‘Venom’ – a word which conjures images of deadly coiled snakes about to strike; a word associated with viciousness, infection, lethality and destruction. No one can deny the linguistic power of ‘venom’, but does that same power and deadly meaning apply to the newly discovered Venom vulnerability?
The Venom vulnerability (CVE-2015-3456) allows an attacker to escape a guest virtual machine (VM) and access the host system, along with the other VMs running on that host.
The bug lives in the virtual Floppy Disk Controller (FDC) of the open-source hypervisor QEMU; it could potentially let attackers steal sensitive data from any of the virtual machines on the system and gain elevated access to the host’s local network and its systems.
Since its discovery, the industry has been anything but quiet in comparing it to the notorious Heartbleed bug. To see whether the hype is justified, and to gain insights into how to fight this vulnerability, CBR has turned to the security frontline, asking 10 experts for their reaction and advice.
VENOM Vulnerability Explained
1. A rare and powerful bug
Rapid7’s Tod Beardsley, technical lead for the Metasploit Framework, said:
"As of this moment, no one has released public proof of concept code to demonstrate the reported VENOM bug, so we’re left with some measure of speculation as to whether or not this is as "easily" exploitable as suggested. However, the advisory from Crowdstrike does give a pretty solid hint of where to look to rediscover the VENOM issue.
"It’s important to note that while this vulnerability is technically local-only, successful exploitation leads to breaking out of a guest OS to the host OS. This circumstance leads me to believe that VENOM is an "interesting" bug to the sorts of people who do exploit research for a living. To be able to break out of a guest OS to a host OS is a rare and powerful ability, and such bugs are uncommon. Given this incentive of interestingness, I would expect to see a public proof of concept exploit appear sooner rather than later."
2. Serious, but not Heartbleed serious
Karl Sigler, threat intelligence manager at Trustwave, said:
"It’s serious, but not Heartbleed serious. There are no known in-the-wild attacks and a patch is available.
"The virtualisation products it does affect are popular (Xen, KVM, QEMU, and VirtualBox), but the absence of VMware and Microsoft as affected eases the blow in a lot of cases.
"In order to exploit this vulnerability an attacker would require access to an existing virtual machine. In other words, this attack can’t be pulled off remotely. Most corporate virtual environments are isolated from anonymous or public access and would be immune to attack. In this regard the attack is very similar to a Privilege Escalation attack where the attacker requires an initial foothold before exploitation."
3. Avenue for corporate espionage
Chris Eng, vice president of research at Veracode, said:
"The news of the VENOM vulnerability is concerning in breadth – similar to what we saw with Heartbleed in terms of the number of products affected. However, the severity of this zero-day is not nearly as alarming for a few reasons.
"First, there is little chance of mass exploitation; any exploit created around VENOM would have to be tailored against a specific target environment. Second, the attacker would have to already be on the target system to get at the vulnerability – certainly not impossible in a public cloud environment but nevertheless a complicating factor. Lastly, there isn’t currently a publicly available exploit, and creating one would require a non-trivial amount of effort.
"While exploiting a vulnerability like Heartbleed allows an attacker to probe millions of systems, VENOM simply wouldn’t be exploitable at the same scale. Vulnerabilities like VENOM are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyber warfare or the like."
4. The prognosis is positive
Chris Oakley, Principal Security Consultant at Nettitude, said:
"It remains to be seen exactly how widespread an impact this will have, but the prognosis is looking relatively positive. There is currently no public exploit code available and there is no known example of this vulnerability being exploited in the wild.
"Additionally, all of the affected major cloud companies have confirmed that they have patched Venom or are unaffected by it."
Beating the bug
5. Have a strong relationship with your supplier
Paul McEvatt, Senior Cyber Threat Intelligence Manager at Fujitsu, said:
"The news of the Venom vulnerability has again reinforced the scale of the threat landscape. Security threats are rapidly evolving and this is not the "quick fire attack" of old. This advanced and unique bug brings fresh security risks to the table with businesses’ third party cloud and virtual private servers now the area of concern.
"Businesses must feel confident in the security and protection they have in place in order to deliver the services required to their customers. To do this effectively they need to hold a strong relationship with their suppliers and focus on what’s important to them when it comes to the related threats which will have the most impact.
"Customer security is front of mind for all third-party suppliers. If a business holds a system that contains the affected software, its first step must be to speak with its supplier and quickly apply the necessary patches."
6. Control the admins!
Chris Pace, Head of Product Marketing at Wallix, said:
"The biggest concern here is not that some technology has a vulnerability; we know that’s a fact of life. It is that this is another situation where exploits, hackers, insiders or targeted malware all need administrative or root privileges to do damage or gain access to more data.
"Organisations that are doing a good job of managing the use and security of privileged accounts will be able to respond to something like this much more operationally and without as much reliance on their datacentre provider.
"However, evidence would suggest that many businesses do not have a handle on managing the access of admins and super-users to data and infrastructure, i.e. those with the login details to anonymously log on and gain complete control over the target system, with full access to all information and infrastructure.
"The security threat posed by insiders was recently highlighted in a survey for the Department for Business Innovation & Skills conducted by PWC in which it was found that 30% of the most damaging data breaches were as a result of those inside the company."
7. Protect the virtualisation layer
Wolfgang Kandek, CTO of Qualys, said:
"I see this attack as a reminder that the virtualisation layer within a cloud implementation can have its own issues, and that protecting that layer is essential for service providers.
"Security researchers continue to investigate virtualisation software and I am sure more issues will be found over time. It’s therefore important to check these layers within the computing stack for issues, and protect against any potential threat."
8. Look at the bigger picture
Andrew Rubin, CEO and founder at Illumio, said:
"Venom, Heartbleed and the many other computer vulnerabilities causing breaches are just symptoms of a bigger problem — static, perimeter-centric security strategies are no longer working with enterprise’s dynamic, virtualized computing environments.
"Truly securing the whole data center requires a new security approach — one that secures every workload instance and automatically adapts to changes in the computing environment to provide persistent protection. We need a shift in the industry to focus security strategies that reduce the attack surface.
"When you reduce the real estate that the hackers have the ability to move in, enterprises have a higher probability of containing threats such as VENOM just by virtue of having less attack space to monitor."
9. Build a cybersecurity arsenal – don’t rely on a single silver bullet
Dr Guy Bunker, CTO at Clearswift, said:
"As with all good security, organisations need to look for a defence in depth strategy, concentrating on keeping the bad stuff out, ensuring that there is only good stuff inside and keeping the critical information safe and not letting that out. Comprehensive security is not about a single silver bullet, it is about an arsenal.
"In the case of Venom there is a patch available for the VMs today – and it’s worth finding out if your provider is applying the patch and how soon. However, the odds are this won’t be the last of it. As with Heartbleed, the notification of one flaw led to further investigations which led to finding more.
"Unfortunately for the CIO, the cyber-attacker only has to get it right once, whereas they need to get it right all the time."
10. Nowhere to hide
John Worrall, CMO at CyberArk, said:
"Moving to cloud and virtualised environments results in the creation of new and often unmanaged privileged credentials. These powerful accounts act in the same manner as their on-premises counterparts. When an attacker gains privileged access, they exploit it to anonymously survey a company’s security posture, often for months at a time.
"With this knowledge, they can easily execute their attacks undetected, whether it’s exfiltrating information as part of an espionage campaign, implanting malware as part of a financially motivated attack, or simply destroying a company’s ability to do business, as was done to Sony Pictures.
"Privileged exploitation is the most critical step in the advanced attack cycle. There is no safe haven from privileged compromise in the face of motivated attackers, which is why businesses need to identify, secure and monitor all privileged account activity, whether on-premises or in cloud and virtualised environments."