'Venom' VM zero-day draws comparisons with Heartbleed

CrowdStrike security researchers have discovered a zero-day affecting virtual machines, dubbed 'Venom', which could allow an attacker to "escape out of the virtual machine and execute code on the host with full privileges", thus putting data centres potentially in danger.

'Venom' VM zero-day draws comparisons with Heartbleed
'Venom' VM zero-day draws comparisons with Heartbleed

The zero-day flaw, officially known as 'Virtualised Environment Neglected Operations Manipulation' and which is believed to have existed since 2004, relates to the virtual floppy drive code which is used by many computer virtualisation platforms, as well as cloud providers, such as Amazon, Citrix, Oracle and Rackspace. 

Amazon has already issued an advisory to alert customers that they are not at risk, while Red Hat, Xen Project, QEMU and others have rolled out patches.

On a micro-site dedicated to the flaw – which has already been compared to Heartbleed, researchers said that that attackers could exploit the flaw by gaining access to a virtual machine with high or ‘root' privileges on the system.

They added that a lack of mitigation could result in the attacker escaping the VM and accessing “the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host's local network and adjacent systems.”

CrowdStrike said that successful exploitation of the flaw could result in hackers gaining access to “corporate intellectual property, in addition to sensitive identifiable information (PII), potentially impacting the thousands of organisations and millions of end users that rely on VMs for the allocation of shared computing resources, as well as connectivity, storage, security and privacy.”

Fortunately, the firm adds: "Neither CrowdStrike nor our industry partners have seen this vulnerability exploited in the wild."

"If you administer a system running Xen, KVM, or the native QEMU client, review and apply the latest patches developed to address this vulnerability," the company advises.

"If you have a vendor service or device using one of the affected hypervisors, contact the vendor's support team to see if their staff has applied the latest VENOM patches."

CyberArk chief marketing officer John Worrall said in an email to SCMagazineUK.com: “The Venom zero-day exploit is the latest attack pathway hackers can take to steal privileged credentials – the keys to the IT infrastructure. Once attackers gain these critical credentials, they can easily elevate privileges and compromise the entire corporate network,” he said.

“Moving to cloud and virtualised environments results in the creation of new and often unmanaged privileged credentials. These powerful accounts act in the same manner as their on premise counterparts. When an attacker gains privileged access, they exploit it to anonymously survey a company's security posture, often for months at a time. With this knowledge, they can easily execute their attacks undetected, whether it's exfiltrating information as part of an espionage campaign, implanting malware as part of a financially motivated attack, or simply destroying a company's ability to do business, as was done to Sony Pictures.

“Privileged exploitation is the most critical step in the advanced attack cycle. There is no a safe haven from privileged compromise in the face of motivated attackers, which is why businesses need to identify, secure and monitor all privileged account activity, whether on premise, or in the cloud and virtualised environments.”

Tod Beardsley, research manager at Rapid7, said in an email to SC. “The people most affected by Venom are those who run hosted VPS services (and therefore, do routinely give root access to strangers' guest machines), and those who subscribe to the same VPS services. Customers of VPS services should pester their vendors until patches are applied, and the vendors should move on this rapidly.

“As of this moment, no one has released public proof of concept code to demonstrate the reported Venom bug, so we're left with some measure of speculation as to whether or not this is as "easily" exploitable as suggested. However, the advisory from Crowdstrike does give a pretty solid hint of where to look to rediscover the Venom issue.

“It's important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS. This circumstance leads me to believe that Venom is an "interesting" bug to the sorts of people who do exploit research for a living. To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon. Given this incentive of interestingness, I would expect to see a public proof of concept exploit appear sooner rather than later.”

Further analysis to follow on Thursday...