A vulnerability has been discovered in widely-used virtualization software, which may allow an attacker to escape an affected virtual machine and potentially obtain code-execution access to the host—compromising whole clouds.
What does that mean? In a nutshell, the flaw, dubbed Virtualized Environment Neglected Operations Manipulation (VENOM), can allow an attacker to take over whole data centers (and thus whole clouds) by compromising just one virtual machine.
Technically, VENOM is a legacy virtual floppy disk controller that, if sent specially crafted code, can crash the hypervisor. This allows the attacker to break out of their own VM to access other machines, including those owned by other people or companies. Modern virtualization platforms, including Xen, KVM, and Oracle’s VirtualBox are affected (but, thankfully, VMware, Microsoft Hyper-V and Bochs hypervisors are not).
How this plays out will depend on the level of customization within virtual environments.
“We are discovering that potentially high impact vulnerabilities can live almost anywhere,” Ken Westin, security analyst from Tripwire, told Infosecurity. “This latest vulnerability, although potentially dangerous, does not affect one of the biggest Xen users: Amazon Web Services, as they have a pretty heavily customized version of Xen that is used in their environments. Cloud providers such as Amazon have also developed a robust and rapid process for deploying fixes for vulnerabilities once they hit rapidly across their environments.”
“Since many business systems in the last few years have moved to public and private clouds, this virtualization means we often cannot tell which other outside organizations might have their workloads running on the same physical server as our systems, and so in principle an attack on their systems in the shared cloud infrastructure could spill over into ours, causing a potential domino effect,” said Mike Lloyd, CTO at RedSeal, in an email.
Thankfully, VENOM is a bit different from Heartbleed, because patches are already available.
“VENOM is comparable to Heartbleed, but five years from now, looking back, we will likely not remember it as causing quite as much heartburn (as it were),” said Lloyd. “The vulnerability is serious, allowing not just arbitrary code execution, but escape out of one virtual system into the host OS…That said, the patch and remediation for this attack are already well known and well publicized. For users of external public cloud services, the responsibility to apply the remediation falls to the service provider, and so customers are likely to burn up the phone lines calling in to make sure this has been done promptly. For organizations running private cloud infrastructure, the responsibility falls to internal IT, as a part of routine patch management. Businesses can expect some brief disruptions as this patch is applied; if your business uses the affected virtualization systems, the patch should be treated with very high priority, and is well worth a brief service interruption in almost all cases.”