Black Friday Sale! 50% Off All Access

'Venom' Vulnerability: Serious Computer Bug Shatters Cloud Security Security researchers have discovered a critical flaw that allows attackers to move freely across virtual machines.

By Robert Hackett

Entrepreneur+ Black Friday Sale

Our biggest sale — Get unlimited access to Entrepreneur.com at an unbeatable price. Use code SAVE50 at checkout.*

Claim Offer

*Offer only available to new subscribers

This story originally appeared on Fortune Magazine

venom.crowdstrike.com | Enhanced by Entrepreneur
VENOM - Virtualized Environment Neglected Operations Manipulation

Inside some data center miles away, a portion of your cloud-hosted network may be running on the same system as someone else's.

Normally, this isn't a problem. So-called virtual machines—basically, computers simulated within other computers—prevent networks on the same machine from impacting one another. They're an efficient way to manage large amounts of computing resources while, presumably, keeping them isolated and secure.

That's not the whole story though, say researchers at the Irvine, Calif.-based security firm CrowdStrike. It turns out that an attacker can burst out of certain virtual machines and manipulate whatever's running adjacently, thus shattering the notion that these vessels have hard and fast, protective boundaries.

"This destroys the isolation myth that you can have something run a virtual machine and have it be isolated from everything else," says Jason Geffner, the senior security researcher at CrowdStrike who uncovered the flaw. "This bug lets you escape a container and get into all other containers."

On Wednesday morning, Geffner's team announced its discovery of a zero-day vulnerability, meaning a previously unknown computer bug, within a common virtual machine platform. The bug, dubbed Venom for "virtualized environment neglected operations manipulation," affects a technology, known technically as a hypervisor, that controls and coordinates the virtual machines running on a system.

The vulnerability specifically affects the decade-old free and open source hypervisor called Quick Emulator (QEMU), which is used in a number of common virtualization products including Xen hypervisors, KVM (or "kernel-based virtual machine"), Oracle VM VirtualBox, and the native QEMU client. The popular products of EMC-owned VMWare and Microsoft Hyper-V, on the other hand, are not affected.

Various security products also rely on the vulnerable technology to isolate and inspect malware—a potentially dangerous proposition given that certain virtual machines can, as now shown, leak.

"Even if you don't use these services directly, chances are that accounts which store your personal data run these products," Geffner says. In fact, CrowdStrike estimates that the bug could put thousands of organizations and millions of users at risk.

"With Venom, you're able to break out of a virtual machine on a system and get access to other data on that system's network," Geffner says, adding that attackers can use it to "execute whatever code they like" by overwriting critical parts of a machine's memory.

What does that mean exactly? To use a more familiar analogy: Picture an apartment building. That represents a cloud server, for our purposes. Now picture the apartments contained within that apartment building. These represent virtual machines. While different apartments may share resources such as water, electricity, heating, and gas—all managed, in this case, by a cloud infrastructure provider—all are locked and unable to access each other.

What Geffner has found, effectively, is a backdoor: a shared key that unlocks any apartment.

Dmitri Alperovitch, the chief technology officer and co-founder of CrowdStrike, says it's a particularly bad bug. He compares Venom to other recently discovered vulnerabilities with high profiles such as "heartbleed" and "shellshock," and says, "this is potentially much worse," given just how much an attacker can compromise. Unlike those other bugs, he says, Venom tends to run on systems that have root level access, or heightened administrative privileges, which gives an attacker full access to an entire system, rather than just a single application.

"If the impact of heartbleed is akin to someone being able to walk up to your house and look through the window, and shellshock let's them get inside the house and take out the TV," Alperovitch says, "with venom someone can not only get inside your house and take the TV, they can also take your safe, steal your jewelry, and get into the neighbor's house."

Interestingly, Venom affects an almost entirely unused component of the QEMU hypervisor: its floppy disk controller. (In order to make virtual machines act enough like physical machines and have operating systems run on them, they require code that can speak to all parts of an actual system, even what may seem like outdated artifacts.) The vulnerability appears to have slipped through the cracks as no one was focusing on the security of that neglected area.

Dan Kaminsky, a security researcher and co-founder and chief scientists of the security firm White Ops, who was consulted about the bug during CrowdStrike's period of responsible disclosure beginning in late April, plays it a little cooler. "These happen from time to time," he says. "It's not the first and it won't be the last."

Pressed on what similar vulnerabilities predate Venom, Kaminsky demurs. "None that can speak of publicly." He pauses. Then qualifies his assessment by adding a superlative: "This is the most generic of these bugs that I've seen."

"Everyone sort of absorbed this bug and no one thought to audit it," he says. That's why, he says, it's important to hunt for bugs in non-obvious places. His advice for everyone right now? In the short-term, he says, "if your system doesn't auto-patch, you need to go patch it today. If it needs to be rebooted, it needs to be rebooted today."

In the longer term, he advises that people should, whenever possible, tell their cloud providers that they only want to share workflow with other people in their domain or company. Isolate your hardware to yourself. "If you have this sort of bug that can jump from their little piece of a server to your little piece of a server," Kaminsky says, "the best way to avoid that is to not have anyone else on your server."

"It costs more," he says, "but you're basically outbidding your attackers."

Geffner says CrowdStrike has notified all the major software vendors that use this vulnerable QEMU code, and has worked with them to close their holes. He has not seen the bug exploited in the wild so far, though that may change now that the news has gone public.

"My hope and expectation is that the good guys are able to patch their systems before the bad guys get access to it," Geffner says.

Robert Hackett is a writer at Fortune, writing frequently about technology.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Making a Change

This All-Access Pass to Learning Is Now $20 for Black Friday

Unlock more than 1,000 courses to fit your schedule.

Health & Wellness

How to Improve Your Daily Routine to Strike a Balance Between Rest and Business Success

Here's how entrepreneurs can balance their time and energy to prevent burnout.

Money & Finance

Why Donald Trump's Business-First Policies Trump Harris' Consumer-Centric Approach

President Donald Trump's pro-business agenda is packed with policy moves encouraging investment to drive economic growth. The next Congress has a unique opportunity to support entrepreneurship and innovation, improving U.S. competitiveness with the rest of the world.

Business News

The Two Richest People in the World Are Fighting on Social Media Again

Jeff Bezos and Elon Musk had a new, contentious exchange on X.

Business News

Barbara Corcoran Says This Is the Interest Rate Magic Number That Will Make the Market 'Go Ballistic'

Corcoran said she praying for lower interest rates and people are "tired of waiting."