A new security vulnerability called VENOM surfaced today, and cloud providers are now scrambling to make patches and issue statements as a result of the disclosure.
VENOM, which stands for Virtualized Environment Neglected Operations Manipulation, affects the virtualization layer at the heart of cloud providers’ infrastructure. An attack starts from a virtual machine, several of which can run on each physical server, and can allow access elsewhere on that server and potentially elsewhere in a given data center.
This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.
The flaw is in QEMU’s virtual Floppy Disk Controller, which is used in KVM and Xen hypervisors for implementing virtual machines on servers. It has existed since 2004, according to CrowdStrike.
Widely used VMware and Microsoft Hyper-V hypervisors are not affected by VENOM, CrowdStrike said.
Red Hat has issued updates to QEMU, Xen, and KVM.
Amazon Web Services, the biggest public cloud on the market, said in a statement today that “there is no risk to AWS customer data or instances.”
Rackspace said the issue does affect some of its Cloud Servers. “We have applied the appropriate patch to our infrastructure and are working with customers to fully remediate this vulnerability,” a spokesman wrote in an email to VentureBeat.
WP Engine is currently doing maintenance for customers (including VentureBeat).
“Google Cloud Platform was never vulnerable to this flaw,” a Google spokesman told VentureBeat in an email. “We do not use the vulnerable software.”
Cloud and cloud software provider Joyent has a statement on how VENOM affects its software.
“Although the flaw exists in our KVM/QEMU in the Joyent software (SmartDataCenter and the JPC), our architecture runs QEMU inside of an additional secure container with almost no privileges,” Joyent’s Peter Gale wrote. “This means that if an attacker were to exploit this, they would be confined inside their secure container and CANNOT EXECUTE MALICIOUS CODE that will affect other customers.
“We will be patching the software to completely remove this flaw and will roll that out to the JPC and our SDC customers in a future build.”
DigitalOcean said in a statement of its own that it’s rebooting some of its hypervisors.
“On hypervisors running the latest version of our cloud, the QEMU process is confined by a mandatory access control profile which would prevent a would-be attacker from accessing the host system or other Droplets,” the company said. “We are rolling out updates across all of our infrastructure to ensure the latest QEMU security patches are applied on each server. In addition, we have implemented a number of other security and monitoring features in order to provide early warning of attempts to exploit similar vulnerabilities.”
IBM told VentureBeat that VENOM does not affect its SoftLayer virtual servers.
Microsoft declined to comment.