VENOM Vulnerability - Thoughts?

I was actually surprised that I hadn't heard about this till today from a coworker. After reading up it's not possible to remotely scan for it or to remotely execute it so I'm not worried too much. Plus there are patches for the affected software and VMWare along with Microsoft aren't vulnerable. Will it keep you up at night or just a little over blown?

Find more posts tagged with

Comments

BlackBeret

I'm running VMWare so it doesn't keep me up at night. It's realistically only going to affect a small number of targets, but on those it could have serious affects. The main concern is that in data centers that use affected software anyone could spin up a VM that they have root/sys on and exploit it. All you need is one good target.

ramrunner800

I think this could have been incredibad but Crowdstrike said they disclosed the vuln to vendors two weeks prior to public disclosure, which seems pretty responsible of them. This is why it was possible for vendors to patch everything up before exploits made it into the wild. Given how commonly platforms like KVM are used, it could have been so much worse. VM escapement attacks on things like AWS? Scary to think about. That said, I don't think there's too much to worry about at this point.

the_Grinch

Yeah I did a lot of research on it and felt it was overblown a bit. I do know that it was reported that AWS doesn't appear to be susceptible to it. But as stated, everyone has a patch for it so things should be good to go.

joehalford01

I think the hype has more to do with the fears of the "cloud" being actualized. Feeds the paranoia.

beads

Venom isn't all that scary if your talking VMware. Other VM products - possibly. The
"Logjam" vulnerability affecting about 9% of all websites? Now, that one has some sharp teeth.

-b/eads

--chris--

the_Grinch wrote: »

Yeah I did a lot of research on it and felt it was overblown a bit. I do know that it was reported that AWS doesn't appear to be susceptible to it. But as stated, everyone has a patch for it so things should be good to go.

This^. I spent 30 minutes reading into it, from what I gather you need to have root access on a VM that is hosted on the same physical host. Then the target VM needs the virtual floppy drive enabled (which apparently isn't that uncommon). Then there was one more consideration beyond that that would then potentially allow remote execution of code.

I don't have years of expertise to back this up, but it does not seem to have the same potential as a "heart bleed" type of vuln.

AWS says they were never vulnrable to this:
XSA Security Advisory CVE-2015-3456

Digital Ocean says they fixed it pronto:
https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/

ramrunner800

--chris-- wrote: »

AWS says they were never vulnrable to this:
XSA Security Advisory CVE-2015-3456

Amazon doesn't say they were never vulnerable. Amazon says that on the day of public disclosure there was no risk to customer data. Amazon received notice of the vulnerability 2 weeks before the public did, and had plenty of time to patch. I've learned the hard way that you need to read security information precisely.