Comments
VENOM Zero-Day May Affect Thousands Of Cloud, Virtualization Products
ODA155
User Rank: Ninja
5/15/2015 | 9:28:37 AM
Re: Good Research Bad Media Reaction
@kenwestin ... You said... "I do believe that some of the media surrounding this vulnerability has been a bit overblown, some stating that this vulnerability has broken cloud security and millions of systems are in danger of being immediately hacked."

I think what is overblown is how everyone wants to compare one vulnerability to another; I personally think that is dangerous. Why? Because no two vulnerabilities are the same, there is no way that you can compare this vulnerability to Heartbleed or to a vulnerability like BEAST. With Heartbleed it was pretty easy to say how big this would be because there was no denying it. This particular vulnerability does confirm an argument that has been going on for a very long time, one that quite a few folks said could not happen. And this, as with Heartbleed, has internal implications too if the affected systems are used in-house. And while this particular bug has not impacted all of the virtual space... I can bet you the rest are scrambling to make sure it doesn't affect them too. Remember, when Heartbleed was first reported nobody took it as seriously as they did when the scope was finally realized.

"High impact vulnerabilities are becoming the new normal, some security analysts expecting us to see one big one per quarter. The industry as a whole needs to work on how to best address these vulnerabilities without overhyping them..."

Now this I can totally agree with, but my one bit of advice would be to assume that every vulnerability has the ability to disrupt your operations or possibly damage your reputation.

Question, which was worse:

a) Blaster

b) SQL Slammer
sixscrews
User Rank: Apprentice
5/14/2015 | 6:31:46 PM
So, why is your disk floppy?
OK, we have a vuln - surprise.

But it's in a component that maybe 50% of us have never touched, much less know about.

And where's the next one coming from - the joystick interface?  the UV-EEPROM programmer?

I'm not surprised stuff shows up in neglected interfaces, but the thing that surprises me is why a bright shiny VM should have a floppy interface component at all. Are people looking at the stuff that's added into a VM build and being sure it's necessary?

Hard drive interface - check

Video interface - check

Keyboard interface - check

Mouse interface - check

Serial port interface - check

Parallel port interface - check - uh - what's a parallel port?

Tin hat interface protection - check

Rubber band motor backup interface - check

And so it goes - the path to h#$l is paved with ignorance and obsolete interfaces.

wb/ss
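sixscrews' question about whether anyone audits what goes into a VM build can be made concrete. The following is an added example, not code from the original thread or from any commenter: it parses a libvirt domain definition (the XML that `virsh dumpxml <domain>` prints) and flags legacy emulated devices a server guest rarely needs, starting with the floppy drive and its controller. The device list is a policy choice for the example and the sample domain is constructed. One caveat a practitioner should keep in mind: for VENOM itself, the advisory noted that QEMU kept the vulnerable FDC code active even when the virtual floppy drive was disabled in the configuration, so an audit like this tells you what the definition declares, not what the emulator adds by default; the actual fix was patching the hypervisor.

```python
"""Audit a libvirt domain definition for legacy emulated devices.

Added example for this thread, not code from Dark Reading or from any
of the commenters. It reads the XML that `virsh dumpxml <domain>`
prints; SAMPLE_DOMAIN_XML below is a constructed stand-in so the script
runs offline.
"""
import xml.etree.ElementTree as ET

# Emulated devices a typical server guest does not need. Each entry is an
# ElementTree XPath relative to <devices> and the label used in findings.
# The list is a policy choice for this example, not a libvirt default.
UNNEEDED_DEVICES = [
    ("disk[@device='floppy']", "virtual floppy drive"),
    ("controller[@type='fdc']", "floppy disk controller"),
    ("parallel", "parallel port"),
    ("serial", "serial port"),
    ("disk[@device='cdrom']", "CD-ROM drive"),
]

# Constructed libvirt domain XML: the virtio disk and NIC a web server
# needs, plus a floppy, an FDC, a parallel port and a serial port it does not.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>web01</name>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/web01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/boot.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
    <controller type='fdc' index='0'/>
    <parallel type='pty'>
      <target port='0'/>
    </parallel>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""


def audit_domain_xml(xml_text):
    """Return (label, detail) pairs for every unneeded device declared.

    detail is the device's <target> attributes (e.g. "bus=fdc dev=fda"),
    or an empty string when the device has no <target> element.
    """
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    findings = []
    if devices is None:
        return findings
    for xpath, label in UNNEEDED_DEVICES:
        for elem in devices.findall(xpath):
            target = elem.find("target")
            detail = ""
            if target is not None:
                detail = " ".join(
                    f"{key}={value}" for key, value in sorted(target.attrib.items())
                )
            findings.append((label, detail))
    return findings


def format_report(name, findings):
    """Render findings as the lines an operator would read."""
    if not findings:
        return f"{name}: no unneeded devices declared"
    lines = [f"{name}: {len(findings)} unneeded device(s) declared"]
    for label, detail in findings:
        lines.append(f"  - {label}" + (f" ({detail})" if detail else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    domain_name = ET.fromstring(SAMPLE_DOMAIN_XML).findtext("name")
    print(format_report(domain_name, audit_domain_xml(SAMPLE_DOMAIN_XML)))
```

Run it against `virsh dumpxml <domain>` output for each guest on a host and the report is the list of devices to argue about removing; a clean report still says nothing about devices the machine type emulates without being asked, which is why the hypervisor patch, not the guest definition, closed VENOM.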
ODA155
User Rank: Ninja
5/14/2015 | 5:22:39 PM
Re: Re-thinking VM Deployment
... and the problem with vulnerabilities is what... they do not go away! Because there will always be a management/admin team somewhere that doesn't get it, tries to skate on that thin ice for as long as possible, or is not willing to spend what it takes to fix it.

And you're correct about the PCI Council, so in my opinion, (which I'm pretty sure they care nothing about) this vulnerability confirms what security folks have been saying for years, that this is possible and hopefully forces the PCI Council to do the right thing... but you can probably hear the crocodile tears hitting the floor already from the large vendors asking for exceptions and grandfather (not Santa) clauses.
Sara Peters
User Rank: Author
5/14/2015 | 5:13:32 PM
Re: Re-thinking VM Deployment
@ODA155  Good point! That's been the question about virtualization forever, and the PCI Council was hesitant to make a ruling on it in the beginning. That said... ultimately, Venom is just a vulnerability. Until this, or a similar vuln, gets exploited in any significant fashion, I doubt the regulators would make any changes.
ODA155
User Rank: Ninja
5/14/2015 | 4:27:22 PM
Re-thinking VM Deployment
So I asked this question internally just to spark discussion, so now I'll ask it here...

"If this is in fact a possibility then this would be a game-changer, especially in how organizations plan or decide which VMs reside on a specific host, such as: can/should a VM subject to PCI or HIPAA be hosted on the same platform as non-PCI/HIPAA VMs? If so, do/should the VMs not subject to those compliance requirements have to meet those compliance standards?"
kenwestin
User Rank: Apprentice
5/13/2015 | 4:41:57 PM
Good Research Bad Media Reaction
The research on this particular vulnerability is excellent; Jason Geffner and the folks who researched and are patching this should be commended. However, I do believe that some of the media surrounding this vulnerability has been a bit overblown, some stating that this vulnerability has broken cloud security and millions of systems are in danger of being immediately hacked.

However, the actual impact is nowhere near a doomsday scenario, or at the same level as Heartbleed, to which this is being compared in the media. This vulnerability did not affect Amazon AWS, Linode or any number of other cloud service providers. There are also a number of factors that have to be in place for the vulnerability to pose an actual risk.

High impact vulnerabilities are becoming the new normal, some security analysts expecting us to see one big one per quarter. The industry as a whole needs to work on how to best address these vulnerabilities without overhyping them, or we are going to run into a boy who cried wolf scenario and businesses and security leaders will become numb to the next real threat they need to patch in their environment. 