What’s Your VENOM Vulnerability?

Remember the Heartbleed Bug, the vulnerability in OpenSSL that enabled outside entities to eavesdrop on Internet communications, steal data, and impersonate services and users? Well, there’s a newer, and yes, more serious data center security threat in town – VENOM (CVE-2015-3456). And, true to its name, VENOM is deadly dangerous.

VENOM, which stands for Virtualized Environment Neglected Operations Manipulation, allows hackers to gain access elsewhere on a server and potentially elsewhere within a data center. In other words, hackers can take over large portions of a data center, potentially every machine, from within. The reason is that the bug lies at the heart of cloud providers’ infrastructure: it starts from virtual machines, several of which can run on each physical server.

The VENOM vulnerability is most likely found in legacy QEMU components in widely used virtualization software.

How VENOM Breaches Data Center Security

It’s not uncommon for today’s cloud-based data centers to consolidate their customers onto virtual machines. When this happens, multiple operating systems can run on a single server. Virtualized systems are intended to allow shared resources while keeping each entity separate within the host hypervisor, but VENOM makes it possible for hackers to gain access to the entire hypervisor, which then enables them to access every network-connected device in that data center.

The VENOM bug was originally found in the open-source QEMU’s Floppy Disk Controller (FDC) emulation back in 2004. But many popular virtualization platforms, including Xen, KVM, Oracle’s VirtualBox, and all x86 and x86-64 based HVM Xen and QEMU/KVM guests, still include the buggy code in their code bases. Hypervisors not affected include VMware, Microsoft Hyper-V, and Bochs.

If you are a Red Hat customer, you can check for vulnerability and confirm remediation via the Red Hat Access Lab: VENOM: QEMU Vulnerability Detector. If your data center is vulnerable, then Red Hat has updates available.

If you are an Oracle customer, there are currently updates available for Oracle Linux, Oracle Virtual Compute Appliance, Oracle VM, and Oracle VM VirtualBox. Oracle Database Appliance, Oracle Exadata Database Machine, Oracle Exalogic Elastic Cloud, and Oracle Exalytics In-Memory Machine do not have updates at this time, but Oracle is working on them and should be rolling them out soon.

Reducing Your VENOM Vulnerability

The VENOM incident reminds us once again of the important role visibility plays in one’s IT infrastructure, especially when the network is cloud-based. A system should have in place the necessary tools for discovering and taking inventory of all digital assets so vulnerability management teams can determine if any aspect of their infrastructure is unpatched and/or vulnerable to bugs like Heartbleed, VENOM, and others.

For some data center managers, the solution may simply lie in updating the hardware within the data center to equipment that doesn’t feature the QEMU Floppy Disk Controller emulation. If you are in the process of upgrading your data center infrastructure and you need computer liquidation services to help you manage the end-of-life assets, Liquid Technology can help. We can be reached by calling our toll-free number, by email or by simply completing our online form. A Liquid Technology Assessment Specialist will promptly respond to you.