Cyber Enthusiasts:
The news this week is all coiled up about the VENOM zero-day vulnerability in virtualization platforms. Essentially, a decade-old floppy disk (yes, I said floppy disk) emulator can be exploited by an attacker with administrator privileges to effect a buffer overflow and execute arbitrary code on the host, running with the privileges of the hypervisor. In the virtualized environment in which this attack is run, success would allow the attacker to initiate a “guest to host” attack a la “Cloudburst” in 2009, yielding the ability to do bad things across the cloud platform and potentially compromise other guest VMs. This vulnerability exists on a large number of private and public cloud platforms, but the major cloud providers are reported to be immune.
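The bug class behind this headline is worth seeing in miniature. The following is a constructed example added for this post, not QEMU's floppy controller code and not the exact mechanics of VENOM: an emulated device keeps a fixed-size command FIFO that the guest fills one byte at a time, and the device model advances its index without ever comparing it to the FIFO's size. Struct names, sizes and the 0xAA fill value are all assumptions chosen for the demo. The vulnerable routine sits beside the hardened one so the defender's point is concrete: the check is a single comparison, and the rejected write it produces is also the event a hypervisor should surface in its logs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an emulated device's command FIFO (not QEMU's FDC code).
 * mem[0..FIFO_SIZE) is the FIFO the guest fills byte by byte; the rest of mem
 * stands in for host memory that happens to sit next to it. */
#define HOST_MEM  32
#define FIFO_SIZE 16

struct device_model {
    uint8_t mem[HOST_MEM];
    size_t  fifo_pos;   /* next FIFO slot a guest write lands in */
    size_t  rejected;   /* writes refused by the bounds check (hardened path only) */
};

static void device_reset(struct device_model *dev) {
    memset(dev, 0, sizeof *dev);
}

/* Vulnerable shape: fifo_pos is advanced on every guest write and never compared
 * against FIFO_SIZE, so once the FIFO is full the guest's bytes spill into the
 * adjacent host state. The HOST_MEM guard only keeps this demo well defined;
 * it is not part of the bug pattern being shown. */
bool vuln_fifo_write(struct device_model *dev, uint8_t value) {
    if (dev->fifo_pos >= HOST_MEM)
        return false;
    dev->mem[dev->fifo_pos++] = value;
    return true;
}

/* Hardened shape: the index is checked before the store. An overfull FIFO drops
 * the byte and counts it, which is the signal a device model should log. */
bool safe_fifo_write(struct device_model *dev, uint8_t value) {
    if (dev->fifo_pos >= FIFO_SIZE) {
        dev->rejected++;
        return false;
    }
    dev->mem[dev->fifo_pos++] = value;
    return true;
}

/* Drive a constructed guest write stream of n bytes (each 0xAA) through writer
 * and return how many bytes landed outside the FIFO region. */
size_t bytes_spilled(bool (*writer)(struct device_model *, uint8_t),
                     size_t n, struct device_model *dev) {
    device_reset(dev);
    for (size_t i = 0; i < n; i++)
        writer(dev, 0xAA);
    size_t spilled = 0;
    for (size_t i = FIFO_SIZE; i < HOST_MEM; i++)
        if (dev->mem[i] != 0)
            spilled++;
    return spilled;
}

int main(void) {
    struct device_model dev;
    size_t spilled = bytes_spilled(vuln_fifo_write, 20, &dev);
    printf("unchecked: %zu bytes spilled past the FIFO\n", spilled);
    spilled = bytes_spilled(safe_fifo_write, 20, &dev);
    printf("checked:   %zu bytes spilled, %zu writes rejected\n", spilled, dev.rejected);
    return 0;
}
```

Twenty guest writes into a sixteen-byte FIFO put four bytes onto neighbouring host state through the unchecked path and none through the checked one. In a real device model the "adjacent host state" is whatever the compiler laid out next to the buffer, which is exactly why the consequence of such a bug is host code execution rather than a harmless glitch in the emulated device.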
Invincea CEO Anup Ghosh’s comments in SecurityWeek today are a great reminder that hypervisors are not the magic security blanket some companies promote. They are just complex software infrastructures that have vulnerabilities like every other software layer in the stack and should not be implicitly trusted to provide security. As always, the more privileged the code (e.g., Ring 0), the more critical the vulnerability.
What I find even more interesting about VENOM is the controversy among security professionals regarding its impact. While many security professionals acknowledged the flaw as important to patch, many criticized the commercialization and marketing of the flaw disclosure as hyperbole. Why is that?
Here’s my perspective as a former CISO: If you read the details, in the vast landscape of daily attacks against my valuable data, VENOM is relatively low risk. It’s about risk management, and this one rates low on the list.
While VENOM is a real vulnerability with the potential to do bad things in virtualized environments, you need two important things to implement the attack. First, you need access to the VM, and second you need administrative privileges on the VM. Understand that most of today’s malicious actors aren’t the wickedly brilliant mad scientists that you see on TV or in the movies. The vast majority are cyber crime gangs generating billions selling personal and banking information, or they’re more advanced actors looking for defense, corporate, or government data. Every one of them is going to take the easiest path to the gold that avoids detection, and VENOM certainly isn’t it.
VENOM is an interesting discovery and a lesson, to be sure – but low on the list of true enterprise threats. Spear phishing, watering hole attacks, malvertising – these are the attacks that yield high rates of return and should be today’s highest priority for CISOs to focus on addressing.
Best,
Norm Laudermilch
COO
Invincea, Inc.
@norm911