Security vendor CrowdStrike has revealed details of a vulnerability in widely used virtualization software that lets an attacker escape a compromised virtual machine and execute code on the host. Because the host runs every guest on that physical machine, a successful escape puts all of those guests, and any cloud built on such hosts, at risk.

The flaw, named Virtualized Environment Neglected Operations Manipulation (Venom), is a bug in QEMU, an open-source machine emulator whose device code is used by several hypervisors common in cloud computing. The defective component is QEMU's virtual floppy disk controller, which emulates the floppy hardware of very old PCs. That controller is part of QEMU's default x86 machine, so the vulnerable code is present even in guests that were never given a floppy drive.

"Venom could put company secrets or sensitive information at risk, potentially impacting thousands of organizations and millions of end users," says CrowdStrike on its official site.

Venom is the latest in a line of colorfully named flaws in popular open-source software. Shellshock and Heartbleed were both reported in 2014. Heartbleed, found in the widely used OpenSSL library, prompted the nonprofit Linux Foundation to collect funding from a number of technology firms, including Microsoft, Google, Facebook and Cisco, for a campaign of security audits of open-source projects.

"This virtualization means we often cannot tell which other outside organizations might have their workloads running on the same physical server as our systems," says Mike Lloyd, CTO of RedSeal, in an email. "In principle an attack on their systems in the shared cloud infrastructure could spill over into ours, causing a potential domino effect."

Unlike Heartbleed, Venom was disclosed with patches already available for several platforms, and more are expected shortly. Vendors and projects that have released fixes include F5, Ubuntu, SUSE, Red Hat, QEMU, FireEye, Citrix and the Xen Project. Because the fix lives in the QEMU process that runs each guest, updating the host package is not enough on its own: a guest is only protected once its QEMU process has been restarted, which in practice means powering the virtual machine off and on again or migrating it to an already patched host.

"It's serious, but not Heartbleed serious. There are no known in-the-wild attacks and a patch is available," says Karl Sigler, threat intelligence manager at Trustwave.

Tod Beardsley, research manager at Rapid7, added that the parties most seriously affected are those who rely on hosted VPS services, where untrusted customers share a physical server.

In other words, a guest that can talk to the emulated floppy disk controller can send it a sequence of crafted commands that overflows a fixed-size buffer inside the QEMU process on the host (the bug is tracked as CVE-2015-3456). Because that process runs outside the guest, a successful overflow lets the attacker corrupt the hypervisor's memory and run code with the privileges of the QEMU process, bypassing the isolation the virtual machine is supposed to provide.
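The defect class behind that description, as an added illustration that is not QEMU's code: a toy device FIFO in C in which one command handler forgets to reset the write index, so a guest can walk the index past the end of the buffer into whatever state sits next to it, shown beside the bounded write path that the actual fix used (indexing modulo the buffer length). The buffer size, the two command opcodes and the "neighbouring state" bytes are all constructed for the demo; real QEMU's buffer is larger and what lies beyond it is heap memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a guest-writable command FIFO in an emulated device.
 * Illustrative code only, not QEMU's floppy controller: the memory that
 * follows the FIFO is represented by ADJACENT_LEN bytes of the same array so
 * the overflow stays well-defined C while still being visible. */
#define FIFO_LEN      16
#define ADJACENT_LEN   8
#define ADJACENT_FILL 0xAA     /* recognisable value for the neighbouring state */

#define CMD_WELL_BEHAVED 0x01  /* handler resets the FIFO index when done */
#define CMD_FORGETFUL    0x02  /* handler forgets to (the class of defect behind Venom) */

struct device {
    uint8_t mem[FIFO_LEN + ADJACENT_LEN]; /* fifo = mem[0..FIFO_LEN), neighbour state after it */
    size_t data_pos;   /* bytes of the current command received so far */
    size_t data_len;   /* bytes the current command expects in total */
    size_t dropped;    /* writes that would have left even the model's array */
    int hardened;      /* 0: vulnerable write path, 1: bounded write path */
};

static void device_init(struct device *d, int hardened)
{
    memset(d, 0, sizeof *d);
    memset(d->mem + FIFO_LEN, ADJACENT_FILL, ADJACENT_LEN);
    d->hardened = hardened;
}

/* Parameter bytes each opcode carries, like a handler table. */
static size_t cmd_params(uint8_t cmd)
{
    switch (cmd) {
    case CMD_WELL_BEHAVED: return 2;
    case CMD_FORGETFUL:    return 2;
    default:               return 0;
    }
}

/* Runs once the last parameter byte of a command has arrived. */
static void run_command(struct device *d)
{
    switch (d->mem[0]) {
    case CMD_FORGETFUL:
        /* Defect modelled here: the handler returns without resetting
         * data_pos, so every later guest write lands further up the array. */
        break;
    default:
        d->data_pos = 0;   /* correct: the next byte starts a new command */
        break;
    }
}

/* One guest write to the device's data port. */
static void write_data(struct device *d, uint8_t value)
{
    if (d->data_pos == 0)
        d->data_len = cmd_params(value) + 1;   /* opcode + parameters */
    size_t pos = d->data_pos++;
    if (d->hardened)
        pos %= FIFO_LEN;   /* same shape as the Venom fix: the store index can never leave the buffer */
    if (pos >= sizeof d->mem) {
        d->dropped++;      /* model boundary; real code would corrupt the heap here */
        return;
    }
    d->mem[pos] = value;
    if (d->data_pos == d->data_len)
        run_command(d);
}

/* Number of neighbouring bytes that no longer hold their original value. */
static int adjacent_clobbered(const struct device *d)
{
    int n = 0;
    for (size_t i = FIFO_LEN; i < sizeof d->mem; i++)
        if (d->mem[i] != ADJACENT_FILL) n++;
    return n;
}

/* Constructed guest input: a forgetful command, then enough filler to carry
 * the index off the end of the FIFO and across the neighbouring state.
 * Returns how many neighbouring bytes the guest overwrote. */
int guest_attack(int hardened)
{
    struct device d;
    device_init(&d, hardened);
    write_data(&d, CMD_FORGETFUL);
    write_data(&d, 0x00);
    write_data(&d, 0x00);
    for (size_t i = 3; i < sizeof d.mem; i++)
        write_data(&d, 0x41);
    return adjacent_clobbered(&d);
}

/* Constructed benign traffic: the same number of bytes as well-behaved commands. */
int guest_benign(int hardened)
{
    struct device d;
    device_init(&d, hardened);
    for (size_t i = 0; i < sizeof d.mem; i += 3) {
        write_data(&d, CMD_WELL_BEHAVED);
        write_data(&d, 0x00);
        write_data(&d, 0x00);
    }
    return adjacent_clobbered(&d);
}

int main(void)
{
    printf("vulnerable path: %d neighbouring bytes overwritten\n", guest_attack(0));
    printf("hardened path:   %d neighbouring bytes overwritten\n", guest_attack(1));
    printf("benign traffic:  %d / %d\n", guest_benign(0), guest_benign(1));
    return 0;
}
```

The point of the two paths is that the handler bug and the write-path bug are separate: the forgetful handler is still present in the hardened build, but the store can no longer reach memory outside the FIFO, which is why bounding the index at the single write site was an adequate fix regardless of how many handlers mishandled `data_pos`.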

"The patch should be treated with very high priority, and is well worth a brief service interruption in almost all cases," says Lloyd. 

Photo: Intel Free Press | Flickr

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.