VENOM Vulnerability Poses Serious Threat to Cloud Service Providers And Their Customers
Most VM escape vulnerabilities discovered in the past were only exploitable in non-default configurations or in configurations that wouldn’t be used in secured environments. Other VM escape vulnerabilities only applied to a single virtualization platform, or didn’t directly allow for arbitrary code execution.
VENOM is unique in that it applies to a wide array of virtualization platforms, works on default configurations, and allows for direct arbitrary code execution.
VENOM is said to date back to 2004, and as such quite a large number of virtualization platforms are affected, including Xen, KVM, Oracle's VirtualBox, and QEMU client software. VMware, Microsoft Hyper-V, and Bochs hypervisors, though, are not affected.
Jason Geffner, CrowdStrike's discoverer of VENOM, said in a ZDNet phone interview on Tuesday, "Millions of virtual machines are using one of these vulnerable platforms." He went on to to draw a parallel between last year's infamous Heartbleed bug and Venom, saying "Heartbleed lets an adversary look through the window of a house and gather information based on what they see. Venom allows a person to break in to a house, but also every other house in the neighborhood as well."
Upon uncovering and verifying VENOM CrowdStrike communicated it to affected companies on April 30 and worked to help patch the bug before publicly disclosing it yesterday. CrowdStrike found VENOM in-house, and as such no attack code is thought to currently be in the ether, nor has the vulnerability been previously exploited. And though the vulnerability can be put to use via both the guest and host ends of the affected OS, any code looking to attack must first gain administrative or root privileges. The development of malicious code intended to leverage VENOM for nefarious purposes, however, is thought to be a relatively simple matter, and for this reason service providers should scramble to patch their systems. And to this end, patches are already available from the following vendors:
- QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
- Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
- Red Hat: https://access.redhat.com/articles/1444903
- Citrix: http://support.citrix.com/article/CTX201078
- FireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf
- Linode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/
- Rackspace: https://community.rackspace.com/general/f/53/t/5187
- Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456
- Suse: https://www.suse.com/support/kb/doc.php?id=7016497
- DigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/
- f5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html
Various workarounds are also said to be available, which users can employ to reduce risk.
At this point VENOM looks to already be well in-hand, though considering the potential reach of the vulnerability and the high-value assets involved — the wide range of the platforms affected are comprised of servers in use by every imaginable security-dependent service (e-commerce providers being only one eyebrow-lifting example) — the handling and eradication of the bug has to be seen as paramount.