Analysis A newly discovered vulnerability in many popular virtual machine platforms is serious, but nowhere near as bad as last year’s Heartbleed vulnerability, according to security experts.
Dubbed VENOM (Virtualized Environment Neglected Operations Manipulation), the zero-day flaw takes advantage of the “virtual floppy disk controller” and potentially allows attackers to escape out of the virtual machine and execute malicious code on its host. CrowdStrike, the security intelligence firm that discovered the flaw, reports that to take advantage of the flaw a hacker would have to gain access to a virtual machine with high or ‘root’ privileges of the system. This is a major (but not insurmountable) barrier to exploitation.
More ReadingGuest-host escape bug sees Xen project urge rapid upgradeCreationist: The Flintstones was an accurate portrayal of Dino-human coexistenceOracle releases antidote for VENOM vulnerabilityGoogle App Engine Java sandbox is leaking, say researchersHeartbleed, eat your heart out: VENOM vuln poisons countless VMs
“It’s serious, but not Heartbleed serious,” said Karl Sigler, threat intelligence manager at Trustwave. “There are no known in-the-wild attacks and a patch is available.”
Virtualisation products affected include XEN, KVM, QEMU and VirtualBox, but the absence of VMWare and Microsoft from the sick list makes the situation far less dangerous even before we consider the obstacles a hacker would need to get over in order to pull off an attack. In addition, it appears that AWS Xen instances are not affected by the VENOM VM escape bug.
“In order to exploit this vulnerability, an attacker would require access to an existing virtual machine,” Sigler said. “In other words, this attack can’t be pulled off remotely. Most corporate virtual environments are isolated from anonymous or public access and would be immune to attack. In this regard the attack is very similar to a Privilege Escalation attack, where the attacker requires an initial foothold before exploitation.”
“I would see this attack typically used to target hosting companies that use virtual environments like KVM. An attacker would purchase a KVM instance then use VENOM to breach the hosting machine,” he added.
Tod Beardsley, research manager at Rapid7, the firm that markets the Metasploit penetration testing tool, added: “The people most affected by VENOM are those who run hosted VPS services (and therefore, do routinely give root access to strangers' guest machines), and those who subscribe to the same VPS [virtual private server] services. Customers of VPS services should pester their vendors until patches are applied, and the vendors should move on this rapidly."
"It's important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS. This circumstance leads me to believe that VENOM is an 'interesting' bug to the sorts of people who do exploit research for a living. To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon," Beardsley added.
Mostly cloudy with a chance of meatballs
Patrick Wardle, a former NSA staffer and NASA intern who now heads up research at crowd-sourced security intelligence firm Synack, backed up assessments that VENOM is no Heartbleed.
“Is this the next HeartBleed? Unlikely. Heartbleed was a remote exploit and could be targeted by anyone at any time,” Wardle said. “VENOM requires code execution on a VM, so it’s not remote. Heartbleed affected a much wider range of servers and clients, and the responsibility to patch was often left up to the end user.
“VENOM affects virtualised environments, which are common in hosting and cloud environments. Because security is generally a priority in these environments, it is likely that the bug has already been patched in most instances,” he added.
Some experts, such as Wolfgang Kandek, CTO at cloud security services firm Qualys, are inclined to disagree with Wardle’s assessment on how easy it might be to patch VENOM – if not on the severity of the bug.
A proof-of-concept for VENOM (CVE-2015-3456) has already being developed. This is normally a sign that malicious exploitation is on the cards. Despite this, most experts remain sanguine. “VENOM doesn't appear to scale well (so no 'next Heartbleed') but looks easier to exploit than alternatives (so still serious),” said Martijn Grooten, editor of Virus Bulletin, in an update to his Twitter account.
Chris Eng, vice president of research at app security firm Veracode, commented that although the VENOM vulnerability affects a large number of products and services – like Heartbleed – it isn’t as serious because exploitation is going to be difficult, for a variety of reasons.
“There is little chance of mass exploitation; any exploit created around VENOM would have to be tailored against a specific target environment,” Eng explained. “Second, the attacker would have to already be on the target system to get at the vulnerability – certainly not impossible in a public cloud environment but nevertheless a complicating factor. Lastly, there isn’t currently a publicly available exploit, and creating one would require a non-trivial amount of effort.”
VENOM – not to be confused with the symbiotic alien arch-enemy of Spider-Man – is rare, but not unprecedented as a virtual machine exploit.
NSA staffer turned security researcher Charlie Miller noted: “didn't @Immunityinc have a VM guest to host bypass like 3 years ago and fully discuss it? What's new here?”
Cris Thomas, a strategist at security tools firm Tenable Network Security, argued that VENOM was slightly different from earlier VM environment exploits, while still presenting no particular cause for alarm.
“A virtual machine sandbox escape that allows you to attack other virtual machines is a sort of the brass ring for bug hunters. There have been previous bugs, but they typically required custom configurations and did not allow arbitrary code execution," he said. “While CVE 2015-3456 (VENOM) does exist in the default configuration and does allow arbitrary code execution, it only impacts three of the six major vendors – and two of those are already patched," he added.
Maybe the biggest difference is that like Heartbleed and Shellshock before it, VENOM has a catchy name and logo. “Maybe the next step in the evolution of software vulnerabilities is to star in a Marvel movie,” joked security researcher Keren Elazari in a Twitter update.
Chris Oakley, principal security consultant at cyber-security consultancy Nettitude, said that VENOM – much like Heartbleed before it – stemmed from flaws in legacy code.
“It is not surprising that the attack vector for VENOM lies in older and probably neglected code,” Oakley explained. “We often see the highest impact attacks resulting from legacy code; the floppy disk controller that yields the VENOM vulnerability is no exception. There are hints of Heartbleed in this regard, where the root cause was in the neglected but heavily relied upon OpenSSL library. In this case, though, the impact is arguably not as high.”
Some brief technical notes on VENOM by Robert Graham of Errata Security can be found here. ®
* For anyone who has never come across the bizarre pub concoction known as the Snakebite, it is an alcoholic beverage consisting of 50 per cent hard cider and 50 per cent lager. It has proven inexplicably popular with the Goth community and is famously also the subject of an inaccurate urban myth suggesting that serving it is illegal in British pubs, presumably because the subsequent cocktail is supposedly so volatile. As if a combination of lager and cider were not bad enough, a popular variation known as the Snakebite and Black includes a shot of blackcurrant cordial, making it not only hideous, but virtually impossible to get out of clothing.