VENOM Bug Poison to Virtual Environments, Not Bigger Than Heartbleed: Experts

Thursday, May 14, 2015

Brian Prince


Perhaps it is not surprising that any time a critical new bug appears, comparisons to other notorious bugs come soon after.

In this case, the publication of the VENOM vulnerability affecting virtual environments touched off immediate comparisons to Heartbleed, a serious security bug disclosed last year affecting the OpenSSL cryptographic library. But while both bugs have gotten plenty of attention, a number of experts told SecurityWeek VENOM may not be as poisonous.

"VENOM is comparable to Heartbleed, but five years from now, looking back, we will likely not remember it as causing quite as much heartburn," said Mike Lloyd, CTO at security firm RedSeal Networks.

The name VENOM stands for 'Virtualized Environment Neglected Operations Manipulation'. The bug resides in QEMU's virtual Floppy Disk Controller, code that is used in numerous virtualization platforms including Xen and the native QEMU client. The vulnerability was discovered by a researcher at CrowdStrike. According to the security firm, the vulnerability has existed since 2004, and no evidence has been observed of it being exploited in the wild.

"The vulnerability [VENOM] is serious, allowing not just arbitrary code execution, but escape out of one virtual system into the host OS," said Lloyd. "This is a widely feared form of vulnerability, since many business systems in the last few years have moved to public and private clouds. This virtualization means we often cannot tell which other outside organizations might have their workloads running on the same physical server as our systems, and so in principle an attack on their systems in the shared cloud infrastructure could spill over into ours, causing a potential domino effect."

VENOM is agnostic of both the host and guest operating system. In order to exploit it, an attacker - or their malware - would need administrative or root privileges in the guest operating system.

"Heartbleed enabled anyone to directly access information stored in server memory, including certificate key material, passwords - all kinds of stuff," explained Trey Ford, global security strategist at Rapid7. "VENOM can only bite a system if the attacker already has a root level account on the system, and, thankfully, there is a rapidly shrinking population of vulnerable systems."
