16 May 2015

BIGGER THAN HEARTBLEED, ‘VENOM’ SECURITY ZERO-DAY VULNERABILITY THREATENS MOST DATA CENTERS AROUND THE WORLD; ‘IDEAL EXPLOITATION TARGET FOR STATE-SPONSORED SPIES AND CRIMINALS ALIKE, FISHING FOR PASSWORDS, CRYPTOGRAPHY KEYS, OR BITCOINS’

May 14, 2015 

Zack Whittaker, writing on the ZDNet website on May 13, 2015, notes that “a security research firm is warning that a new [cyber] bug could allow a hacker to take over vast portions of a data center — from within. The zero-day vulnerability lies in a legacy component in widely used virtualization software — allowing a hacker to infiltrate potentially every machine across a data center’s network.” Dan Goodin, writing on the Ars Technica website, said this recently patched vulnerability “is an ideal exploitation target for state-sponsored spies and criminals alike, fishing for passwords, cryptography keys, or Bitcoins.”

“Most data centers nowadays condense customers,” Mr. Whittaker writes, “including major technology companies and smaller firms, into virtualized machines — or, multiple operating systems on one single server. Those virtualized systems are designed to share resources, but remain as separate entities in the host hypervisor, which powers the virtual machines. A hacker can exploit this newly discovered bug, known as ‘Venom,’ an acronym for ‘Virtualized Environment Neglected Operations Manipulation,’ to gain access to the entire hypervisor, as well as every network-connected device in that data center.”

“The cause,” Mr. Whittaker writes, “is a widely ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine… [and] to gain access to other machines — including those owned by other people, or companies.”

“The bug, found in the open-source computer emulator QEMU, dates back to 2004. Many modern virtualization platforms, including Xen, KVM, and Oracle’s VirtualBox, include the buggy code. VMware, Microsoft Hyper-V, and the Bochs hypervisor are not affected,” ZDNet noted.

“Millions of virtual machines are using one of these vulnerable platforms,” said CrowdStrike’s Jason Geffner, the researcher who found the bug, in a phone interview with Mr. Whittaker.

“The flaw may be one of the biggest vulnerabilities found this year; and it comes just over a year after the notorious Heartbleed bug, which allowed malicious actors to grab the data from the memory of servers running affected versions of the open-source OpenSSL encryption software,” Mr. Whittaker noted. “Heartbleed lets the adversary look through the window of a house, and gather information based on what they see,” said Geffner in an analogy. “Venom allows a person to break into a house — but every other house in the neighborhood as well,” he added.

Geffner said that [his] company worked with software makers to help patch the bug before it was publicly disclosed Wednesday. “To take advantage of the flaw, a hacker would have to gain access to a virtual machine with high, or ‘root,’ privileges on the system,” ZDNet said. Geffner warned that it would take little effort to rent a virtual machine from a cloud computing service and to exploit the hypervisor from there. “What an adversary does from that position is dependent on the network layout,” Geffner said, indicating that a takeover of a data center is possible.

Dan Kaminsky, a veteran security expert and researcher, said in an email that “the bug went unnoticed for more than a decade, because almost nobody looked at the legacy disk drive system, which happens to be in almost every [piece] of virtualization software.” “It’s definitely a real bug for people running clouds to patch against,” Mr. Kaminsky added. “It shouldn’t be too much of a headache, as the big providers, who might expose systemic risk, have all addressed the flaw.”

“As the bug was found in-house at CrowdStrike, there is no publicly known code to launch an attack,” Mr. Kaminsky wrote. Geffner said “the vulnerability can be exploited with relative ease,” but added that developing the malicious code was “not trivial.”

“From the point of disclosure in late April, it’s taken companies about two weeks to begin patching affected systems,” Mr. Kaminsky noted.

As I have written many times before, the Internet/World Wide Web is a wonderful asset to modern society and elsewhere; but the system was built for easy access, easy communication and convenience, not security. As a consequence, we have a great tool that has enriched our lives and helped countless others around the globe; but this ease of access and convenience has come with a stiff price: security and trust. The ‘system’ is just too full of ‘holes’ and vulnerabilities to convince anyone in the short-to-mid-term that their network/s and system/s are clean.