VENOM Bug Poison to Virtual Environments, Not Bigger Than Heartbleed: Experts

Perhaps it is not surprising that any time a critical new bug appears, comparisons to other notorious bugs come soon after.

In this case, the publication of the VENOM vulnerability affecting virtual environments touched off immediate comparisons to Heartbleed, a serious security bug disclosed last year affecting the OpenSSL cryptographic library. But while both bugs have gotten plenty of attention, a number of experts told SecurityWeek VENOM may not be as poisonous.

"VENOM is comparable to Heartbleed, but five years from now, looking back, we will likely not remember it as causing quite as much heartburn," said Mike Lloyd, CTO at security firm RedSeal Networks.

The name VENOM stands for 'Virtualized Environment Neglected Operations Manipulation'. The bug resides in QEMU's virtual Floppy Disk Controller, which is used in numerous virtualization platforms including Xen and the native QEMU client. The vulnerability was discovered by a researcher at CrowdStrike. According to the security firm, the vulnerability has existed since 2004, and no evidence has been observed of it being exploited in the wild.

"The vulnerability [VENOM] is serious, allowing not just arbitrary code execution, but escape out of one virtual system into the host OS," said Lloyd. "This is a widely feared form of vulnerability, since many business systems in the last few years have moved to public and private clouds. This virtualization means we often cannot tell which other outside organizations might have their workloads running on the same physical server as our systems, and so in principle an attack on their systems in the shared cloud infrastructure could spill over into ours, causing a potential domino effect."

VENOM is agnostic of both the host and guest operating system. In order to exploit it, an attacker - or their malware - would need administrative or root privileges in the guest operating system.

"Heartbleed enabled anyone to directly access information stored in server memory, including certificate key material, passwords - all kinds of stuff," explained Trey Ford, global security strategist at Rapid7. "VENOM can only bite a system if the attacker already has a root level account on the system, and, thankfully, there is a rapidly shrinking population of vulnerable systems."

"With Heartbleed, the attack was trivial -- your mom, dad, nieces and nephews, anyone -- could use a browser plugin to test websites," he added. "VENOM exploitation requires the perpetrator to have access to a vulnerable virtual machine, with a root account, and exploit code your relatives probably don’t have access to."

According to CrowdStrike, the VMware, Microsoft Hyper-V and Bochs hypervisors are not affected by the issue, and Amazon released a statement today saying that it poses no threat to Amazon Web Services instances or customer data.

Symantec's Security Response Team noted that the OpenSSL library is one of the most commonly used implementations of the SSL and TLS cryptographic protocols, which is why Heartbleed affected a large number of websites, applications, servers, network appliances and virtual private networks. VENOM, however, only impacts virtualization systems that use QEMU's Floppy Disk Controller. While it is locally serious and could allow an attacker to do much more than Heartbleed, the number of vulnerable systems is much smaller, Symantec noted.

"When compared to Heartbleed, I do not see it on the same level," said Adam Kujawa, head of the malware intelligence team at Malwarebytes. "Heartbleed was so bad because it was a vulnerability discovered in one of the most commonly used applications for servers and had been for many years. VENOM doesn’t come close to that kind of potential damage since the target group is so small and every minute it is shrinking as more systems get patched -- not to mention the fact that target identification, the development of an exploit and weaponization development for the exploit would be a very time-consuming process. The bad guys couldn't push out something to attack this vulnerability in less than a few weeks, at the very least, so that gives developers and heads of IT plenty of time to fix the problems." 

Nevertheless, experts are advising affected parties to patch immediately. 

"For users of external public cloud services, the responsibility to apply the remediation falls to the service provider, and so customers are likely to burn up the phone lines calling in to make sure this has been done promptly," said Lloyd. "For organizations running private cloud infrastructure, the responsibility falls to internal IT, as a part of routine patch management. Businesses can expect some brief disruptions as this patch is applied; if your business uses the affected virtualization systems, the patch should be treated with very high priority, and is well worth a brief service interruption in almost all cases."
