So here we go again, another major security threat, and this time it’s the “VIRTUALIZED ENVIRONMENT NEGLECTED OPERATIONS MANIPULATION”, aka the VENOM attack. Yes, it has a website, and even a logo! (Creative Commons Attribution-ShareAlike 4.0 International License)
So what is all the fuss about? Well, if you can compromise a Xen or KVM (QEMU-based) VM and run code that bangs against the emulated floppy disk controller (FDC), you can trigger a buffer overflow in the hypervisor’s FDC emulation code.
But, I know what you are thinking: most people who run KVM use guest OSes that either don’t have floppy drivers, or even explicitly disable the floppy controller. And from the site:
an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
But let’s calm down: first the attacker has to get root on the VM before they can think about doing anything. Of course this is a BIG problem for VM resellers. Hopefully the patches will be available quickly, though they will be moderately disruptive, especially for those of us who still use virtual floppies.
The source patch has been released on the QEMU mailing list right here.