How is Kyup Immune to VENOM
Last night technical media and cloud providers alike were suddenly put on alert by the report of a major vulnerability affecting some hypervisor-based virtualization providers.
How does this affect Kyup clients? It doesn't.
The bug, dubbed VENOM (Virtualized Environment Neglected Operations Manipulation), lies in the open-source computer emulator QEMU, which is used in the most widely used virtualization platforms today, such as KVM, Xen, and VirtualBox. The vulnerability allows malicious users with root access to their own virtual machine to break out of their own instance and access those of other users that reside on the same host node. Some sources describe the security issue as “Bigger than Heartbleed”.
Because our infrastructure is entirely container-based, using OS-level virtualisation instead of a hypervisor, our clients remain entirely unaffected by this particular vulnerability. The virtualization, or rather containerization, method that we use does not require legacy virtual floppy disk controllers such as the one in QEMU, which has been in use since 2004 and caused the issue.
Who should be on the alert?
For those of you running VMs elsewhere, an official patch for qemu-kvm has already been released to fix the vulnerability. Hypervisor-based cloud hosting providers should have already started the process of patching and upgrading their software and rebooting the VMs to make sure the fix has been applied. Here is proof-of-concept code to test whether your machine is vulnerable, but note that it will crash your running VM if it is, so use it with caution.
Our LXC-based containers running on bare metal remain unaffected, but if you are running containers on top of KVM or another type of affected virtual machine, you’d still need to patch or upgrade QEMU in order to avoid an attack.
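Patching alone does not protect guests that were already running, which is why the VMs have to be restarted. As an added example (not part of the original post), this shell function, meant for a patched Linux KVM/QEMU host, lists guest processes that still execute the pre-upgrade QEMU binary. It assumes the upgrade replaced the binary on disk, which Linux flags as " (deleted)" in /proc/<pid>/exe; the function name and the `--check` switch are made up for the example.

```shell
#!/bin/sh
# Added example: find QEMU guest processes still running a pre-upgrade binary.
# When a package upgrade replaces a binary on disk, Linux appends " (deleted)"
# to the /proc/<pid>/exe link of every process that is still executing it.

# stale_qemu_pids [PROC_ROOT]   (hypothetical helper name)
# Prints "<pid> <exe>" for each stale QEMU process.
# Returns 1 if at least one was found, 0 otherwise.
stale_qemu_pids() {
    proc_root=${1:-/proc}
    found=0
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for processes we may not inspect.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $exe in
            *qemu*" (deleted)")
                printf '%s %s\n' "${dir##*/}" "$exe"
                found=1
                ;;
        esac
    done
    return "$found"
}

# Inspect the live /proc only when invoked with --check (switch assumed here).
if [ "${1:-}" = "--check" ]; then
    if stale_qemu_pids /proc; then
        echo "No QEMU process is running a replaced binary."
    else
        # A reboot from inside the guest keeps the same QEMU process,
        # so the guest has to be stopped and started from the host.
        echo "The guests listed above predate the upgrade; stop and start them." >&2
        exit 2
    fi
fi
```

Run it as root on the host with `--check`, since reading another user's /proc/<pid>/exe requires privileges.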
VENOM puts VMs at the exact same risk that some containerization sceptics have been pointing out as the major security flaw of containers as a whole. If nothing else, this is an important reminder that no software is exempt from serious security issues whatsoever.