part of attack campaigns, but cannot be used as the initial point of infiltration. This can only directly affect IaaS providers who use affected Virtualization software. The impact for SaaS users is negligible, as it is extremely indirect. SaaS providers who operate on their own infrastructure should patch if their environment is vulnerable. Providers who use IaaS or PaaS should check with the relevant infrastructure providers on whether or not they are still vulnerable.”
Mark Orlando, Director of Cyber Operations, Foreground Security:
“There are far more serious vulnerabilities routinely disclosed with less fanfare. We have to remember that cloud services are software-driven, and software will always have flaws and vulnerabilities. This is why transparency at the hypervisor level is so critically important, or at least some assurance that the cloud service vendor is monitoring for exploits of vulnerabilities such as ‘Venom.’
It’s also important for business and consumers to think about segmenting their virtual machines based on data classification, versus adopting a “flat network” approach to their VM deployments. As with physical networks, prevention will eventually fail; we need to think about how we’ll detect and respond when it does, even in virtual environments.”
Scott Hazdra, Senior Security Consultant with Cisco Systems:
“The Venom vulnerability announced by Crowdstrike is a serious risk to many organizations and their customers. What caught many people’s attention is that this is the first non-contrived vulnerability that allows an attacker with admin privileges to perform a VM escape and gain elevated privileges on other VMs and the host server networks.
However, Venom is not a stake to the heart of cloud computing despite what many headlines are shouting. First, not all cloud providers are impacted. Second, this is a software bug that has both workarounds and patches users can use to reduce the risk of exploit. Third, as of this writing there have been no known exploits in the wild. And finally, this announcement does get everyone affected aware very quickly and demonstrates the constructive impact of security researchers who notify impacted vendors before announcing a vulnerability.”
Dave Clemente, Senior Research Analyst, Information Security Forum:
“While the discovery of Venom is useful for the security community, there is a lot of hype surrounding its potential impact. Exploitation of Venom requires an attacker to compromise an administrator account, or to be a malicious administrator. This is an added level of difficulty for attackers, compared to other open source vulnerabilities such as Heartbleed and Shellshock.
Venom is nowhere near as severe as Heartbleed or Shellshock, and affects far fewer organizations. Venom affects some popular virtualization products, such as XEN and KVM, but big providers, such as Amazon and Microsoft are unaffected, reducing its total potential impact. Tl:dr – Venom is potentially severe, but only for a limited number of organizations. Patches are already available. Use them if needed and move on.”
Anup Ghosh, founder and CEO of Invincea:
“While many people will focus on the potential large-scale impacts of the VENOM vulnerability in cloud-based systems, this disclosure also serves as a good “teachable moment” for security professionals who believe in the infallibility of hypervisors for isolation. Specifically VENOM belies the facts around “hardware isolation” via hypervisors. In fact, hypervisors are built from software and have a long history of software vulnerabilities that are exploitable, similar to kernel and application code.
The consequences from these vulnerabilities are potentially severe, however, with Ring 0 access to the machine. Bottom line, when someone says they have a silver bullet security solution from hardware-based isolation because they are using a hypervisor, you now know this is poppycock.”
Devin Egan, Co-Founder and CTO, LaunchKey:
“The largest threat to businesses utilizing cloud services affected by VENOM is the unauthorized access to their data such as keys, passwords and intellectual property including code and documents. Although no public exploit is currently available, it is widely expected to be published in a matter of hours or days. Ensure not only your cloud systems are patched, but that the entire cloud platform has been patched before you update credentials as you are exposed until providers ensure all hosts in a cloud are up to date.”
Cody Pierce, Senior Director of Research & Development at Endgame:
“The key thing to remember about VENOM is that it requires elevated privileges to run. This severely limits its impact. To successfully exploit this vulnerability, an attacker would have to provision a new virtual instance, or gain unauthorized access and elevate privileges, and reliably exploit an unpatched host system using sophisticated techniques. This means it is unlikely to be widely exploited like Heartbleed, which required zero privileges and where any Internet-facing service was potentially remotely exploitable.
Additionally, with backend VM vulnerabilities like VENOM, the VPS provider simply needs to apply the existing patch to their VM host, and all of the guests are protected without any guest OS patching necessary. This means that defenses against widespread exploitation of this vulnerability are easier to implement.”
Ryan Smith, vice president, R&D and chief scientist, Accuvant:
“Venom as a vulnerability is interesting since it breaks down the security walls between Virtual Hosts. Ever since the move to cloud computing and virtualized hosting, businesses took on an increased risk of allowing potentially competing, potentially hostile third parties to execute code on the same machine. If we were pre-“cloud computing,” this would be the equivalent of having an exploit that allowed attackers to jump from one computer in the data center to a completely disconnected computer in the same data center.
The naming of vulnerabilities is also an interesting trend. CVE filled a gap by providing unique identifiers for vulnerabilities that allowed automated systems to easily correlate information with vulnerabilities, patches, and exploits. However, CVE-2015-0001 is not an easily recognizable human name whereas Venom is easily recognizable. This naming pattern allows traditional and social media to speak about a vulnerability in a lot more fluid manner.
When considering vulnerabilities and remediation priorities you have to take into account the potential impact, the difficulty of remediation, and estimate the likelihood of in-the-wild exploitation. With this particular vulnerability if a few virtual hosting and cloud computing providers remediate the vulnerability it reduces the population of affected machines by 90 percent. If there are only a few machines affected by the vulnerability a few days after a patch is available, then it is unlikely attackers will invest the time to exploit the vulnerability.”
Mike Davis, CTO, CounterTack:
“Venom is a larger impact for cloud providers than enterprises. Cloud providers have no control over what their customers do within the guests that run in the virtual environment the cloud provider has. Essentially, this attack allows any customer to take over the cloud provider’s network.
Enterprises have less of a concern except from their administrative users; which should be a low number in most organizations.
Using technology that can detect when drivers are loaded, such as CounterTack, or even prevent them from loading through things, like Group Policy, greatly reduces the risk of this attack. It is another example of controlling what users and applications can do on a system can prevent unknown attacks.”
James Bindseil, CEO, Globalscape:
“Venom is yet another reminder that when it comes to information security, the Internet’s mishmash of legacy and obsolete tech make it a risky place for high-value information. Thoughtful management and governance should always be foremost on the minds of IT executives, managers and anyone who handles “crown jewel” corporate data. This is especially true in the cloud era when companies are becoming increasingly reliant on shared infrastructure as a means of collaboration and data transfer. While there will likely be a lot of Venom hype, we recommend using it as an opportunity to review current security policy and to raise awareness of sound practice.”
Patrick Wardle, Director of Research at Synack:
“The Venom bug has interesting security implications and should not be taken lightly. Venom affects virtualized environments, which are common in hosting and cloud environments. Because security is generally a priority in these environments, it is likely that the bug has already been patched in most instances.
Is this the next HeartBleed? Unlikely. Heartbleed was a remote exploit and could be targeted by anyone at any time. Venom requires code execution on a VM, so it’s not remote. Heartbleed affected a much wider range of servers and clients, and the responsibility to patch was often left up to the end user.
With Venom, a single patch at the hypervisor level should secure all virtualized machines. In a cloud environment, the cloud provider is likely responsible for patching the bug (as opposed to the end users or ‘owners’ of the VM) — and has probably already done so.”
Solutionary Threat Intelligence Team Lead, Chad Kahl:
“At this time, VENOM poses the same level of risk as any new remote-code execution vulnerability. It is bad, but readily fixed or mitigated. First off, it only affects certain platforms. While popular, it doesn’t span almost the entire Internet like Heartbleed did. On top of this, no proof of concept code or active exploitation has been observed. Finally, there are already patches available for many of the affected systems. If you have a standard patch management program in place, as you should, patches will be inspected, tested and applied rapidly. If for some reason, such as legacy software restrictions, you can’t update an affected hypervisor, ensuring the guest OS does not have root access will also mitigate this vulnerability.”
Caspida CEO, Muddu Sudhakar:
“The nature of the beast in the case of zero-day vulnerabilities is that they cannot be predicted nor are there signatures or rules to apply in order to preempt them. These are flaws that no one knows exist, and the malware can manifest in any way that standard tools cannot anticipate. Therefore, a new threat detection paradigm that serves as another layer of cyber-defense and observes the manifestation of attacks through such vulnerabilities and recognizes suspicious change of behavior is what is needed to trap attacks before they cause damage.”
Jason Trost, Director of ThreatStream Labs, ThreatStream:
“Venom’s Hypervisor Security Bypass technique uses an overflow when making specific commands against the ‘Floppy Disk Controller’ component of XEN, Qemu and KVM. These hypervisors are widely used for inexpensive Virtual Private Server (VPS) providers. If these providers haven’t patched their systems yet it could be very bad and it would mean that customer’s using these systems could be left open to compromise.
I would expect that anyone who exploits this flaw would likely do so as part of a large scale effort since targeting specific servers deployed over the same provider may be a challenge. These hypervisors are also commonly used as low cost options for malware sandboxes and some honeypots so security teams need to make sure they patch these systems as well. As with any vulnerability, timely deploying of patches is critical.”
Danny Banks, Vice President, Worldwide Solutions Engineering, Hexis Cyber Solutions:
“The nature of the Venom vulnerability illustrates the need for defense from within the network. Security teams need to understand what is happening on the endpoint and correlate it with what is happening within the network. Using endpoint sensors delivers that type of information and tracks outbound communication to detect incidents, corroborates those events, and assess the severity of an attack.
Looking ahead, while public and private cloud vendors may have taken steps to protect end user data within their environments, the Venom vulnerability is the latest hit against the security of public and private clouds. I wouldn’t be surprised if it further drives the conversation about holding vendors against increased compliance requirements. To ensure cloud security, advanced threat detection – endpoint and internal network security – is the only way to truly protect data.”
Jo Lintzen, vice president of business development at Utimaco:
“In the era of cloud computing and the Internet of Things, attackers will always find a way to break into your system and the next vulnerability. VENOM is the latest example in a seemingly never ending stream of zero day vulnerabilities. It has been quoted many times, that there are only two types of companies: those that have been hacked and those that will be.
To secure your companies’ valuable data and ultimately your reputation and your customers’ well-being, it is best to stick to industry best practices when it comes to PII (personal identifiable information), like Social Security numbers or credit card numbers. Encryption has proven over and over again to be a strong countermeasure – even if the bad guys find a way in (which they eventually will). Add a base layer of hardware to generate, store and manage your secret keys in a physically secure environment and you have raised the bar to counter attacks – and can eventually relax a bit and focus on your core business (and get some sleep).”
