So here we go, another time for another major security threat, and this time it’s the “VIRTUALIZED ENVIRONMENT NEGLECTED OPERATIONS MANIPULATION” aka VENOM attack. Yes it has a website, and even a logo! (Creative Commons Attribution-ShareAlike 4.0 International License)
So what is all the fuss about? Well, if you can compromise a Xen or KVM (and QEMU) VM and run code in it that bangs against the emulated floppy disk controller, you can trigger a buffer overflow in the vulnerable FDC code.
But, I know what you are thinking: most people who run KVM use guest OSes that either don’t have floppy drivers or explicitly disable the floppy controller. And from the site:
an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
But let’s calm down: first the attacker has to get root on the VM before they can think about doing anything. Of course this is a BIG problem for VM resellers. Hopefully the patches will be available quickly; they will be moderately disruptive, especially for those of us who still use virtual floppies.
The source patch has been released on the Qemu mailing list right here.
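One check that follows from the “disruptive” point above, added here as an example and not part of the original post: installing the patched QEMU package does not fix a guest that is already running, because its QEMU process keeps executing the old binary until it is restarted. On Linux the kernel marks such a process by appending “(deleted)” to the target of /proc/<pid>/exe, so the stale ones can be listed. The script assumes a Linux /proc and a procps pgrep that supports -f.

```shell
#!/bin/sh
# Added example: find QEMU processes still running a binary that was replaced
# on disk (e.g. by the VENOM fix) and therefore need a restart to pick it up.
# Assumes Linux /proc and a pgrep that supports -f (procps).

# exe_is_stale RESOLVED_PATH
# Returns 0 when the path read from /proc/<pid>/exe carries the "(deleted)"
# suffix the kernel appends once the original executable has been replaced.
exe_is_stale() {
  case "$1" in
    *" (deleted)") return 0 ;;
    *)             return 1 ;;
  esac
}

# list_stale_qemu
# Prints "<pid> <exe>" for every QEMU/KVM process whose binary is stale;
# prints nothing when every running guest already uses the current binary.
# The pgrep pattern matches command lines, so anything else mentioning
# "qemu-system" (an editor session, say) may appear too; check the exe column.
list_stale_qemu() {
  for pid in $(pgrep -f 'qemu-system|qemu-kvm' 2>/dev/null); do
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
    if exe_is_stale "$exe"; then
      printf '%s %s\n' "$pid" "$exe"
    fi
  done
  return 0
}

# Usage: run as root (so /proc/<pid>/exe is readable) and call list_stale_qemu.
```

Each pid printed is a guest whose QEMU process still contains the old FDC code; it needs a restart (or a migration to a patched host) before the fix applies.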
Got my share of “please reboot” mails from the VPS farmers I rent from. Got me wondering how closed the PDP and VAX simulators in simh are as jails after throwing away the CTRL-E key. Maybe time to fire up a few fuzzers and see how well they hold up.