Before It Strikes: 6 Things You Need To Know About VENOM Vulnerability

Very Venomous Vulnerability

The latest vulnerability making waves in the security space is Virtualized Environment Neglected Operations Manipulation, or VENOM. Discovered by CrowdStrike, the "critical" vulnerability has drawn many comparisons to the notorious Heartbleed vulnerability for its wide reach.

Here are six things you need to know about this potential danger.

It Affects Virtual Machines

The source of VENOM stems from the virtual floppy disk controller that is included in QEMU, a generic open source processor emulator and virtualizer. QEMU allows operating systems and applications written for one platform to be run on another. According to the QEMU open source project, QEMU offers "very good performance" with dynamic translation, as well as "near native performance" with virtual machines.

QEMU is used by the Xen and KVM hypervisors on Linux.

How VENOM Works

VENOM could work by letting an attacker running a virtual machine in a virtualized or cloud environment escape its virtual machine guest and "obtain code-execution access to the host," according to CrowdStrike. From there it could open up access to the host system and all other virtual machines on that host, and potentially to the host's network and other systems.

That, according to CrowdStrike, could lead to unauthorized access of corporate intellectual property and personally identifiable information stored in other virtual machines.

Wait ... Floppy Disks?

Although floppy disk drives haven't been sold with new PCs for years, and floppy disk use is limited to very old machines or in certain legacy equipment, QEMU has had a virtual floppy disk controller since 2004 as part of an effort to emulate as much of a PC system as possible.

CrowdStrike said that administrators in Xen and QEMU environments can disable the virtual floppy drive, but an unrelated bug "causes the vulnerable FDC code to remain active and exploitable by attackers."

Who Should Be Concerned

CrowdStrike warns that the QEMU virtual floppy disk controller is used in several virtualization environments, including Xen, KVM and the native QEMU client. The reason VENOM is not an issue in VMware or Microsoft Hyper-V virtualized environments or in Bochs-based IBM PC emulators is that they do not use QEMU.

"Since the VENOM vulnerability exists in the hypervisor's codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, etc.)," CrowdStrike wrote.

However, VENOM is not that easy to exploit, CrowdStrike wrote, because an attacker or malware would need guest operating system administrative or root privileges to wreak havoc.

Patch Available

A patch for the vulnerability is now available. Once the bug was discovered, CrowdStrike said in a blog post, the company worked with the maintainers of QEMU and other hypervisor and operating system vendors to coordinate a patch. CrowdStrike recommends that all users with vulnerable machines update their systems with the patch, as even those who don't use their virtual floppy drive or have it disabled could be vulnerable, because the code the vulnerability affects is still active.

A list of available patches for different vendor systems is available on the CrowdStrike vulnerability page.
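Because disabling the floppy drive does not remove the affected FDC code, the practical question for a host administrator is simply which VMs are backed by QEMU's device model at all. The following triage helper is an added example, not code from CrowdStrike or the QEMU project; it scans constructed hypervisor process command lines, reports whether a floppy is attached, and marks every QEMU-backed VM as in scope for patching regardless. The binary names it matches and the sample listing are assumptions for illustration.

```python
import re
import shlex

# Process names that embed QEMU's device model (QEMU itself, KVM's qemu-kvm
# wrapper, Xen's qemu-dm). Illustrative assumption, not an exhaustive list.
QEMU_BINARY = re.compile(r"(?:^|/)(?:qemu-system-[\w-]+|qemu-kvm|qemu-dm)$")

def floppy_configured(args):
    """True if the command line attaches a floppy via -fda/-fdb,
    -drive if=floppy, or an explicit floppy/isa-fdc device."""
    for i, arg in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if arg in ("-fda", "-fdb"):
            return True
        if arg == "-drive" and "if=floppy" in nxt.split(","):
            return True
        if arg == "-device" and nxt.split(",")[0] in ("floppy", "isa-fdc"):
            return True
    return False

def triage(cmdline):
    """Return a finding for a QEMU-backed VM, or None if the process is
    not QEMU-based (VMware, Hyper-V and Bochs do not use QEMU's FDC)."""
    args = shlex.split(cmdline)
    if not args or not QEMU_BINARY.search(args[0]):
        return None
    name = args[args.index("-name") + 1] if "-name" in args[:-1] else "<unnamed>"
    return {
        "vm": name,
        "floppy": floppy_configured(args),
        # Omitting or disabling the floppy does not remove the FDC code path,
        # so every QEMU-backed VM stays in scope until the host is patched.
        "needs_patch": True,
    }

def triage_all(lines):
    """Apply triage() to a process listing and keep only QEMU-backed VMs."""
    return [f for f in map(triage, lines) if f is not None]

# Constructed sample process listing (not real hosts).
SAMPLE_PS = [
    "/usr/bin/qemu-system-x86_64 -name web01 -m 2048 -fda /var/lib/images/boot.img",
    "/usr/libexec/qemu-kvm -name db01 -m 4096 -drive file=/var/lib/images/db01.qcow2,if=virtio",
    "/usr/lib/xen/bin/qemu-dm -d 3 -name legacy -device isa-fdc,driveA=fd0",
    "/usr/sbin/sshd -D",
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_PS):
        print(finding)
```

On a real host the input would be the output of `ps -eo args` rather than the constructed list; db01 has no floppy yet is still reported as needing the patch, which is the article's point.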

Is This As Bad As Heartbleed?

Security experts said that, while it is potentially serious and broad-reaching, the publicity around the VENOM vulnerability helped mitigate some of its danger, as it allowed security professionals to patch systems and get ahead of attackers. Heartbleed also had many known exploits, while there are no known exploits of VENOM at this point.

"I do not see it on the same level. Heartbleed was so bad because it was a vulnerability discovered in one of the most commonly used applications for servers and had been for many years," Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said in an email. "VENOM doesn't come close to that kind of potential damage since the target group is so small and every minute it is shrinking as more systems get patched."