A security research firm is warning that a newly disclosed bug could allow an
attacker to take over vast portions of a datacenter from within. The
vulnerability lies in a legacy component common to widely used
virtualization software, and it could let an attacker who controls a single
virtual machine reach potentially every machine on a datacenter's network.
Most datacenters nowadays consolidate customers, including major technology
companies and smaller firms, onto virtual machines: multiple operating
systems running on one physical server. Those virtual machines are designed
to share the host's resources while remaining isolated from one another by
the hypervisor that runs them. An attacker can exploit the newly disclosed
bug, known as "Venom" (an acronym for "Virtualized Environment Neglected
Operations Manipulation"), to break out of a guest and gain access to the
host, and from there to other network-connected systems in that datacenter.
The cause is a widely ignored, legacy virtual floppy disk controller that,
if sent specially crafted commands from inside a guest, overflows a buffer
and can crash the emulator process that hosts the virtual machine. A crash
is the simplest outcome; the same memory corruption can also let an attacker
run code on the host and so break out of their own virtual machine to access
other machines, including those owned by other people or companies.
The bug, tracked as CVE-2015-3456, was found in QEMU, the open-source machine
emulator, and dates back to 2004. Many virtualization platforms that reuse
QEMU's device emulation, including Xen, KVM, and Oracle's VirtualBox, include
the buggy code. VMware, Microsoft Hyper-V, and the Bochs emulator are not
affected.
"Millions of virtual machines are using one of these vulnerable platforms,"
said CrowdStrike's Jason Geffner, the researcher who found the bug, in a
phone interview Tuesday.
The flaw may be one of the biggest
vulnerabilities found this year. It comes just over a year after the
notorious Heartbleed bug, which allowed malicious actors to grab data
from the memory of servers running affected versions of the open-source
OpenSSL encryption software.
"Heartbleed lets an adversary look
through the window of a house and gather information based on what they
see," said Geffner, using an analogy. "Venom allows a person to break in
to a house, but also every other house in the neighborhood as well."
Geffner said that the company worked with software makers to help patch the
bug before it was publicly disclosed Wednesday. Because the large cloud
providers control their own hardware and software, they can apply patches
across thousands of affected customers' systems without downtime, typically
by moving running guests onto already-patched hosts.
Now, he said, the big concern is companies that run systems that can't be patched automatically.
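As an added example that is not part of the ZDNet article or of CrowdStrike's materials, the following Python script shows the two checks an operator of QEMU/KVM hosts managed with libvirt would run against the cause described above and the patching concern just raised: listing which guests have a floppy drive configured, and finding guest processes that are still executing a QEMU binary older than the one now installed. The libvirt domain XML is constructed for the example and the QEMU binary path is an assumption (it varies by distribution). The one fact the script relies on beyond the article is that QEMU's i440fx "pc" machine types instantiate the floppy controller even when no floppy drive is attached, so removing the drive from a guest is not a mitigation; only an updated QEMU, and a restart or migration of each guest, removes the bug from a host.

```python
"""Post-VENOM host checks for QEMU/KVM with libvirt.

Added example; not code from the ZDNet article, CrowdStrike or QEMU.
1. Which guests have a floppy drive configured?  Caveat (a fact about QEMU,
   not from the article): the i440fx "pc" machine types instantiate the
   floppy controller (FDC) even when no drive is attached, so an empty list
   does not mean the host is safe.  Only an updated QEMU removes the bug.
2. Which guest processes still run the old binary?  A QEMU process started
   before the fixed package was installed keeps the vulnerable code mapped
   until the guest is restarted or migrated to a patched host.
"""
import os
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML, for illustration only.
GUEST_WITH_FLOPPY = """<domain type='kvm'>
  <name>web01</name>
  <os><type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/web01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/drivers.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
  </devices>
</domain>"""

GUEST_WITHOUT_FLOPPY = """<domain type='kvm'>
  <name>db01</name>
  <os><type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type></os>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/db01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""


def floppy_targets(domain_xml):
    """Target device names (e.g. 'fda') of floppy drives in a domain XML."""
    root = ET.fromstring(domain_xml)
    return [d.find("target").get("dev")
            for d in root.iter("disk") if d.get("device") == "floppy"]


def fdc_always_present(domain_xml):
    """True for QEMU's i440fx 'pc' machine types, which create the FDC
    unconditionally, so the floppy-drive check alone is no mitigation."""
    machine = ET.fromstring(domain_xml).find("./os/type").get("machine", "")
    return machine.startswith("pc") and "q35" not in machine


def runs_stale_binary(proc_start_epoch, binary_mtime_epoch):
    """True if the process started before the installed binary was written,
    i.e. it is still executing the pre-patch code."""
    return proc_start_epoch < binary_mtime_epoch


def process_start_epoch(pid):
    """Start time of a Linux process as a Unix timestamp, read from /proc."""
    with open("/proc/stat") as f:
        btime = next(int(line.split()[1]) for line in f if line.startswith("btime"))
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    # Field 22 is starttime in clock ticks after boot.  The comm field in
    # parentheses may contain spaces, so split only after its closing paren.
    after_comm = stat[stat.rindex(")") + 2:].split()
    return btime + int(after_comm[19]) / os.sysconf("SC_CLK_TCK")


def stale_qemu_pids(binary="/usr/bin/qemu-system-x86_64"):
    """PIDs of running QEMU processes older than the installed binary.
    The default path is an assumption; RHEL, for one, uses /usr/libexec/qemu-kvm."""
    mtime = os.stat(binary).st_mtime
    stale = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0]
            if b"qemu" in argv0 and runs_stale_binary(process_start_epoch(pid), mtime):
                stale.append(int(pid))
        except OSError:  # process exited, or /proc entry not readable
            continue
    return stale


if __name__ == "__main__":
    for name, xml in (("web01", GUEST_WITH_FLOPPY), ("db01", GUEST_WITHOUT_FLOPPY)):
        print(f"{name}: floppy drives {floppy_targets(xml) or 'none'}, "
              f"FDC present regardless: {fdc_always_present(xml)}")
    if os.path.exists("/usr/bin/qemu-system-x86_64"):
        print("QEMU processes still running the old binary:", stale_qemu_pids())
```

Run it on a host after the updated QEMU package lands: any PID it reports is a guest that has to be restarted or live-migrated before the fix actually takes effect, whatever the package manager says.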
To take advantage of the flaw, an attacker first needs privileged ("root" or
administrator) access inside a virtual machine, since the floppy
controller's I/O ports are only reachable from privileged guest code.
Geffner warned that meeting that bar takes little effort: an attacker can
simply rent a virtual machine from a cloud computing service and attack the
hypervisor from there.
"What an adversary does from that position
is dependent on the network layout," said Geffner, indicating that a
datacenter takeover was possible.
Dan Kaminsky, a veteran security expert and researcher, said in an email
that the bug went unnoticed for more than a decade because almost nobody
looked at the legacy floppy controller code, which happens to be present in
almost every virtualization product.
"It's definitely a real bug for people running clouds to
patch against," said Kaminsky. "It shouldn't be too much of a headache
as the big providers who might expose systemic risk have all addressed
the flaw."
Because the bug was found in-house at CrowdStrike, no exploit code is
publicly known. Geffner said the vulnerability can be exploited with
relative ease, but that developing the malicious code was "not trivial."
From CrowdStrike's private disclosure to vendors in late April, it took companies about two weeks to begin patching affected systems.
Rackspace said in an emailed statement that it was notified of the
vulnerability, that it affects a "portion" of its cloud servers, and that
its systems are patched.
Oracle, which develops VirtualBox, said in an emailed
statement that the company was "aware" of the problem, and fixed the
code, adding that it will release a maintenance update soon.
"We will release a VirtualBox 4.3 maintenance release very soon. Apart from
this, only a limited amount of users should be affected as the floppy
device emulation is disabled for most of the standard virtual machine
configurations," said software lead Frank Mehnert.
A spokesperson for Oracle declined to comment.
A spokesperson for The Linux Foundation, which runs the Xen Project, declined to comment on specifics, but noted that a security advisory was published.
Source:
ZDNet.com
Image Credit: zdnet.com