'Venom' Security Vulnerability Threatens Most Datacenters
An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). "The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies." The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software." The vulnerability has been dubbed "Venom," for "Virtualized Environment Neglected Operations Manipulation."
Not very serious (Score:2)
I've yet to come across a virtual server provider that has a floppy disk driver enabled. Seems a lot of hype about nothing, to be honest, and scaremongering.
Re:Not very serious (Score:5, Informative)
Seems a lot of hype about nothing to be honest and scaremongering.
From venom.crowdstrike.com [crowdstrike.com]:
Floppy drives are outdated, so why are these products still vulnerable?
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
Re:Not very serious (Score:4, Insightful)
Which is why the PV mode in Xen is such a killer security feature -- the more stuff you have just lying around, even if unused in theory, the higher the probability that there will be a bug somewhere that can be exploited.
Re: (Score:3)
Yet everyone's champing at the bit to get browsers to implement shit that used to be handled by optional plugins and calling it more secure.
I can choose not to install a plugin, but I can't remove the analogous code in the browser - at best I can turn the feature off in the hidden settings page and hope it's actually disabled, never loaded into memory, and a bug can't be used to reenable/jump to the code and leverage it in an attack.
Less is more.
Re:Not very serious (Score:5, Informative)
Indeed. The risk is nonexistent for the 200+ VMs I interact with regularly since none of them has a virtual floppy device attached.
Ten people, at least, have written comments here saying that even without explicitly having one, you could still be a victim. If you truly work with VMs, you may want to RTFA instead of just writing some crap.
Besides, even if you are not using a floppy disk on your VM, if someone else is and they share the same hypervisor as you, you may be screwed anyway.
Re: (Score:1)
Given the report you show is from September last year and this bug was discovered in April this year, chances are that these are unrelated...
Re: (Score:2)
Given the report you show is from September last year and this bug was discovered in April this year, chances are that these are unrelated...
You don't know when the bug was first discovered or by whom it was first discovered.
Re: (Score:1)
AWS has posted an advisory [amazon.com] stating that they are not affected by VENOM.
Re: (Score:2)
Well they aren't now, but how about back in September?
Re: (Score:2)
It only applies to folks running one of these packages:
xen, qemu,
The software is there for a reason - same goes for why there is still an ISA bus (used for timing) etc.
These old devices need to exist for software compatibility.
Who uses virt floppy anymore (Score:2)
What is the use case for virt floppy? Drivers nearly never fit, and VMs should not need firmware updates. So why would people still be exposing a virt floppy to VMs?
Re:Who uses virt floppy anymore (Score:4, Informative)
From the article:
Floppy drives are outdated, so why are these products still vulnerable?
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
Re:Who uses virt floppy anymore (Score:4, Interesting)
Yet they don't link to the bug nor can I find anything besides circular references to the Venom announcement.
Re: (Score:2)
While I realize VMware isn't affected by this vuln:
Fusion can't boot a VM off USB (why the fuck is that?). So if I want to test a USB boot stick on my Mac I have to use this to chain-load the USB stick's boot loader: https://www.plop.at/en/bootman... [www.plop.at]
It's pretty convenient to just keep a VM defined with a floppy and the plop disk always attached. It would be better if it could/would boot a USB device, but the virtual floppy is my workaround.
Re: (Score:2)
Windows 2003, which is still supported for a short time, has to load storage drivers from floppy (it won't load them from CD)... If you want to use paravirtualized storage drivers for performance reasons you need to attach a virtual floppy from which to load the drivers.
It's not uncommon to use a virtualization environment to run older systems for compatibility purposes either (e.g. to support legacy apps)... You likely also need privileged access to a guest to exploit this, so a legacy os would be a good t
They have probably spent more time (Score:5, Funny)
finding a full name that fits the really cool "venom", instead of actually going about fixing it.
Re: (Score:3)
Very Entertaining Name Obstructs Momentum
Re: (Score:2)
In Haiku format:
Very Entertained,
Name Obstructing Momentum,
V.E.N.O.M
Whoa, this is really bad (Score:4, Funny)
This must be a very serious vulnerability judging purely by its name.
Re: (Score:3)
And what's the solution? Flip the name backwards and put a slash underneath.
Monev
/
Legacy Code: Pwning all your machines since 2004 (Score:2, Interesting)
I love how even if the floppy drive is disabled, this is still exploitable due to another unrelated bug.
The solution is just to get rid of all the old unmaintained code by default. If someone wants to use old deprecated code, let them apply the patches themselves.
The Linux kernel is a goldmine of barely maintained crap that hasn't had more than 2 users for the last 30 years. Not breaking userspace is nice, but at some point you need to take into account the huge gaping security risks of mystery legacy cod
Re: (Score:2)
If your computer experience involves applying patches as part of normal operations, you've completely and utterly failed to understand that computers are there to relieve work from you, not make you work harder.
So those engineers at RedHat who produce the bug fixes for the rest of us, they fail to understand what exactly?
Re: (Score:2)
The problem is that virtual machines are often used to run legacy software on modern hardware, cutting out the legacy cruft by default would cut off all those users... Although having it configurable at runtime would be much easier for users than having it a compile time patch.
Some of us do make hardened builds removing unwanted crap, but having the hardened option require the extra work is more practical from a usability point of view as those of us who care most about it tend to be the most capable of mak
Re: (Score:2)
I blame this on the Brit
Re: (Score:1)
No one was able to review the closed source ones.
The open source tools were vulnerable from 2004 to 2015.
The closed source ones? Nobody knows. And that's really scary.
Re: (Score:3, Insightful)
Not sure where you are getting this floppy business from. Virtualbox guest addition tools are loaded from a single CD image. All the driver packages are on that image. Hyper-V also uses a CD image. I have also used VMware in the past and they too used CD images.
Perhaps you are confusing that with the provided floppy controller emulation.
Re: (Score:2)
global warning will make all disks floppy
Open Source Branding (Score:4, Interesting)
Re:Open Source Branding (Score:5, Insightful)
Sure, if you cherry-pick your applications to suit your case then you could argue that. To me I see open source vulnerabilities which are called CVE-2015-3456 which someone happens to have an alternate name for. I see programs called StarOffice and Libre Office. I see MySQL, openLDAP, and systemd. All very descriptive of what they do.
Let's not overgeneralise.
Re: (Score:2)
so mysql is a tool for making sql queries that pertain to me?
openldap is probably not a good place to keep secret login data because it's "open"
systemd is clearly some sort of pig latin
yes these products have fine names
Re: (Score:2)
Photoshop - back last millennium, casual photographers would take their roll of film to a "photo shop" who would process the negatives and print the photos for a customer.
Kids these days...
Re: (Score:2)
It's not kids these days, it was a direct response to an equally stupid post by the GP.
Re: (Score:2)
You mean like a program to do with SQL, a program to do with LDAP, and a daemon for managing the system.
There's only so much you can put into a name before you need to start ignoring the people who can't see the obvious.
Re: (Score:2)
Sure, if you cherry-pick your applications to suit your case then you could argue that. To me I see open source vulnerabilities which are called CVE-2015-3456 which someone happens to have an alternate name for. I see programs called StarOffice and Libre Office. I see MySQL, openLDAP, and systemd. All very descriptive of what they do.
Let's not overgeneralise.
What does "Star Office" do? How is it different from "Libre Office" or "Open Office"? Wait, "Open Office" IS "Star Office"? Oh, it's NOT? Then why does installing "Open Office" give me an "soffice" executable?!
What's "MySQL"? Is it mine? Whose is it? Is it a server? Can I only use it for personal use?
What's an "LDAP"? Do I want an open one or a closed one? I need it to be secure, so I probably don't want an open one.
Oh, you included systemd. Your entire post is a troll.
Re: (Score:2)
What's "MySQL"?
It is the other implementation of MariaDB, which also installs /usr/bin/mysqld. :)
Re: (Score:2)
What does "Star Office" do? How is it different from "Libre Office" or "Open Office"? Wait, "Open Office" IS "Star Office"? Oh, it's NOT? Then why does installing "Open Office" give me an "soffice" executable?!
Who cares, it's an office suite. Is the marketing supposed to deal with the technicalities of the product? No. It's supposed to give you an idea of what it does, and if you download Libre Office or Open Office you end up with a product that gives you an office productivity suite. The marketing works, and the only people who fret about it are nerds splitting hairs about ownership, history and freedoms.
What's "MySQL"? Is it mine? Whose is it? Is it a server? Can I only use it for personal use?
It's a product to do with SQL. Quite a bit more relevant than commercial programs like "Filemaker", is it not?
Re: (Score:2)
I agree that there are many packages poorly named in closed source.
But I stand by my thought that you're cherry picking or not researching enough.
Blaster
CodeRed
SQL Slammer
Conficker (ok this isn't a good one IMO)
iPwn (This is a good one, it even tells you which platform it attacks)
Sasser
MyDoom
These may be mostly named after the exploiting code rather than the exploit, but that is part of closed source madness of not hearing about something till it's actually exploited.
Re: (Score:3)
So are open source developers just much better at naming vulnerabilities or are the marketing departments of closed software companies quietly assisting with the naming of open-source vulnerabilities?
You are telling us:
Every software developer should have a publicist from Fox News on retainer so that new projects can receive names that are considered more appropriate for inclusion in technology news stories; it's much more important than the actual software itself.
Re: (Score:2)
Dear God, no. If software developers used publicists from Fox News, then LibreOffice would have been called "ObamaCommieOffice".
Other proposed names that did not make it (Score:1)
Gvenom
Kvenom
GNUvenom
FreeVenom
OpenVenom
venom-1.0.7-RC2
Venom.js
Re: Open Source Branding (Score:1)
The reason is simple.
Nobody cares that the tool is called hammer, bash, or clonk, as long as it does the job, but everyone should care that a bug in your hammer can allow any lunatic to grab it and bash your machine and clonk you over the head. Remotely.
Hence the attention grabbing names for vulnerabilities.
(Plus, the fact that a 20 year old bug in bash is BIG news and a major cause for concern kinda shows that open source doesn't need marketing. It's already widely deployed.)
Re: (Score:2)
No, but the HR department *does* care that the software is called GIMP.
Re: (Score:1)
As for product naming: most open source project maintainers don't have the funding or time to buy and defend a trademark, so they pick names that are unlikely to violate or be similar to trademarks of actual companies (who do have lawyers to defend them).
As for vulnerability naming: who knows. Big companies have powerful lawyers/marketing. Didn't prevent names like "bendgate", so maybe it's just selection bias.
(CVE-2015-3456) (Score:1)
(CVE-2015-3456)?
I've got the same vulnerability designation on my luggage!
Where's the test? (Score:2)
There's got to be some test I can run on my VMs to see whether or not I'm vulnerable, right?
Re: (Score:2)
You are probably not vulnerable if you have had your vaccinations; hard to tell about your computer.
Goddamn Heartbleed (Score:5, Insightful)
We can't have CVE-1234, no no, must be RageBoner or PantShitter or no one will take it seriously!
Re: (Score:1)
Pantshitter sounds pretty serious.
Re: (Score:2)
At least Heartbleed is vaguely googleable, though perhaps describing a medical condition. Venom, not so much.
Re: (Score:2)
We can't have CVE-1234 exactly because no one will take it seriously, though I suspect you have the cause and effect reversed.
When the CVE list numbers in the tens of thousands and contains everything from the trivial (program may crash) to the severe (remote code execution), CVE numbers are meaningless. It doesn't tell me just how important this vulnerability is and whether I should be concerned. Whereas if som
most systems vulnerable, not as bad as it looks (Score:3)
There's a recent post on the openstack-operators mailing list talking about this, but the basic gist is that pretty much all versions of qemu are susceptible to the bug, but that in practice it's not quite as big a deal as it sounds.
The thing to note is that the major Linux distros by default enable something called "sVirt" which basically locks down qemu to using only the resources that have been explicitly assigned to it. This should make it hard (ideally impossible) to break out and compromise the host or other qemu processes.
Also, on most major Linux distros qemu doesn't run as root but rather as a separate user with lower privileges.
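As an added example (not from the thread, the mailing list post, or any distro), here is a host-side audit of the two mitigations this comment relies on: each qemu process running as a non-root user and confined by an sVirt SELinux domain. The input format is that of `ps -eo user,label,comm`; the sample lines are constructed for the example, and a host without SELinux prints `-` in the label column, which the check correctly reports as unconfined.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,label,comm` output (not captured from a real host).
# Two qemu processes are properly confined; one runs as root and unconfined,
# one runs as an unprivileged user but outside the svirt_t domain.
SAMPLE_PS='USER     LABEL                                        COMMAND
root     system_u:system_r:init_t:s0                  systemd
qemu     system_u:system_r:svirt_t:s0:c12,c987        qemu-kvm
qemu     system_u:system_r:svirt_t:s0:c12,c987        qemu-kvm
root     unconfined_u:unconfined_r:unconfined_t:s0    qemu-system-x86_64
libvirt  system_u:system_r:virtd_t:s0                 qemu-system-x86_64'

# audit_qemu PS_OUTPUT
# Prints one finding per qemu process that lacks a mitigation:
#   "ROOT <comm>"        the process runs as uid 0 (no privilege separation)
#   "UNCONFINED <comm>"  the process is not in an svirt_t SELinux domain
# Exit status 0 when every qemu process has both protections, 1 otherwise.
# Live use on a host: audit_qemu "$(ps -eo user,label,comm)"
audit_qemu() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                 # skip the ps header line
        $3 !~ /^qemu/ { next }           # only look at qemu processes
        {
            bad = 0
            if ($1 == "root")        { print "ROOT " $3;       bad = 1 }
            if ($2 !~ /:svirt_t:/)   { print "UNCONFINED " $3; bad = 1 }
            if (bad) failures++
        }
        END { exit (failures > 0) ? 1 : 0 }'
}
```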
Open source colored glasses? (Score:1)
The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software."
I note that the two proprietary systems were not impacted. Of course all software has bugs and vulnerabilities without regard to open source or proprietary, but here on Slashdot we like to think that open source is always the better option. This is not always the case.
The phrase "almost every virtualization software" is used, but the list of items given has three pieces of software that are impacted and three that are not. In terms of virtualization systems that are in production use by business, I would thi
Inception (Score:2)
But what if you're running your VM within a VM? Will the malware know it's still in a dream?
Xen paravirtualized not vulnerable (Score:2)