A new menace has arrived: “Virtualized Environment Neglected Operations Manipulation,” better known as “VENOM” in tech circles. CrowdStrike Senior Security Researcher Jason Geffner found it during in-house research and disclosed it in May 2015; it is tracked as CVE-2015-3456. The flaw is a buffer overflow in the virtual floppy disk controller (FDC) that the QEMU hypervisor code emulates for every guest. An attacker who already holds root or administrator privileges inside one virtual machine can send crafted commands to that virtual device, corrupt memory in the hypervisor process, and run code on the host itself, escaping the VM and reaching every other VM on that host. Geffner wrote in his report, “Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”
What does this mean? An attacker who escapes one guest lands on the hypervisor host, and from there can reach every other customer hosted on that machine and, potentially, the data center network behind it. It’s a huge vulnerability, and even though the number of affected servers ran to millions, that doesn’t mean millions of people were victims. The bug was found by researchers rather than caught in use: no public exploit code existed at disclosure, and the finders reported no known exploitation in the wild. What a real attacker would do with such a hole, steal sensitive data or merely prove it could be done as a power play, is a separate question from whether the hole exists; either way, it needs patching.
A Prime Environment
All data centers are different and run different levels of security. However, many rely on hypervisor technology to power their virtual machines (VMs). This is how one physical server can host a number of guest operating systems (OSs), each walled off from the others by the hypervisor. From a data center manager’s perspective, this allows resource sharing while keeping tenants separated. VENOM breaks that wall. The virtual floppy controller is emulated by code that runs in the hypervisor’s own process on the host, so a guest that corrupts that code’s memory is no longer confined to the guest: it can execute code on the host, read or tamper with the other VMs that host runs, and from there reach whatever the host’s network can reach.
Geffner says, “Heartbleed lets an adversary look through the window of a house and gather information based on what they see. Venom allows a person to break in to a house, but also every other house in the neighborhood as well.” Heartbleed, as many people know, was one of the most notorious vulnerabilities of the past few years and one of the major reasons 2014 was dubbed the Year of the Security Breach. In reach, VENOM goes further: Heartbleed leaked memory from a single server process, whereas VENOM hands an attacker code execution on the host beneath every tenant. One caveat keeps the comparison honest: Heartbleed could be triggered remotely against any exposed TLS service with no credentials at all, while VENOM requires privileged access inside a guest on an affected hypervisor first.
What makes VENOM so dangerous is that a successful exploit goes farther than Heartbleed, or Poodle and Shellshock: it crosses the guest/host boundary. The flaw lives in the virtual floppy drive controller (FDC) code of QEMU, which is also used by the Xen, KVM and VirtualBox virtualization platforms, so a large number of hosting providers were potentially exposed. While floppy drives themselves are extinct, the virtual FDC is added to new VMs by default on these platforms, and simply switching it off is not a fix. Geffner explains, “Even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.”
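To make the mechanism concrete, here is a small C model of the bug class, written for this page rather than taken from QEMU or from CrowdStrike’s report. It keeps only the shape of the defect: a fixed-size FIFO, a write cursor that the guest advances through a data port, and one made-up command whose handler fails to reset that cursor, so that every later write lands one byte further out. The opcodes, the 512-byte FIFO, the 32 bytes of “adjacent state” and the single backing array are assumptions for the demo; the hardened version applies the bounding idea of the real fix, reducing the index to the buffer size before the write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a guest-facing device FIFO.  This is NOT
 * QEMU's fdc.c; it reproduces only the shape of the defect. */
#define FIFO_LEN 512   /* size of the command/data FIFO (assumption) */
#define ADJ_LEN  32    /* bytes of other device state that follow the FIFO (assumption) */

struct fdc_model {
    /* mem[0..FIFO_LEN) is the FIFO; mem[FIFO_LEN..) stands in for whatever
     * follows it in the hypervisor process.  One array keeps the demo free
     * of undefined behaviour while still showing what an overflow lands on. */
    uint8_t  mem[FIFO_LEN + ADJ_LEN];
    uint32_t data_pos;   /* next FIFO slot the guest's data-port write goes to */
    uint32_t data_len;   /* bytes the current command expects */
};

/* Two made-up opcodes: the handler of CMD_RESETS clears the cursor when the
 * command completes; the handler of CMD_FORGETS returns without doing so. */
enum { CMD_RESETS = 0x0A, CMD_FORGETS = 0x0E };

typedef int (*data_port_write_fn)(struct fdc_model *s, uint8_t value);

static void fdc_reset(struct fdc_model *s) { memset(s, 0, sizeof *s); }

static void run_command(struct fdc_model *s) {
    uint8_t opcode = s->mem[0];
    /* ... the command's actual effect is omitted ... */
    if (opcode == CMD_RESETS) {      /* the forgetful handler skips this */
        s->data_pos = 0;
        s->data_len = 0;
    }
}

/* Vulnerable: the cursor is used as the array index with no bound.  After
 * CMD_FORGETS every further data-port write goes one byte further out, first
 * filling the FIFO, then whatever lies after it.  Returns -1 at the point
 * where the real device would simply fault the hypervisor process. */
static int fdc_write_data_vuln(struct fdc_model *s, uint8_t value) {
    if (s->data_pos >= sizeof s->mem)
        return -1;
    if (s->data_pos == 0)
        s->data_len = 2;             /* opcode plus one parameter byte */
    s->mem[s->data_pos++] = value;
    if (s->data_pos >= s->data_len)
        run_command(s);
    return 0;
}

/* Hardened: the index is reduced to the FIFO size before the write, so a
 * stuck cursor can at worst wrap inside the FIFO and never reach adjacent
 * memory.  Everything else is identical to the vulnerable version. */
static int fdc_write_data_fixed(struct fdc_model *s, uint8_t value) {
    if (s->data_pos == 0)
        s->data_len = 2;
    uint32_t pos = s->data_pos++ % FIFO_LEN;
    s->mem[pos] = value;
    if (s->data_pos >= s->data_len)
        run_command(s);
    return 0;
}

/* Drive a model the way a malicious guest would: issue the forgetful command,
 * then keep hammering the data port.  Counts how many adjacent bytes changed
 * and whether the process would have faulted. */
struct guest_result { int clobbered; bool faulted; };

static struct guest_result simulate_guest(data_port_write_fn write_fn, int extra_bytes) {
    struct fdc_model s;
    struct guest_result r = { 0, false };
    fdc_reset(&s);
    write_fn(&s, CMD_FORGETS);       /* opcode */
    write_fn(&s, 0x00);              /* parameter: command completes, cursor is NOT reset */
    for (int i = 0; i < extra_bytes; i++) {
        if (write_fn(&s, 0x41) != 0) { r.faulted = true; break; }
    }
    for (int i = 0; i < ADJ_LEN; i++)
        r.clobbered += (s.mem[FIFO_LEN + i] != 0);
    return r;
}

/* Plain-integer views of the outcome. */
static int clobbered_bytes(data_port_write_fn w, int extra) { return simulate_guest(w, extra).clobbered; }
static int guest_faulted(data_port_write_fn w, int extra)  { return simulate_guest(w, extra).faulted ? 1 : 0; }

int main(void) {
    struct guest_result v = simulate_guest(fdc_write_data_vuln, 600);
    struct guest_result f = simulate_guest(fdc_write_data_fixed, 600);
    printf("vulnerable: %d adjacent bytes overwritten, process %s\n",
           v.clobbered, v.faulted ? "faulted" : "survived");
    printf("fixed:      %d adjacent bytes overwritten, process %s\n",
           f.clobbered, f.faulted ? "faulted" : "survived");
    return 0;
}
```

Against the vulnerable write, 600 extra bytes overwrite all 32 bytes of adjacent state and then hit the fault line; a smaller burst (say 520) silently corrupts ten bytes and the process keeps running, which is the more dangerous case. Against the hardened write, no write ever leaves the FIFO. Note that the demo models only the stuck cursor; a real escape also has to turn the clobbered bytes into control of the hypervisor process, which is the part Geffner described as “not trivial.”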
How far does the virtual floppy drive code spread? It’s on millions of VMs. Before the public announcement, CrowdStrike was already working with the affected software vendors so that patches could ship alongside the disclosure. “As the bug was found in-house at CrowdStrike, there is no publicly known code to launch an attack,” notes ZDNet. “Geffner said the vulnerability can be exploited with relative ease, but said developing the malicious code was ‘not trivial.’”
That offers limited comfort, but there are concrete steps. If you run the hypervisor, install the vendor’s fix for CVE-2015-3456 for QEMU, Xen, KVM or VirtualBox, and then power-cycle every guest: the vulnerable FDC code is part of each guest’s already-running hypervisor process, so a patched binary on disk does nothing for guests started before it, and a reboot from inside the guest OS does not restart that process either. If you rent VMs, ask your host whether it has patched for VENOM and restarted the guests, and take an active approach in ensuring your tech support, hosts included, keeps pace with new vulnerabilities.