Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Venom' Security Vulnerability Threatens Most Datacenters

Posted by Soulskill on from the holes-in-legacy-code dept.

An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). "The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies." The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software." The vulnerability has been dubbed "Venom," for "Virtualized Environment Neglected Operations Manipulation."

4 of 95 comments (clear)

  1. Legacy Code: Pwning all your machines since 2004 by Anonymous Coward · · Score: 2, Interesting

    I love how even if the floppy drive is disabled, this is still exploitable due to another unreleased bug.

    The solution is just to get rid of all the old unmaintained code by default. If someone wants to use old deprecated code, let them apply the patches themselves.

    The Linux kernel is a goldmine of barely maintained crap that hasn't had more than 2 users for the least 30 years. Not breaking userspace is nice, but at some point you need to take into account the huge gaping security risks of mistery legacy code running with maximum privileges.

  2. Open Source Branding by organgtool · · Score: 4, Interesting

    Not to get too far offtopic, but as a long-time user of open source software, it bothers me that open source software seems to have inferior names for its applications (GIMP, Yakuake, etc) but very marketing-friendly names for its vulnerabilities (Heartbleed, Shellshock, Venom). If you look at closed-source software it is the complete opposite - applications have marketing-friendly names while vulnerabilities are called something like "KBstringofnumbersnobodywillrememberorcareabout". So are open source developers just much better at naming vulnerabilities or are the marketing departments of closed software companies quietly assisting with the naming of open-source vulnerabilities?

  3. Re:Not very serious by Anonymous Coward · · Score: 0, Interesting

    Indeed. The risk is nonexistent for the 200+ VMs I interact with regularly since none of them has a virtual floppy device attached.

    This is the unfortunate new norm of security research... You've got groups that just find and fix vulnerabilities as their normal activities and don't see any need to overhype the risk associated with the issues they address, and then you've got groups that want to sell security products or services that try to advertise their brands by creating fear around the issues they find.

  4. Re:Who uses virt floppy anymore by silas_moeckel · · Score: 3, Interesting

    Yet they don't link to the bug nor can I find anything besides circular references to the Venom announcement.

    --
    No sir I dont like it.