A decade-old vulnerability in the virtual floppy disk controller code of the QEMU emulator, which is shared by several hypervisors and underpins millions of virtual machines, has been uncovered by researchers at CrowdStrike.
CrowdStrike senior security researcher Jason Geffner disclosed the flaw, codenamed Venom, in a threat advisory, warning that it could be exploited by attackers for a variety of purposes.
"This vulnerability may allow an attacker to escape from the confines of an affected virtual machine guest and potentially obtain code-execution access to the host," read the advisory.
"Exploitation of the Venom vulnerability can expose access to corporate intellectual property, in addition to sensitive and personally identifiable information."
Geffner added that successful exploitation could have an impact on "the thousands of organisations and millions of end users that rely on affected virtual machines for the allocation of shared computing resources, as well as connectivity, storage, security and privacy".
Venom is believed to have existed since at least 2004 and affects products from QEMU, the Xen Project, Red Hat, Citrix, FireEye, Rackspace, Ubuntu, Debian, SUSE, DigitalOcean and F5. CrowdStrike privately shared details of Venom with the affected vendors in April, and they have since released fixes for the flaw.
VMware, Microsoft Hyper-V and Bochs are not affected, as they do not use QEMU's device emulation code.
The widespread nature of Venom has led some to describe it as "the next Heartbleed".
However, other members of the security community have downplayed Venom's significance, pointing out that there is no evidence of attackers targeting the flaw and that the difficulty of exploiting it makes widespread attacks unlikely.
"Any exploit created around Venom would have to be tailored against a specific target environment," explained Chris Eng, vice president of research at Veracode.
"Second, the attacker would have to already be on the target system to get at the vulnerability - certainly not impossible in a public cloud environment but nevertheless a complicating factor.
"Lastly, there isn't currently a publicly available exploit, and creating one would require a non-trivial amount of effort."
Heartbleed is a bug in the OpenSSL cryptographic library, used by open source web servers such as Apache and Nginx, that was publicly disclosed in April 2014.