The Venom security flaw has been described by some as bigger than Heartbleed, the vulnerability in OpenSSL which allowed adversaries to eavesdrop on internet communications, steal data and impersonate services and users. Elias Manousos assesses this claim
Heartbleed sent ripples through the internet community – site admins and security folks alike scrambled to patch vulnerable websites in an effort to prevent data leaks.
Venom and Heartbleed are only similar in scale. Both vulnerabilities were distributed across thousands if not millions of machines. Otherwise, it’s like comparing apples and oranges. Crowdstrike, the security firm that discovered Venom explains:
“VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.”
This is why systems administrators, IT managers and CIOs don’t fully trust cloud environments with sensitive data or valuable IP. Public cloud hosting services don’t allow customers to install their own security controls and monitor for threats or vulnerabilities below the guest OS.
Crowdstrike points out that, while other hypervisor vulnerabilities have been discovered in the past, “VENOM (CVE-2015-3456) is unique in that it applies to a wide array of virtualization platforms, works on default configurations, and allows for direct arbitrary code execution.”
That’s the bad news; the good news is that security researchers discovered the exploit, and there haven’t been any recorded examples of it being exploited in the wild. Researcher Dan Kaminsky from White Ops believes that:
“The ‘long tail’ of problems associated with Heartbleed, a bug which affected a large number of websites due to the widespread use of the broken encryption library OpenSSL, won’t be seen with Venom. That’s because ‘95 per cent of the risk’ is held by the various cloud and virtual private server (VPS) providers affected who will likely act fast.”
In other words Xen and KVM are most used today within controlled third-party ecosystems – of which the infrastructure owners have a vested interest in aggressively patching.
"This incident once again shows that CISOs need visibility into all their IT infrastructure that connects to the internet"
Organizations leveraging cloud-based hosting services using Xen and KVM can rest easy, right? Well, data from the 2015 Verizon Data Breach Investigations Report shows that 99% of vulnerabilities were exploited over a year after their CVE was published.
Indeed, even in the case of the highly publicized Heartbleed vulnerability, breaches still resulted months after the news broke, including the exfiltration of millions of PII records from CHS systems. In most cases, patches either weren’t installed or the infrastructure that was exploited was previously unknown by security.
The question is, how much better are cloud hosters at patching their systems than everyone else and do you trust them? They should have a better handle on their infrastructure, but one can never be certain. Plus, virtualization using Xen and KVM has been around forever. Are there undocumented boxes in shadowy corners of data centers that might be vulnerable?
This incident once again shows that CISOs need visibility into all of their IT infrastructure that connects to the internet. With a system to discover and inventory all digital assets, further scans can be performed to help vulnerability management teams determine if any vulnerable infrastructure remains unpatched and vulnerable to Venom, Heartbleed, Poodle and the hundreds of other potentially unpatched CVEs in their environment. It pays to know exactly what your digital footprint is.
About the Author
Elias Manousos is CEO of RiskIQ. He is an online security expert with more than 15 years’ experience developing and delivering enterprise security technologies. Prior to RiskIQ, Manousos was vice president of R&D at Securant Technologies, which pioneered identity and access management for web applications. At Securant, he was instrumental in creating now-commonplace technologies for web single sign-on security.