Venom (or the Venom alien life) is a fictional character from the Marvel universe, created by cartoonist David Michelinie and Canadian artist Todd McFarlane to the American publisher Marvel Comics. It is one of the most ruthless and dangerous inside Marvel universe and one of the main enemies of Spider-Man.
This week, we have awakened a vulnerability called VENOM, qwhich could expose virtual machines to unauthorized access and the consequent chance of data theft. It has been discovered by Jason Geffner, who works as a senior safety engineer at the company CrowdStrike.
A new vulnerability known as VENOM is just released, which could allow an attacker to escape from a guest virtual machine (VM) and access the host system, along with other virtual machines running on this system. VENOM could allow an attacker to steal sensitive data on any of the virtual machines in the system and gain privileged access to the local network and host systems.
The VENOM bug exists in the virtual Floppy Disk Controller for the open-source hypervisor QEMU, which is installed by default in a number of virtualization infrastructures such as Xen hypervisors, the QEMU client, and Kernel-based Virtual Machine (KVM). VENOM does not affect VMware, Microsoft Hyper-V, and Bochs hypervisors.
The VENOM bug has existed since 2004, though it has reportedly not been exploited in the wild yet. QEMU’s developers and other affected vendors have since created and distributed patches for this bug.
How does VENOM work?
Cloud service providers often host their customers’ VMs on the same hardware within a data center, though they keep each VM isolated from one another to maintain their security. While businesses rely on their cloud service provider to prevent other customers from accessing other VMs, the VENOM vulnerability could allow an attacker to escape these protections and gain access to resources on other VMs.
According to the website specifically set up to publicize this vulnerability, guest VMs can send commands and associated data parameters to a virtualization platform’s Floppy Disk Controller. This controller uses a fixed-size buffer to store commands and data parameters, and it is supposed to clear the buffer once it fully processes all of its commands. However, the Floppy Disk Controller did not perform this buffer reset for two of the defined commands, which has now been found to have enabled the flaw.
If an attacker wants to take advantage of the VENOM vulnerability, they could instigate an attack by renting out space on a cloud hosting provider to get a suitable account and then access this service through a guest VM. They could then exploit this vulnerability by sending one of the two commands that are known to trigger the vulnerability along with specially crafted data parameters to the Floppy Disk Controller, causing a buffer overflow. If the exploit is successful, the attackers could cause the system to run arbitrary code. This would allow the attacker to perform any action they wish, including stealing data or downloading and running other code not only on their own VM, but on any other VM hosted on the same system.
The potential impact of VENOM
While floppy disks are an obsolete technology, many virtualization products add a default virtual floppy drive, leaving the platforms subject to the floppy disk controller errors. The vulnerable technology is enabled in Xen, QEMU, FireEye’s hypervisor, and KVM by default. For Oracle’s VirtualBox, the Floppy Disk Controller is optional, meaning that customers’ VirtualBox installations should not be vulnerable to VENOM by default. VMware, Microsoft Hyper-V, and Bochs hypervisors are not reported to be vulnerable to VENOM.
There is already a lot of hype suggesting that VENOM is even “bigger than Heartbleed,” but this is not likely to be the case in terms of scale, at least. The Heartbleed vulnerability affected the OpenSSL library, which is one of the most commonly used implementations of the Secure Sockets Layer (SSL) and TLS Transport Layer Security (TLS) cryptographic protocols. Heartbleed affected a huge number of websites, applications, servers, virtual private networks, and network appliances. Meanwhile, VENOM only affects virtualization systems that specifically use QEMU’s Floppy Disk Controller and does not impact some of the most widely used VM platforms.
Is it as bad as Heartbleed VENOM?
The answer depends. If your system is vulnerable and has a lot of critical services running on it with a lot of sensitive data, an attack could be devastating. Heartbleed is considered a fundamentally important issue because vulnerable systems are widespread and are commonly used. VENOM is serious and could allow an attacker to do much more than Heartbleed, but the number of vulnerable systems is much lower, so it is a less serious problem in today's ecosystem.
According to recent research, many companies plan to increase their spending on cloud significantly, suggesting that the cloud is fashionable and confident in the technology market. Such problems may give reason to pause for reflection.
Fortunately, today there are no reports of any attacks actively exploits VENOM. In addition, QEMU and other manufacturers have been informed about the bug prior to the disclosure and have released patches to fix the problem.