Millions of servers are affected by a security flaw disclosed Wednesday by Jason Geffner, a senior security researcher at CrowdStrike. Named ‘Venom’, an acronym for “Virtualized Environment Neglected Operations Manipulation”, the vulnerability lets code running inside a guest virtual machine execute code on the host machine, giving an attacker the ability to escape the confines of an assigned virtual machine and tamper with the others running on the same host.
“Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems,” according to the report. This could allow an attacker to reach the entire network in a data center, or every client hosted by a particular provider, by exploiting this one vulnerability.
Many data centers use hypervisor technology to power virtual machines, allowing them to host multiple operating systems on a single server, sharing hardware resources yet remaining isolated from one another. Venom breaks that isolation: an attacker who escapes one guest gains control of the host, and therefore of every other virtual machine it runs, along with a foothold on the host’s network.
“Heartbleed lets an adversary look through the window of a house and gather information based on what they see,” Geffner told ZDNet. “Venom allows a person to break into a house, but also every other house in the neighborhood as well.”
The vulnerability lies in the virtual floppy disk controller (FDC) code of QEMU, which many virtualization platforms used by hosting providers share. Even though physical floppy drives are essentially obsolete, a virtual floppy drive is added to new virtual machines by default, and removing it does not help: “…[E]ven if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers,” said the report.
This virtual floppy drive code runs beneath millions of virtual machines. Before the flaw was disclosed publicly on Wednesday, CrowdStrike worked with the affected software makers, who began patching the bug in late April.
“As the bug was found in-house at CrowdStrike, there is no publicly known code to launch an attack,” reported ZDNet. “Geffner said the vulnerability can be exploited with relative ease, but said developing the malicious code was ‘not trivial.’”
The report recommends that “If you administer a system running Xen, KVM, or the native QEMU client, review and apply the latest patches developed to address this vulnerability.”
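One caveat worth adding to that advice: installing a patched QEMU package does not protect guests that are already running, because each qemu process keeps executing the code it loaded at start-up, including the vulnerable FDC emulation, until it is restarted or the guest is live-migrated to a patched host. The script below, an added example that is not code from the CrowdStrike report or from the QEMU project, flags qemu processes that started before the binary they run was last modified. It assumes a Linux host with procps `ps`, GNU `date` and GNU `stat`; the process list in `demo_constructed` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CrowdStrike report or QEMU): find qemu guests
# still running pre-patch code after a QEMU package update.
# Assumes Linux, procps `ps`, GNU `date`, GNU `stat`.

# Pure check on epoch seconds: a process that started before the binary's
# last modification still runs the old code.
# Prints "needs-restart" (exit 0) or "ok" (exit 1).
needs_restart() {
    if [ "$1" -lt "$2" ]; then
        echo needs-restart
        return 0
    fi
    echo ok
    return 1
}

# Reads lines "<pid> <start_epoch> <bin_mtime_epoch> <exe>" on stdin,
# prints one verdict per process, then a final "stale=<count>" line.
report_stale() {
    stale=0
    while read -r pid start mtime exe; do
        [ -n "$pid" ] || continue
        verdict=$(needs_restart "$start" "$mtime") || true
        if [ "$verdict" = needs-restart ]; then
            stale=$((stale + 1))
        fi
        echo "$pid $exe $verdict"
    done
    echo "stale=$stale"
}

# Live collector: emits one line per running qemu process in the format
# report_stale expects. A "(deleted)" suffix on /proc/<pid>/exe means the
# binary on disk was replaced (e.g. by a package upgrade) after the process
# started; the suffix is kept so it shows up in the verdict line.
collect_live() {
    for pid in $(pgrep -f 'qemu-system|qemu-kvm' 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        path=${exe% (deleted)}
        start=$(date -d "$(ps -o lstart= -p "$pid")" +%s 2>/dev/null) || continue
        mtime=$(stat -c %Y "$path" 2>/dev/null) || {
            echo "pid $pid: cannot stat $path, check manually" >&2
            continue
        }
        echo "$pid $start $mtime $exe"
    done
}

# Constructed sample input: two guests, binary last modified at epoch 200.
# Guest 4242 started before the update, guest 4243 after it.
demo_constructed() {
    printf '%s\n' \
        '4242 100 200 /usr/bin/qemu-system-x86_64' \
        '4243 300 200 /usr/bin/qemu-system-x86_64' | report_stale
}

# On a real host, run:  collect_live | report_stale
```

Run `collect_live | report_stale` on each hypervisor host after the update; every line marked `needs-restart` is a guest still exposed to the FDC bug regardless of whether its floppy device is enabled. The same logic applies to Xen and KVM hosts, since both rely on QEMU for device emulation.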