Another reason to not trust the cloud. Like we needed more...
Heartbleed, eat your heart out: VENOM vuln poisons countless VMs
A new vulnerability discovered in the QEMU virtualization hypervisor has left virtual machines open to attacks for over a decade, security researchers have disclosed. Jason Geffner, a senior security researcher with CrowdStrike who discovered the vulnerability, has dubbed it VENOM, for Virtualized Environment Neglected …
COMMENTS
-
Thursday 14th May 2015 11:05 GMT Velv
Yet for millions of ordinary users, the cloud provides more security than they have on their BUSINESS systems. Perspective is key.
Having consulted in a number of businesses I've seen varying degrees of quality and security of in-house managed systems. I'm no lover of cloud, but in a lot of cases the externally provided service is more up to date, more quickly patched, and better managed. Perspective is key.
-
Thursday 14th May 2015 14:19 GMT Anonymous Coward
Fair points but -especially for domestic and (to a certain extent) SMB users- you're taking the competence of your cloud provider largely on faith.
Now I'm only in the webhosting shallow end, so to speak, but I have -not infrequently- encountered service providers who couldn't manage the infrastructure AT ALL, let alone securely.
-
Wednesday 13th May 2015 21:27 GMT GBE
A "new vulnerability" that has been there for 10+ years?
First sentence in the article:
"A new vulnerability discovered in the QEMU virtualization hypervisor has left virtual machines open to attacks for over a decade, security researchers have disclosed."
How is it a "new vulnerability" if it's been there for over 10 years?
-
Wednesday 13th May 2015 21:37 GMT sisk
I can see the concern with Xen, but QEMU itself is hardly a major player in the virtualization market. In fact I've never seen or heard of anyone using it for anything other than virtualizing an OS on their workstations. It's not exactly server-centric on its own. I can't see any vulnerability affecting it being in the same league as Heartbleed in terms of penetration.
-
Saturday 16th May 2015 20:08 GMT Jamie Jones
Re: KVM has a less than 1% market share
"KVM has a less than 1% market share for virtualisation. (VMware has 46.4% and Hyper-V has 30.6%)"
Fair enough, but then they are used 46.4 X everywhere, and 30.6 X everywhere!
But more seriously, it's offered "All over the place" and not mainly tied to workstations as the OP states!
-
Thursday 14th May 2015 02:52 GMT Voland's right hand
QEMU == KVM
For a variety of historic reasons people use the term KVM where the correct name should be QEMU. KVM is just the x86 virtualization accel for QEMU. The QEMU codebase still handles most of the IO, memory management, etc.
By the way, some of the QEMU codebase is now reused in Xen too (if memory serves me right).
-
Wednesday 13th May 2015 21:43 GMT Alistair
Terror!! Terror!! Horror!! HELP!
Found a chunk of bad code that was written ages ago that, well it is terrible, it can crash all sorts of things and cause all manner of havoc.
But you'll have to write one-off code per installation to take advantage of it.
(and by the looks of it it might well be one-off code per installation to hook into this one)
CALL THE PRESS!!!!
Yeeeesh.
Yes, you found a nasty one - that someone *hasn't* been looking at because the code "just worked" -- and yes, somewhere along the line somebody might have thought to compartmentalize the code out so that it wasn't loaded by default (I myself, um, have a VM that uses the floppy driver for, errr, um ... testing purposes. And well it ain't a Windows guest.). But this does not warrant a commentary about digital apocalypses.
(and I installed the patch for the Vuln this morning on my Fedora ... RH's are in the repos as of this evening's review)
-
Wednesday 13th May 2015 23:44 GMT elip
wow...definitely doesn't deserve its own vuln "codename"
With regards to everybody and their mama dubbing every vuln with an uber-cool codename and marketing slides = lame. Grow the eff up.
So...I need to already have shell access to the VM with write perms to the fd device ey? Yet they still felt the effort to create the "sweet" snake logo, nickname (surely took several researchers multiple 2-hour meetings to agree on it) and marketing release was justified ey? Asked my VPC provider to not patch and reboot my servers, no need, nothing to see here.
-
Thursday 14th May 2015 08:59 GMT Alister
Re: wow...definitely doesn't deserve its own vuln "codename"
Yet they still felt the effort to create the "sweet" snake logo, nickname (surely took several researchers multiple 2-hour meetings to agree on it) and marketing release was justified ey?
Agreed, you can imagine the marketing meeting for a new vulnerability:
MarketDroid "You can't call this new vulnerability SPLODGE! What does it even mean?"
Tech "Well it's an acronym of what the vulnerability does".
MarketDroid "Well think of a better one! We can't use SPLODGE, it would adversely affect uptake of our new product... er, I mean... er... no-one will take any notice of this critical vulnerability..."
-