VENOM - Xen, KVM, and QEMU Virtualization - High Vulnerability Advisory

VENOM (Virtualized Environment Neglected Operations Manipulation)

If you are currently utilizing Xen, KVM or QEMU virtualization products you need to apply patches. VMware and Microsoft Hyper-V virtualization products are not affected.

This blog post was updated to reflect the now-assigned CVSS score of 7.7 (High).

A security researcher from Crowdstrike has discovered a software flaw in the virtual floppy drive code in QEMU’s virtual floppy disk controller.  This vulnerable code is present by default on Windows, Linux and OSX hosts running the virtualization products Xen, KVM (Kernel-Based Virtualization not Keyboard-Video-Mouse) and the QEMU client whether or not virtual floppy drives are used. This vulnerability has been present since 2004 and affects both x86 and x86-64 guest instances.  In order to exploit this vulnerability, an attacker must have gained access to the virtual machine guest.  This is not remotely exploitable, instead an attacker would have to first compromise the guest virtual machine.If successfully exploited, this vulnerability could allow an attacker to escape from the virtual environment and execute code on the host system.  Theoretically, a successful attack could also allow access to other systems on the host’s network.At the time of this advisory, there have been no reports of successful attacks and there is no publicly available exploit code.  Vendors have begun releasing patches for this.  Please see the links section below.This vulnerability has been assigned a 7.7 (High) CVSS score.  In this case a 7.7 CVSS score means that the impact of the vulnerability if high, however, the exploitability is much lower due to not being remotely exploitable.  Learn more at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456.

CVSS, the Common Vulnerability Scoring System, is an industry standard mechanism used to assess the severity of computer security vulnerabilities and works with a scale from 1 -10. More information about the CVSS system can be found at https://www.first.org/cvss/faq.

Next Steps

• How do I know if it affects us?
• If you are using one of the affected products (At this time the known affected products are Xen, QEMU and KVM)
• Many cloud based providers use virtualization products and may be affected.  For customers using such services, check with your vendor.  For example, Amazon has stated that AWS customers are not vulnerable http://aws.amazon.com/security/security-bulletins/XSA_Security_Advisory_CVE_2015_345
• How serious is this vulnerability?
• This issue has been receiving a good deal of attention and is potentially serious. There is no known exploit code available at this time, however, the vulnerable code sections have been identified so an exploit could be published soon.
• Since vendors are releasing patches quickly and because this is not remotely exploitable, NWG considers this a high severity vulnerability as opposed to a critical vulnerability.
• What should we do next?
• Apply patches as they become available (see links below).
• Check with your cloud provider (if applicable) to determine if they have applied the appropriate patches.
• If you have any of the affected products and have questions regarding next steps please contact us using the contact information below.
• As details regarding this vulnerability emerge, NWG will also offer Vulnerability Management customers proactive scanning to determine if they are affected by this issue.

Links

• Xen Advisory (contains patches)http://xenbits.xen.org/xsa/advisory-133.html
• About the vulnerabilityhttp://venom.crowdstrike.com/http://www.forbes.com/sites/thomasbrewster/2015/05/13/venom-vulnerabilit...
• Notice from Amazonhttp://aws.amazon.com/security/security-bulletins/XSA_Security_Advisory_...
• List of vulnerable Linux distributionshttp://www.cyberciti.biz/faq/cve-2015-3456-patch-venom-on-debian-ubuntu-fedora-centos-rhel-linux/
• https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/
• Citrix security advisoryhttp://support.citrix.com/article/CTX201078
• Redhat blog posthttps://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/
• FireEye Vulnerability Summaryhttps://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf
• NetWorks Group updates regarding this vulnerabilityhttps://www.networksgroup.com/blog

If you have questions regarding this notice or about this vulnerability please call us at 734-827-1400, option 3 or email support@networksgroup.com.

Topics: Threat Hunting, Vulnerability Management, Threat Management, Threat Advisory