Slashdot Mirror


'Venom' Security Vulnerability Threatens Most Datacenters

An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). "The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies." The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software." The vulnerability has been dubbed "Venom," for "Virtualized Environment Neglected Operations Manipulation."

4 of 95 comments

  1. Re:Not very serious by qpqp · Score: 5, Informative

    Seems a lot of hype about nothing to be honest and scaremongering.

    From venom.crowdstrike.com:

    Floppy drives are outdated, so why are these products still vulnerable?
    For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

  2. Re:Who uses virt floppy anymore by Nuitari+The+Wiz · Score: 3, Informative

    From the article:

    Floppy drives are outdated, so why are these products still vulnerable?
    For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

  3. Re:Not very serious by Anonymous Coward · Score: 5, Informative

    Indeed. The risk is nonexistent for the 200+ VMs I interact with regularly since none of them has a virtual floppy device attached.

    Ten people, at least, have written comments here saying that even without explicitly having one, you could still be a victim. If you truly work with VMs, you may want to RTFA instead of just writing some crap.

    Besides, even if you are not using a floppy disk on your VM, if someone else is and they share the same hypervisor as you, you may be screwed anyway.

  4. Re:Who uses virt floppy anymore by DMUTPeregrine · Score: 3, Informative

    It's CVE-2015-3456. https://cve.mitre.org/cgi-bin/...

    --
    Not a sentence!