
Just how lethal is the software flaw dubbed 'Venom'?

It's not as widespread as the Heartbleed vulnerability, according to experts. But the flaw threatens the security of data centers and virtual computer environments.

Photo (AP): A West African Green Mamba at the Dallas Zoo, which has one of the country's most extensive collections of venomous snakes.

A recently discovered software bug known as "Venom" could give criminal hackers access to business data stored in the cloud or on in-house systems.

But the scope of the problem has been the subject of some debate in the security community since the flaw was revealed. Early media reports on the bug described it as similar in size to last year’s massive Heartbleed flaw, a bug in multiple versions of a software program used widely to encrypt Internet communications.

Many experts, however, have dismissed outright any comparisons to Heartbleed and have noted that impressions about the severity of the bug are based largely on vendor-driven hype.

The vulnerability was discovered by the security firm CrowdStrike and was revealed this week along with the name, which stands for Virtualized Environment Neglected Operations Manipulation. Like the Heartbleed bug, Venom also has its own logo – fittingly this one is a cobra. 

The flaw can be found within software tools used by businesses to "virtualize" hardware environments – a way for organizations to carve out multiple, independent virtual machines inside a single, larger computer. Tech giants such as Amazon, Google, and Microsoft offer virtualization services to host applications and data belonging to multiple customers, on single, physical systems.

Venom gives attackers a way of worming their way through the virtual environment and into the applications and data running on all the virtual machines hosted on a system, thereby undermining one of the core security tenets of cloud computing and of virtualization.

The bug is present in numerous virtualization platforms and appliances, including Xen, KVM, and the QEMU emulator. Amazon is a big user of Xen and is one of the largest cloud service providers in the world. But in an advisory issued Wednesday, Amazon said its services were not affected. Major virtualization tools such as VMware, Microsoft Hyper-V, and Bochs are also not impacted.

While the discovery of a vulnerability of this scale is indeed troubling, there are no known cases yet of it being used in an attack. What's more, the flaw is not easy for a hacker to use for nefarious purposes.

Assessing the severity of the flaw is really about perspective, according to the security firm Symantec.

“If your system is vulnerable and you have a lot of critical services running on it with plenty of sensitive data, then an attack could be devastating,” the company said in a blog post. At the same time, Venom is nowhere near as widespread a problem as Heartbleed was in terms of scope, the company wrote.

“Venom is locally serious and could allow an attacker to do much more than Heartbleed,” it said. “But the number of vulnerable systems is much smaller, making it a less serious problem in the greater scheme of things.”

CrowdStrike discovered the flaw within the code for controlling a virtual floppy disk drive that is present in many virtualization platforms.

Floppy disks were once the standard for storing data but have been obsolete for several years. But code pertaining to the drive is still present in QEMU and in multiple virtualization platforms including Xen and KVM, two popular open-source virtualization technologies.
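As an added illustration of where that floppy code sits in a KVM deployment (example code, not from the article, QEMU or libvirt), the following script inventories libvirt guest definitions for an explicitly configured floppy controller or drive; the guest names and XML are constructed samples. The check only prioritizes review: QEMU's x86 machine types instantiated the controller even when no floppy was configured, so a patched hypervisor package, not an empty inventory, is what settles the question.

```python
"""Inventory libvirt guest definitions for the emulated floppy disk
controller (FDC) that carries the Venom bug. Added example, not code
from the article, QEMU or libvirt."""
import xml.etree.ElementTree as ET

# Constructed sample guest definitions in libvirt's domain XML format.
GUEST_WITH_FLOPPY = """<domain type='kvm'>
  <name>build-box</name>
  <devices>
    <controller type='fdc' index='0'/>
    <disk type='file' device='floppy'>
      <target dev='fda' bus='fdc'/>
    </disk>
  </devices>
</domain>"""

GUEST_WITHOUT_FLOPPY = """<domain type='kvm'>
  <name>web-01</name>
  <devices>
    <disk type='file' device='disk'>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""


def floppy_exposure(domain_xml: str) -> dict:
    """Report what a guest's XML explicitly says about floppy hardware."""
    root = ET.fromstring(domain_xml)
    # libvirt models the controller as <controller type='fdc'/> and a
    # drive as <disk device='floppy'>, both under <devices>.
    return {
        "name": root.findtext("name", default="<unnamed>"),
        "fdc_controller": bool(root.findall("devices/controller[@type='fdc']")),
        "floppy_drives": len(root.findall("devices/disk[@device='floppy']")),
    }


def guests_to_review(domain_xmls) -> list:
    """Names of guests whose definition wires in an FDC or a floppy drive.
    An empty list does not clear the host: QEMU's x86 machine types
    instantiated the FDC even with no floppy configured, so the patched
    hypervisor package, not this inventory, is the authoritative fix."""
    flagged = []
    for xml_text in domain_xmls:
        info = floppy_exposure(xml_text)
        if info["fdc_controller"] or info["floppy_drives"]:
            flagged.append(info["name"])
    return flagged
```

On a real host the XML for each guest comes from `virsh dumpxml <name>`, fed to `guests_to_review` in place of the constructed samples.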

Perhaps one of the most pressing risks associated with the bug is that it could give an attacker a way to access the physical systems that host virtual machines, says Dan Kaminsky, chief scientist of White Ops, a security firm. That is never supposed to happen with such systems and represents a major security problem, he says.

What makes the bug especially dangerous is that virtual infrastructures are much more difficult to patch and fix than normal network equipment, says Mr. Kaminsky. 

Another seasoned security researcher, Robert Graham of Errata Security, described Venom as the perfect bug for a spy agency such as the National Security Agency. An attacker could use it to access a system and read the memory of other hosted virtual machines – and do it virtually undetected.

Items such as Bitcoin wallets, RSA encryption keys, and passwords can easily be found searching through memory, Mr. Graham wrote in a blog post. "Once you've popped the host, reading memory of other hosted virtual machines is undetectable."

https://www.csmonitor.com/World/Passcode/2015/0514/Just-how-lethal-is-the-software-flaw-dubbed-Venom