Much has been said about the VENOM vulnerability, the latest in an increasingly long line of bugs affecting vast swaths of the Internet. It’s an old-school bug in the relatively new-age phenomenon of virtualization.
Virtual machines are independently operational computers within computers. The so-called cloud is merely a vast network of virtual machines. An attacker could exploit VENOM in order to escape one virtualized environment and run code in another.
Some of the more enthusiastic or perhaps sensational journalists have called VENOM more impactful than the now-infamous Heartbleed OpenSSL vulnerability. However, I think the best response came from noted security researcher, Dan Kaminsky.
“I think that we’ve really lost something when we move to these linear rankings of bug versus bug,” Kaminsky told Dennis Fisher on Threatpost’s Digital Underground podcast. “This isn’t Iron Man versus Captain America. This isn’t the freaking Avengers; this is science.”
Such is the nature of the security industry today, when every major bug is assigned a unique, hashtag-ready name, has its own logo and a public relations team crowning it the worst vulnerability ever.
“Bad bugs happen,” Kaminsky explained later on in the podcast. “They’re still bad, but we go ahead and deal with them… It was a big problem. We went ahead and we fixed it. Things were a lot worse; we privately went around and did everything we could on a private scale and now we’re talking about it publicly to get the rest of the stuff. That’s what we do. That’s the game we play.”
This is not to downplay the severity of VENOM, because it is quite severe. Virtualization and virtual machines play an increasingly critical role in the modern Internet. Virtual machines enable cloud computing, which our service providers rely on more now than ever, mainly because it’s cheaper to buy virtual space from, say, Amazon than it is to run your own server farm. In this way, an able attacker could buy space from a cloud server provider, escape the virtual environment he paid for, and move into any other virtual machine operating under the same host.
Beyond that, this bug could have an impact on malware testers too. Most malware analysts intentionally infect virtual machines with malware. From there they can examine how the malware works in a safe, quarantined environment. VENOM has the potential to let that malware move out of the quarantine environment and into other, connected computing spaces.
As mentioned above, the bug is an old one. In fact, it exists in the virtual floppy disk controller component that is included in a number of popular virtualization platforms. That’s right: floppy disks. Feel free to let us know in the comments the last time you used one of those, let alone saw a floppy disk drive on a usable computer.
In an interview for a news story published before the podcast, Kaminsky told Threatpost’s Fisher that VENOM is something of a pay-to-play bug. An attacker can buy cloud space from a provider and then exploit VENOM to gain local privilege within the cloud space of a target using the same provider. Certain cloud companies, he explained, offer enhanced hardware isolation at a premium. He claims it’s worth paying this premium in order to outbid potential attackers.
Full technical details of VENOM (CVE-2015-3456) vulnerability now live on CrowdStrike's official blog – http://t.co/Pmp6u7mTp3
— Jason Geffner (@JasonGeffner) May 15, 2015
There isn’t really anything we users can do to protect ourselves here, as is so often the case, other than to hope that our cloud service and other virtualization providers fix the problem as soon as possible. The good news is twofold. Firstly, most affected vendors have already issued a patch for the problem, and secondly, a new proof-of-concept has illustrated that VENOM is actually harder to exploit than experts initially thought.
From the perspective of the everyday Internet user, I think the real lesson here is to realize just how ubiquitous virtualization is online in 2015.