A critical vulnerability identified by the National Vulnerability Database as CVE-2015-3456 or VENOM was published yesterday. It affects all KVM guests running on QEMU--a widely used emulator for virtual server hosting. This command and control vulnerability may allow a malicious user to escape guest environments and take full control of the operating system hosting. Like Heartbleed and Shellshock last year, this is a significant risk for organizations that could lead to the exfiltration of sensitive and proprietary data. Unchecked, this can impact thousands of organizations and millions of end users that rely on affected virtual machines for the distribution of shared computing resources.
This leaves many people scrambling to find a signature to block Venom’s impact. Even HP has yet to find a remediation. ThreatSTOP’s zero-day capability prevents Venom’s impact because it successfully cuts the lines of communication between a compromised system and the invading source. ThreatSTOP customers, partners and clients can block this attack.
As with many attacks of this nature, Venom exploits a weakness in software code that has existed for years but, had gone undisclosed until yesterday. Criminals exploiting this vulnerability on a single virtual machine could gain access to all virtual machines running on the host system, and harvest sensitive data passing unencrypted through the memory of any virtual machine on the system. However, exfiltrating this data requires a means of communication between the attacker and victim. Regardless of whether the attack vector is successful in gaining a foothold, any attempt of communication to or from a known bad actor is blocked, logged and reported by ThreatSTOP. If the malware or botnet cannot receive instructions or leak information to its source, the threat is neutralized; allowing IT/IS departments the critical time they need to fully remediate this new zero-day threat.
We recommend that any of our customers with Virtual Machines, especially large enterprise and hosting provider partners, update their ThreatSTOP policy definitions to include dynamic objects for critical and emerging threats, Unix servers, scanners, web attackers, botnets, malware, DShield lists, prohibited countries, and anonymous proxies. Additionally, ThreatSTOP recommends that all virtualization users apply the patches provided by the various Linux distributions to all Internet facing hosts as soon as possible.
Attacks like Venom, Heartbleed and Shellshock continue to escalate in frequency, rapidity and severity. Whether or not this particular bug has affected your systems already or not, it is only a matter of time before one does. Companies need the quickness and flexibility to protect itself in the critical hours, days or weeks before patches or signatures are developed and distributed. The best way to achieve this is by leveraging ThreatSTOP’s collective security intelligence of known bad actors to stop them from “calling home.”