SoylentNews is people

posted by CoolHand on Thursday May 14 2015, @04:02PM
from the breaking-out-of-the-sandbox dept.

A security research firm is warning that a new bug could allow a hacker to take over vast portions of a datacenter -- from within. The zero-day vulnerability lies in a legacy common component in widely-used virtualization software, allowing a hacker to infiltrate potentially every machine across a datacenter's network.

Most datacenters nowadays condense customers -- including major technology companies and smaller firms -- into virtualized machines, or multiple operating systems on one single server. Those virtualized systems are designed to share resources but remain as separate entities in the host hypervisor, which powers the virtual machines. A hacker can exploit this newly-discovered bug, known as "Venom" -- an acronym for "Virtualized Environment Neglected Operations Manipulation" -- to gain access to the entire hypervisor, as well as every network-connected device in that datacenter.

The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines -- including those owned by other people or companies.

The bug, found in open-source computer emulator QEMU, dates back to 2004. Many modern virtualization platforms, including Xen, KVM, and Oracle's VirtualBox, include the buggy code. VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected.

http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/

The Linux Foundation security advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456

National Cyber Awareness System: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456

 
  • (Score: 2) by CRCulver (4390) on Thursday May 14 2015, @10:15PM (#183148)

    There is definitely a case to be made for still shipping a lot of hoary old Unix stuff. After the whole systemd flap, I recently installed Slackware on one of my systems, and I initially raised an eyebrow at a lot of the Unix utilities essentially going back to the 1980s that come along with it. Some of them I decided to try out, and they proved quite useful because they still do a job, do it well, and virtually all bugs were long since ironed out. (A person might be inclined to think that systems of ages past were clunky and unproductive, but if I could go back in time, knowing what I know now about Unix pipes and shell scripting, I could move mountains.)

    However, I don't really see the point of retaining support for hardware that is virtually never used any more. I didn't like having to uninstall floppy support packages as soon as the Slackware installation was complete. Sure, keep support for such more-than-legacy systems available somewhere, but why make it part of a default installation?
