Updated at 8:30 AM PST. A security researcher has discovered a new vulnerability that he claims could allow a hacker to infiltrate potentially every machine on a datacenter’s network, leaving millions of virtual machines vulnerable to attack. According to CrowdStrike Senior Security Researcher Jason Geffner, ‘VENOM’ (CVE-2015-3456), which is an acronym for “Virtual Environment Neglected Operations Manipulation,” is a vulnerability that exists in the floppy disk controller driver for QEMU, an open-source computer emulator known as a hypervisor that is used for managing virtual machines. VENOM’s severity rests with the fact that attackers can overload one of the data structures used for communication by the faulty driver with too much data. This potentially allows attackers to crash the hypervisor, gain control of the physical computer and all virtual machines running on it, and possibly even access the network to which the physical computer is connected. The vulnerable section of QEMU’s code has been integrated into other virtualization platforms, including Xen, Kernel-based Virtual Machine (KVM), and Oracle VM, potentially leaving hundreds of thousands if not millions of virtual machines susceptible to attacks that exploit the VENOM bug. Other hypervisors, including VMware, Microsoft Hyper-V, and Bochs, are not affected. "Potentially high-impact vulnerabilities can live almost anywhere, as we are discovering," says Tripwire senior security analyst Ken Westin. "This latest vulnerability, although potentially dangerous, does not affect one of the biggest Xen users, Amazon Web Services, as they have a pretty heavily customized version of Xen that is used in their environments," explained Westin. Cloud providers like Amazon have also developed a robust and rapid process for deploying fixes for vulnerabilities once they hit across their environments, he added.
"High-impact vulnerabilities, such as Heartbleed and Shellshock, are going to be the new normal, and they can appear in your software or hardware stack."
Westin suggests the most important thing organizations can do to get ahead of these prolific vulnerabilities is to take an inventory of their hardware and software assets, and be able to quickly identify what systems are at risk. This should speed up the remediation process, hopefully before exploits are released into the wild, said Westin. CrowdStrike has been working with software vendors to develop a patch for the vulnerability, which will be released on Thursday, May 14. The security firm will not be publicly releasing a proof of concept exploit code, however.
