The world was alerted to the VENOM vulnerability (CVE-2015-3456) when it was disclosed two days ago, potentially affecting the security of cloud services. Fortunately, as of this writing, there have been no reported exploits in the wild.
Skyhigh was not affected: our services that use virtualization are hosted at Equinix, and Skyhigh does not use the affected virtualization platforms.
Additionally, the following cloud service providers from our CloudTrust Program have proactively self-reported that they are NOT vulnerable to VENOM: Accellion, Aerohive Networks, Backupify (acquired by Datto), ClickSoftware, Druva, E-SignLive, FoxyCart, Informatica Cloud, Maytech, OneLogin, ProofHQ, ShareVault, Simply Voting, Spanning, TemboSocial, Workspot, and Xendo. These companies were either not vulnerable to VENOM or have applied the necessary patches to remove the vulnerability, and they continue to represent the best-of-breed companies who care greatly about protecting their customers’ data.
Read on to find out more about VENOM and what additional steps you can take.
What is VENOM?
VENOM is a security vulnerability in the virtual floppy drive code used by many virtualization platforms. It may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code execution on the host. Absent mitigation, this VM escape could open access to the host system and every other VM running on that host, potentially giving adversaries significantly elevated access to the host’s local network and adjacent systems.
Does this affect the security of my IaaS services?
This depends on which hypervisor your IaaS providers use. If your IaaS provider uses Xen, KVM, or native QEMU, it is vulnerable until it applies the patch. If your IaaS provider uses VMware, Microsoft Hyper-V, or Bochs hypervisors exclusively, it is not vulnerable.
Amazon released a security advisory saying it is not affected. We also know that Equinix’s IaaS services were not affected. Some of the Rackspace servers are affected, and customers are expected to power-cycle their VMs within a 24-hour window after Rackspace applied the patch (the patched hypervisor code only takes effect once a VM is restarted). After that window, Rackspace will power-cycle any VMs that customers have not restarted themselves.
Does this affect the security of my SaaS services?
This depends on which datacenters your cloud service is hosted in and, as described above, which host virtualization those datacenters use. Unfortunately, no organization can determine every vulnerable SaaS service, because exposure depends on the hypervisors the SaaS provider runs on, and that information is not public.
What are some steps I can take?
We encourage you to contact directly the support teams of the cloud providers that house your corporation’s sensitive data and confirm that they have applied the appropriate patches. If they have not, the security of your data in that service is at risk.