Venom vulnerability: toxic threat or hissing hyperbole?

News by Davey Winder

Anyone reading the news headlines on the Venom flaw over the last 24 hours might be forgiven for thinking that the sky, or at least the cloud, is falling down.

Reports of the undoubtedly serious 'Virtualized Environment Neglected Operations Manipulation', or 'Venom', vulnerability have suggested that cloud security is now broken and even that this is a perfect spy tool for the National Security Agency (NSA). But putting the Heartbleed-level hyperbole aside for one moment, just how real a threat is Venom to the virtual machine environment?

As reported yesterday, CrowdStrike security researchers were first to discover the zero-day, which affects virtual machines and could allow an attacker to "escape out of the virtual machine and execute code on the host with full privileges."

CrowdStrike was quick to point out that neither it nor its industry partners had seen Venom being exploited in the wild, but this didn't stop the deluge of virtual flashing-red-light reports from hitting the web within hours. We've stepped back a little, and have been talking to a plethora of security professionals to get a more balanced perspective on just how serious a threat Venom actually is.

PJ Kirner, CTO and founder of Illumio, is firmly in the 'serious' camp when it comes to Venom. He told SC that while it represents just the latest salvo in bugs that have caused enterprises to scramble to address serious security concerns in commonly used computing resources, this vulnerability is especially concerning. Why so? Because it affects virtual machines which have become pervasive across enterprises and are the bedrock of public cloud platforms.

"Potential exploits of the vulnerability would mean that systems relying on the hypervisor or another artificial perimeter to protect the guest VMs would be compromised through lateral movement of the attack," he warns.

Wolfgang Kandek, the CTO at Qualys, is equally in no doubt that this is a serious and high-profile threat. He reminds us that virtualisation adds a layer to the stack, and that's a layer that can come with its own issues. Not only does Kandek point out that Venom impacts those organisations that depend on their vendor to update their infrastructure, but that it's just a toxic taste of things to come. "I am sure there will be more vulnerabilities found in virtualisation software," he told SC, "as security researchers direct their attention that way."

Gavin Reid, VP of threat intelligence at Lancope, is just as sure that Venom will become a big deal. It's the first large-scale vulnerability of its type, that is, one in a virtualised system, and as such it has to come with some pretty serious considerations. Not least when thought of in the light of other mass compromises of hosting infrastructures, such as was seen in the Darkleech Apache malware a couple of years ago. These are "an integral part of creating the underground economy's backbone infrastructure and ability to scale," Reid warns, continuing: "miscreants will be turning attention to weaponising this and once that is done a mass-hack of a virtualised environment could be just one rented server away."

So maybe the early Heartbleed comparisons were not just headline hyperbole after all? Certainly there are justifiable similarities between the two, not least the fact that this is an old vulnerability that has existed since 2004, and only luck would seem to be responsible for it not having been exploited, so far as we are aware.

But there's the stick with which to beat the hyperbole-busting drum: while a sandbox escape such as this could lead to very serious breaches, there actually isn't any known exploit out there in the wild... yet.

"Venom isn't in the same league as Heartbleed or Shellshock," Gavin Millard, technical director at Tenable Network Security, concedes, "but if proof of concept code is released, that could change." Which is true enough, but even then the exploits would only work on unpatched code; and that's where the real risk may emerge.

There's no doubting that, courtesy of responsible disclosure and some pretty rapid work carried out by the major vendors, as far as most public cloud players are concerned the impact is likely to be 'very limited', to put it mildly.

"The most vulnerable targets will be users running downstream packages, as they rely on package maintainers at several levels pushing the update down," Adrian Lewis, a consultant at Context Information Security, told SC.

What this means is that companies running their own in-house virtualisation stack with poor patch management processes are likely to become the next target. Even then, it has to be said, an attacker would need remote code execution on a guest VM in order to successfully exploit this. "Which increases the difficulty of this exploit compared with other Heartbleed style exploits," Lewis concludes.

The Venom flaw itself is to be found specifically within the QEMU virtual Floppy Disk Controller, used in KVM and Xen hypervisors; other hugely popular hypervisors, such as those implemented by VMware and Microsoft Azure, are not affected. Indeed, Red Hat has already issued updates to QEMU, Xen, and KVM, while Amazon Web Services has assured customers there is no risk to data or instances courtesy of the security measures it has in place.

That's not to say there aren't circumstances in which companies using QEMU-powered private clouds could face denial of service attacks, or worse yet, physical infrastructure compromise (i.e. services that use QEMU-based virtualisation to analyse unknown or untrusted binaries), but that's really not the same thing as being a cloud killer.

"While Venom cannot be used as a shotgun technique to take down all clouds," Catalin Cosoi, chief security strategist at Bitdefender, admits, "for some entities running a vulnerable configuration, exploitation would be devastating."

Mitigating Venom is largely a matter of ensuring that cloud service providers and in-house teams have applied the available patches. It's a vulnerability with serious enough potential, albeit one unlikely to be realised in your average real-world scenario right now, that, as Webroot threat researcher Roy Tobin puts it, it requires "users of affected software to update immediately even if it impacts productivity."

This message is reinforced by Paul McEvatt, senior cyber threat intelligence manager with Fujitsu, who told us that any business holding a system with the affected software must "speak with their supplier and quickly apply the necessary patches."

Like the vulnerable code of Venom and Heartbleed, this is nothing new: prompt patching is crucial to defend against the risk of exploitation. That expedited patching has already taken place amongst all the major cloud companies impacted by the bug; now it's down to businesses using the budget end of the cloud service provider spectrum to ensure they have done the same.

What is new, and particularly unsavoury in the case of Venom, is just how easily the mainstream tech media has moved onto the story and reported it in the same way that the Y2K bug got hyped.

The real danger of Venom, Paco Hope, principal consultant at Cigital, told SC, is that it "represents hackers hacking something relatively new: the media." So, just like hackers who package their exploit payloads in padding and structure so that computers execute the right code, security vendor marketing departments "use technical details coupled with catchy names, logos, and visuals to get the media to execute stories," Hope explains.

The good news, as far as Venom is concerned, is that virtualised environments tend to be the most scalable, monitored, and thoroughly managed. "If any segment of the industry is well positioned to distribute a fix to a vulnerability quickly and get back to business, it is cloud and virtualised environments," Hope concludes.
