This morning a computer security researcher revealed his discovery of a new, severe software vulnerability that potentially impacts millions of businesses; business owners and IT departments need to be aware of the relevant issue and take action to protect themselves.
Here is what you need to know:
A major vulnerability has been found in the software used to operate virtual machines, a technology staple at hosting providers that is used to run many small business websites, databases, and cloud-based applications. The same technology is also used within the computer infrastructure of many businesses and on various network appliances.
What has been done so far?
The vulnerability was discovered by Jason Geffner, a Senior Security Researcher at cybersecurity firm CrowdStrike. While Geffner and his colleagues did not publicize the vulnerability until 8:00 a.m. today, they began notifying affected vendors of the vulnerability in late April; a team at QEMU – a free, open-source system for creating and managing virtual machines (sometimes known as a hypervisor) whose code was the source of the vulnerability – wrote a patch which it distributed to various vendors that leverage QEMU code and were impacted by the vulnerability. By the time you read this, those vendors should have patches available for their customers, and many hosting providers should have already deployed them.
This does not mean that all businesses that need a patch have one. Nor does it mean that the vendors involved have pushed the patches to all of their customers yet. Small businesses are less likely to have received it, unless their exposure is strictly at major hosting providers or on systems maintained by other parties.
What is the issue?
Technologically speaking, virtual machines are software implementations of computers that function and execute programs as if they were their own physical machines, even though they are not. Over the past decade virtualization has become increasingly common as it allows owners of today’s powerful computer systems or data centers full of such systems to run multiple “computers” on each physical machine.
The vulnerability exists in the floppy disk controller driver for QEMU, which, over time, has been integrated into numerous virtualization platforms and network appliances. The vulnerable QEMU code, now termed VENOM by Geffner, is installed and activated by default as part of many virtualization systems, including, according to Geffner, Xen hypervisors, Kernel-based Virtual Machine (KVM), Oracle VM VirtualBox, and the native QEMU client.
What exactly is the vulnerability, and what are the consequences of doing nothing?
The problem that VENOM creates is potentially severe: one of the data structures used for communication by the faulty driver can be loaded with too much data, so that the data extends beyond the intended memory space and overwrites critical data structures in memory. A hacker can easily cause the hypervisor and all virtual machines it is managing to crash (causing a denial of service to all the virtual machines on the system), and, by carefully constructing the contents of the data that overflows the buffer, he or she may be able to gain control of the physical computer and all the virtual machines running on it, and perhaps even of the network to which the physical device is connected. Such an attack would put at risk any sensitive data being processed on any of the virtual machines, and possibly even on other machines on the network.
The magnitude of this risk is obvious when one considers that hosting providers often use virtualization to house systems and data belonging to different businesses on the same physical computers. In fact, the entire virtualization model relies on the concept that anything running on a virtual machine cannot escape from it; nothing within a virtual machine should be able to access either its parent hypervisor or any other virtual machines. VENOM undermines this fundamental requirement of virtualization.
Furthermore, VENOM is especially scary because it is cross-platform, exploitable in default configurations, and allows for the execution of code by an attacker. It is also not necessarily solvable by disabling the vulnerable code: on some platforms it was found that an unrelated software flaw caused disabling the vulnerable driver code to create other security problems.
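To make the mechanism described above concrete, here is an added illustration in C; it is not QEMU's floppy controller code and is not taken from the article. It models the general pattern: an emulated device keeps a small, fixed-size command buffer that the guest fills one byte at a time, with other device state stored immediately after it. The structure, field names, sizes and byte values are constructed for the example. The unchecked write shows how bytes beyond the buffer's end land in the adjacent state; the checked write shows the bounds check that refuses them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed device model (not QEMU's): the first FIFO_SIZE bytes of
 * `storage` are the guest-writable command FIFO, the remaining STATE_SIZE
 * bytes stand in for "critical" device state that sits right after it.
 * Using one backing array keeps the overrun inside defined behaviour so
 * its effect can be observed rather than crashing the demo. */
#define FIFO_SIZE  8
#define STATE_SIZE 8
#define STATE_MARKER 0xAA

struct device_model {
    uint8_t storage[FIFO_SIZE + STATE_SIZE];
    size_t  pos;   /* index of the next FIFO slot to write */
};

static void device_init(struct device_model *d) {
    memset(d->storage, 0, sizeof d->storage);
    memset(d->storage + FIFO_SIZE, STATE_MARKER, STATE_SIZE);
    d->pos = 0;
}

/* Vulnerable pattern: assumes pos can never reach FIFO_SIZE and never
 * checks it, so extra bytes spill into whatever follows the FIFO. */
static void fifo_push_unchecked(struct device_model *d, uint8_t b) {
    d->storage[d->pos++] = b;
}

/* Hardened pattern: refuse the byte once the FIFO is full.
 * Returns 0 when stored, -1 when refused. */
static int fifo_push_checked(struct device_model *d, uint8_t b) {
    if (d->pos >= FIFO_SIZE) {
        return -1;
    }
    d->storage[d->pos++] = b;
    return 0;
}

/* 1 if the adjacent state still carries its marker, 0 if it was clobbered. */
static int state_intact(const struct device_model *d) {
    for (size_t i = FIFO_SIZE; i < FIFO_SIZE + STATE_SIZE; i++) {
        if (d->storage[i] != STATE_MARKER) return 0;
    }
    return 1;
}

/* Feed n constructed bytes ('A', 'B', ...) through the chosen routine and
 * return how many were refused. The size guard on the unchecked path is
 * only the demo's safety net so the write stays inside `storage`; the
 * pattern being shown performs no such check itself. */
static int feed(struct device_model *d, size_t n, int checked) {
    int refused = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = (uint8_t)('A' + (i % 26));
        if (checked) {
            if (fifo_push_checked(d, b) != 0) refused++;
        } else if (d->pos < sizeof d->storage) {
            fifo_push_unchecked(d, b);
        }
    }
    return refused;
}

/* Scenario helpers: push 12 bytes (more than the FIFO holds) and report. */
static int scenario_intact(int checked) {
    struct device_model d;
    device_init(&d);
    feed(&d, 12, checked);
    return state_intact(&d);
}

static int scenario_refused(int checked) {
    struct device_model d;
    device_init(&d);
    return feed(&d, 12, checked);
}

int main(void) {
    printf("unchecked: adjacent state intact = %d, refused = %d\n",
           scenario_intact(0), scenario_refused(0));
    printf("checked:   adjacent state intact = %d, refused = %d\n",
           scenario_intact(1), scenario_refused(1));
    return 0;
}
```

The unchecked run overwrites the state bytes following the FIFO, which is the class of corruption the article describes; the checked run stores the first eight bytes and refuses the remaining four, leaving the adjacent state untouched.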
What do business owners or IT departments need to do?
There does not yet seem to be exploit code floating around “in the wild” for VENOM; it does not seem that hackers have as yet successfully exploited the vulnerability. (Of course, one cannot be positive about this, nor can one be sure that no governments have ever exploited it.) But the publication of details about the vulnerability now does mean that hackers are likely to try to exploit it going forward. So:
- Do not leverage the vulnerable code. If you are hosting any virtual machines within your computer infrastructure, and are using a vulnerable platform, you want to address the situation ASAP. Ask the appropriate vendor for a patch — and then test and deploy it. You can check if a platform is vulnerable here. (Note: According to Geffner, hypervisors from VMware, Microsoft (Hyper-V), and Bochs do not leverage the VENOM code, and are, therefore, not vulnerable).
- If you have “appliances” on your network that may use virtualization within them – check with the relevant vendors about a patch.
- Confirm that your hosting provider/s, and any third-parties that house your data or applications in the “cloud,” are aware of this issue and are addressing it.
What else should we learn from this episode?
It is hard to believe that in 2015 many people really need a floppy disk controller in a virtual machine, and it is easy to see why this driver for what can politely be termed a “legacy technology” has not been given a lot of attention in recent years. In fact, according to Geffner, the VENOM vulnerability has existed in the QEMU code for over a decade. The fact that a serious security risk was created by code that should have long since been removed from default installations serves as a reminder that good security practice is to limit services and drivers running on servers to those that are actually needed. That’s something business owners should also ask their technical team in web application development and mobile application development to check on – disabling unnecessary services may prevent other problems in the future as well.