
‘Venom’ Bug Found in Virtual Machine Software

Cloud computing companies have been working to patch the bug, which could be used by hackers to take control of cloud networks.
Matthew Heller, May 14, 2015

Cybersecurity experts have discovered a data center software bug that could be used by hackers to take control of cloud networks, though no exploits have so far been reported.

The flaw, dubbed “Venom” by the digital security vendor CrowdStrike, lies in legacy code in the hardware-emulating software that runs “virtual machines.” According to a bulletin posted by CrowdStrike, it could allow “an attacker to escape from the confines of an affected virtual machine guest and potentially obtain code-execution access to the host.”


The discovery of Venom follows last year’s revelations of the Heartbleed and Shellshock bugs in popular open-source products.

CrowdStrike Senior Security Researcher Jason Geffner warned that Venom could make millions of virtual machines vulnerable to hackers. “Heartbleed lets an adversary look through the window of a house and gather information based on what they see,” he told ZDNet. “Venom allows a person to break into [the] house, but also every other house in the neighborhood as well.”

Cloud computing companies have been working to patch the bug and no malware for exploiting it has been found.

“It’s definitely a real bug for people running clouds to patch against,” Dan Kaminsky, a veteran security expert and researcher, said. “It shouldn’t be too much of a headache as the big providers who might expose systemic risk have all addressed the flaw.”

The defective code emulates a floppy disk controller, a piece of hardware found on very old computers. Because that emulation runs inside the hypervisor’s process on the host, a bug in it is reachable from inside a guest. An attacker (or an attacker’s malware) would need administrative or root privileges in the guest operating system to exploit Venom, CrowdStrike said.

Red Hat, distributor of a popular version of the Linux operating system, and the open-source Xen and KVM projects, which distribute virtualization software, said their software was vulnerable to Venom, according to The Wall Street Journal. The affected code is the floppy controller emulation in QEMU, the device emulator both projects use, so the fix is a patched host package followed by a restart or migration of each running guest.
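A host-side triage script, added here as an example and not code from CrowdStrike, QEMU or any vendor: on a Linux host whose guests run as QEMU processes (KVM) it walks the live QEMU command lines and reports which guests were started with a floppy drive, which is the device the buggy emulation backs. The QEMU options it recognises (-fda, -fdb, -drive ...,if=floppy, -name) are real; the function names, the /proc scanning helper and the sample command lines are constructed for illustration. The caveat it prints matters more than the listing: CrowdStrike's advisory noted that the vulnerable floppy controller code stays active on affected hosts even when no floppy drive is configured, so a guest that shows no floppy here is not safe; only a patched host, with each guest restarted or migrated onto the patched binary, removes the exposure.

```python
"""Triage running QEMU guests for Venom floppy-controller exposure.

Added example (not code from CrowdStrike, QEMU or any vendor). Assumes a
Linux host where guests run as QEMU processes (KVM) and reads
/proc/<pid>/cmdline. The QEMU options checked (-fda, -fdb,
-drive ...,if=floppy, -name) are real QEMU options; the function names and
the sample argv lists below are constructed for illustration.
"""
import glob
import os

FLOPPY_FLAGS = {"-fda", "-fdb"}  # legacy shorthand: the next argv element is the image

CAVEAT = (
    "Absence of a floppy drive does not remove the Venom attack surface: the "
    "emulated floppy controller stays active on affected hosts regardless. The "
    "fix is a patched QEMU/KVM or Xen host, and each guest must be restarted or "
    "migrated so it runs on the patched binary."
)


def parse_drive_opts(spec):
    """Turn a QEMU -drive value like 'file=a.img,if=floppy' into a dict."""
    opts = {}
    for kv in spec.split(","):
        if not kv:
            continue
        key, _, value = kv.partition("=")
        opts[key] = value
    return opts


def floppy_drives(argv):
    """Return the floppy drive arguments present in a QEMU argv list."""
    found = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        value = argv[i + 1] if i + 1 < len(argv) else ""
        if arg in FLOPPY_FLAGS:
            found.append(f"{arg} {value}".strip())
            i += 2
        elif arg == "-drive":
            if parse_drive_opts(value).get("if") == "floppy":
                found.append(f"-drive {value}")
            i += 2
        else:
            i += 1
    return found


def assess(argv):
    """Summarise one guest: its -name (if given), floppies found, and the caveat."""
    name = "unnamed"
    if "-name" in argv:
        idx = argv.index("-name")
        if idx + 1 < len(argv):
            name = argv[idx + 1].split(",")[0]  # -name takes 'guest,process=...'
    drives = floppy_drives(argv)
    return {
        "name": name,
        "floppy_drives": drives,
        "has_floppy": bool(drives),
        "caveat": CAVEAT,
    }


def running_qemu_argvs():
    """Collect argv lists of live QEMU processes from /proc (Linux only)."""
    argvs = []
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                raw = fh.read()
        except OSError:  # process exited or is not readable by this user
            continue
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv and os.path.basename(argv[0]).startswith("qemu"):
            argvs.append(argv)
    return argvs


# Constructed sample command lines (not captured from a real host).
SAMPLE_ARGVS = [
    ["qemu-system-x86_64", "-name", "web01", "-m", "2048",
     "-drive", "file=/var/lib/libvirt/images/web01.qcow2,if=virtio"],
    ["qemu-system-x86_64", "-name", "legacy-dos,process=qemu-dos", "-m", "64",
     "-fda", "/srv/images/boot.img",
     "-drive", "file=/srv/images/data.img,if=floppy,index=1"],
]

if __name__ == "__main__":
    # Fall back to the constructed samples when no QEMU process is running.
    guests = running_qemu_argvs() or SAMPLE_ARGVS
    for argv in guests:
        report = assess(argv)
        print(f"{report['name']}: floppy drives = {report['floppy_drives'] or 'none'}")
    print(CAVEAT)
```

Run it as root (or a user allowed to read other users' /proc/<pid>/cmdline) on the hypervisor; libvirt-managed guests show up because libvirt launches them as qemu-system-* processes. Treat the output as an inventory of which guests will be disrupted by the restart, not as a list of which guests are at risk: every guest on an unpatched host is.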

Venom is “a way to escape out of the virtual machine and execute code on the host with full privileges,” CrowdStrike Chief Technology Officer Dmitri Alperovitch told CSO. “It can be used by attackers to do nasty things.”