
Understanding the VENOM Vulnerability

  • Posted on: May 13, 2015
  • Posted in: Security, Vulnerabilities & Exploits
  • Posted by: Christopher Budd (Global Threat Communications)

Jason Geffner, a security researcher at CrowdStrike, has released information about a new unchecked-buffer vulnerability called VENOM affecting the open source QEMU virtualization platform, which provides virtualization capabilities similar to VMware or Microsoft’s Hyper-V.

The initial reports indicate this is a serious vulnerability, and while the vulnerability itself is serious, the overall scope is limited. People should treat this as a serious situation, but not view it as a broad crisis like “Heartbleed,” for instance.

The Vulnerability

The unchecked buffer vulnerability (CVE-2015-3456) occurs in the code for QEMU’s virtual floppy disk controller. A successful buffer overflow attack exploiting this vulnerability can enable an attacker to execute his or her code in the hypervisor’s security context and escape from the guest operating system to gain control over the entire host.
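As an added illustration, not from the original post and not QEMU's code, here is a constructed model of a guest-writable floppy controller data register: the first handler advances its FIFO position without bounding it, so guest-supplied bytes land in memory past the FIFO, while the second refuses and resets such writes. FIFO_SIZE, fdc_t, the 4-byte guard region and the handler names are assumptions of this model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of a virtual floppy controller's data register.
 * Not QEMU's code: the FIFO size, layout and handlers are simplified. */
#define FIFO_SIZE 16
#define GUARD_LEN 4
#define GUARD_BYTE 0xA5

typedef struct {
    uint8_t mem[FIFO_SIZE + GUARD_LEN]; /* FIFO followed by bytes standing in for adjacent state */
    unsigned data_pos;                  /* next write position, advanced by every guest write */
} fdc_t;

static void fdc_reset(fdc_t *f) {
    memset(f->mem, 0, FIFO_SIZE);
    memset(f->mem + FIFO_SIZE, GUARD_BYTE, GUARD_LEN);
    f->data_pos = 0;
}

/* Vulnerable shape: the guest decides how many bytes it pushes and nothing
 * bounds data_pos against the FIFO, so writes spill into the adjacent bytes.
 * (Capped at the demo array only so this model itself stays memory-safe.) */
static void fdc_write_data_unchecked(fdc_t *f, uint8_t value) {
    if (f->data_pos < sizeof f->mem)
        f->mem[f->data_pos++] = value;
}

/* Hardened shape: a write that would leave the FIFO is dropped and the
 * position reset, so guest-controlled data never reaches adjacent memory. */
static bool fdc_write_data_checked(fdc_t *f, uint8_t value) {
    if (f->data_pos >= FIFO_SIZE) {
        f->data_pos = 0;
        return false; /* refused; a real device model would also flag this */
    }
    f->mem[f->data_pos++] = value;
    return true;
}

/* True if the bytes immediately after the FIFO are still untouched. */
static bool fdc_guard_intact(const fdc_t *f) {
    for (int i = 0; i < GUARD_LEN; i++)
        if (f->mem[FIFO_SIZE + i] != GUARD_BYTE) return false;
    return true;
}

/* Push n guest-chosen bytes through one handler; report whether the guard survived. */
static bool feed_guest_bytes(bool checked, unsigned n) {
    fdc_t f;
    fdc_reset(&f);
    for (unsigned i = 0; i < n; i++)
        checked ? (void)fdc_write_data_checked(&f, 0x41) : fdc_write_data_unchecked(&f, 0x41);
    return fdc_guard_intact(&f);
}
```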

Because QEMU is an open source package, it’s nearly impossible to know all affected products or services. However, CrowdStrike has indicated that it does affect Xen, KVM and the native QEMU client.

We do know that neither VMware’s nor Microsoft’s virtualization products are vulnerable. Amazon has also stated that its AWS platform is not affected.

QEMU and Xen already have patches available. Other vendors are presumably working on patches as well.

The Risks

In terms of the vulnerability itself, a determined attacker could potentially compromise all virtual instances on the host. A compromised host could also be used to stage lateral movement attacks against the hosting environment, putting other hosts and virtual instances at risk. To do this, an attacker would need to have a virtual machine on a vulnerable host and be able to load and execute code of their choosing onto the host. The attacker would also need administrator privileges on the guest OS. At that point, the attacker could have control of the host and potentially leverage that compromised host to launch other attacks on the network.

For environments that have the vulnerable code on their systems, this is a very serious vulnerability that should be addressed as quickly as possible. Similar to other open source vulnerabilities, like Heartbleed and Shellshock, obtaining and deploying patches will be a challenge due to the fractured nature of the ecosystem. Administrators should be prepared for these difficulties and plan for contingencies to mitigate those risks.

The Ramifications

While this isn’t a vulnerability that would appear to affect the industry as broadly as some others, it is a virtual machine escape vulnerability in the default configuration: this is the worst type of vulnerability for virtual machine environments. Even if you’re not directly affected by this vulnerability, if you run virtual machines in your environment, you should use this new vulnerability as an indication that it is time to plan your response and mitigations for the day when a vulnerability just like this will affect your environment.

Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.

  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.