VENOM Zero-Day May Affect Thousands Of Cloud, Virtualization Products

This in from Trend Micro:

Critical vulnerability in the open-source QEMU hypervisor lets attackers break out of a virtual machine, execute code on a host machine and access all the other VMs on the host.

A zero-day vulnerability affecting a variety of virtualization platforms and cloud services allows attackers to break out of a virtual machine (VM), execute code on the host machine and access any other VMs running on it, CrowdStrike researchers revealed today.

"The good feeling is that we discovered this before the bad guys did," says CrowdStrike senior security researcher Jason Geffner, who found the bug, which CrowdStrike dubbed the vulnerability Virtualized Environment Neglected Operations Manipulation (VENOM).

The vulnerability is in the virtual floppy disk controller of Quick Emulator (QEMU), a free, open-source hypervisor. It's another example of little-used, but on-by-default legacy code (like a floppy disk controller) being manipulated for malicious use -- hence the word "neglected" in the name.

Some of QEMU's code, including the vulnerable bit, has been used by other virtualization platforms, like the popular Xen and Kernel-based Virtual Machine (KVM), which are often used in infrastructure-as-a-service, and Oracle VM VirtualBox, which is commonly used in test-dev environments. So hundreds or thousands of products that use virtualization technology -- on servers, clients, appliances, and in the cloud -- are vulnerable to VENOM. Since most hypervisors run with root access to the host machine, the potential damage is severe.

This is precisely the kind of nightmare scenario that has caused some organizations to avoid the cloud and virtualization altogether -- putting all your corporate eggs in one questionably secure basket and perhaps sharing server space with a cybercriminal.

For that reason, CrowdStrike has declared VENOM a critical vulnerability. The company has worked with QEMU, Xen, KVM -- and through them, with other affected vendors -- on a coordinated patch release. CrowdStrike CTO and co-founder Dmitri Alperovitch stresses that organizations should check with their cloud providers to ensure they have already issued the patch, and to patch their own on-premise applications and appliances immediately.

"Obviously it's a great risk for on-premise," says Geffner, "because usually it takes months" for companies to completely remediate vulnerabilities.

Although VENOM may legitimize concerns about attackers busting out of a public cloud instance and accessing other customers' cloud instances, the coordinated patch release today legitimizes some cloud vendors' assertion that they can do a more efficient job on security than individual organizations.

Either way, says Geffner, organizations still weighing their options, "can take solace from the fact these kind of security findings are extremely rare ... and not this broadly scoped."

Like Heartbleed and ShellShock before it, VENOM is a severe, wide-ranging vulnerability in an open-source tool... but worse, according to the researchers.

As Alperovitch describes it: Heartbleed would let an attacker look through the windows of your house; Shellshock would let them inside your house; VENOM gives them complete access to everything in your house, including all your locked-up valuables, and, Geffner says, "an underground tunnel in which [they] can access all your neighbors' houses."

For more information, see CrowdStrike will also host a Twitter chat (#VENOMbug) Friday at 2 p.m. to answer questions.

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.