Over the last few days there’s been a lot of hype surrounding the recently released (and patched) VENOM vulnerability. This post hopes to address this hype and provide an insight into the real risks it poses and what can be done if you are affected.
So, what is the VENOM vulnerability about? It’s basically a way for an attacker to jump between two virtual machines if they are running on the same hardware.
Firstly, if you’re not hosting anything in a shared virtualised environment (e.g, on a 3rd party cloud provider), then you can stop reading now.
Secondly, a lot of people seem to be drawing parallels between VENOM and Heartbleed, however, apart from the levels of marketing hype both received, they are not very similar at all. The main difference being that Heartbleed could be exploited remotely against vulnerable servers. VENOM is not remotely exploitable, and requires the cloud provider to have provisioned the attacker with a virtual machine on the same hardware as their target, which is not something the attacker can control.
While VENOM is a serious vulnerability, there are a few things worth noting:
- It’s not remotely exploitable. The attacker requires local access to a virtual machine on the same hardware as their target.
- It only affects QEMU based virtualisation, such as Xen, and does not affect other solutions such as Hyper-V or VMWare.
- As of 14th May, there is no publically available exploit code an attacker can use to exploit this vulnerability.
- A patch, fixing the issue in QEMU was issued on the 13th May (https://bugzilla.redhat.com/show_bug.cgi?id=1218611)
If you are still worried about the impact of this vulnerability; there are a few things you can do:
- Find out if your hosting provider uses Xen, or another QEMU based virtualisation software. If they don’t, then you’re not affected.
- If they do, find out if they’ve patched the software supporting your virtual machines.
- If you provision your hosts automatically and it is easy to do so, you could consider re-deploying all your hosts.
Overall, it is unlikely that you will have been exploited by this vulnerability, due to the difficulty of attack. However, if you host particularly sensitive data in the cloud, it would be worth following the above advice.