6 comments

  • br0ceph 2 hours ago

    "If you operate an x86 KVM host that accepts multi-tenant guests and supports nested virtualization, or use an instance on top of one"

    does this mean that you must have nested virtualization enabled to br vulnerable. does disabling this feature in the host os or bios, make you immune to this bug?

    • kurisufag 2 hours ago

      Nested virtualization prompts the use of shadow paging (where the bug is), is my understanding, where non-nested cases use hardware accelerated translation instead.

  • rvz an hour ago

    The full write up is here: [0].

    This is a very nasty vulnerability and risks any service that uses and allows nested x86 virtualization features at risk. Including those running VMs as a service.

    > Running the PoC inside a guest VM can trigger a host kernel panic. A full escape exploit that works in a controlled environment also exists, but it is not released at this time and is planned to be released in the very distant future.

    The first commit that introduced this vulnerability was in 2010. [1] So it was undiscovered for 16 years until now [2].

    It was only a matter of time that a vulnerability in KVM would appear. This one is really not good as it is the first KVM guest-to-host exploit working on both AMD and Intel.

    [0] https://github.com/V4bel/Januscape/blob/main/assets/write-up...

    [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

    [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

  • TZubiri an hour ago

    hey, here's a good rule of thumb.

    If you share resources, that reduces costs, but increases security risks.

    choose whether to share a filesystem, an OS, a kernel, hardware, or just use a dedicated server.

    The economics of sharing resources are all in a tiny sliver of the budget spectrum, the shoestring budget range :

    0-1$/mo: serverless

    1$-5$/mo containers

    5$-200$/mo Virtual Machine(s)

    200$-1Billion$/month , at least one dedicated server

    So if your hourly is worth anywhere upwards of 5$/hr, and your project has any semblance of seriousness, just use a dedicated server, and avoid a whole class of LPE vulnerabilities just to save some $.

    Businesses have expenses, let's stop pretending that all of these non dedicated server infrastructures are serious. Shell out 200$/month or stick to hobby status.

    No, I don't sell dedicated servers, but I should

    • Scotrix 32 minutes ago

      I run 3 servers for 200 EUR, thanks to Hetzner, exactly for this reason (and I’m cheap and I never understood cloud/services like Vercel and Railway as serious alternatives ;-)).

    • antonvs 6 minutes ago

      If you can run everything you need on two or three servers, what you describe can work. But it’s still hobby status, basically. The equation changes when the scale gets significantly bigger. Managing a non-trivial hardware fleet requires people, and people cost money.

      The reason “managed services” of all kinds, including cloud services, are so widespread in business is because someone else is managing things so that you don’t have to. This is as serious as it gets in business. Managing your own hardware makes very little sense for many, if not most companies.