VENOM – Does it live up to the hype?, (Sat, May 16th)

Unless you have been hiding under a rock this week, you have heard about VENOM. The first article that I saw was from ZDNet, with the headline "Bigger than Heartbleed, Venom security vulnerability threatens most datacenters." Pretty provocative stuff. Is VENOM really worth that much hype?
VENOM stands for Virtualized Environment Neglected Operations Manipulation. The cute acronym basically means that the exploit takes advantage of a vulnerability in legacy code. In short, the vulnerability is CVE-2015-3456 and it is found in fdc.c, the floppy disk controller software used in some virtualization products, the most popular ones being QEMU, Xen and KVM. The vulnerability will permit someone with administrator access in the virtual machine (VM) to potentially escape the VM and execute arbitrary code from within the host virtualization software, with the permissions of the host virtualization software. The worst case scenario is that the attacker could escape to the guest operating system and access other guests on the same machine. To the best of my knowledge nobody has succeeded in demonstrating the worst case.
Should we panic?
This vulnerability is important because it has the potential to affecta significant portion of the virtualization platforms that are in common use today, but there is no reason to panic.
* The vulnerability cannot be compromised remotely, nor is it possible to remotely scan for this vulnerability.
* In order for the attacker to even attempt to exploit the vulnerability, they need to have shell-level access as an administrator on a virtualized guest.
* While a proof of concept exists that exploits the vulnerability, nobody has demonstrated any practical use of the exploit.
* Patches are available for all affected virtualization platforms.
This is certainly not of the significance of Heartbleed or FREAK. While it is important to get vulnerable systems patched as soon as reasonably possible, there is no reason to panic.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.