Online security professionals recently found a critical bug that preys on virtual machine platforms and appliances to gain entry into victims’ private storage devices.
The flaw is called Virtualized Environment Neglected Operations Manipulation, or VENOM, which reportedly targets the QUEMU-based virtual servers and enables hackers to burst forth from the restrictive guest environments of a machine. It subsequently provides them root access to the operating system that could be hosting a large number of clients, each having some sort of private data.
Trait-wise, VENOM seems like an unofficial offspring of HeartBleed, an OpenSSL cryptography library bug that was similarly revealing the users’ private data to remote attackers. As Rob Graham, CEO of a renowned security firm, believes, such critical flaws can certainly pose threats to value-carrying data, such as Bitcoin wallets, RSA private keys, and any confidential information that might be stored on machine’s raw memory.
Excerpt from his blogpost:
“Once you’ve popped the host [of the Virtual Private Machine], reading memory of other hosted virtual machines is undetectable. Assuming the NSA had a program that they’d debugged over the years that looked for such stuff, for $100,000 they could buy a ton of $10 VPS instances around the world, then run the search. All sorts of great information would fall out of such an effort—you’d probably make your money back from discovered Bitcoin alone.”
There are however critics that deny calling VENOM a serious threat to virtual private networks. As Ars Technica reported, many of these critics believe that the bug’s severity is being exaggerated for no apparent reasons; that the flaw cannot be remotely exploited.
“It can’t be exploited on large numbers of machines in a single stroke, as is the case with most serious security bugs,” the tech website said.