Security researchers at CrowdStrike on Wednesday discovered a security vulnerability that is arguably on par with Heartbleed, last year’s serious vulnerability that rendered communications with many popular web services insecure, potentially exposing millions of passwords. This time, however, it’s harder to wrap your head around.
Dubbed “Venom,” the vulnerability impacts many popular virtualization platforms, specifically Xen, KVM and QEMU virtual machines and appliances. It works by exploiting a buffer-overflow bug in QEMU’s virtual Floppy Disk Controller.
If exploited, it could allow attackers who have access to one virtual machine to potentially access all other virtual machines running on the same hardware.
What does all that mean in plain English? I’ll get to that in a second, but the TL;DR on Venom is that it’s a nasty exploit and it’s still something data centers and system administrators need to be aware of. Fortunately, most of the major data center operators are aware of Venom and have patched it.
Like Heartbleed, Venom was announced to the public with its own logo and FAQ page. The good news, according to security experts, is that although this is serious, Venom is in no way as serious as Heartbleed.
Heartbleed hit the web just over a year ago and set a new standard for public bug disclosure, thanks to its slick marketing campaign.
To understand Venom, it’s important to understand how modern cloud computing works. Rather than running applications or processes on individual servers, companies and individuals frequently spin up a virtual machine as part of a bigger server.
Think of a virtual machine (VM) as kind of a “PC in the cloud” — a separate instance of an operating system that has its own resources, RAM and bandwidth. The way resources are allocated, however, means that one dedicated server can now provide server power and memory for lots and lots of different VMs.
There are many virtualization technologies out there, with some of the most common hypervisors being Xen, KVM, QEMU, VMware, Microsoft Hyper-V and Bochs.
It’s important to note with Venom that VMware, Microsoft and Bochs are not impacted by this vulnerability.
A lot of cloud hosts, including Amazon’s AWS, Rackspace, Linode and DigitalOcean, use Xen or KVM virtualization technology.
The way this vulnerability works is that it uses a bug in an old virtual Floppy Disk Controller to potentially take over the whole underlying system. According to CrowdStrike, the bug has existed since 2004.
Yes, that’s more than 11 years. What took so long to find it? Well, for better or worse, there isn’t a lot of tinkering happening with legacy floppy drive controllers.
For its part, CrowdStrike says that it hasn’t seen any exploitation of this vulnerability in the wild, at least, not yet.
The good news, at least so far, is that most of the major cloud vendors are not affected by Venom.
Amazon, whose AWS is the largest cloud provider, issued an update on Wednesday saying “We are aware of the QEMU security issue assigned CVE-2015-3456, also known as ‘VENOM,’ which impacts various virtualized platforms. There is no risk to AWS customer data or instances.”
Linode, a company that offers lower-cost virtual private servers (VPSs) based on Xen (and, in beta, KVM), said on its blog that its security team has reviewed the vulnerability and that it wanted to “reassure Linode customers that this vulnerability does not affect any part of the Linode infrastructure and no action is required on your part.”
Rackspace, another major cloud vendor, said Wednesday that Venom does affect “a portion of our Cloud Servers fleet” and that it is patching the part of its infrastructure impacted by the vulnerability.
DigitalOcean, another budget VPS company, posted a blog entry about the vulnerability, outlining the company’s plans to reboot some of its hypervisors in order to update against the threat.
In an email, Tod Beardsley from Rapid7 said:
The people most affected by VENOM are those who run hosted VPS services (and therefore, do routinely give root access to strangers’ guest machines), and those who subscribe to the same VPS services. Customers of VPS services should pester their vendors until patches are applied, and the vendors should move on this rapidly.
So, given this barrier to entry, how “easy” is it to exploit VENOM and gain control of the host operating systems and neighboring guests? As of this moment, no one has released public proof of concept code to demonstrate the reported VENOM bug, so we’re left with some measure of speculation as to whether or not this is as “easily” exploitable.
It’s important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS. This circumstance leads me to believe that VENOM is an “interesting” bug to the sorts of people who do exploit research for a living. To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon. Given this incentive of interestingness, I would expect to see a public proof of concept exploit appear sooner rather than later.
Venom is real, even if its actual impact isn’t as bad as its marketing campaign is making it out to be.
As Steve Ragan at CSO notes, although it’s certainly possible that a lot of systems can be impacted by the flaw, that doesn’t mean it will be easy to exploit.
As the bigger cloud companies and cloud hosts patch their servers, the bigger problem might be for smaller datacenters and hosts who don’t have as much of a pressing need to update against the vulnerability.
As Rob Graham writes on his Errata Security blog, the problem for some hosts is that the data center will need to reboot the host systems in order to install the patch. Customers generally hate reboots and would rather accept the off chance of being exploited than sit through a reboot for a patch.
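The reboot matters because the fix only takes effect in QEMU processes launched after the package update: a host that installed the patch but kept its guests running is still executing the old emulator code. The script below, added here as an illustration and not part of the original article or of any vendor’s tooling, flags QEMU processes on a Linux host whose binary on disk is newer than the process itself (the process records in the test data are constructed, not taken from a real host).

```python
import os
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Clock ticks per second, needed to convert /proc/<pid>/stat start times.
CLK_TCK = os.sysconf("SC_CLK_TCK") if hasattr(os, "sysconf") else 100


@dataclass
class Proc:
    pid: int
    exe: str            # resolved target of /proc/<pid>/exe
    start_epoch: float  # process start time, seconds since the epoch


def stale_qemu_processes(procs: Iterable[Proc], binary_mtime: Dict[str, float]) -> List[Proc]:
    """Return QEMU processes that started before their binary was last replaced.

    Such processes still run the pre-patch code; only a guest restart (or a
    migration to a fresh process) picks up the fixed emulator. A binary that
    was replaced while running shows up with a " (deleted)" suffix on its
    exe link, which is treated as definitely stale.
    """
    stale = []
    for p in procs:
        path = p.exe.replace(" (deleted)", "")
        if not os.path.basename(path).startswith("qemu"):
            continue
        mtime = binary_mtime.get(path)
        if p.exe.endswith(" (deleted)") or (mtime is not None and mtime > p.start_epoch):
            stale.append(p)
    return stale


def live_processes() -> List[Proc]:
    """Collect running processes from /proc (Linux only, needs read access)."""
    with open("/proc/uptime") as f:
        boot_epoch = time.time() - float(f.read().split()[0])
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/stat") as f:
                # Split after the ")" that closes comm; field 22 (starttime,
                # in clock ticks since boot) is then at index 19.
                fields = f.read().rsplit(")", 1)[1].split()
        except OSError:
            continue  # process exited, or not readable by this user
        procs.append(Proc(int(entry), exe, boot_epoch + int(fields[19]) / CLK_TCK))
    return procs


if __name__ == "__main__":
    procs = live_processes()
    mtimes = {p.exe: os.stat(p.exe).st_mtime for p in procs if os.path.exists(p.exe)}
    for p in stale_qemu_processes(procs, mtimes):
        print(f"pid {p.pid} ({p.exe}) predates its binary: guest needs a restart")
```

Run it as a user who can read /proc/<pid>/exe of the QEMU processes (typically root); an empty result after patching means every guest is already on the new binary.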
And with the wave of reseller VPS accounts and fly-by-night VPS hosts out there, it’s also possible there are plenty of hosts or even data centers that just won’t care.
As a result, it’s important to contact your host or VPS provider to see whether they are impacted and how they plan on addressing the problem.