VENOM - Does it live up to the hype?
Unless you have been hiding under a rock this week, you have heard about VENOM. The first article that I saw was from ZDNet with the headline of "Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters". Pretty provocative stuff. Is VENOM really worth that much hype?
VENOM stands for Virtualized Environment Neglected Operations Manipulation. The cute acronym basically means that the exploit takes advantage of a vulnerability in legacy code. In short, the vulnerability is CVE-2015-3456 and it is found in fdc.c, the floppy disk controller software used in some virtualization products, the most popular ones being QEMU, Xen and KVM. The vulnerability will permit someone with administrator access in the virtual machine (VM) to potentially escape the VM and execute arbitrary code from within the host virtualization software, with the permissions of the host virtualization software. The worst case scenario is that the attacker could escape to the guest operating system and access other guests on the same machine. To the best of my knowledge nobody has succeeded in demonstrating the worst case.
Should we panic?
This vulnerability is important because it has the potential to affect a significant portion of the virtualization platforms that are in common use today, but there is no reason to panic.
* The vulnerability cannot be exploited remotely, nor is it possible to remotely scan for this vulnerability.
* In order for the attacker to even attempt to exploit the vulnerability, they need administrator-level shell access to a virtualized guest.
* While a proof of concept exists that exploits the vulnerability, nobody has demonstrated any practical use of the exploit.
* Patches are available for all affected virtualization platforms.
It is certainly not of the significance of Heartbleed or FREAK. While it is important to get vulnerable systems patched as soon as reasonable, there is no reason to panic.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
Comments
Best,
Craig
Anonymous
May 18th 2015
9 years ago
If you are in control of the environment and have access to a vulnerability scanner that can log into the guest VMs as Administrator then it should be possible to figure out which guests are vulnerable. I haven't, up to this point, seen any vulnerability scanners which have a test for this vulnerability.
Anonymous
May 18th 2015
9 years ago
Anonymous
May 18th 2015
9 years ago
Cool, but I don't think I would lose any sleep over it. The more likely attack vector is a brute force on an administrator shell account followed by a local compromise of a virtualization box. Far juicier targets there.
Anonymous
May 18th 2015
9 years ago