Venom vulnerability: toxic threat or hissing hyperbole?

Reports of the undoubtedly serious 'Virtualized Environment Neglected Operations Manipulation', or 'Venom', vulnerability have suggested that cloud security is now broken and even that this is a perfect spy tool for the National Security Agency (NSA). But putting the Heartbleed-level hyperbole aside for one moment, just how real a threat is Venom to the virtual machine environment?

As reported by yesterday, CrowdStrike security researchers were the first to discover the zero-day, which affects virtual machines and which could allow an attacker to "escape out of the virtual machine and execute code on the host with full privileges."

CrowdStrike was quick to point out that neither it nor its industry partners had seen Venom being exploited in the wild, but this didn't stop a deluge of flashing-red-light reports from hitting the web within hours. We've stepped back a little and have been talking to a range of security professionals to get a more balanced perspective on just how serious a threat Venom actually is.

PJ Kirner, CTO and founder of Illumio, is firmly in the 'serious' camp when it comes to Venom. He told SC that while it represents just the latest in a series of bugs that have caused enterprises to scramble to address serious security concerns in commonly used computing resources, this vulnerability is especially concerning. Why so? Because it affects virtual machines, which have become pervasive across enterprises and are the bedrock of public cloud platforms.

"Potential exploits of the vulnerability would mean that systems relying on the hypervisor or another artificial perimeter to protect the guest VMs would be compromised through lateral movement of the attack," he warns.

Wolfgang Kandek, the CTO at Qualys, is equally in no doubt that this is a serious and high-profile threat. He reminds us that virtualisation adds a layer to the stack, and that layer can come with its own issues. Kandek points out not only that Venom impacts those organisations that depend on their vendor to update their infrastructure, but also that it is just a toxic taste of things to come. "I am sure there will be more vulnerabilities found in virtualisation software," he told SC, "as security researchers direct their attention that way."

Gavin Reid, VP of threat intelligence at Lancope, is just as sure that Venom will become a big deal. It is the first large-scale vulnerability of its type, one in which a virtualised system is known to host the flaw, and as such it comes with some pretty serious considerations, not least when viewed in the light of other mass compromises of hosting infrastructure such as the Darkleech Apache malware a couple of years ago. Such compromises are "an integral part of creating the underground economy's backbone infrastructure and ability to scale," Reid warns, continuing: "miscreants will be turning attention to weaponising this and once that is done a mass-hack of a virtualised environment could be just one rented server away."

So maybe the early Heartbleed comparisons were not just headline hyperbole after all? Certainly there are justifiable similarities between the two, not least the fact that this is an old vulnerability that has existed since 2004, and only luck would seem to be responsible for it not having been exploited, so far as we are aware.

But here is the stick with which to beat the hyperbole-busting drum: while a sandbox escape such as this could lead to very serious breaches, there isn't actually any known exploit out there in the wild… yet.

"Venom isn't in the same league as Heartbleed or Shellshock," Gavin Millard, technical director at Tenable Network Security, concedes, "but if proof of concept code is released, that could change." Which is true enough, but even then the exploits would only work against unpatched code; and that is where the real risk may emerge.

There's no doubting that, courtesy of responsible disclosure and some pretty rapid work carried out by the major vendors, as far as most public cloud players are concerned the impact is likely to be 'very limited', to put it mildly.