ArsTechnica reports how the critical exploit would allow attackers to gain access to every file on a web server. Web hosts typically give each new user a protected virtual environment that acts as though it is its own server but in reality it is running from one physical server.
“Venom” would allow an attacker to escape their own virtual zone and break into the main server. From there, they could create absolute chaos for the web host, deleting whole sites from the server, changing privileges or just sifting through data stored in the virtual environments of other users.
In great exploit-finding spirit, the major bug is caused by an archaic form of deprecated technology: a virtual floppy disk controller built by virtual machine provider QEMU. This driver is used in virtualisation platforms by several other major companies too though including Xen and KVM.
The details of the issue are relatively straight-forward which led to a fix being provided by QEMU and Xen within hours of the publication of the report, created by security firm CrowdStrike. The vulnerability was discovered by Jason Geffner, Senior Security Researcher, during a review of virtual machine system security. Other cloud platforms including Red Hat, Citrix and Digital Ocean have also all now provided fixes.
CrowdStrike described Venom in simple terms in its report, saying that the vulnerability “may allow an attacker to escape from the confines of an affected virtual machine guest and potentially obtain code-execution access to the host.”
It is unknown whether Venom has ever been exploited in the past. With the issue now safely fixed by all of the key providers, it is up to system administrators to ensure that their virtual machines are updated if affected.
Venom was initially compared to Heartbleed by several journalists online but in reality is substantially different and less serious. Heartbleed allowed anybody to read the memory of OpenSSL systems used to send data securely over the internet remotely while Venom exists on web hosts and in data centres and requires an attacker to have access to a virtual environment on the server before carrying out the exploit.
