On April 7, 2014, the security world transformed with the disclosure of the Heartbleed vulnerability, and that was never more evident than with Wednesday’s disclosure of the VENOM (Virtualized Environment Neglected Operations Manipulation) flaw.
Heartbleed was perhaps the first security vulnerability to get its own Website at the point of disclosure, with its own logo and Frequently Asked Questions (FAQ) list. Heartbleed created the trend of the packaged, branded vulnerability for easy media consumption. VENOM, disclosed by security firm CrowdStrike, followed the Heartbleed playbook, with a logo, a brand and a Website—oh, and hype too.
Within an hour of VENOM being disclosed on May 13, my inbox was flooded by an onslaught of ambulance chasing experts and their PR representatives all eager to tell me why VENOM is or isn’t the next Heartbleed. No surprise to me. VENOM followed the Heartbleed playbook, so why shouldn’t the hype?
VENOM, however, is no Heartbleed—for a number of reasons. The most basic reason is one I figured out within 5 minutes of seeing the disclosure—that is none of my servers was at risk, or was likely ever to be exploited from VENOM. You see, with Heartbleed the flaw was within the OpenSSL cryptographic library, which enables secure data transport on hundreds of millions of devices. It was a trivial flaw to exploit and as it turned out, it was exploited rapidly.
VENOM is another story. It’s a flaw in the QEMU virtualization layer that is often used in hypervisor deployments including those for the open-source KVM and Xen hypervisors. The flaw essentially enables a breakout from the security of a single virtual machine to potentially infect other machines.
Proper deployment of any virtual technology, or any host-based process for that matter, on a Linux operating system should involve the use of mandatory access controls, such as SELinux (Security-Enhanced Linux) or AppArmor. For SELinux, there is the sVirt project that specifically provides controls for virtualization, including QEMU. So, in my own professional opinion, any organization running sVirt (which is a whole lot of them) has limited to no risk from VENOM. Now the use of SELinux is also something that is recommended as a best practice for Linux container deployment, like Docker, and will limit the risk of any potential sandbox breakouts with that technology as well.
I’m not saying users shouldn’t patch for VENOM—and there are patches now available from the major Linux vendors. What I am saying is that this isn’t a cataclysmic vulnerability that anyone is exploiting today. VENOM is a legitimate vulnerability that can be mitigated through proper process controls that all Linux system administrators should already be using.
There have been virtualization vulnerabilities in the last years far worse than VENOM that didn’t get the Heartbleed-branded treatment. Most notably is CVE-2014-7188, or what I like to refer to as The Xen Vulnerability That Rebooted the Public Cloud. That vulnerability was never publicly branded by a security firm and didn’t receive the same media hype, but was vastly more impactful and dangerous. Amazon, Rackspace and IBM carefully coordinated that vulnerability, and each had to reboot their clouds to fix the issue.
So why is it that security vendors are all chasing the next Heartbleed? Why is there a need to brand and hype vulnerability disclosures? The simple answer, of course, is that by branding a vulnerability, a security vendor perhaps hopes to gain further exposure for its own brand and expertise. There is some notoriety in finding that next big vulnerability, the vulnerability that could destroy the Web and cause massive financial losses.
The hunt for the next Heartbleed is a very noble pursuit, if done properly. By looking for deeply embedded bugs, hidden vulnerabilities that could expose millions to risk can be fixed. The concern is that not every vulnerability is in fact “the next big thing,” and by overhyping vulnerabilities, there is a risk of desensitizing the market. Not quite a “crying wolf” scenario, but close.
VENOM is an interesting flaw, and I’m glad the CrowdStrike researchers found it and responsibly disclosed it so it could get patched. That said, vulnerabilities are responsibly disclosed and patched every day. Most will never get a logo or a branded Website, and that’s the way it should be. Vulnerability patching is just part of daily operations. It’s not a unicorn or a unique event; it’s just the new normal.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.