Slashdot Mirror
'Venom' Security Vulnerability Threatens Most Datacenters
An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). "The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies." The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software." The vulnerability has been dubbed "Venom," for "Virtualized Environment Neglected Operations Manipulation."
Seems a lot of hype about nothing to be honest and scaremongering.
From venom.crowdstrike.com:
Floppy drives are outdated, so why are these products still vulnerable?
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
finding a full name that fits the really cool "venom", instead of actually going about fixing it.
This must be a very serious vulnerability judging purely by it's name.
I love how even if the floppy drive is disabled, this is still exploitable due to another unreleased bug.
The solution is just to get rid of all the old unmaintained code by default. If someone wants to use old deprecated code, let them apply the patches themselves.
The Linux kernel is a goldmine of barely maintained crap that hasn't had more than 2 users for the least 30 years. Not breaking userspace is nice, but at some point you need to take into account the huge gaping security risks of mistery legacy code running with maximum privileges.
From the article:
Floppy drives are outdated, so why are these products still vulnerable?
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
Odd... all of the VM tools that I install are either by the OS's package manager, or by mounting a CD ISO. No floppies.
Not to get too far offtopic, but as a long-time user of open source software, it bothers me that open source software seems to have inferior names for its applications (GIMP, Yakuake, etc) but very marketing-friendly names for its vulnerabilities (Heartbleed, Shellshock, Venom). If you look at closed-source software it is the complete opposite - applications have marketing-friendly names while vulnerabilities are called something like "KBstringofnumbersnobodywillrememberorcareabout". So are open source developers just much better at naming vulnerabilities or are the marketing departments of closed software companies quietly assisting with the naming of open-source vulnerabilities?
Not sure where you are getting this floppy business from. Virtualbox guest addition tools are loaded from a single CD image. All the driver packages are on that image. Hyper-V also uses a CD image. I have also used VMware in the past and they too used CD images.
Perhaps you are confusing that with the provided floppy controller emulation.
Which is why the PV mode in Xen is such a killer security feature -- the more stuff you have just lying around, even if unused in theory, the higher the probability that there will be a bug somewhere that can be exploited.
TCP: Why the Internet is full of SYN.
Indeed. The risk is nonexistent for the 200+ VMs I interact with regularly since none of them has a virtual floppy device attached.
Ten people, at least, have written comments here saying that even without explicitly having one, you could still be a victim. If you truly work with VMs, you may want to RTFA instead of just writing some crap.
Besides, even if you are not using a floppy disk on your VM, if someone else is and they share the same hypervisor as you, you may be screwed anyway.
So every single vulnerability from now on is getting an idiotic media name?
We can't have CVE-1234, no no, must be RageBoner or PantShitter or no one will take it seriously!
sic transit gloria mundi
Yet they don't link to the bug nor can I find anything besides circular references to the Venom announcement.
No sir I dont like it.
There's a recent post on the openstack-operators mailing list talking about this, but the basic gist is that pretty much all versions of qemu are susceptible to the bug, but that in practice it's not quite as big a deal as it sounds.
The thing to note is that the major linux distros by default enable something called "sVirt" which basically locks down qemu to using only the resources that have been explicitly assigned to it. This should make it hard (ideally impossible) to break out and compromise the host or other qemu processes.
Also, on most major linux distros qemu doesn't run as root but rather as a separate user with lower privileges.
It's CVE-2015-3456. https://cve.mitre.org/cgi-bin/...
Not a sentence!
Yet everyone's champing at the bit to get browsers to implement shit that used to be handled by optional plugins and calling it more secure.
I can choose not to install a plugin, but I can't remove the analogous code in the browser - at best I can turn the feature off in the hidden settings page and hope it's actually disabled, never loaded into memory, and a bug can't be used to reenable/jump to the code and leverage it in an attack.
Less is more.