back to article Heartbleed, eat your heart out: VENOM vuln poisons countless VMs

A new vulnerability discovered in the QEMU virtualization hypervisor has left virtual machines open to attacks for over a decade, security researchers have disclosed. Jason Geffner, a senior security researcher with CrowdStrike who discovered the vulnerability, has dubbed it VENOM, for Virtualized Environment Neglected …

  1. Anonymous Coward
    Anonymous Coward

    Another reason to not trust the cloud. Like we needed more...

    1. tacitust

      Yet for millions of ordinary users, the cloud provides more security than they have on their home systems (i.e. often, very little to none at all). Perspective is key.

      1. Velv

        Yet for millions of ordinary users, the cloud provides more security than they have on their BUSINESS systems. Perspective is key.

        Having consulted in a number of businesses I've seen vary degrees of quality and security of in house managed systems. I'm no lover of cloud, but in a lot of cases the externally provided service is more up to date, more quickly patched, and better managed. Perspective is key.

        1. Anonymous Coward
          Anonymous Coward

          Fair points but -especially for domestic and (to a certain extent) SMB users- you're taking the competence of your cloud provider largely on faith.

          Now I'm only in the webhosting shallow end, so to speak, but I have -not infrequently- encountered service providers who couldn't manage the infrastructure AT ALL, let alone securely.

  2. GBE

    A "new vulnerability" that has been there for 10+ years?

    First sentence in the the article:

    "A new vulnerability discovered in the QEMU virtualization hypervisor has left virtual machines open to attacks for over a decade, security researchers have disclosed."

    How is it a "new vulnerability" if it's been there for over 10 years?

    1. big_D Silver badge

      Re: A "new vulnerability" that has been there for 10+ years?

      Lazy wording, it should be "a newly discovered vulnerability," but the headline doesn't sound as good.

  3. sisk

    I can see the concern with Xen, but Qemu itself is hardly a major player in the virtualization market. In fact I've never seen or heard of anyone using it for anything other than virtualizing an OS on their workstations. It's not exactly server-centric on its own. I can't see any vulnerability affecting it being in the same league as heartbleed in terms of penetration.

    1. Jamie Jones Silver badge

      Um, KVM is used just about everywhere!

      1. Anonymous Coward
        Anonymous Coward

        KVM has a less than 1% market share

        " Um, KVM is used just about everywhere!"

        KVM has a less than 1% market share for virtualisation. (Vmware has 46.4% and Hyper-V has 30.6%)

        1. Jamie Jones Silver badge
          Happy

          Re: KVM has a less than 1% market share

          "KVM has a less than 1% market share for virtualisation. (Vmware has 46.4% and Hyper-V has 30.6%)"

          Fair enough, but then they are used 46.4 X everywhere, and 30.6 X everywhere !

          But more seriously, it's offered "All over the place" and not mainly tied to workstations as the OP states!

    2. This post has been deleted by its author

    3. Voland's right hand Silver badge

      QEMU == KVM

      For a variety of historic reasons people use the term KVM where the correct name should be QEMU. KVM is just the x86 virtualization accel for QEMU. The QEMU codebase still handles most of the IO, memory management, etc.

      By the way, some of the QEMU codebase is now reused in Xen too (if memory serves me right).

    4. This post has been deleted by its author

  4. Alistair
    Windows

    Terror!! Terror!! Horror!! HELP!

    Found a chunk of bad code that was written ages ago that, well it is terrible, it can crash all sorts of things and cause all manner of havoc.

    But you'll have to write one off code per installation to take advantage of it.

    (and by the looks of it it might well be one off code per installation to hook into this one)

    CALL THE PRESS!!!!

    Yeeeesh.

    Yes, you found a nasty one - that someone *hasn't* been looking at because the code "just worked" -- and yes, somewhere along the line somebody might have thought to compartmentalize the code out so that it wasn't loaded by default ( I myself, um, have a vm that uses the floppy driver for, errr, um ... testing purposes. And well it aint a windows guest.). But this does not warrant a commentary about digital apocalypses.

    (and I installed the patch for the Vuln this morning on my Fedora ... RH's are in the repos as of this evening's review)

  5. elip

    wow...definitely doesn't deserve its own vuln "codename"

    With regards to everybody and their mama dubbing every vuln with a uber-cool codename and marketing slides = lame. Grow the eff up.

    So...I need to already have shell access to the VM with write perms to the fd device ey? Yet they still felt the effort to create the "sweet" snake logo, nickname (surely took several researchers multiple 2-hour meetings to agree on it) and marketing release was justified ey? Asked my VPC provider to not patch and reboot my servers, no need, nothing to see here.

    1. Alister

      Re: wow...definitely doesn't deserve its own vuln "codename"

      Yet they still felt the effort to create the "sweet" snake logo, nickname (surely took several researchers multiple 2-hour meetings to agree on it) and marketing release was justified ey?

      Agreed, you can imagine the marketing meeting for a new vulnerability:

      MarketDroid "You can't call this new vulnerability SPLODGE! What does it even mean?"

      Tech "Well it's an acronym of what the vulnerability does".

      MarketDroid "Well think of a better one! We can't use SPLODGE, it would adversely affect uptake of our new product... er, I mean... er... no-one will take any notice of this critical vulnerability..."

  6. Phuq Witt

    Remediate?

    "...We ... are working with customers to fully remediate this vulnerability..."

    Make up your minds. Are you going to remedy it, or mediate with it?

    1. nijam Silver badge

      Re: Remediate?

      I thought they meant re-meditate with it.

      1. Phuq Witt
        Trollface

        Re: Remediate?

        ...or, I suppose to "remediate" might mean to 'remedy immediately'. In which case I salute their 'proactivisationalness'.

        1. Stuart Castle Silver badge

          Re: Remediate?

          According to the OED, remediation is..

          "the action of remedying something, in particular of reversing or stopping environmental damage."

  7. Anonymous Coward
    Anonymous Coward

    If you're debating "remediate"..........

    ........you're late to the game. This shit was over yesterday. Why are you still talking about it today?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like