Bare metal has an advantage that virtual machines do not. Because virtual machines are essentially a software abstraction emulating a physical system that runs on top of a real physical system, there is a risk that attackers can penetrate the hypervisor layer, gain access to the underlying physical server’s operating system and from there access other virtual machines running on the system. This is at least a theoretical risk in all multi-tenant shared hosting scenarios.
Hypervisor developers go to extraordinary lengths to make sure it doesn’t happen; a vulnerability of this sort is the worst nightmare for virtual cloud users. In fact, one of the major marketing points of the virtualized cloud is the impossibility of breaching the hypervisor layer. The strict segregation of virtual machine environments is crucial to the security of any data stored in that environment.
That’s why the recent revelation by CrowdStrike of a vulnerability in a number of hypervisors — a vulnerability that has existed for eleven years — is so troubling. The VENOM vulnerability has the potential to allow an attacker with access to one virtual machine to access the operating environment of the physical server, access other virtual machines on that server, and from there island hop to other secure servers within a business’s network.
Because businesses have no insight into or control over the physical infrastructure layer of the virtual machines they run on public cloud platforms, they are entirely reliant on cloud vendors to discover and fix such vulnerabilities — something that they have conspicuously failed to do in the decade since VENOM was introduced.
The vulnerability impacts cloud platforms using the Xen, KVM, and QEMU hypervisors running guest and host operating systems including Windows, Linux, and OS X. VENOM is caused by a buffer overflow bug in QEMU’s Floppy Disk Controller, the code of which is also used in Xen and KVM. Two commands used to send data via the FDC fail to clear the buffer, allowing an attacker to send a crafted parameter, overflow the buffer, and execute arbitrary code within the context of the hypervisor.
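A simplified model of the bug class described above and of the defensive fix, added here as an example (it is not code from the page, from CrowdStrike or from QEMU): a guest-facing FIFO write that trusts a stale cursor, beside the bounded version. The controller is reduced to a 512-byte FIFO plus its write cursor, and the "buffer not cleared" condition is modelled as a command handler that never resets that cursor; the names fdc_model, fifo_write_stale, fifo_write_bounded and feed_after_leaky_command are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIFO_LEN 512  /* the FDC data FIFO holds one 512-byte sector */

/* Toy controller state (hypothetical names, not QEMU's structures). */
struct fdc_model {
    uint8_t fifo[FIFO_LEN];
    size_t  data_pos;  /* where the next guest-supplied byte lands */
};

/* Vulnerable pattern: the cursor is trusted as-is. In real code this is a raw
 * array store, so an index >= FIFO_LEN corrupts adjacent heap memory; the
 * model refuses that store and returns -1 instead of overflowing. */
static long fifo_write_stale(struct fdc_model *c, uint8_t byte)
{
    size_t pos = c->data_pos++;
    if (pos >= FIFO_LEN)
        return -1;
    c->fifo[pos] = byte;
    return (long)pos;
}

/* Hardened pattern: bound the cursor before every access, so a stale value
 * can never index past the buffer, whatever the command handlers did. */
static long fifo_write_bounded(struct fdc_model *c, uint8_t byte)
{
    size_t pos = c->data_pos++ % FIFO_LEN;
    c->fifo[pos] = byte;
    return (long)pos;
}

/* Model the bug: a command finished with the cursor 8 bytes from the end of
 * the FIFO and, unlike a correct handler, never reset it to 0. Then push n
 * more parameter bytes. Returns the highest index written, or -1 when the
 * vulnerable path would have written out of bounds. */
long feed_after_leaky_command(size_t n, int hardened)
{
    struct fdc_model c;
    long max = -1;
    memset(&c, 0, sizeof c);
    c.data_pos = FIFO_LEN - 8;  /* the stale cursor: the missing reset */
    for (size_t i = 0; i < n; i++) {
        long idx = hardened ? fifo_write_bounded(&c, 0x41)
                            : fifo_write_stale(&c, 0x41);
        if (idx < 0) return -1;
        if (idx > max) max = idx;
    }
    return max;
}
```

The point of the model is that the fix belongs at the buffer access, not in each command handler: once the index is bounded there, a handler that forgets to reset the cursor becomes a logic bug rather than memory corruption.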
Many are comparing the seriousness of the vulnerability to Heartbleed, a vulnerability that allowed malefactors to read the content of purportedly secure communications sent over SSL connections.
Patches exist for most affected systems, but public cloud platform users can’t apply the relevant updates themselves — a risk that anyone using a virtualized platform takes. Bare metal clouds have the advantage of giving users insight and control over the full stack of software running on their servers, from bare metal to services. Bare metal also has the obvious benefit that no hypervisor layer adds complexity to the system. That is not to say that bare metal clouds are inherently safe; they are subject to the same vulnerabilities as any complex software environment, but they do allow businesses to know and control exactly what software they are running to support their operations.