SoylentNews is people

posted by CoolHand on Thursday May 14 2015, @04:02PM
from the breaking-out-of-the-sandbox dept.

A security research firm is warning that a new bug could allow a hacker to take over vast portions of a datacenter -- from within. The zero-day vulnerability lies in a legacy common component in widely-used virtualization software, allowing a hacker to infiltrate potentially every machine across a datacenter's network.

Most datacenters nowadays condense customers -- including major technology companies and smaller firms -- into virtualized machines, or multiple operating systems on one single server. Those virtualized systems are designed to share resources but remain as separate entities in the host hypervisor, which powers the virtual machines. A hacker can exploit this newly-discovered bug, known as "Venom" -- an acronym for "Virtualized Environment Neglected Operations Manipulation" -- to gain access to the entire hypervisor, as well as every network-connected device in that datacenter.

The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines -- including those owned by other people or companies.

The bug, found in open-source computer emulator QEMU, dates back to 2004. Many modern virtualization platforms, including Xen, KVM, and Oracle's VirtualBox, include the buggy code. VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected.

http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/

The Linux Foundation security advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456

National Cyber Awareness System: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456

 
  • (Score: 5, Insightful) by Thexalon (636) on Thursday May 14 2015, @04:36PM (#182979)

    I know that's now the epitome of security blunders, so lots of security researchers wanting to make a big splash will say "this is bigger than Heartbleed" in much the same way that political muckrakers say "this is worse than Watergate".

    But from what I can tell, the attack surface is much smaller:
    1. This only affects VMs running a particular set of virtualization suites, which means it doesn't affect absolutely *everybody* the way Heartbleed did.
    2. It apparently allows somebody controlling one VM to control other VMs on the same physical server. While that's not an insurmountable hurdle by any means, it's a lot harder than just sending the right command over ssh.

    So yes, we need to fix it, but it's not bigger than Heartbleed.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 0) by Anonymous Coward on Thursday May 14 2015, @04:52PM (#182991)

    Parent sounds like a VENOMous post perpetrated by a soulless hacker who has already commandeered the Hypervisor that controls Soylent's VM. </sarcasm>

  • (Score: 4, Informative) by frojack (1554) on Thursday May 14 2015, @08:08PM (#183098)

    Agreed, this sounds like a whole bunch of hype, because, as TFS/TFA explains, crashing the entire hypervisor is not something that will go unnoticed.
    Therefore, I doubt this could actually be employed to attack a different VM at will, because all VMs are likely to crash or lock up once the hypervisor goes down. You might get lucky somehow and get tossed into a different VM, you are just as likely to lock up your own machine.

    Oddly, VMware pushed updates for several of their older products yesterday. Although they only appear to be fixing SSL [vmware.com] problems.

     

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by sjames (2882) on Thursday May 14 2015, @10:09PM (#183146)

      If I'm understanding the nature of the bug properly, the scope is even more limited. It seems (correct me if I'm wrong) that for a VM to be vulnerable, it must have a defined virtual floppy device. None of the VMs I have ever created had a virtual floppy. Very few VMs have any use for a floppy.

      • (Score: 3, Informative) by frojack (1554) on Thursday May 14 2015, @11:24PM (#183167)

        If there is a virtual floppy, it is usually pointed at a .img file, because nobody even has a physical drive anymore, other than an external USB Floppy somewhere at the bottom of their box of computer junk in the closet of troubled hardware.

        --
        No, you are mistaken. I've always had this sig.