This morning, CrowdStrike issued a vulnerability disclosure for CVE-2015-3456 — branded VENOM (Virtualized Environment Neglected Operations Manipulation). VENOM is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms.
I’ve seen a few articles from reputable outlets claiming that the vulnerability is “bigger than Heartbleed.” While I do believe companies should absolutely apply patches as they become available, I’m not convinced this vulnerability will have the same level of severity as Heartbleed.
If we are measuring the importance of a vulnerability solely on how widespread the vulnerability is, VENOM is certainly “bigger” than Heartbleed. It impacts numerous virtualization platforms and appliances, notably Xen, KVM and the native QEMU client, though it does not impact VMware, Microsoft Hyper-V and Bochs hypervisors. In addition, Amazon has stated its AWS systems are not affected. But despite the sheer breadth of systems that could be impacted, the severity is not as alarming for a few key reasons.
There isn’t currently an exploit available
At CA Veracode, when we are measuring the severity of a vulnerability and determining how we need to respond, one of the first questions we ask is if an exploit is already available. In this case, the answer appears to be no. CrowdStrike states that “Neither CrowdStrike nor our industry partners have seen this vulnerability exploited in the wild.” This does not mean for certain an exploit does not exist, but chances are very low.
In addition to no exploit being available, all indications are that creating one is not a trivial effort. Because it would take a lot of effort to create an executable exploit, a cybercriminal would have to be highly motivated to do so. Which brings us to …
There is very little chance the vulnerability will be exploited on any scale
While exploiting a vulnerability like Heartbleed allows an attacker to probe millions of systems, VENOM simply wouldn’t be exploitable at the same scale. Vulnerabilities like VENOM are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyberwarfare or the like. Again, that doesn’t mean there aren’t cybercriminals motivated by espionage or warfare that couldn’t create an exploit. It just means the chances of being a victim are quite low. Especially given …
Attackers have to already be in the target’s system to access the vulnerability
This is another factor we take into account when determining how we will respond to a new vulnerability disclosure — is the vulnerability susceptible to remote attacks? VENOM is not. While this does not make exploitation impossible — especially in a public cloud environment — it is a complicating factor that makes an exploit less likely. Attackers are more likely to get into your enterprise environment using SQL injection or some other web application vulnerability than they are through VENOM.
Branded vulnerabilities are here to stay; this certainly isn’t the last one we will see. And CrowdStrike is doing a great service by letting the world know about an existing vulnerability. By responsibly disclosing this vulnerability in a timely manner, CrowdStrike is giving enterprises an opportunity to patch before a reliable exploit is available, and that helps make us all more secure. Branding a vulnerability also helps bring attention to the importance of security and vulnerability testing. The downside to branded vulnerabilities is that they can cause panic leading to apathy. If every branded vulnerability causes enterprises to instantly react, eventually they will become numb to the noise. If everything is an emergency, nothing is.
I recommend companies update their systems as patches become available, but do not overreact. VENOM is not the next Heartbleed.