A recently discovered software bug known as "Venom" could give criminal hackers access to business data stored in the cloud or on in-house systems.
But the scope of the problem has been the subject of some debate in the security community since the flaw was revealed. Early media reports on the bug described it as similar in size to last year’s massive Heartbleed flaw, a bug in multiple versions of a software program used widely to encrypt Internet communications.
Many experts, however, have dismissed outright any comparisons to Heartbleed and have noted that impressions about the severity of the bug are based largely on vendor-driven hype.
The vulnerability was discovered by the security firm CrowdStrike and was revealed this week along with the name, which stands for Virtualized Environment Neglected Operations Manipulation. Like the Heartbleed bug, Venom also has its own logo – fittingly this one is a cobra.
The flaw can be found within software tools used by businesses to "virtualize" hardware environments – a way for organizations to carve out multiple, independent virtual machines inside a single, larger computer. Tech giants such as Amazon, Google, and Microsoft offer virtualization services to host applications and data belonging to multiple customers on single physical systems.
Venom gives attackers a way of worming their way through the virtual environment and into the applications and data running on all the virtual machines hosted on a system, thereby undermining one of the core security tenets of cloud computing and of virtualization.
The bug is present in numerous virtualization platforms and appliances such as Xen, KVM, and emulation software from QEMU. Amazon is a big user of Xen and is one of the largest cloud service providers in the world. But in an advisory issued Wednesday, Amazon said its services were not affected. Major virtualization tools such as VMware, Microsoft Hyper-V, and Bochs are also not impacted.
While the discovery of a vulnerability of this scale is indeed troubling, there are no known cases yet of it being used in an attack. What's more, the flaw is not easy for a hacker to use for nefarious purposes.
Assessing the severity of the flaw is really about perspective, according to the security firm Symantec.
“If your system is vulnerable and you have a lot of critical services running on it with plenty of sensitive data, then an attack could be devastating,” the company said in a blog post. At the same time, Venom is nowhere near as widespread a problem as Heartbleed was in terms of scope, the company wrote.
“Venom is locally serious and could allow an attacker to do much more than Heartbleed,” it said. “But the number of vulnerable systems is much smaller, making it a less serious problem in the greater scheme of things.”
CrowdStrike discovered the flaw within the code for controlling a virtual floppy disk drive that is present in many virtualization platforms.
Floppy disks were once the standard for storing data but have been obsolete for several years. Even so, code pertaining to the drive is still present in QEMU and in multiple virtualization platforms including Xen and KVM, two popular open-source virtualization technologies.
Perhaps one of the most pressing risks associated with the bug is that it could give an attacker a way to access the physical systems that host virtual machines, says Dan Kaminsky, chief scientist of White Ops, a security firm. That is never supposed to happen with such systems and represents a major security problem, he says.
What makes the bug especially dangerous is that virtual infrastructures are much more difficult to patch and fix than normal network equipment, says Mr. Kaminsky.
Another seasoned security researcher, Robert Graham of Errata Security, described Venom as the perfect bug for a spy agency such as the National Security Agency. An attacker could use it to access a system and read the memory of other hosted virtual machines – and do it virtually undetected.
Items such as Bitcoin wallets, RSA encryption keys, and passwords can easily be found searching through memory, Mr. Graham wrote in a blog post. "Once you've popped the host, reading memory of other hosted virtual machines is undetectable."