A security research firm is warning that a new bug could allow a hacker to take over vast portions of a datacenter -- from within. The zero-day vulnerability lies in a common legacy component of widely used virtualization software, allowing a hacker to infiltrate potentially every machine across a datacenter's network.
Most datacenters nowadays condense customers -- including major technology companies and smaller firms -- onto virtual machines, that is, multiple operating systems running on a single server. Those virtualized systems are designed to share resources but remain separate entities in the host hypervisor, which powers the virtual machines. A hacker can exploit this newly discovered bug, known as "Venom" -- an acronym for "Virtualized Environment Neglected Operations Manipulation" -- to gain access to the entire hypervisor, as well as every network-connected device in that datacenter.
The cause is a widely ignored legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines -- including those owned by other people or companies.
The bug, found in the open-source computer emulator QEMU, dates back to 2004. Many modern virtualization platforms, including Xen, KVM, and Oracle's VirtualBox, include the buggy code. VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected.
http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/
The Linux Foundation security advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
National Cyber Awareness System: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
(Score: 1, Informative) by Anonymous Coward on Thursday May 14 2015, @04:37PM
Fortunately for those of us at Linode, they are not vulnerable [linode.com] to Venom.
Xen Security Advisory ... XSA-133 ... states that “Systems running only x86 PV guests are not vulnerable”.
(Score: 2) by jcross on Thursday May 14 2015, @05:55PM
And since Amazon was basically unaffected and Rackspace already handled the issue back in March*, I can't see how this could approach the scale of Heartbleed. It smells like a hype job to me.
* source: http://www.theregister.co.uk/2015/02/28/new_xen_vuln_causes_cloud_reboot [theregister.co.uk]
(Score: 2) by jcross on Thursday May 14 2015, @06:00PM
Eh, I just realized that source might be referring to a different bug, because whatever it referred to was unreleased at the time. Anyhow, my comment still stands for Amazon at least:
https://aws.amazon.com/security/security-bulletins/XSA_Security_Advisory_CVE_2015_3456/ [amazon.com]
(Score: 1) by canopic jug on Friday May 15 2015, @05:48AM
It smells like a hype job to me.
It is, and it can be at least partially traced back to M$ [techrights.org]: The "former" Bing (病) head moved over to CrowdStrike [crowdstrike.com] as a VP.
Money is not free speech. Elections should not be auctions.