A zero-day vulnerability affecting a variety of virtualization platforms and cloud services allows attackers to break out of a virtual machine (VM), execute code on the host machine and access any other VMs running on it, CrowdStrike researchers revealed today.
"The good feeling is that we discovered this before the bad guys did," says CrowdStrike senior security researcher Jason Geffner, who found the bug, which CrowdStrike dubbed the vulnerability Virtualized Environment Neglected Operations Manipulation (VENOM).
The vulnerability is in the virtual floppy disk controller of Quick Emulator (QEMU), a free, open-source hypervisor. It's another example of little-used, but on-by-default legacy code (like a floppy disk controller) being manipulated for malicious use -- hence the word "neglected" in the name.
Some of QEMU's code, including the vulnerable bit, has been used by other virtualization platforms, like the popular Xen and Kernel-based Virtual Machine (KVM), which are often used in infrastructure-as-a-service, and Oracle VM VirtualBox, which is commonly used in test-dev environments. So hundreds or thousands of products that use virtualization technology -- on servers, clients, appliances, and in the cloud -- are vulnerable to VENOM. Since most hypervisors run with root access to the host machine, the potential damage is severe.
This is precisely the kind of nightmare scenario that has caused some organizations to avoid the cloud and virtualization altogether -- putting all your corporate eggs in one questionably secure basket and perhaps sharing server space with a cybercriminal.
For that reason, CrowdStrike has declared VENOM a critical vulnerability. The company has worked with QEMU -- and through them, with other affected vendors -- on a coordinated patch release. CrowdStrike CTO and co-founder Dmitri Alperovitch stresses that organizations should check with their cloud providers to ensure they have already issued the patch, and to patch their own on-premise applications and appliances immediately.
"Obviously it's a great risk for on-premise," says Geffner, "because usually it takes months" for companies to completely remediate vulnerabilities.
Although VENOM may legitimize concerns about attackers busting out of a public cloud instance and accessing other customers' cloud instances, the coordinated patch release today legitimizes some cloud vendors' assertion that they can do a more efficient job on security than individual organizations.
Either way, says Geffner, organizations still weighing their options, "can take solace from the fact these kind of security findings are extremely rare ... and not this broadly scoped."
Like Heartbleed and ShellShock before it, VENOM is a severe, wide-ranging vulnerability in an open-source tool... but worse, according to the researchers.
As Alperovitch describes it: Heartbleed would let an attacker look through the windows of your house; Shellshock would let them inside your house; VENOM gives them complete access to everything in your house, including all your locked-up valuables, and, Geffner says, "an underground tunnel in which [they] can access all your neighbors' houses."
Vulnerabilities like VENOM may renew some fears about cloud security, but that doesn't mean it will slow cloud adoption.
"Everything is moving to the cloud," says Dan Kaminsky, chief scientist at White Ops, who collaborated with CrowdStrike on VENOM, says. "Even Zynga is shutting down their $100 million data center because it's better to deploy in minutes than months."
"There is a cost to this move [to the cloud]," he says, "which is that attackers who once needed to find an exploit may get some degree of local privilege using money. There's a lot riding on the code that isolates VMs, but like all code there's a risk of bugs. Many cloud providers offer enhanced isolation of hardware, such that at minimum you're only exposed to other VM's from your own organization. When feasible it's worth outbidding attackers to acquire this isolation."
For more information about VENOM, see http://venom.crowdstrike.com.