Venom security vulnerability allows hackers to infiltrate networks via the cloud

Experts say Venom isn't as bad as Heartbleed, but urge IT departments, especially those using Amazon, Rackspace or Oracle, to patch up

A new security vulnerability called Venom has been described by some as "bigger than Heartbleed", because it could allow hackers to take over whole swathes of cloud-based data centres, possibly including those of Amazon, Rackspace and Oracle.

The Heartbleed glitch was discovered last year and allowed anyone on the internet to read the memory of systems protected by vulnerable versions of OpenSSL, the open source core library for encrypting many forms of secure online traffic. Its discovery sent shockwaves across the IT industry.

However, although the Virtualised Environment Neglected Operations Manipulation (Venom) zero-day vulnerability is bad - potentially allowing cyber criminals and hackers to infiltrate entire networks - cloud providers and security experts have moved quickly to state that while Venom does pose a threat, it can be, and already has been, patched.

Security researchers at Crowdstrike describe Venom as "a security vulnerability in the virtual floppy drive code used by many computer virtualisation platforms", exploitation of which could "expose access to corporate intellectual property, in addition to sensitive and personally identifiable information potentially impacting the thousands of organisations and millions of end users".

However, the researchers also state that "neither CrowdStrike nor our industry partners have seen this vulnerability exploited in the wild".

The researchers say systems run by VMware, Microsoft Hyper-V, and Bochs aren't affected by the vulnerability, which has existed since 2004. They say the best way to fight it is simply to "review and apply the latest patches developed to address this vulnerability".

In a statement provided to Forbes, a Rackspace spokesperson said that the firm has already patched the Venom vulnerability.

"Regarding Venom specifically, earlier this week, Rackspace was notified of a potential hypervisor vulnerability that affects a portion of our cloud servers fleet. We have applied the appropriate patch to our infrastructure and are working with customers to fully remediate this vulnerability," the spokesperson said.

While the discovery of Venom is a concern, Chris Eng, vice president of research at Veracode, said "the severity of this zero-day is not nearly as alarming for a few reasons".

"First, there is little chance of mass exploitation; any exploit created around Venom would have to be tailored against a specific target environment," he said.

"Second, the attacker would have to already be on the target system to get at the vulnerability - certainly not impossible in a public cloud environment but nevertheless a complicating factor," Eng continued.

"Lastly, there isn't currently a publicly available exploit, and creating one would require a non-trivial amount of effort," he added.

However, Eng did recommend that businesses apply the Venom patches as soon as they're released.

"Vulnerabilities like Venom are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyber warfare or the like. Companies should absolutely apply patches as they become available," he said.

Dr Mike Lloyd, CTO at network security firm RedSeal, described Venom as "comparable to Heartbleed" but added that "five years from now, looking back, we will likely not remember it as causing quite as much heartburn".

However, Lloyd did describe Venom as "a widely feared form of vulnerability, since many business systems in the last few years have moved to public and private clouds".

"This virtualisation means we often cannot tell which other outside organisations might have their workloads running on the same physical server as our systems, and so in principle an attack on their systems in the shared cloud infrastructure could spill over into ours, causing a potential domino effect," he said.

Like Eng, Lloyd said that the best course of action for IT departments - at both vendor and customer organisations - is to patch up the vulnerability as soon as possible.

"For users of external public cloud services, the responsibility to apply the remediation falls to the service provider, and so customers are likely to burn up the phone lines calling in to make sure this has been done promptly," he said.

"For organisations running private cloud infrastructure, the responsibility falls to internal IT, as a part of routine patch management," Lloyd continued.

"Businesses can expect some brief disruptions as this patch is applied; if your business uses the affected virtualisation systems, the patch should be treated with very high priority, and is well worth a brief service interruption in almost all cases," he concluded.
