There be VENOMous snakes in them there clouds
QEMU (short for Quick EMUlator) is an open source hypervisor with multiple operating modes. As well as being used natively by many cloud providers, it is also used by the KVM and Xen hypervisors. In other words it is used to run loads of virtual machines everywhere you can possibly imagine, and beyond.
So it is a cause of considerable concern that the very brainy Jason Geffner from CrowdStrike has uncovered a bug in QEMU, leaving systems running on it vulnerable to attack. As with all of these new trendy vulnerabilities, it has a name: Virtualized Environment Neglected Operations Manipulation or VENOM for short, complete with a snakes head logo. Pretty Funky.
The ‘neglected operations’ bit is so called because the bug is found in the now overlooked piece of code that supports the virtualised floppy controller, which has had the flaw since 2004.
Although it is considered hard work to exploit the vulnerability, this does not mean that the world and his wife or husband will not be trying to bust your cloud provider’s servers any time soon.
If you use QEMU, KVM or Xen internally, look out for forthcoming patches. If you consume cloud services, we recommend you ask you provider what they are doing about this potentially serious issue. You might need to start talking to them and your business about some downtime – this one needs to be patched at the hypervisor level so all of your VMs might get bounced.
In this weeks bonus round we would also like to draw to your attention the fact that Cisco has announced a swathe of patches for it’s TelePresence solutions in order to alleviate two exploitable bugs, one allowing remote code execution and one being a denial of service issue. If you have Internet connected TP devices, you should get on with patching them promptly because the DOS bandits are hard at work as we speak.
Vulnerability management forms a core part of ITC’s NetSure360° platform and can be used to understand your exposure and risk, to prioritise patching and to reduce false positive security incident reporting. In a world with vulnerabilities arriving at this astonishing rate, we think it is an essential tool in the management of security and would certainly help you see the wood from the trees with both of these reported issues.
If you would like to talk to us about Vulnerability Management or any other security related topic, please contact us at: 0207 517 3900 or email [email protected]