Security firm CrowdStrike has found a potentially serious vulnerability in a type of virtualization platform that could allow a hacker to breakout from its own virtual space and into the space of other users on a shared server. That means that millions of uses relying on the security of data stored "in the cloud" could be put at risk.
The vulnerability has been labeled Virtualized Environment Neglected Operations Manipulation (VENOM) because of the way it works (and likely its menacing sound). It takes advantage of a previously unknown problem with a virtual floppy disk controller used by the underlying operating system—if sent a particular string of characters by a hacker, officials with CrowdStrike report, it can be made to crash allowing entry to the hypervisor—a part of the operating system that interfaces with the individual supervisors that run the virtual environments for cloud customers. And that means that such a hacker would gain access to every piece of data on the server, potentially putting millions of people's data at risk of exposure. Virtual floppy disks are not often used by such systems but remain in place as legacy devices to maintain compatibility with older systems.
0 comments: