Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Venom' Security Vulnerability Threatens Most Datacenters

Posted by Soulskill on from the holes-in-legacy-code dept.

An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). "The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies." The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software." The vulnerability has been dubbed "Venom," for "Virtualized Environment Neglected Operations Manipulation."

11 of 95 comments (clear)

  1. Re:Not very serious by qpqp · · Score: 5, Informative

    Seems a lot of hype about nothing to be honest and scaremongering.

    From venom.crowdstrike.com:

    Floppy drives are outdated, so why are these products still vulnerable?
    For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

  2. They have probably spent more time by Anonymous Coward · · Score: 5, Funny

    finding a full name that fits the really cool "venom", instead of actually going about fixing it.

  3. Whoa, this is really bad by Anonymous Coward · · Score: 4, Funny

    This must be a very serious vulnerability judging purely by it's name.

  4. Re:Who uses virt floppy anymore by Nuitari+The+Wiz · · Score: 3, Informative

    From the article:

    Floppy drives are outdated, so why are these products still vulnerable?
    For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

  5. Open Source Branding by organgtool · · Score: 4, Interesting

    Not to get too far offtopic, but as a long-time user of open source software, it bothers me that open source software seems to have inferior names for its applications (GIMP, Yakuake, etc) but very marketing-friendly names for its vulnerabilities (Heartbleed, Shellshock, Venom). If you look at closed-source software it is the complete opposite - applications have marketing-friendly names while vulnerabilities are called something like "KBstringofnumbersnobodywillrememberorcareabout". So are open source developers just much better at naming vulnerabilities or are the marketing departments of closed software companies quietly assisting with the naming of open-source vulnerabilities?

    1. Re:Open Source Branding by thegarbz · · Score: 4, Insightful

      Sure if you cherry pick your applications to suit your case then you could argue that. To me I see open source vulnerabilities which are called CVE-215-3456 which someone happens to have an alternate name for. I see programs called StarOffice, and Libre Office. I see MySQL, openLDAP, and systemd. All very descriptive of what they do.

      Let's not over generalise.

  6. Re:Not very serious by martyros · · Score: 3, Insightful

    ...an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

    Which is why the PV mode in Xen is such a killer security feature -- the more stuff you have just lying around, even if unused in theory, the higher the probability that there will be a bug somewhere that can be exploited.

    --

    TCP: Why the Internet is full of SYN.

  7. Re:Not very serious by Anonymous Coward · · Score: 5, Informative

    Indeed. The risk is nonexistent for the 200+ VMs I interact with regularly since none of them has a virtual floppy device attached.

    Ten people, at least, have written comments here saying that even without explicitly having one, you could still be a victim. If you truly work with VMs, you may want to RTFA instead of just writing some crap.

    Besides, even if you are not using a floppy disk on your VM, if someone else is and they share the same hypervisor as you, you may be screwed anyway.

  8. Goddamn Heartbleed by glwtta · · Score: 5, Insightful

    So every single vulnerability from now on is getting an idiotic media name?

    We can't have CVE-1234, no no, must be RageBoner or PantShitter or no one will take it seriously!

    --
    sic transit gloria mundi
  9. Re:Who uses virt floppy anymore by silas_moeckel · · Score: 3, Interesting

    Yet they don't link to the bug nor can I find anything besides circular references to the Venom announcement.

    --
    No sir I dont like it.
  10. Re:Who uses virt floppy anymore by DMUTPeregrine · · Score: 3, Informative

    It's CVE-2015-3456. https://cve.mitre.org/cgi-bin/...

    --
    Not a sentence!