
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-05-16



VENOM - Does it live up to the hype?

Published: 2015-05-16
Last Updated: 2015-05-16 04:17:04 UTC
by Rick Wanner (Version: 1)
4 comment(s)
Unless you have been hiding under a rock this week, you have heard about VENOM. The first article that I saw was from ZDNet, with the headline "Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters". Pretty provocative stuff. Is VENOM really worth that much hype?
 
VENOM stands for Virtualized Environment Neglected Operations Manipulation. The cute acronym basically means that the exploit takes advantage of a vulnerability in legacy code. In short, the vulnerability is CVE-2015-3456 and it is found in fdc.c, the floppy disk controller emulation code used in some virtualization products, the most popular ones being QEMU, Xen and KVM. The vulnerability permits someone with administrator access inside the virtual machine (VM) to potentially escape the VM and execute arbitrary code within the host virtualization software, with the permissions of that software. The worst case scenario is that the attacker could escape to the host operating system and access other guests on the same machine. To the best of my knowledge nobody has succeeded in demonstrating the worst case.
 
Should we panic?
 
This vulnerability is important because it has the potential to affect a significant portion of the virtualization platforms in common use today, but there is no reason to panic.
* The vulnerability cannot be exploited remotely, nor is it possible to remotely scan for it.
* In order for an attacker to even attempt to exploit the vulnerability, they need administrator-level shell access to a virtualized guest.
* While a proof of concept exists that exploits the vulnerability, nobody has demonstrated any practical use of it.
* Patches are available for all affected virtualization platforms.
 
This is certainly not of the significance of Heartbleed or FREAK. While it is important to get vulnerable systems patched as soon as reasonably possible, there is no reason to panic.
 

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
