10 security experts first explain the flaw, then how to protect against it.
‘Venom’ – a word which conjures images of deadly coiled snakes about to strike; a word associated with viciousness, infection, lethality and destruction. No one can deny the linguistic power of ‘venom’, but does that same power and deadly meaning apply to the newly discovered Venom vulnerability?
The Venom vulnerability (CVE-2015-3456) allows an attacker to escape a guest virtual machine (VM) and access the host system along with other VMs running on this system.
Existing in the virtual Floppy Disk Controller for the open-source hypervisor QEMU, the bug could potentially let attackers steal sensitive data on any of the virtual machines on the system and gain elevated access to the host’s local network and its systems.
Since its discovery, the industry has been less than quiet in comparing it to the notorious Heartbleed bug – to see if this hype is true and to gain insights in how to fight this vulnerability, CBR has turned to the security frontline, asking 10 experts their reaction and advice.
VENOM Vulnerability Explained
1. A rare and powerful bug
Rapid7’s Tod Beardsley, technical lead for the Metasploit Framework, said:
"As of this moment, no one has released public proof of concept code to demonstrate the reported VENOM bug, so we’re left with some measure of speculation as to whether or not this is as "easily" exploitable as suggested. However, the advisory from Crowdstrike does give a pretty solid hint of where to look to rediscover the VENOM issue.
"It’s important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS. This circumstance leads me to believe that VENOM is an "interesting" bug to the sorts of people who do exploit research for a living. To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon. Given this incentive of interestingness, I would expect to see a public proof of concept exploit appear sooner rather than later."
2. Serious, but not Heartbleed serious
Karl Sigler, threat intelligence manager at Trustwave, said:
"It’s serious, but not Heartbleed serious. There are no known in-the-wild attacks and a patch is available.
"The virtualisation products it does affect are popular (XEN, KVM, QEMU, and VirtualBox), but the absence of VMWare and Microsoft as affected eases the blow in a lot of cases.
"In order to exploit this vulnerability an attacker would require access to an existing virtual machine. In other words, this attack can’t be pulled off remotely. Most corporate virtual environments are isolated from anonymous or public access and would be immune to attack. In this regard the attack is very similar to a Privilege Escalation attack where the attacker requires an initial foothold before exploitation."
3. Avenue for corporate espionage
Chris Eng, vice president of research at Veracode, said:
"The news of the VENOM vulnerability is concerning in breadth – similar to what we saw with Heartbleed in terms of the number of products affected. However, the severity of this zero-day is not nearly as alarming for a few reasons.
"First, there is little chance of mass exploitation; any exploit created around VENOM would have to be tailored against a specific target environment. Second, the attacker would have to already be on the target system to get at the vulnerability – certainly not impossible in a public cloud environment but nevertheless a complicating factor. Lastly, there isn’t currently a publicly available exploit, and creating one would require a non-trivial amount of effort.
"While exploiting a vulnerability like Heartbleed allows an attacker to probe millions of systems, VENOM simply wouldn’t be exploitable at the same scale. Vulnerabilities like VENOM are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyber warfare or the like."
4. The prognosis is positive
Chris Oakley, Principal Security Consultant at Nettitude, said:
"It remains to be seen exactly how widespread an impact this will have, but the prognosis is looking relatively positive. There is currently no public exploit code available and there is no known example of this vulnerability being exploited in the wild.
"Additionally, all of the affected major cloud companies have confirmed that they have patched Venom or are unaffected by it."