News Security

Is VENOM bigger than Heartbleed

The VENOM vulnerability (CVE-2015-3456) could expose VMs to unauthorized access and data theft. But is it really “bigger than Heartbleed?”

Touted to be bigger than Heartbleed, the new vulnerability, VENOM could allow an attacker to escape a guest virtual machine (VM) and access the host system along with other VMs running on this system – although does not affect VMware, Microsoft Hyper-V, and Bochs hypervisors.
The VENOM bug could potentially allow an attacker to steal sensitive data on any of the virtual machines on this system and gain elevated access to the host’s local network and its systems.
The VENOM bug (CVE-2015-3456) exists in the virtual Floppy Disk Controller for the open-source hypervisor QEMU, which is installed by default in a number of virtualization infrastructures such as Xen hypervisors, the QEMU client, and Kernel-based Virtual Machine (KVM).

The VENOM bug has existed since 2004, though it has reportedly not been exploited in the wild yet. QEMU’s developers and other affected vendors have since created and distributed patches for this bug.
Cloud service providers often host their customers’ VMs on the same hardware within a data center, though they keep each VM isolated from one another to maintain their security. While businesses rely on their cloud service provider to prevent other customers from accessing other VMs, the VENOM vulnerability could allow an attacker to escape these protections and gain access to resources on other VMs.

According to the website specifically set up to publicize this vulnerability, guest VMs can send commands and associated data parameters to a virtualization platform’s Floppy Disk Controller. This controller uses a fixed-size buffer to store commands and data parameters, and it is supposed to clear the buffer once it fully processes all of its commands. However, the Floppy Disk Controller did not perform this buffer reset for two of the defined commands, which has now been found to have enabled the flaw.

If an attacker wants to take advantage of the VENOM vulnerability, they could instigate an attack by renting out space on a cloud hosting provider to get a suitable account and then access this service through a guest VM. They could then exploit this vulnerability by sending one of the two commands that are known to trigger the vulnerability along with specially crafted data parameters to the Floppy Disk Controller, causing a buffer overflow. If the exploit is successful, the attackers could cause the system to run arbitrary code. This would allow the attacker to perform any action they wish, including stealing data or downloading and running other code not only on their own VM, but on any other VM hosted on the same system.

There is already a lot of hype suggesting that VENOM is even “bigger than Heartbleed,” but this is not likely to be the case in terms of scale, at least. The Heartbleed vulnerability affected the OpenSSL library, which is one of the most commonly used implementations of the Secure Sockets Layer (SSL) and TLS Transport Layer Security (TLS) cryptographic protocols. Heartbleed affected a huge number of websites, applications, servers, virtual private networks, and network appliances. Meanwhile, VENOM only affects virtualization systems that specifically use QEMU’s Floppy Disk Controller and does not impact some of the most widely used VM platforms.

Users should check with their cloud providers to see if they have released a patch for the VENOM vulnerability. Administrators of VM systems who rely on Xen, KVM, or the native QEMU client should apply the VENOM patches as soon as possible.

Related posts

Canon India with JIM enhances its Training Program Under Skill India Initiative


IFS to acquire Copperleaf


Navigating the Deepfakes Challenge with Proactive measures