Venom is serious, but no Heartbleed, say experts

Security researchers have discovered a zero-day vulnerability in the virtual floppy drive code used by many virtualisation platforms

Security researchers have discovered a zero-day vulnerability in the virtual floppy drive code used by many virtualisation platforms, but experts say Venom is no Heartbleed.

The vulnerability (CVE-2015-3456) discovered by Jason Geffner, senior security researcher at CrowdStrike, could allow an attacker to escape the confines of an affected virtual machine (VM) guest operating system (OS) and potentially obtain code-execution access to the host OS.

Geffner warned this VM escape could open access to the host system and all other VMs running on that host OS, potentially giving attackers privileged access to the host’s local network.

According to Geffner, exploitation of the Venom vulnerability could allow access to corporate intellectual property (IP) and sensitive and personally identifiable information (PII), potentially affecting the thousands of organisations and millions of users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security and privacy.

The vulnerability is serious because it breaks through a key protection used by many cloud service providers to segregate customer data and, unlike most previously discovered VM escape vulnerabilities, Venom applies to a wide array of virtualisation platforms, works on default configurations and allows for direct arbitrary code execution.

Previous VM escape bugs have typically required custom configurations and did not allow arbitrary code execution.

However, even though the vulnerability has existed for more than a decade, and despite warnings that the newly discovered bug could allow a hacker to take over vast portions of a datacentre from within, security experts say Venom lacks the severity of the Heartbleed vulnerability that exists in all versions of OpenSSL released between 14 March 2012 and 7 April 2014.


“The news of the Venom vulnerability is concerning in breadth – similar to what we saw with Heartbleed in terms of the number of products affected – but the severity of this zero-day is not nearly as alarming,” said Chris Eng, vice-president of research at Veracode.

Unlike Heartbleed, Eng and others believe there is little chance of mass exploitation because any exploit created around Venom would have to be tailored against a specific target environment.

The second limiting factor is that an attacker would have to already be on the target system to get at the vulnerability. So although potentially serious if unpatched, this bug requires the attacker to get administration or root privileges in the root operating system.

Karl Sigler, threat intelligence manager at Trustwave, said that because most corporate virtual environments are isolated from anonymous or public access, they would be immune to attack.

“In this regard the attack is very similar to a privilege escalation attack, where the attacker requires an initial foothold before exploitation. I would see this attack typically used to target hosting companies that use virtual environments like [kernel-based virtual machine] KVM. An attacker would purchase a KVM instance then use Venom to breach the hosting machine,” he said.

A third limiting factor is that there is currently no publicly available exploit, and creating one would require a “non-trivial” amount of effort, said Eng, which is probably why no attacks exploiting the vulnerability have been seen in the wild.

“While exploiting a vulnerability like Heartbleed allows an attacker to probe millions of systems, Venom would not be exploitable at the same scale,” he said.

According to security experts, vulnerabilities like Venom are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyber warfare or the like.

For this reason, they advise companies to apply patches as they become available. But Cris Thomas, strategist at Tenable Network Security, pointed out that Venom affects only three of the six major suppliers – and two of those are already patched, further limiting potential impact.

“Users of QEMU or Xen should patch their systems as soon as they can. Users of KVM should contact their supplier to find out when a patch will be available,” he said.
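Patching QEMU-based hosts only helps once each guest process has been restarted on the new binary, which is easy to miss on a busy host. The following host-side audit script is an added example, not code from the article or from any of the projects it mentions; it assumes a Linux host with the usual /proc semantics, where `readlink /proc/PID/exe` appends ` (deleted)` once the executable a process started from has been replaced on disk, and it treats process names beginning with `qemu-system-`, or equal to `qemu-kvm` or `kvm`, as guest emulators.

```shell
#!/bin/sh
# Added example (not from the article): on a Linux QEMU/KVM host, list guest
# emulator processes and flag those still running a binary that has since been
# replaced on disk, i.e. the package was patched but the guest never restarted.
# Assumption: Linux /proc semantics, where readlink on /proc/PID/exe reports
# " (deleted)" after the original executable file has been unlinked/replaced.

# classify_exe_link LINK_TARGET -> prints "stale" when the running binary no
# longer exists on disk under that path, otherwise "current".
classify_exe_link() {
    case "$1" in
        *" (deleted)") echo stale ;;
        *)             echo current ;;
    esac
}

# is_qemu_comm COMM -> succeeds when the kernel's 15-character process name
# looks like a QEMU emulator (e.g. "qemu-system-x86", "qemu-kvm", "kvm").
is_qemu_comm() {
    case "$1" in
        qemu-system-*|qemu-kvm|kvm) return 0 ;;
        *)                          return 1 ;;
    esac
}

# scan_running_qemu: walk /proc, print one tab-separated line per guest
# process (pid, name, state, binary) and a final count of stale guests.
# Processes we may not inspect (other users' guests, without root) are skipped.
scan_running_qemu() {
    stale=0
    total=0
    for pid_dir in /proc/[0-9]*; do
        pid=${pid_dir#/proc/}
        comm=$(cat "$pid_dir/comm" 2>/dev/null) || continue
        is_qemu_comm "$comm" || continue
        target=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        state=$(classify_exe_link "$target")
        total=$((total + 1))
        if [ "$state" = stale ]; then
            stale=$((stale + 1))
        fi
        printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$state" "$target"
    done
    printf 'guests inspected: %s, still on a replaced binary: %s\n' \
        "$total" "$stale"
    return 0
}

scan_running_qemu
```

Run it as root after the package update; any guest reported as `stale` is still executing the pre-patch emulator and needs a restart (or a live migration to an updated host) before the fix is actually in effect for that guest.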

Tod Beardsley, research manager at Rapid7, said the most likely targets are organisations that run hosted virtual private server (VPS) services, and therefore routinely give root access to strangers’ guest machines, together with those who subscribe to the same VPS services.

“Customers of VPS services should pester their suppliers until patches are applied, and the suppliers should move rapidly,” he said.

Beardsley noted that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS.

“This circumstance leads me to believe that Venom is an ‘interesting’ bug to the sorts of people who do exploit research for a living.

“To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon. Given this incentive of interestingness, I would expect to see a public proof of concept exploit appear sooner rather than later,” he said.
