Venom – No, it’s not comparable to Heartbleed

Heartbleed was a vulnerability in one of the primary implementations of SSL used throughout the Internet. As a result, many systems using SSL were vulnerable to compromise by external attackers who did not need ANY access to the internals of the servers involved.

Venom, by contrast, is a bug in a relatively unused piece of open source VM software (the virtual floppy disk controller emulation). This means that someone who already has code running INSIDE a guest VM can potentially crash the hypervisor and then perhaps gain access to other VMs, storage, etc. running on the same hypervisor. This is potentially bad, but the requirement that “you must already have access to at least one VM within the hypervisor” makes it MUCH less threatening.

Venom applies to most open source hypervisors, including common ones used in cloud SaaS offerings, but does NOT apply to VMware, which is by far the dominant enterprise hypervisor. If you are running critical VMs on Amazon Web Services or other cloud services, you might have been vulnerable, except that Amazon and others have already patched their hypervisors.

The main value of Venom is as a great example of why the first step in securing any environment is disabling/not running any unnecessary services. How many AWS customers actually need access to a virtualized floppy disk drive in their VMs? The answer is roughly 0%, and this entire vulnerability would have been avoided if the default configuration for the hypervisor were not to load this (almost always) unnecessary piece of code.
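As an added example (not code from the original post), here is a small audit that applies the point above to VM definitions: it scans a libvirt-style domain XML for virtual floppy drives and floppy (fdc) controllers, and produces a copy with them removed. The domain XML is a constructed sample, and the element names assumed are libvirt's `<disk device='floppy'>` and `<controller type='fdc'>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample in libvirt domain-XML format (not from the original post).
# One VM with a normal virtio disk, a virtual floppy drive and an fdc controller.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>web01</name>
  <devices>
    <controller type='fdc' index='0'/>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/web01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/boot.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
  </devices>
</domain>"""


def find_floppy_devices(domain_xml: str) -> dict:
    """Report floppy-related devices defined in a domain XML document.

    Returns {"name": <vm name>, "floppy_disks": [<target dev names>],
             "fdc_controllers": <count of <controller type='fdc'> elements>}
    """
    root = ET.fromstring(domain_xml)
    name = root.findtext("name") or "<unnamed>"
    floppy_disks = []
    for disk in root.iter("disk"):
        if disk.get("device") == "floppy":
            target = disk.find("target")
            floppy_disks.append(target.get("dev") if target is not None else "?")
    fdc_controllers = sum(1 for c in root.iter("controller") if c.get("type") == "fdc")
    return {"name": name, "floppy_disks": floppy_disks, "fdc_controllers": fdc_controllers}


def strip_floppy_devices(domain_xml: str) -> str:
    """Return the domain XML with floppy drives and fdc controllers removed."""
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    if devices is not None:
        for child in list(devices):  # copy: we mutate while walking
            is_floppy = child.tag == "disk" and child.get("device") == "floppy"
            is_fdc = child.tag == "controller" and child.get("type") == "fdc"
            if is_floppy or is_fdc:
                devices.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(find_floppy_devices(SAMPLE_DOMAIN_XML))
    print(find_floppy_devices(strip_floppy_devices(SAMPLE_DOMAIN_XML)))
```

A clean audit result is not a substitute for patching: on some QEMU machine types the floppy controller is instantiated by the emulator even when the domain definition contains no floppy device, which is exactly why the default-off principle argued above matters.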

Bugs and vulnerabilities of the Venom and Heartbleed type will continue to exist, especially in lightly used portions of systems that don’t get tested as exhaustively. We need to continue to spend time finding and fixing these vulnerabilities, and also avoid loading unnecessary programs and services whenever possible. But what is really needed is proactive, continuous monitoring of cloud/VM environments to detect attackers in real time as they operate inside networks, both real and virtual. There will always be new zero-day vulnerabilities; it’s impossible to find and fix every one, so we need solutions that will find the bad guys based on their actions and then stop them in their tracks.