{"id":4838,"date":"2015-05-20T07:02:44","date_gmt":"2015-05-20T11:02:44","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4838"},"modified":"2019-11-15T15:24:35","modified_gmt":"2019-11-15T11:24:35","slug":"venom-virtualization-vulnerability","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/venom-virtualization-vulnerability\/4838\/","title":{"rendered":"All you need to know about VENOM virtualization vulnerability"},"content":{"rendered":"<p>Much has been said about\u00a0<a href=\"https:\/\/threatpost.com\/venom-flaw-in-virtualization-software-could-lead-to-vm-escapes-data-theft\/112772\" target=\"_blank\" rel=\"noopener nofollow\">the VENOM vulnerability<\/a>, the latest in an increasingly long line of bugs affecting vast swaths of the Internet. It\u2019s an old-school bug of the relatively new-age phenomenon of virtualization.<\/p>\n<p>Virtual machines are independently operational computers within computers. The so-called cloud is merely a vast network of virtual machines. An attacker could exploit VENOM in order to escape one virtualized environment and run code in another.<\/p>\n<p>Some of the more enthusiastic, or perhaps sensational, journalists have called VENOM more impactful than the now-infamous Heartbleed OpenSSL vulnerability. However, I think the best response came from noted security researcher,\u00a0<a href=\"https:\/\/twitter.com\/dakami\" target=\"_blank\" rel=\"noopener nofollow\">Dan Kaminsky<\/a>.<\/p>\n<p>\u201cI think that we\u2019ve really lost something when we move to these linear rankings of bug versus bug,\u201d Kaminsky told Dennis Fisher on\u00a0<a href=\"https:\/\/threatpost.com\/dan-kaminsky-on-venom\/112810\" target=\"_blank\" rel=\"noopener nofollow\">Threatpost\u2019s Digital Underground podcast<\/a>. \u201cThis isn\u2019t Iron Man versus Captain America. 
This isn\u2019t the freaking Avengers; this is science.\u201d<\/p>\n<p>Such is the nature of the security industry today when every major bug is assigned a unique, hashtag-ready name, has its own logo and a public relations team crowning it the worst vulnerability ever.<\/p>\n<p>\u201cBad bugs happen,\u201d Kaminsky explained later on in the podcast. \u201cThey\u2019re still bad, but we go ahead and deal with them\u2026 It was a big problem. We went ahead and we fixed it. Things were a lot worse; we privately went around and did everything we could on a private scale and now we\u2019re talking about it publicly to get the rest of the stuff. That\u2019s what we do. That\u2019s the game we play.\u201d<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/VENOM?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#VENOM<\/a> Flaw in <a href=\"https:\/\/twitter.com\/hashtag\/Virtualization?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Virtualization<\/a> Software Could Lead to VM Escapes, Data Theft \u2013  <a href=\"https:\/\/t.co\/p2CXHhX6Gb\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/p2CXHhX6Gb<\/a><\/p>\n<p>\u2014 Threatpost (@threatpost) <a href=\"https:\/\/twitter.com\/threatpost\/status\/598481978577543168?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 13, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This is not to downplay the severity of VENOM, because\u00a0<a href=\"https:\/\/threatpost.com\/venom-flaw-in-virtualization-software-could-lead-to-vm-escapes-data-theft\/112772\" target=\"_blank\" rel=\"noopener nofollow\">it is quite severe<\/a>. Virtualization and virtual machines play an increasingly critical and important role in the modern Internet. 
Virtual machines enable cloud-computing, which our service providers rely on more now than ever, mainly because it\u2019s cheaper to buy virtual space from, say, Amazon than it is to run your own server farm. In this way, an able attacker could buy space from a cloud server provider, escape the virtual environment he paid for, and move into any other virtual machine operating under the same host.<\/p>\n<p>Beyond that, this bug could have an impact on malware testers too. Most malware analysts intentionally infect virtual machines with malware. From there, they can examine how the malware works in a safe, quarantined environment. VENOM has the potential to let that malware move out of the quarantine environment and into other, connected computing spaces.<\/p>\n<p>As mentioned above, the bug is an old one. In fact, it exists in the virtual floppy disk controller component that is included in a number of popular virtualization platforms. That\u2019s right: floppy disks. 
Feel free to let us know in the comments the last time you used one of those, let alone saw a floppy disk drive on a usable computer.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"qme\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/micahflee?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@micahflee<\/a> <a href=\"http:\/\/t.co\/bZWwbxgiN7\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/bZWwbxgiN7<\/a><\/p>\n<p>\u2014 Yael @yaelwrites@mastodon.social (@yaelwrites) <a href=\"https:\/\/twitter.com\/yaelwrites\/status\/598660712588648448?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 14, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In an interview published before the podcast, Kaminsky told Threatpost\u2019s Fisher that VENOM is something of a pay-to-play bug. An attacker can buy cloud space from a provider and then exploit VENOM to gain local privilege within the cloud-space of a target using the same provider. Certain cloud companies, he explained, offer enhanced hardware isolation at a premium. 
He claims it\u2019s worth paying this premium in order to outbid potential attackers.<\/p>\n<p>VENOM, which, for what it\u2019s worth, stands for Virtualized Environment Neglected Operations Manipulation,\u00a0<a href=\"http:\/\/blog.crowdstrike.com\/venom-vulnerability-details\/\" target=\"_blank\" rel=\"noopener nofollow\">was discovered<\/a>\u00a0by\u00a0<a href=\"https:\/\/twitter.com\/JasonGeffner\" target=\"_blank\" rel=\"noopener nofollow\">Jason Geffner<\/a>, a senior security researcher at CrowdStrike.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Full technical details of VENOM (CVE-2015-3456) vulnerability now live on CrowdStrike's official blog \u2013 <a href=\"http:\/\/t.co\/Pmp6u7mTp3\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/Pmp6u7mTp3<\/a><\/p>\n<p>\u2014 Jason Geffner (@JasonGeffner) <a href=\"https:\/\/twitter.com\/JasonGeffner\/status\/599313376825643008?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 15, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>There isn\u2019t really anything we, the users, can do to protect ourselves here \u2013 as is so often the case \u2013 other than to hope that our cloud service and other virtualization providers fix the problem as soon as possible. The good news is twofold. 
Firstly, most affected vendors have already issued a patch for the problem and secondly, a new proof-of-concept has illustrated that VENOM is actually\u00a0<a href=\"https:\/\/threatpost.com\/several-factors-mitigate-venoms-utility-for-attackers\/112841\" target=\"_blank\" rel=\"noopener nofollow\">harder to exploit than experts initially thought<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Several factors mitigate the <a href=\"https:\/\/twitter.com\/hashtag\/Venom?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Venom<\/a> bug's utility \u2013 <a href=\"http:\/\/t.co\/eiT6AYVsgG\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/eiT6AYVsgG<\/a> <a href=\"http:\/\/t.co\/ksUpvwvrOS\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/ksUpvwvrOS<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/600300024686374913?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 18, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>From the perspective of the everyday Internet user, I think the real lesson here is to realize just how ubiquitous virtualization is online in 2015.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Much has been said about\u00a0the VENOM vulnerability, the latest in an increasingly long line of bugs affecting vast swaths of the Internet. 
It\u2019s an old-school bug of the relatively new-age<\/p>\n","protected":false},"author":42,"featured_media":4857,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[996,779,97,997,998,610],"class_list":{"0":"post-4838","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-bug","9":"tag-cloud-services","10":"tag-security-2","11":"tag-venom","12":"tag-virtualization","13":"tag-vulnerability"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/venom-virtualization-vulnerability\/4838\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/venom-virtualization-vulnerability\/3394\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/venom-virtualization-vulnerability\/5353\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/venom-virtualization-vulnerability\/5777\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/venom-virtualization-vulnerability\/6099\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/venom-virtualization-vulnerability\/6082\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/venom-virtualization-vulnerability\/7803\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/venom-virtualization-vulnerability\/8743\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/venom-virtualization-vulnerability\/7658\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/venom-virtualization-vulnerability\/7803\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/venom-virtualization-vulnerability\/8743\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/venom-virtualization-vulnerability\/8743\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/bug\/","name":"bug"},"_links":{"self":[{"href":"https:\/\/
me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4838","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4838"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4838\/revisions"}],"predecessor-version":[{"id":14959,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4838\/revisions\/14959"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4857"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}