dave
Premium Member
join:2000-05-04
not in ohio

dave to Link Logger

Re: Venom - QEMU based Clouds vulnerable

How many virtual systems need/have virtual floppies?

None of the half-a-dozen real systems I have at home, nor the several I touch at work, have real floppies. So who needs a virtualized one and why?

Or is it the case that people use ill-considered cookie-cutter templates that provide virtual floppies as if it were virtually the 20th century?

If so, can't you mitigate the issue by just removing the virtual floppy drive?

EDIT: I guess my questions were answered in the CrowdStrike article further down:
quote:
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

dennismurphy
Put me on hold? I'll put YOU on hold
Premium Member
join:2002-11-19
Parsippany, NJ

said by dave:

None of the half-a-dozen real systems I have at home, nor the several I touch at work, have real floppies. So who needs a virtualized one and why?

I do use a virtualized floppy occasionally, specifically when I install an older OS.

I have disk images of {DOS, OS/2 Warp, NetWare, etc.} and use those with the virtual floppy device.

It's handy and useful - not necessarily day-in and day-out, but sure as heck handy to have.

dave
Premium Member
join:2000-05-04
not in ohio

Sure, so include a virtual floppy in the VMs you make for older OSes, but don't put a virtual floppy in every PaaS server in your cloud data centre.

dennismurphy
Put me on hold? I'll put YOU on hold
Premium Member
join:2002-11-19
Parsippany, NJ

said by dave:

Sure, so include a virtual floppy in the VMs you make for older OSes, but don't put a virtual floppy in every PaaS server in your cloud data centre.

Agreed 150%. No business in a VM farm.

drjenkins
join:2005-03-30
Bealeton, VA

drjenkins to dave

said by dave:

So who needs a virtualized one and why?

If you don't go out of your way to disable them, many times floppies are installed by default, even if there is no good reason to have one.

said by venom.crowdstrike.com:

For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.

The real question is, so many years after floppies were deprecated from hardware systems, why are they ubiquitous on virtual systems?