A new vulnerability that affects a number of popular virtualization platforms could put millions of virtual machines at risk of total compromise.
Dubbed VENOM, the vulnerability in the code related to virtual floppy drives is known to be present in the Xen, KVM, and VirtualBox QEMU-based virtualization platforms widely used in data centers around the world. When exploited, it could give an attacker the ability “to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.” In other words, it could give an attacker total access to and control over the physical host machine, regardless of the operating system the guest VMs are running.
According to Jason Geffner, the CrowdStrike security researcher who discovered the VENOM bug, this vulnerability is in theory more menacing than the Heartbleed SSL bug that caused countless headaches last year. “Heartbleed lets an adversary look through the window of a house and gather information based on what they see,” he explained to ZDNet’s Zack Whittaker. “VENOM allows a person to break in to a house, but also every other house in the neighborhood as well.”
The VENOM bug is not the first bug of its kind. Other vulnerabilities have been discovered that could potentially give attackers the ability to take over a host from a guest VM. But VENOM is particularly worrisome because, unlike those bugs, it is present in default configurations and, because of another bug, can be exploited even when a VM administrator disables the virtual floppy drive functionality.
The good news is that, according to Geffner, the code required to exploit VENOM was not simple to create and most of the vendors of affected virtualization platforms have already issued advisories or patches. While the rise of the cloud means that use of the affected virtualization platforms has never been higher, cloud providers are already taking action. Rackspace, for instance, is on record as stating that it has patched its affected machines.
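For an operator trying to act on the advisories mentioned above, two questions come up immediately: which running QEMU/KVM guests have a virtual floppy attached at all, and which guest processes are still executing the pre-patch hypervisor binary because they were never restarted after the package update. The following script is an added example written for this article, not code from CrowdStrike, QEMU, or any vendor advisory. It parses the command line of a QEMU process for the floppy options that QEMU actually accepts (`-fda`, `-fdb`, and `-drive ...,if=floppy`), parses libvirt domain XML for `<disk device='floppy'>`, and treats a `/proc/<pid>/exe` link ending in `(deleted)` as the sign of a guest still running a replaced binary. All process command lines, paths and the libvirt XML below are constructed sample data. Note the caveat the article itself gives: a guest without a floppy device is lower priority, not safe, because the bug is reachable even with the floppy disabled; the fix is a patched hypervisor and a restart of every guest.

```python
"""Triage running QEMU/KVM guests after a hypervisor patch (constructed example).

Two checks per guest:
  1. Does the QEMU command line (or libvirt XML) attach a virtual floppy?
     Prioritisation only: per the article the flaw is reachable even when
     the floppy is disabled, so removing the device is not a mitigation.
  2. Is the guest process still executing a binary that was replaced on
     disk? On Linux, /proc/<pid>/exe then resolves to '<path> (deleted)',
     which means the patched package is not yet in effect for that guest.
"""
import shlex
import xml.etree.ElementTree as ET

# QEMU's two positional floppy flags; -drive ...,if=floppy is handled separately.
FLOPPY_FLAGS = {"-fda", "-fdb"}


def floppy_devices_from_argv(argv):
    """Return the floppy backing files named on a QEMU argv (list of strings)."""
    found = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in FLOPPY_FLAGS and i + 1 < len(argv):
            found.append(argv[i + 1])
            i += 2
            continue
        if arg == "-drive" and i + 1 < len(argv):
            # -drive takes comma-separated key=value options; bare words are skipped.
            opts = dict(kv.split("=", 1) for kv in argv[i + 1].split(",") if "=" in kv)
            if opts.get("if") == "floppy":
                found.append(opts.get("file", "<empty drive>"))
            i += 2
            continue
        i += 1
    return found


def floppy_devices_from_libvirt_xml(xml_text):
    """Return floppy sources declared as <disk device='floppy'> in a libvirt domain."""
    root = ET.fromstring(xml_text)
    out = []
    for disk in root.iter("disk"):
        if disk.get("device") == "floppy":
            src = disk.find("source")
            out.append(src.get("file") if src is not None and src.get("file") else "<empty drive>")
    return out


def runs_replaced_binary(exe_link_target):
    """True when the process's /proc/<pid>/exe still points at a deleted file."""
    return exe_link_target.endswith(" (deleted)")


def assess_guest(pid, cmdline, exe_link_target):
    """Combine both checks for one guest process into a small report dict."""
    argv = shlex.split(cmdline)
    return {
        "pid": pid,
        "floppy": floppy_devices_from_argv(argv),
        "needs_restart": runs_replaced_binary(exe_link_target),
    }


# Constructed sample data standing in for `ps -o pid,args` and `readlink /proc/<pid>/exe`.
SAMPLE_GUESTS = [
    (4242,
     "/usr/bin/qemu-system-x86_64 -name guest-a -m 2048 -fda /var/lib/images/boot.img "
     "-drive file=/var/lib/images/a.qcow2,if=virtio",
     "/usr/bin/qemu-system-x86_64 (deleted)"),   # patched on disk, never restarted
    (4243,
     "/usr/bin/qemu-system-x86_64 -name guest-b -m 4096 "
     "-drive file=/var/lib/images/b.qcow2,if=virtio",
     "/usr/bin/qemu-system-x86_64"),             # no floppy, running current binary
]

# Constructed libvirt domain fragment with one floppy disk.
SAMPLE_LIBVIRT_XML = """<domain type='kvm'>
  <name>guest-c</name>
  <devices>
    <disk type='file' device='disk'><source file='/var/lib/images/c.qcow2'/></disk>
    <disk type='file' device='floppy'><source file='/var/lib/images/c.img'/></disk>
  </devices>
</domain>"""


if __name__ == "__main__":
    for pid, cmdline, exe in SAMPLE_GUESTS:
        report = assess_guest(pid, cmdline, exe)
        print(f"pid {report['pid']}: floppy={report['floppy'] or 'none'} "
              f"needs_restart={report['needs_restart']}")
    print("libvirt guest-c floppy:", floppy_devices_from_libvirt_xml(SAMPLE_LIBVIRT_XML))
```

On a real host the inputs come from `ps -o pid,args` (or `/proc/<pid>/cmdline`), `readlink /proc/<pid>/exe`, and `virsh dumpxml <domain>`; the `needs_restart` flag is the one to act on for every guest, floppy or not.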
What else lurks?
Heartbleed, Shellshock, and now VENOM demonstrate that despite the watchful eyes of security researchers and incentives like bug bounties, serious, potentially highly damaging vulnerabilities can remain unnoticed for years.
That’s concerning for a number of reasons, not the least of which is the likelihood that many more such bugs are waiting to be discovered. The fact that VENOM wasn’t brought to light for more than a decade also highlights the fact that sophisticated attackers who find these bugs first might have the potential to exploit them undetected for a very long period of time.