VENOM threatens data centers, but it's not the next Heartbleed
A researcher at CrowdStrike has discovered a security vulnerability that could allow hackers to break through the barriers between virtual machines and access information stored in data centers that rely on the technology.
CrowdStrike has decided to call the bug VENOM, an acronym for "virtualized environment neglected operations manipulation," and has said that the bug affects multiple services based on the popular QEMU virtual machine platform.
Here's how Fortune explains the vulnerability in its report on VENOM:
Picture an apartment building. That represents a cloud server, for our purposes. Now picture the apartments contained within that apartment building. These represent virtual machines. While different apartments may share resources such as water, electricity, heating, and gas—all managed, in this case, by a cloud infrastructure provider—all are locked and unable to access each other.
What [CrowdStrike researcher Jason] Geffner has found, effectively, is a backdoor: a shared key that unlocks any apartment. The vulnerability was introduced in 2004 when tools used to emulate a floppy disk drive were added to QEMU. This feature isn't very popular, which helps explain why VENOM was able to avoid detection for a little more than a decade.
Companies whose products feature the vulnerability were warned about it in late April. Patches to several of those products have already been released, and experts have recommended that these fixes be installed as soon as possible.
Some have compared VENOM to Heartbleed, the OpenSSL vulnerability that shook the Internet when it was revealed in April 2014. But there's no evidence that anyone outside of CrowdStrike's research team has exploited VENOM.
It's hard not to think at least some of the hubbub stems from VENOM's name, branding, and presentation. Many threats are disclosed as a string of numbers that most people don't understand. Taking the time to dress VENOM up this way ensures that the press (hi!) is able to sink its teeth into the vulnerability.
Which isn't to say that companies shouldn't take the problem seriously. If they're vulnerable to attack through VENOM, they should go ahead and patch their virtual machines. Let's just avoid making a basilisk out of a king cobra.
[illustration by Brad Jonas]