Slashdot Mirror


'Venom' Security Vulnerability Threatens Most Datacenters

An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). "The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies." The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software." The vulnerability has been dubbed "Venom," for "Virtualized Environment Neglected Operations Manipulation."

65 of 95 comments

  1. Not very serious by DrDevil · · Score: 1

    I've yet to come across a virtual server provider that has a floppy disk driver enabled. Seems a lot of hype about nothing to be honest and scaremongering.

    1. Re:Not very serious by qpqp · · Score: 5, Informative

      Seems a lot of hype about nothing to be honest and scaremongering.

      From venom.crowdstrike.com:

      Floppy drives are outdated, so why are these products still vulnerable?
      For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

    2. Re:Not very serious by martyros · · Score: 3, Insightful

      ...an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

      Which is why the PV mode in Xen is such a killer security feature -- the more stuff you have just lying around, even if unused in theory, the higher the probability that there will be a bug somewhere that can be exploited.

      --

      TCP: Why the Internet is full of SYN.

    3. Re:Not very serious by Anonymous Coward · · Score: 1

      Given the report you show is from September last year and this bug was discovered in April this year, chances are that these are unrelated...

    4. Re:Not very serious by Anonymous Coward · · Score: 5, Informative

      Indeed. The risk is nonexistent for the 200+ VMs I interact with regularly since none of them has a virtual floppy device attached.

      Ten people, at least, have written comments here saying that even without explicitly having one, you could still be a victim. If you truly work with VMs, you may want to RTFA instead of just writing some crap.

      Besides, even if you are not using a floppy disk on your VM, if someone else is and they share the same hypervisor as you, you may be screwed anyway.

    5. Re:Not very serious by chris200x9 · · Score: 1

      Of course it's serious it has a badass nickname!

    6. Re:Not very serious by xtronics · · Score: 1

      It only applies to folks running one of these packages:
      xen, qemu,

      The software is there for a reason - same goes for why there is still an ISA bus (used for timing) etc.

      These old devices need to exist for software compatibility.

    7. Re:Not very serious by jcwayne · · Score: 1

      AWS has posted an advisory stating that they are not affected by VENOM.

      --
      Failure to follow this advice may result in non-deterministic behavior.
    8. Re:Not very serious by sexconker · · Score: 2

      Yet everyone's champing at the bit to get browsers to implement shit that used to be handled by optional plugins and calling it more secure.

      I can choose not to install a plugin, but I can't remove the analogous code in the browser - at best I can turn the feature off in the hidden settings page and hope it's actually disabled, never loaded into memory, and a bug can't be used to re-enable/jump to the code and leverage it in an attack.

      Less is more.

    9. Re:Not very serious by sexconker · · Score: 1

      Given the report you show is from September last year and this bug was discovered in April this year, chances are that these are unrelated...

      You don't know when the bug was first discovered or by whom it was first discovered.

    10. Re:Not very serious by Wintermute__ · · Score: 1

      Well they aren't now, but how about back in September?

    11. Re:Not very serious by F.Ultra · · Score: 1

      They use XEN so of course they were affected.

  2. Who uses virt floppy anymore by silas_moeckel · · Score: 1

    What is the use case for virt floppy? Drivers nearly never fit, VMs should not need firmware updates. So why would people still be exposing a virt floppy to VMs?

    --
    No sir I dont like it.
    1. Re:Who uses virt floppy anymore by Nuitari+The+Wiz · · Score: 3, Informative

      From the article:

      Floppy drives are outdated, so why are these products still vulnerable?
      For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

    2. Re:Who uses virt floppy anymore by silas_moeckel · · Score: 3, Interesting

      Yet they don't link to the bug nor can I find anything besides circular references to the Venom announcement.

      --
      No sir I dont like it.
    3. Re:Who uses virt floppy anymore by DMUTPeregrine · · Score: 3, Informative

      It's CVE-2015-3456. https://cve.mitre.org/cgi-bin/...

      --
      Not a sentence!
    4. Re:Who uses virt floppy anymore by DMUTPeregrine · · Score: 1

      Cut off the bottom of my post on accident. It's supposed to be that CVE, but the actual CVE hasn't been published yet. They went with the press release first for some reason.

      --
      Not a sentence!
    5. Re:Who uses virt floppy anymore by DarkOx · · Score: 1

      While I realize VMware isn't affected by this vuln;

      Fusion can't boot a VM off USB (why the fuck is that?) So if I want to test a USB boot stick on my Mac I have to use this to chain load the USB stick's boot loader: https://www.plop.at/en/bootman...

      It's pretty convenient to just keep a VM defined with a floppy and the plop disk always attached. It would be better if it could/would boot a USB device, but the virtual floppy is my workaround.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:Who uses virt floppy anymore by Bert64 · · Score: 1

      Windows 2003, which is still supported for a short time, has to load storage drivers from floppy (it won't load them from cd)... If you want to use paravirtualized storage drivers for performance reasons you need to attach a virtual floppy from which to load the drivers.
      It's not uncommon to use a virtualization environment to run older systems for compatibility purposes either (e.g. to support legacy apps)... You likely also need privileged access to a guest to exploit this, so a legacy os would be a good target for such attacks.

      That said, you should remove the floppy drive as soon as the installation has completed.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  3. They have probably spent more time by Anonymous Coward · · Score: 5, Funny

    finding a full name that fits the really cool "venom", instead of actually going about fixing it.

    1. Re:They have probably spent more time by null+etc. · · Score: 2

      Very Entertaining Name Obstructs Momentum

    2. Re:They have probably spent more time by null+etc. · · Score: 1

      In Haiku format:

      Very Entertained,
      Name Obstructing Momentum,
      V.E.N.O.M

  4. Whoa, this is really bad by Anonymous Coward · · Score: 4, Funny

    This must be a very serious vulnerability judging purely by its name.

    1. Re:Whoa, this is really bad by null+etc. · · Score: 2

      And what's the solution? Flip the name backwards and put a slash underneath.

      Monev
              /

  5. Legacy Code: Pwning all your machines since 2004 by Anonymous Coward · · Score: 2, Interesting

    I love how even if the floppy drive is disabled, this is still exploitable due to another unrelated bug.

    The solution is just to get rid of all the old unmaintained code by default. If someone wants to use old deprecated code, let them apply the patches themselves.

    The Linux kernel is a goldmine of barely maintained crap that hasn't had more than 2 users for the last 30 years. Not breaking userspace is nice, but at some point you need to take into account the huge gaping security risks of mystery legacy code running with maximum privileges.

  6. Re:Sooo.... by Anonymous Coward · · Score: 1

    No one was able to review the closed source ones.

    The open source tools were vulnerable from 2004 to 2015.

    The closed source ones? Nobody knows. And that's really scary.

  7. Re:Sooo.... by Imagix · · Score: 2

    Odd... all of the VM tools that I install are either by the OS's package manager, or by mounting a CD ISO. No floppies.

  8. Open Source Branding by organgtool · · Score: 4, Interesting

    Not to get too far off-topic, but as a long-time user of open source software, it bothers me that open source software seems to have inferior names for its applications (GIMP, Yakuake, etc) but very marketing-friendly names for its vulnerabilities (Heartbleed, Shellshock, Venom). If you look at closed-source software it is the complete opposite - applications have marketing-friendly names while vulnerabilities are called something like "KBstringofnumbersnobodywillrememberorcareabout". So are open source developers just much better at naming vulnerabilities or are the marketing departments of closed software companies quietly assisting with the naming of open-source vulnerabilities?

    1. Re:Open Source Branding by thegarbz · · Score: 4, Insightful

      Sure if you cherry pick your applications to suit your case then you could argue that. To me I see open source vulnerabilities which are called CVE-215-3456 which someone happens to have an alternate name for. I see programs called StarOffice, and Libre Office. I see MySQL, openLDAP, and systemd. All very descriptive of what they do.

      Let's not over generalise.

    2. Re:Open Source Branding by FranTaylor · · Score: 2

      So are open source developers just much better at naming vulnerabilities or are the marketing departments of closed software companies quietly assisting with the naming of open-source vulnerabilities?

      You are telling us:

      Every software developer should have a publicist from fox news on retainer so that new projects can receive names that are considered more appropriate for inclusion in technology news stories, it's much more important than the actual software itself

    3. Re:Open Source Branding by FranTaylor · · Score: 1

      so mysql is a tool for making sql queries that pertain to me?

      openldap is probably not a good place to keep secret login data because it's "open"

      systemd is clearly some sort of pig latin

      yes these products have fine names

    4. Re: Open Source Branding by Anonymous Coward · · Score: 1

      The reason is simple.

      Nobody cares that the tool is called hammer, bash, or clonk, as long as it does the job, but everyone should care that a bug in your hammer can allow any lunatic to grab it and bash your machine and clonk you over the head. Remotely.

      Hence the attention grabbing names for vulnerabilities.

      (Plus, the fact that a 20 year old bug in bash is BIG news and a major cause for concern kinda shows that open source doesn't need marketing. Its already widely deployed.)

    5. Re:Open Source Branding by Anonymous Coward · · Score: 1

      As for product naming : most open source project maintainers don't have the funding or time to buy and defend a trademark, so they pick names that are unlikely to violate or be similar to trademarks of actual companies (who do have lawyers to defend them).

      As for vulnerability naming : who knows. Big companies have powerful lawyers/marketing. Didn't prevent names like "bendgate", so maybe it's just selection bias.

    6. Re:Open Source Branding by ChunderDownunder · · Score: 1

      Photoshop - back last millennium, casual photographers would take their roll of film to a "photo shop" who would process the negatives and print the photos for a customer.

      Kids these days...

    7. Re:Open Source Branding by sexconker · · Score: 1

      Sure if you cherry pick your applications to suit your case then you could argue that. To me I see open source vulnerabilities which are called CVE-215-3456 which someone happens to have an alternate name for. I see programs called StarOffice, and Libre Office. I see MySQL, openLDAP, and systemd. All very descriptive of what they do.

      Let's not over generalise.

      What does "Star Office" do? How is it different from "Libre Office" or "Open Office"? Wait, "Open Office" IS "Star Office"? Oh, it's NOT? Then why does installing "Open Office" give me an "soffice" executable?!

      What's "MySQL"? Is it mine? Whose is it? Is it a server? Can I only use it for personal use?

      What's an "LDAP"? Do I want an open one or a closed one? I need it to be secure, so I probably don't want an open one.

      Oh, you included systemd. Your entire post is a troll.

    8. Re:Open Source Branding by Rich0 · · Score: 1

      What's "MySQL"?

      It is the other implementation of MariaDB, which also installs /usr/bin/mysqld. :)

    9. Re:Open Source Branding by null+etc. · · Score: 1

      Dear God, no. If software developers used publicists from Fox News, then LibreOffice would have been called "ObamaCommieOffice".

    10. Re: Open Source Branding by null+etc. · · Score: 1

      No, but the HR department *does* care that the software is called GIMP.

    11. Re:Open Source Branding by organgtool · · Score: 1

      I should have made my statement more clear. I didn't mean to imply that all open source projects have bad names (although I still believe that many do) but I was more focused on the fact that it seems to be only open source projects that have vulnerabilities with marketing-friendly names despite the fact that closed source software has had many vulnerabilities just as severe and I can't recall one closed source vulnerability with a memorable name. The point is: who is responsible for naming these vulnerabilities and why aren't they just as clever in naming closed source vulnerabilities as they are for open source?

    12. Re:Open Source Branding by organgtool · · Score: 1

      How did this straw man argument get modded up? I never suggested anything of the sort. I was implying that maybe these clever names for vulnerabilities aren't coming from within the open source community and that closed source software seems to be getting off easy when it comes to the level of effort in having their vulnerabilities named for them.

    13. Re:Open Source Branding by l0n3s0m3phr34k · · Score: 1

      I'd guess that's because closed source has real marketing people in the organization, people with 4+ year advertising, promotion, and marketing degrees who are naming these. In open source, it's whatever the dev wants to call it...the "professional" closed source apps have a marketing department who steps in and says "that name is horrible, it will make our clients subconsciously afraid to use the product, call it this instead." Very few devs have any real education in marketing; I've taken a few classes in it so I know a few of the basics behind it all.

    14. Re:Open Source Branding by thegarbz · · Score: 1

      You mean like a program to do with SQL, a program to do with LDAP, and a daemon for managing the system.

      There's only so much you can put into a name before you need to start ignoring the people who can't see the obvious.

    15. Re:Open Source Branding by thegarbz · · Score: 1

      It's not kids these days, it was a direct response to an equally stupid post by the GP.

    16. Re:Open Source Branding by thegarbz · · Score: 1

      What does "Star Office" do? How is it different from "Libre Office" or "Open Office"? Wait, "Open Office" IS "Star Office"? Oh, it's NOT? Then why does installing "Open Office" give me an "soffice" executable?!

      Who cares, it's an office suite. Is the marketing supposed to deal with the technicalities of the product? No. It's supposed to give you an idea of what it does, and if you download Libre Office or Open Office you end up with a product that gives you an office productivity suite. The marketing works, and the only people who fret about it are nerds splitting hairs about ownership, history and freedoms.

      What's "MySQL"? Is it mine? Whose is it? Is it a server? Can I only use it for personal use?

      It's a product to do with SQL. Quite a bit more relevant than commercial programs like "Filemaker" is it not.

      What's an "LDAP"? Do I want an open one or a closed one? I need it to be secure, so I probably don't want an open one.

      Again who cares about the open or closed cases? If you don't know what LDAP is the program is not for you, if you do know what it is googling for LDAP results in products with it in the name. Marketing works and if you're expecting the name to give you a complete list of pros and cons of a software package then maybe you should find a less mentally challenging career.

      Oh, you included systemd. Your entire post is a troll.

      You mean a daemon for controlling the system? No my post was full of relevant examples.
      Your post on the other hand is irrelevant crap, and argumentative for argumentation's sake. That is the definition of a troll.

    17. Re:Open Source Branding by thegarbz · · Score: 1

      I agree that there are many packages poorly named in closed source.

      But I stand by my thought that you're cherry picking or not researching enough.

      Blaster
      CodeRed
      SQL Slammer
      Conficker (ok this isn't a good one IMO)
      iPwn (This is a good one, it even tells you which platform it attacks)
      Sasser
      MyDoom

      These may be mostly named after the exploiting code rather than the exploit, but that is part of closed source madness of not hearing about something till it's actually exploited.

  9. Re:Sooo.... by LoRdTAW · · Score: 2, Insightful

    Not sure where you are getting this floppy business from. Virtualbox guest addition tools are loaded from a single CD image. All the driver packages are on that image. Hyper-V also uses a CD image. I have also used VMware in the past and they too used CD images.

    Perhaps you are confusing that with the provided floppy controller emulation.

  10. (CVE-2015-3456) by Anonymous Coward · · Score: 1

    (CVE-2015-3456)?

    I've got the same vulnerability designation on my luggage!

  11. Where's the test? by XanC · · Score: 1

    There's got to be some test I can run on my VMs to see whether or not I'm vulnerable, right?

    1. Re:Where's the test? by FranTaylor · · Score: 1

      you are probably not vulnerable if you have had your vaccinations, hard to tell about your computer

  12. Other proposed names that did not make it by Anonymous Coward · · Score: 1

    Gvenom
    Kvenom
    GNUvenom
    FreeVenom
    OpenVenom
    venom-1.0.7-RC2
    Venom.js

    1. Re:Other proposed names that did not make it by glwtta · · Score: 1

      The last one would obviously be: venumr.js

      --
      sic transit gloria mundi
  13. Re:Legacy Code: Pwning all your machines since 200 by FranTaylor · · Score: 1

    If your computer experience involves applying patches as part of normal operations, you've completely and utterly failed to understand that computers are there to relieve work from you, not make you work harder.

    So those engineers at RedHat who produce the bug fixes for the rest of us, they fail to understand what exactly?

  14. Re:Sooo.... by FranTaylor · · Score: 1

    global warning will make all disks floppy

  15. Goddamn Heartbleed by glwtta · · Score: 5, Insightful

    So every single vulnerability from now on is getting an idiotic media name?

    We can't have CVE-1234, no no, must be RageBoner or PantShitter or no one will take it seriously!

    --
    sic transit gloria mundi
    1. Re:Goddamn Heartbleed by Anonymous Coward · · Score: 1

      pantshitter sounds pretty serious.

    2. Re:Goddamn Heartbleed by ChunderDownunder · · Score: 1

      at least heartbleed is vaguely googleable though perhaps describing a medical condition. venom not so much.

    3. Re:Goddamn Heartbleed by l0n3s0m3phr34k · · Score: 1

      HAHAHA LOL "PantShitter" is the best name ever. I can only dream of a vulnerability with that name...I'd pay good money to see that name up on my work's Situation Management page.

    4. Re:Goddamn Heartbleed by rsmith-mac · · Score: 1

      We can't have CVE-1234, no no, must be RageBoner or PantShitter or no one will take it seriously!

      We can't have CVE-1234 exactly because no one will take it seriously, though I suspect you have the cause and effect reversed.

      When the CVE list numbers in the tens of thousands and contains everything from the trivial (program may crash) to the severe (remote code execution), CVE numbers are meaningless. It doesn't tell me just how important this vulnerability is and whether I should be concerned. Whereas if someone takes the time to name it, it means it was important enough to get a real name.

      Which is a terrible precedent to set, but if anyone has a better suggestion for naming vulnerabilities that gives them unique, easily communicated names, and in the process makes it clear whether they're a significant threat or not, well then I'm all ears. Otherwise for the time being, this is like complaining that people call oranges oranges rather than Citrus x sinensis.

    5. Re:Goddamn Heartbleed by rail2rail · · Score: 1

      It's the same reason we name major storms, stars, mountains, comets, planets, galaxies, etc. Relax, it's a good thing.

  16. most systems vulnerable, not as bad as it looks by Chirs · · Score: 2

    There's a recent post on the openstack-operators mailing list talking about this, but the basic gist is that pretty much all versions of qemu are susceptible to the bug, but that in practice it's not quite as big a deal as it sounds.

    The thing to note is that the major linux distros by default enable something called "sVirt" which basically locks down qemu to using only the resources that have been explicitly assigned to it. This should make it hard (ideally impossible) to break out and compromise the host or other qemu processes.

    Also, on most major linux distros qemu doesn't run as root but rather as a separate user with lower privileges.
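    As an added illustration of the two mitigations this comment describes (it is not code from the thread, from QEMU or from any distro), the script below inspects a libvirt domain definition for a virtual floppy and a process listing for QEMU processes running as root or outside an SELinux sVirt label. The domain XML, the `ps -eo user,label,args` output and the guest names are constructed samples, and the sVirt check assumes SELinux label syntax (AppArmor hosts print labels differently).

```python
"""Audit indicators relevant to VENOM (CVE-2015-3456) on a KVM/libvirt host.

Added example, not from the thread or any vendor tooling. Two checks:
  1. does a guest still define a virtual floppy (disk or fdc controller)?
  2. does a QEMU process run as root or without an sVirt confinement label?
Caveat from the thread: on Xen and QEMU the FDC code can stay reachable
even when the floppy is disabled, so "no floppy" lowers priority but is
not proof of safety; updating QEMU is the actual fix.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `virsh dumpxml <guest>` prints (not a real host).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>legacy-win2003</name>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/win2003.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/virtio-drivers.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
    <controller type='fdc' index='0'/>
  </devices>
</domain>"""

# Constructed `ps -eo user,label,args` output: one confined guest, one not.
SAMPLE_PS_OUTPUT = """USER     LABEL                                     COMMAND
qemu     system_u:system_r:svirt_t:s0:c12,c431     /usr/bin/qemu-system-x86_64 -name guest=legacy-win2003 -fda /var/lib/libvirt/images/virtio-drivers.img
root     unconfined_u:unconfined_r:unconfined_t:s0 /usr/bin/qemu-system-x86_64 -name guest=handbuilt -fda /tmp/boot.img
"""


def floppy_devices(domain_xml):
    """Return human-readable entries for every floppy disk / fdc controller
    defined in a libvirt domain XML (empty list when none is defined)."""
    root = ET.fromstring(domain_xml)
    found = []
    for disk in root.iter('disk'):
        if disk.get('device') == 'floppy':
            src = disk.find('source')
            media = src.get('file', '?') if src is not None else 'no media'
            found.append('floppy disk: ' + media)
    for ctrl in root.iter('controller'):
        if ctrl.get('type') == 'fdc':
            found.append('fdc controller index=' + ctrl.get('index', '?'))
    return found


def unconfined_qemu(ps_output):
    """Return (user, label, command) for QEMU processes that run as root
    or whose SELinux label is not an sVirt per-guest label."""
    flagged = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        parts = line.split(None, 2)                # user, label, rest of cmd
        if len(parts) < 3 or 'qemu' not in parts[2]:
            continue
        user, label, cmd = parts
        if user == 'root' or 'svirt' not in label:
            flagged.append((user, label, cmd))
    return flagged


if __name__ == '__main__':
    for entry in floppy_devices(SAMPLE_DOMAIN_XML):
        print('guest defines', entry)
    for user, label, cmd in unconfined_qemu(SAMPLE_PS_OUTPUT):
        print('WEAK ISOLATION:', user, label, cmd.split()[0])
```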

  17. Re:Legacy Code: Pwning all your machines since 200 by Bert64 · · Score: 1

    The problem is that virtual machines are often used to run legacy software on modern hardware, cutting out the legacy cruft by default would cut off all those users... Although having it configurable at runtime would be much easier for users than having it a compile time patch.

    Some of us do make hardened builds removing unwanted crap, but having the hardened option require the extra work is more practical from a usability point of view as those of us who care most about it tend to be the most capable of making the changes.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  18. Inception by null+etc. · · Score: 1

    But what if you're running your VM within a VM? Will the malware know it's still in a dream?

  19. Re:Legacy Code: Pwning all your machines since 200 by l0n3s0m3phr34k · · Score: 1

    The last time I did some ESXi troubleshooting (about two weeks ago), I had to look up documentation that I would think our "system admins" would already know. I personally don't even know that much about the actual nuts n bolts of it yet, but our Indian sysadmins really won't do anything without someone like me beating them over the head with step-by-step instructions for the entire maintenance window. "Enter this command"...silence on the phone..."now hit Enter"...it's ridiculous.

    I blame this on the British, who beat this whole "do not act first, always ask" meme into the Indians during the colonial times. I so want to tell them "You work for an American company now, just GET IT DONE!" Sometimes it even gets to the point where SMT (Situation Management, the team that coordinates all our SEV1 / SEV2 issues) had to tell them "He is not your technical adviser, you need to keep trying to contact XYZ and bring them on this call" lol

  20. Re:Sooo.... by l0n3s0m3phr34k · · Score: 1

    in the article, it does say that neither Hyper-V nor VMware are affected by this...so in reality about 80% of VMs are safe lol

  21. Xen paravirtualized not vulnerable by manu0601 · · Score: 1

    Xen security advisory notes that Xen paravirtualized setup is not vulnerable. It only strikes HVM, where the host OS is run unmodified and thinks it has access to a real floppy drive.