'Venom' Vulnerability: Serious Computer Bug Shatters Cloud Security Security researchers have discovered a critical flaw that allows attackers to move freely across virtual machines.

By Robert Hackett

This story originally appeared on Fortune Magazine

venom.crowdstrike.com | Enhanced by Entrepreneur
VENOM - Virtualized Environment Neglected Operations Manipulation

Inside some data center miles away, a portion of your cloud-hosted network may be running on the same system as someone else's.

Normally, this isn't a problem. So-called virtual machines—basically, computers simulated within other computers—prevent networks on the same machine from impacting one another. They're an efficient way to manage large amounts of computing resources while, presumably, keeping them isolated and secure.

That's not the whole story though, say researchers at the Irvine, Calif.-based security firm CrowdStrike. It turns out that an attacker can burst out of certain virtual machines and manipulate whatever's running adjacently, thus shattering the notion that these vessels have hard and fast, protective boundaries.

"This destroys the isolation myth that you can have something run a virtual machine and have it be isolated from everything else," says Jason Geffner, the senior security researcher at CrowdStrike who uncovered the flaw. "This bug lets you escape a container and get into all other containers."

On Wednesday morning, Geffner's team announced its discovery of a zero-day vulnerability, meaning a previously unknown computer bug, within a common virtual machine platform. The bug, dubbed Venom for "virtualized environment neglected operations manipulation," affects a technology, known technically as a hypervisor, that controls and coordinates the virtual machines running on a system.

The vulnerability specifically affects the decade-old free and open source hypervisor called Quick Emulator (QEMU), which is used in a number of common virtualization products including Xen hypervisors, KVM (or "kernel-based virtual machine"), Oracle VM VirtualBox, and the native QEMU client. The popular products of EMC-owned VMWare and Microsoft Hyper-V, on the other hand, are not affected.

Various security products also rely on the vulnerable technology to isolate and inspect malware—a potentially dangerous proposition given that certain virtual machines can, as now shown, leak.

"Even if you don't use these services directly, chances are that accounts which store your personal data run these products," Geffner says. In fact, CrowdStrike estimates that the bug could put thousands of organizations and millions of users at risk.

"With Venom, you're able to break out of a virtual machine on a system and get access to other data on that system's network," Geffner says, adding that attackers can use it to "execute whatever code they like" by overwriting critical parts of a machine's memory.

What does that mean exactly? To use a more familiar analogy: Picture an apartment building. That represents a cloud server, for our purposes. Now picture the apartments contained within that apartment building. These represent virtual machines. While different apartments may share resources such as water, electricity, heating, and gas—all managed, in this case, by a cloud infrastructure provider—all are locked and unable to access each other.

What Geffner has found, effectively, is a backdoor: a shared key that unlocks any apartment.

Dmitri Alperovitch, the chief technology officer and co-founder of CrowdStrike, says it's a particularly bad bug. He compares Venom to other recently discovered vulnerabilities with high profiles such as "heartbleed" and "shellshock," and says, "this is potentially much worse," given just how much an attacker can compromise. Unlike those other bugs, he says, Venom tends to run on systems that have root level access, or heightened administrative privileges, which gives an attacker full access to an entire system, rather than just a single application.

"If the impact of heartbleed is akin to someone being able to walk up to your house and look through the window, and shellshock let's them get inside the house and take out the TV," Alperovitch says, "with venom someone can not only get inside your house and take the TV, they can also take your safe, steal your jewelry, and get into the neighbor's house."

Interestingly, Venom affects an almost entirely unused component of the QEMU hypervisor: its floppy disk controller. (In order to make virtual machines act enough like physical machines and have operating systems run on them, they require code that can speak to all parts of an actual system, even what may seem like outdated artifacts.) The vulnerability appears to have slipped through the cracks as no one was focusing on the security of that neglected area.

Dan Kaminsky, a security researcher and co-founder and chief scientists of the security firm White Ops, who was consulted about the bug during CrowdStrike's period of responsible disclosure beginning in late April, plays it a little cooler. "These happen from time to time," he says. "It's not the first and it won't be the last."

Pressed on what similar vulnerabilities predate Venom, Kaminsky demurs. "None that can speak of publicly." He pauses. Then qualifies his assessment by adding a superlative: "This is the most generic of these bugs that I've seen."

"Everyone sort of absorbed this bug and no one thought to audit it," he says. That's why, he says, it's important to hunt for bugs in non-obvious places. His advice for everyone right now? In the short-term, he says, "if your system doesn't auto-patch, you need to go patch it today. If it needs to be rebooted, it needs to be rebooted today."

In the longer term, he advises that people should, whenever possible, tell their cloud providers that they only want to share workflow with other people in their domain or company. Isolate your hardware to yourself. "If you have this sort of bug that can jump from their little piece of a server to your little piece of a server," Kaminsky says, "the best way to avoid that is to not have anyone else on your server."

"It costs more," he says, "but you're basically outbidding your attackers."

Geffner says CrowdStrike has notified all the major software vendors that use this vulnerable QEMU code, and has worked with them to close their holes. He has not seen the bug exploited in the wild so far, though that may change now that the news has gone public.

"My hope and expectation is that the good guys are able to patch their systems before the bad guys get access to it," Geffner says.

Robert Hackett is a writer at Fortune, writing frequently about technology.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Science & Technology

From Silicon Valley to Everywhere — How AI Is Democratizing Innovation and Entrepreneurship

AI is no longer just a tool for big corporations — it's a global equalizer, empowering entrepreneurs from every corner of the world to innovate, scale and compete like never before.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business News

'Enormous Chaos and Confusion': Do You Need to File a BOI Report? After Another New Ruling, Here's What Business Owners Need to Know.

Failing to file the report could cost small businesses $591 per day—if you even have to file it at all.

Franchise

5 Benefits of 'Ick' Franchise Industries

What makes "ick" franchise industries so valuable? As a franchise consultant of many years, I've learned is that there is real value in everyday essential industries that, if given the chance, have real material benefits that just might be the right fit for your goals.

Data & Recovery

Portable, Durable, and Fast: the Dual-USB Flash Drive Every Entrepreneur Needs

Streamline your data management with this drive's 1TB of storage and speedy file transfers.

Data & Recovery

Join the Highest-Growing Industry in 2025 With This $60 Cybersecurity E-Learning Bundle

You could land your dream job as a cloud security specialist, ethical hacker, or security analyst.