Venom—or "Virtualized Environment Neglected Operations Manipulation"—is a horrible, horrible bug in many virtualization platforms. It breaks the main promise of multi-tenant public clouds: a hacker who controls one guest can escape to the host, and from there reach every other guest on that machine.
That's nasty. Really nasty. Xen, KVM, VirtualBox and QEMU are known to be vulnerable, since all of them carry QEMU's virtual floppy-controller code.
In IT Blogwatch, bloggers activate awful acronyms.
Your humble blogwatcher curated these extra bloggy bits for your entertainment.
Zack Whittaker flicks the Zs:
Move over, Heartbleed. There's a new catastrophic vulnerability in town. ... The zero-day vulnerability lies in...widely-used virtualization software, allowing a hacker to infiltrate...every machine across a datacenter. [It's] known as "Venom" -- an acronym for "Virtualized Environment Neglected Operations Manipulation"
The bug [is] in open-source computer emulator QEMU. ... Many modern virtualization platforms, including Xen, KVM, and Oracle's VirtualBox, include the buggy code.
A hacker would have to gain access to a virtual machine [as] root. ... It would take little effort to rent a virtual machine from a cloud computing service to exploit the hypervisor [so] that a datacenter takeover was possible. MORE
And Dan Goodin goes in:
There's an extremely critical bug in the Xen, KVM, and native QEMU virtual machine platforms and appliances...it pierces a key protection that many cloud service providers use to segregate one customer's data from another's...undermining one of the fundamental guarantees of virtual machines.
VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected. ... The bug has existed since 2004.
There's an extremely broad range of platforms...vulnerable to this exploit [serving] banks, e-commerce providers, and countless other sensitive services. MORE
Jason Geffner discovered the vuln:
VENOM...may allow an attacker to escape from the confines of an affected virtual machine [giving] access to the host system...all other VMs running on that host...and adjacent systems.
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable. ... VENOM (CVE-2015-3456) is unique in that it applies to a wide array of...platforms, works on default configurations, and allows for direct arbitrary code execution. MORE
ZOMG! Joseph Steinberg has more:
One of the data structures used for communication by the faulty driver can be loaded with too much data so that the data extends beyond the intended memory space and overwrites critical data. ... A hacker can easily cause the hypervisor and all virtual machines it is managing to crash...and, by carefully constructing the contents of the data...may be able to gain control of the physical computer...and perhaps even to the network to which the physical device is connected.
The magnitude of this risk is obvious. ... If you are hosting any virtual machines within your computer infrastructure, and are using a vulnerable platform, you want to address the situation ASAP. ... If you have “appliances” on your network that may use virtualization within them, check with the relevant vendors. ... Confirm that your hosting provider/s...that house your data or applications in the “cloud”...are addressing it. MORE
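A little added illustration of what Steinberg is describing (this is not code from any of the quoted posts, and not QEMU's own fdc.c): a toy model of an emulated floppy controller's FIFO, with the guest-controlled write index trusted as-is on one side and bounded on the other. The names fdc_model, fdc_write_data, guest_flood and flood_corrupts_critical, the 8-byte "critical" tail placed right after the FIFO, and the assumption that the buggy path never resets the cursor between commands are all inventions of the model, not details taken from the page. Host memory is modelled as one flat array so the overrun crosses the FIFO's logical end while staying within defined C behaviour.

```c
/* Added illustration of the VENOM bug pattern. Simplified model, NOT QEMU's
 * fdc.c: every name and constant below is invented for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_LEN      512   /* one floppy sector, the size of the real FDC FIFO */
#define CRITICAL_LEN  8     /* constructed: host state that sits right after the FIFO */

/* Emulated-controller state. The "critical" tail stands in for whatever the
 * hypervisor process keeps next to the FIFO (sizes, pointers, other state). */
typedef struct {
    uint8_t mem[FIFO_LEN + CRITICAL_LEN];
    size_t  data_pos;      /* guest-driven write cursor into the FIFO */
    size_t  dropped;       /* writes the model refused (past even the critical tail) */
    bool    hardened;      /* false: index trusted as-is; true: index bounded */
} fdc_model;

static const uint8_t CRITICAL_MAGIC[CRITICAL_LEN] =
    {0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D};

void fdc_init(fdc_model *f, bool hardened) {
    memset(f, 0, sizeof *f);
    memcpy(f->mem + FIFO_LEN, CRITICAL_MAGIC, CRITICAL_LEN);
    f->hardened = hardened;
}

/* One guest write to the controller's data port. In the buggy path (model
 * assumption) nothing resets data_pos when a command finishes, so the cursor
 * keeps climbing. The hardened variant forces the position back inside the
 * FIFO before using it, which is the shape the upstream fix took. */
void fdc_write_data(fdc_model *f, uint8_t value) {
    size_t pos = f->data_pos++;
    if (f->hardened) {
        pos %= FIFO_LEN;
    }
    if (pos < sizeof f->mem) {
        f->mem[pos] = value;   /* pos >= FIFO_LEN here is the overwrite the quote describes */
    } else {
        f->dropped++;          /* the real code had no such guard; this only keeps the model safe */
    }
}

/* Guest-side attacker loop: feed nbytes of filler through the data port. */
void guest_flood(fdc_model *f, size_t nbytes) {
    for (size_t i = 0; i < nbytes; i++) {
        fdc_write_data(f, 0x41);
    }
}

/* Is the host's critical state still what it was before the guest ran? */
bool critical_intact(const fdc_model *f) {
    return memcmp(f->mem + FIFO_LEN, CRITICAL_MAGIC, CRITICAL_LEN) == 0;
}

/* True if flooding nbytes through a fresh controller clobbers the critical tail. */
bool flood_corrupts_critical(bool hardened, size_t nbytes) {
    fdc_model f;
    fdc_init(&f, hardened);
    guest_flood(&f, nbytes);
    return !critical_intact(&f);
}

int main(void) {
    printf("vulnerable, %d bytes: critical %s\n", FIFO_LEN,
           flood_corrupts_critical(false, FIFO_LEN) ? "CORRUPTED" : "intact");
    printf("vulnerable, %d bytes: critical %s\n", FIFO_LEN + CRITICAL_LEN,
           flood_corrupts_critical(false, FIFO_LEN + CRITICAL_LEN) ? "CORRUPTED" : "intact");
    printf("hardened,   %d bytes: critical %s\n", FIFO_LEN + 4096,
           flood_corrupts_critical(true, FIFO_LEN + 4096) ? "CORRUPTED" : "intact");
    return 0;
}
```

The first line of output is why a floppy that is merely present but unused looks harmless: within one sector's worth of writes nothing goes wrong. The second is the bug, and the third is the fix. In a real hypervisor the bytes past the FIFO land on whatever the host process keeps next to it, which is what turns "crash" into "control of the physical computer".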
So Dennis Fisher reels 'em in: [You're fired -Ed.]
The vulnerability itself lies in the virtual floppy disk controller component of QEMU. ... Although floppy drives are hopelessly obsolete, the [code] is present in many places.
Though the vulnerable code has been in QEMU for 11 years, it wasn’t known until now, and knowing is half the battle. MORE
And this Anonymous Coward reminds us why we should care about our neighbors:
Even if you are not using a floppy disk on your VM, if someone else is and they share the same hypervisor as you, you may be screwed. MORE
Meanwhile, organgtool drifts off-topic:
As a long-time user of open source software, it bothers me that open source software seems to have inferior names for its applications (GIMP, Yakuake, etc) but very marketing-friendly names for its vulnerabilities (Heartbleed, Shellshock, Venom).
Closed-source...is the complete opposite - applications have marketing-friendly names while vulnerabilities are called something like "KBstringofnumbersnobodywillrememberorcareabout".
Are the marketing departments of closed software companies quietly assisting with the naming of open-source vulnerabilities? MORE
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or firstname.lastname@example.org. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.