Just when you think it is safe to move data into the cloud, we get news about a vulnerability that puts cloud security at risk.
The new bug is called VENOM, an acronym for virtualized environment neglected operations manipulation. Bill Weinberg, senior director of open source strategy at Black Duck Software, explained it to me in an email:
VENOM is a zero-day vulnerability that breaks down the isolation across virtual machines hosted on QEMU-based hypervisors. Such isolation is viewed as one of the key benefits of virtualization, obviously for security, but also for modularization, scalability, high availability and separation of critical IP. These hypervisors include QEMU itself, Xen (the foundation for Citrix platforms), the Linux Kernel Virtual Machine (KVM) and Oracle’s VirtualBox - the core of the cloud and a myriad of other application domains.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
VENOM is being compared to Heartbleed or, by some media and experts, it is being called an even bigger deal than Heartbleed. Jason Geffner, a researcher with CrowdStrike who discovered the bug, was quoted in ZDNet:
Heartbleed lets an adversary look through the window of a house and gather information based on what they see. VENOM allows a person to break in to a house, but also every other house in the neighborhood as well.
Others are a little more skeptical of how dangerous VENOM really is. In Forbes, Zach Lanier, researcher at security provider Accuvant Labs, thinks the bug only rates a “moderate” severity rating and pointed out:
VENOM is an interesting bug, though not unprecedented and no exploits have been seen in the wild, neither have any guest-to-host escapes against a provider been seen before.
The researchers at Symantec also question the comparisons to Heartbleed. In a blog post, they write that the damage that could be done by VENOM really depends on how vulnerable your system is and the type of data you are running in the cloud. Sensitive data could be at great risk, but then, there are a lot of questions about sensitive data in the cloud even in the most secure situations.
This might be the first big vulnerability to hit cloud computing, but as Jeff Williams, CTO at Contrast Security, told me in an email, we shouldn’t be surprised by it:
There’s a lot of old software out there that hasn’t received any scrutiny. For every one of these latent flaws that gets discovered, there are thousands more in operating systems, libraries, components, etc.
Just because millions of hosts are vulnerable, does not mean that they will actually be exploited. Most likely, they will all get patched quickly and we can get back to business. Just like Heartbleed.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.