A security research firm is warning that a new zero day vulnerability called Venom could allow a hacker to take over vast portions of the data center from within, reports ZDNet.
Venom is potentially bigger than Heartbleed. A common legacy component in ubiquitous virtualization software such as Xen, KVM, and Oracle's VirtualBox can allow a hacker to infiltrate potentially every machine in a data center network. VMware and Microsoft Hyper-V are not affected.
That component is a legacy virtual floppy disk controller. For younger folks, floppy disks look like that save icon that pops up in games and are largely ignored these days, much like the legacy component with the vulnerability. The bug has gone unnoticed for more than a decade, security expert Dan Kaminsky told ZDNet.
Virtualization has led to more densely packed servers filled with cordoned off virtual machines that share resources controlled by a hypervisor. Venom, which stands for Virtualized Environment Neglected Operations Manipulation, allows access to the entire hypervisor, as well as every other network-connected device.
The bug is found in open source computer emulator QEMU. Specially crafted code sent to the virtual floppy disk controller can allow a hacker to break out of their own virtual machine and access other machines, regardless of the owner. To exploit, root privileges are needed.
The researcher who found the bug was Jason Geffner. Geffner is a senior security researcher at Crowdstrike. CrowdStrike has worked with software vendors to patch the bug before the vulnerability was publicly exposed today.
Heartbleed allowed those with malicious intent to grab data from the memory of servers running affected versions of widely used and open source OpenSSL encryption software.