A newly disclosed vulnerability, found by Jason Geffner, a Senior Security Researcher at CrowdStrike, targets the virtual data center. VENOM (short for Virtualized Environment Neglected Operations Manipulation) lets a user with root or administrator privileges inside their own virtual machine send crafted commands to the emulated floppy disk controller. A buffer overflow in that controller code can crash the hypervisor process backing the VM and, if exploited further, give the attacker code execution on the host itself. From there the attacker could reach other companies' virtual machines, if they are hosted on the same virtualization host or in the same cloud. The flaw sits in a commonly ignored component of most virtual machines: the legacy floppy disk drive controller.
While this is already being touted as the "Heartbleed of 2015", we at Alpine want to remind you to remain calm and look at all of the facts. Vendors were notified ahead of the public disclosure, and two of the three named virtualization platforms have already been patched. On top of that, this vulnerability does NOT affect the two most popular enterprise hypervisors, VMware and Microsoft Hyper-V, so most enterprise data centers are unaffected; workloads you run on a KVM- or Xen-based public cloud, however, are only as safe as that provider's patching. The vulnerability was discovered in a CrowdStrike lab and there is no known malicious code in the wild exploiting this flaw. CrowdStrike also notes that ARM systems and Xen systems running x86 paravirtualized guests are not vulnerable.
So the moral of the story is: PATCH IT! And do it quickly, just as you would with any other critical vulnerability. One caveat for QEMU/KVM hosts: updating the qemu package only replaces the binary on disk. Every guest that was started before the update keeps running the old, vulnerable code until it is restarted or live-migrated to a patched host.
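The check below is an added example written for this post; it is not code from CrowdStrike, QEMU or Xen. It assumes a Linux QEMU/KVM host and reads only /proc: when a package upgrade replaces a binary that a running process still has mapped, the kernel appends " (deleted)" to the target of /proc/<pid>/exe, so a QEMU process whose exe link carries that suffix is still running the pre-patch code. The process-name patterns (qemu-system-*, qemu-kvm, kvm) are assumptions about common distribution packaging; adjust them for your host.

```shell
#!/bin/sh
# Added example, not part of the original post: list running QEMU/KVM
# processes that were started before the qemu binary was replaced on disk.
# Linux keeps the old (vulnerable) binary mapped in such a process and
# marks it by appending " (deleted)" to the /proc/<pid>/exe link target.
# Run as root; /proc/<pid>/exe of other users' processes is not readable otherwise.

# Succeed when a readlink(/proc/<pid>/exe) result points at a replaced file.
is_stale_exe() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# Succeed when a /proc/<pid>/comm value looks like a QEMU emulator process.
# comm is truncated to 15 characters, so "qemu-system-x86_64" appears as
# "qemu-system-x86"; the prefix match covers that. The names are assumed
# common packaging names, not an exhaustive list.
is_qemu_comm() {
    case "$1" in
        qemu-system-*|qemu-kvm|kvm) return 0 ;;
        *)                          return 1 ;;
    esac
}

# Walk /proc and print "pid<TAB>comm<TAB>exe" for every QEMU process that
# still runs a replaced binary. Prints nothing when the host is clean.
find_stale_qemu() {
    for d in /proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        is_qemu_comm "$comm" || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        if is_stale_exe "$exe"; then
            printf '%s\t%s\t%s\n' "${d#/proc/}" "$comm" "$exe"
        fi
    done
}

# Run the scan; exit 2 when at least one guest still needs a restart so the
# script can be used from cron or a configuration-management check.
stale=$(find_stale_qemu)
if [ -n "$stale" ]; then
    printf 'Guests still running the pre-patch binary (restart or live-migrate them):\n%s\n' "$stale"
    exit 2
fi
printf 'No QEMU process is running a replaced binary.\n'
```

The same "(deleted)" marker also appears when a library the process loaded was replaced, so a broader version of this check would scan /proc/<pid>/maps rather than only the main executable; for a QEMU security update, though, the emulator binary itself is what changes.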
To those raising the alarms and screaming from the rooftops, please calm down. This is just another in the never-ending stream of flaws that we as security professionals have to triage and remediate to keep people safe. Inciting panic by adding another named-and-logo'd member to the pantheon of armageddon bugs only muddies the waters further, so that rank-and-file users will have no idea when to really put their guard up. Let's leave the wolf-crying for another day.
You can find more specific information about the vulnerability in CVE-2015-3456 for QEMU/KVM and XSA-133 for Xen. At the time of this post, patches are available for QEMU and Xen.