VENOM: The scariest threat to cloud

The malware can take over an entire cloud server through a single infected virtual machine, and hence affect the data of every company subscribing to the web provider.

Enterprises have moved to the cloud, and those left behind are working hard to take their companies ‘higher’. Despite cloud services being widely accepted by businesses throughout the world, the security question has haunted companies ever since. The security checks that usually settle at a comfortable low once a renowned cloud provider is adopted need to be revisited as higher-profile threats come into being.


Generally, cloud service providers create a virtualized environment by turning one physical computer into one or more pseudo-computers, or virtual machines. These virtual machines (VMs) carry the data of different organizations and are usually kept on the same hardware within a data center, isolated from one another by the hypervisor's security mechanisms.


Sophisticated hackers have developed ‘Virtualized Environment Neglected Operations Manipulation’, or simply ‘Venom’, which can breach the isolation set up by a cloud provider. An infection caught by even one virtual machine can pass to the others and hence eventually compromise the entire host.


As per the Symantec threat report, as many as 16% of malware variants are able to detect the presence of a virtualized environment. The ability to detect a virtualized environment helps malware evade detection, particularly on security sandboxing systems. Such malware can even detect when it is able to exploit and infect other virtual machines on the same system. However, as per Symantec, this has declined compared to 2014, when one in five (20%) malware samples could detect the presence of a virtualized environment.


If the Venom malware, and through it the hacker, can get through a cloud, it can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy, as per CrowdStrike, a threat intelligence firm.


Red Hat ranked it as ‘important impact’. It is the second-highest rating, given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. Venom is the type of vulnerability that allows local users to gain privileges, allows unauthenticated remote users to view resources that should otherwise be protected by authentication, allows authenticated remote users to execute arbitrary code, or allows remote users to cause a denial of service.


A bigger concern with Venom is that the bug resides in the virtual Floppy Disk Controller (FDC) of the open-source hypervisor QEMU. It is often installed by default in a number of virtualized infrastructures using Xen, QEMU, and KVM, as per CrowdStrike, a threat


As per Red Hat, a privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. It further states that the issue is exploitable even if a guest does not explicitly have a virtual floppy disk configured and attached. The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.
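Because the FDC cannot be removed from a guest's configuration, the only fix on the host side is an updated QEMU, and that update reaches a guest only once its QEMU process is restarted (or the guest is live-migrated to a patched host). The script below is an added example, not code from the article or from the QEMU project: it flags QEMU guest processes whose executable on disk has been replaced since they started, which on Linux shows up as a `(deleted)` suffix on the executable mapping in `/proc/<pid>/maps`. The QEMU binary names and the constructed `/proc` samples are assumptions for illustration.

```python
"""Flag QEMU/KVM guest processes still running a pre-update binary.

After a hypervisor package update, a qemu process started before the
update keeps executing the old (vulnerable) code. Linux marks the
executable mapping of such a process as "(deleted)" in /proc/<pid>/maps
once the backing file has been replaced; this script looks for that.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List

# Assumed names of QEMU guest processes (argv[0] basename); adjust per distro.
QEMU_NAMES = ("qemu-system-x86_64", "qemu-system-i386", "qemu-kvm")


@dataclass
class GuestProcess:
    pid: int
    name: str   # basename of argv[0] from /proc/<pid>/cmdline
    maps: str   # raw contents of /proc/<pid>/maps


def needs_restart(proc: GuestProcess) -> bool:
    """True if a QEMU process's own executable was replaced on disk."""
    if proc.name not in QEMU_NAMES:
        return False
    for line in proc.maps.splitlines():
        # maps format: addr perms offset dev inode [pathname]
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue          # anonymous mapping, no pathname
        perms, path = fields[1], fields[5]
        is_exec = "x" in perms
        is_qemu_binary = "qemu" in os.path.basename(path)
        if is_exec and is_qemu_binary and path.endswith("(deleted)"):
            return True
    return False


def stale_guests(procs: Iterable[GuestProcess]) -> List[int]:
    """PIDs of guest processes that must be restarted to pick up the fix."""
    return sorted(p.pid for p in procs if needs_restart(p))


def collect_live_processes() -> List[GuestProcess]:
    """Read real /proc entries (Linux only; other users' maps need root)."""
    found = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            with open(f"/proc/{entry}/maps") as f:
                maps = f.read()
        except OSError:
            continue          # process exited or not readable
        found.append(GuestProcess(int(entry), os.path.basename(argv0), maps))
    return found


# Constructed sample: PID 4242 runs a binary replaced on disk, PID 4343 is fresh.
SAMPLE_PROCESSES = [
    GuestProcess(
        4242, "qemu-system-x86_64",
        "5600a1c00000-5600a2000000 r-xp 00000000 fd:01 1234567 "
        "/usr/bin/qemu-system-x86_64 (deleted)\n"
        "7f3c00000000-7f3c00021000 rw-p 00000000 00:00 0\n",
    ),
    GuestProcess(
        4343, "qemu-system-x86_64",
        "5600b1c00000-5600b2000000 r-xp 00000000 fd:01 1234999 "
        "/usr/bin/qemu-system-x86_64\n",
    ),
    GuestProcess(
        77, "sshd",
        "5600c1c00000-5600c2000000 r-xp 00000000 fd:01 42 /usr/sbin/sshd (deleted)\n",
    ),
]

if __name__ == "__main__":
    for pid in stale_guests(SAMPLE_PROCESSES):
        print(f"guest process {pid} still runs a pre-update QEMU; restart it")
```

Run it as root on a KVM host with `stale_guests(collect_live_processes())` after applying the vendor's QEMU update; an empty list means every guest is already on the patched binary. The check is deliberately narrow: it only looks at the QEMU executable itself, so a replaced shared library would need the same test extended to `.so` mappings.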


Most of the large cloud providers, including Amazon, Oracle, Citrix, and Rackspace, are vulnerable to Venom as they rely heavily on QEMU-based virtualization.


The cloud providers do not dismiss this sophisticated vulnerability. In its official statement, Rackspace said that it is working to “remediate the vulnerability”. AWS, however, said that it is “risk free”. But the question is: for how long?


To exploit the FDC on a Linux-based guest, one would require special privileges or root access. For a Windows guest, however, practically anyone would have sufficient permissions to access the FDC, as per The Hacker News.


The Venom malware (CVE-2015-3456) has existed since 2004 but was disclosed only in 2015, by CrowdStrike. Venom does not, however, affect the VMware, Microsoft Hyper-V, and Bochs hypervisors.
