On Wednesday, CrowdStrike released details on CVE-2015-3456, also known as Venom. Venom is a vulnerability in the floppy drive emulation code used by many virtualization platforms.
However, while it’s possible that a large number of systems are impacted by this flaw, it isn’t something that can be passively exploited.
Several security experts discussed the flaw online, focusing on the marketing and the media attention that it generated – including some over-hyped headlines. Most media organizations were briefed ahead of time about the discovery and gagged by embargo until the Venom website launched, so they had plenty of time to write.
Many media articles compared Venom to Heartbleed, which is an apples to oranges comparison. If anything, the only commonality is the fact that both flaws had a pre-planned marketing campaign.
If exploited, Venom could allow an attacker to escape the Guest OS and use the host as a launching point for other network attacks. The core problem was introduced to QEMU in 2004 and exists in the Floppy Disk Controller code used to emulate disk drives. Disabling the FDC doesn’t work, as the core code remains running due to an unrelated bug.
However, given that Venom requires the attacker to already have root or administrative permissions, the flaw is better understood not as a wide-reaching flaw such as Heartbleed, but as something that can be used once an administrator account has been compromised, or if an administrator is a malicious actor.
If anything, Venom will be a useful tool for penetration testers, but it doesn’t seem like a tool criminals will use at random.
In terms of impact, AWS and Linode are not vulnerable to Venom, so enterprises using those platforms are safe. Likewise, VMware, Microsoft Hyper-V, and Bochs hypervisors are also unaffected. However, for VMs that are not hosted on those platforms or infrastructures, proper patches have been released and should be installed as soon as possible.
It’s worth mentioning that none of the experts who have shredded Venom coverage online are against the bug itself. Quite the opposite, most security professionals feel the research is outstanding and that CrowdStrike’s Jason Geffner is to be commended for his discovery.
So if your VM deployment is vulnerable, unpatched, and the administrator account is compromised – or the administrator is malicious – Venom is a real problem. Otherwise, it’s something to be aware of, but not something to panic over.
"It’s serious, but not Heartbleed serious. There are no known in-the-wild attacks and a patch is available," said Karl Sigler, Threat Intelligence Manager at Trustwave.
"The virtualization products it does affect are popular (XEN, KVM, QEMU, and VirtualBox), but the absence of VMware and Microsoft as affected eases the blow in a lot of cases," he added.
"I would see this attack typically used to target hosting companies that use virtual environments like KVM. An attacker would purchase a KVM instance then use VENOM to breach the hosting machine."
"The people most affected by VENOM are those who run hosted VPS services (and therefore, do routinely give root access to strangers' guest machines), and those who subscribe to the same VPS services. Customers of VPS services should pester their vendors until patches are applied, and the vendors should move on this rapidly." - Tod Beardsley, Research Manager at Rapid7
FireEye customers need to apply patches for Venom, as the company’s appliances were affected. Some Rackspace customers were also affected; Rackspace has patched its systems as needed, so those clients will need to reboot their servers.
Bromium has reported to customers that vSentry is not vulnerable to Venom, as the FDC code was removed.
As previously mentioned, saying that Venom is as big as Heartbleed or worse is FUD.
Since CrowdStrike’s disclosure, at least one vendor had to issue a patch to customers because they used vulnerable code in their product (FireEye). But because CrowdStrike warned vendors ahead of time, many were able to release patches to address the flaw on day one.
Service providers were either not vulnerable to begin with, or they moved quickly to fix things.
In the days to come, it is likely that other services and products will be found vulnerable. If so, administrators must patch quickly. But unfortunately, the reality is that patching is still a widespread problem.
While Venom isn’t a major issue, and the world will not end because of it, leaving an easy path out of the Guest OS for an attacker is a serious concern - one that should be addressed immediately.