Announcement

Collapse
No announcement yet.

QEMU Vulnerability Exposes The Host Through Emulated CD-ROM Drive

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    QEMU Vulnerability Exposes The Host Through Emulated CD-ROM Drive

    Phoronix: QEMU Vulnerability Exposes The Host Through Emulated CD-ROM Drive

    Back in May was the big "VENOM" security vulnerability affect QEMU whereby VM security could be escaped through QEMU's virtual floppy disk drive. In June was a PCNET controller buffer overflow allowing a guest to escape to have host access. Today there's a similar security vulnerability going public about its virtual CD-ROM drive...

    http://www.phoronix.com/scan.php?pag...EMU-CD-ROM-CVE
    Tags: None
  • #2
    How about they just make a no-frills, legacy-free, barebone virtual machine without all the crap?

    No floppy, CD-ROM, PS/2, COM/LPT (serial, paralell) ports, FireWire, or any of that.
    Just Ethernet, maybe VGA, and maybe at most USB, but that is pushing it.

    Comment

    • #3
      Originally posted by uid313 View Post
      How about they just make a no-frills, legacy-free, barebone virtual machine without all the crap?

      No floppy, CD-ROM, PS/2, COM/LPT (serial, paralell) ports, FireWire, or any of that.
      Just Ethernet, maybe VGA, and maybe at most USB, but that is pushing it.
      I would not be happy to install Windows on hardware just to use some piece of software to communicate with a device over 'COM/LPT (serial, paralell) ports, FireWire, or any of that'.

      Same goes for floppy (albeit not *that* necessary). And without a cdrom, how are you supposed to install an os on an empty disk? I have seen very few systems distributed as qemu image (ReactOS comes to mind).

      Comment

      • #4
        Originally posted by Rexilion View Post

        I would not be happy to install Windows on hardware just to use some piece of software to communicate with a device over 'COM/LPT (serial, paralell) ports, FireWire, or any of that'.

        Same goes for floppy (albeit not *that* necessary). And without a cdrom, how are you supposed to install an os on an empty disk? I have seen very few systems distributed as qemu image (ReactOS comes to mind).
        What's a "cdrom" ?
        I use USB flash drives like everyone...

        Comment

        • #5
          Originally posted by wagaf View Post

          What's a "cdrom" ?
          I use USB flash drives like everyone...
          You're in minority then. CD images are *the* way to install stuff on virtual machines still

          Comment

          • #6
            Originally posted by nanonyme View Post
            You're in minority then. CD images are *the* way to install stuff on virtual machines still

            I usually bootstrap the system directly or just do a PXE boot. But there is no real harm in including this capability, still a QEMU machine type without legacy cruft would be appreciated.

            And most VMs are likely installed from images (consider how many are run by the largest "cloud" providers alone)
            Last edited by nils_; 27 July 2015, 04:11 PM.

            Comment

            • #7
              Originally posted by wagaf View Post
              What's a "cdrom" ?
              I use USB flash drives like everyone...
              I think you're overlooking the fact that we're talking about VMs here, not physical machines. Nobody is talking about using real CDs here, but mounting an ISO image as a virtual CD drive remains the standard way of installing an OS on a VM.

              Comment

              • #8
                Originally posted by Delgarde View Post

                I think you're overlooking the fact that we're talking about VMs here, not physical machines. Nobody is talking about using real CDs here, but mounting an ISO image as a virtual CD drive remains the standard way of installing an OS on a VM.
                Yes,

                I also guess that USB VM drivers are even more bug-prone.

                Comment

                • #9
                  Originally posted by wagaf View Post
                  I also guess that USB VM drivers are even more bug-prone.
                  Possibly, but it's mostly just that it's more complicated... when you boot from a USB drive, it's usually the result of taking an ISO image, copying it to your USB drive, and booting off that. And that would be stupid for a VM, since you can just boot directly off the ISO image on disk by telling the VM it's a CD drive.

                  Comment

                  • #10
                    Originally posted by Delgarde View Post

                    Possibly, but it's mostly just that it's more complicated... when you boot from a USB drive, it's usually the result of taking an ISO image, copying it to your USB drive, and booting off that. And that would be stupid for a VM, since you can just boot directly off the ISO image on disk by telling the VM it's a CD drive.
                    Well, the image could be presented to the guest as USB mass storage.

                    Comment

                    Previous template Next
                    Working...
                    X