Server security: a poisonous threat

After heartbleed, a breakthrough new vulnerability has emerged in some of the world’s leading virtualization platforms, powering millions of VPS hosting contracts, virtual private servers, and shared hosting. This is Virtualized Environment Neglected Operations Manipulations (VENOM, English poison), which allows those who know how to exploit it to control of not only the virtual machine affected by the bug but also all those on the same hypervisor. By analogy, if someone with Heartbleed had the chance to enter your home and take possession of it, now VENOM can take control of your home and neighborhood.

The source of this vulnerability is a buffer overflow in the virtual floppy disk controller. The bug is present since 2004 in the open source QEMU emulator, whose legacy controller is now used in Xen, KVM, and Virtualbox virtualization platforms. Bochs, VMWare, and Microsoft Hyper-V are immune to the bug.

Upcoming updates of affected platforms will introduce corrections to bugs already announced; meanwhile, the easiest remedy is to disable the floppy driver on the virtualization platform. On the other hand in 2015 you can do without the floppy in most cases.